Salt Typhoon Cyberattacks Exploit Cisco Flaws, Threatening Global Networks


Salt Typhoon, a Chinese advanced persistent threat (APT) group, has been making significant news headlines recently with its highly sophisticated and damaging cyber-attacks on critical infrastructure worldwide. Known under various aliases including RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, this group has systematically targeted telecommunications infrastructure, internet service providers (ISPs), and academic institutions. Recent reports have highlighted the group’s ongoing exploitation of vulnerabilities in Cisco devices, underscoring a persistent and evolving threat to global networks and emphasizing the critical need for a robust cybersecurity response.

Salt Typhoon’s Initial Infiltrations

High-Profile Targets in the US

Salt Typhoon first came into the spotlight last fall with explosive revelations about its infiltration of major US telecommunications providers such as T-Mobile, AT&T, and Verizon. The group managed to eavesdrop on US law enforcement wiretaps and even the activities of the Democratic and Republican presidential campaigns.

Their ability to penetrate such high-profile targets raised significant alarm within the cybersecurity community and among affected organizations. The breach not only highlighted the technical proficiency of Salt Typhoon but also revealed the inadequacies in existing cybersecurity defenses.

Continued Assault on Global Networks

Recent findings by Recorded Future’s Insikt Group indicate that Salt Typhoon, tracked as “RedMike,” has continued its aggressive assault on global communication networks with undeterred momentum. Between December and January, the group systematically targeted telecommunications providers and research universities across multiple continents. These coordinated attacks exploited known vulnerabilities in Cisco network devices, specifically two critical flaws in the IOS XE operating system: CVE-2023-20198 and CVE-2023-20273. These vulnerabilities enabled the attackers to gain administrative privileges and execute malicious commands on compromised devices, thereby granting them significant control and access to sensitive data.

This systematic exploitation of known vulnerabilities allowed Salt Typhoon to sidestep traditional cybersecurity defenses, highlighting the group’s sophisticated attack strategies.

Cisco’s Response and Vulnerability Details

Cisco’s Acknowledgment and Advisories

In response to these relentless attacks, a Cisco spokesperson issued a statement acknowledging awareness of the claims regarding the exploitation of these vulnerabilities. Cisco reiterated its previous guidance and advisories, urging customers to patch known vulnerabilities and strictly adhere to best practices for securing management protocols.

Critical Vulnerabilities in IOS XE

In October 2023, Cisco issued an urgent advisory for all its customers to immediately take routers, switches, and other devices running the IOS XE operating system off the internet. This drastic measure was prompted by the active exploitation of a previously unknown vulnerability in the devices' web user interface, which attackers were using to create unauthorized local admin accounts. This zero-day vulnerability, designated CVE-2023-20198, received a perfect score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS). Shortly thereafter, Cisco revealed a second significant vulnerability, CVE-2023-20273, that compounded the already severe threat landscape.

Salt Typhoon’s Modus Operandi

Exploitation Tactics

Despite Cisco’s multiple advisories and warnings, a substantial number of organizations failed to promptly heed the advice. The group’s modus operandi involved the meticulous configuration of Generic Routing Encapsulation (GRE) tunnels to link compromised devices to its infrastructure. This sophisticated tactic permitted them to establish persistence on the target network and facilitate data exfiltration, all while evading detection by firewall and network monitoring systems.
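The two footholds described above, unauthorized local admin accounts created through the web UI and GRE tunnels pointing at attacker infrastructure, both leave traces in a device's running configuration. The following is an added defender-side example, not code from the article or from Cisco: it audits a constructed IOS XE configuration excerpt against an assumed organisational baseline (approved privilege-15 accounts and approved tunnel peers, both hypothetical) and also flags the web UI being enabled, which Cisco's guidance at the time was to disable on internet-facing devices.

```python
import re

# Constructed sample of an IOS XE running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 203.0.113.5 255.255.255.0
interface Tunnel0
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.10
 tunnel mode gre ip
interface Tunnel7
 ip address 10.250.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.77
!
"""

# Assumed baseline (hypothetical): who may hold privilege 15, and which tunnel
# peers are sanctioned. Everything else is reported for investigation.
APPROVED_ADMINS = {"netops"}
APPROVED_TUNNEL_PEERS = {"192.0.2.10"}


def audit_config(config, approved_admins, approved_peers):
    """Return a list of findings: rogue admin accounts, web UI enabled,
    and tunnel interfaces whose destination is not on the allow-list.
    Note: a Tunnel interface with no 'tunnel mode' line is GRE/IP by default."""
    findings = []
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in approved_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
        if re.fullmatch(r"ip http (secure-)?server", line):
            findings.append(f"web UI enabled: {line}")
        m = re.match(r"interface (\S+)", line)
        if m:  # track only Tunnel interfaces; reset on any other interface
            current_if = m.group(1) if m.group(1).startswith("Tunnel") else None
        m = re.match(r"tunnel destination (\S+)", line)
        if m and current_if and m.group(1) not in approved_peers:
            findings.append(f"{current_if}: tunnel peer not on allow-list: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, APPROVED_ADMINS, APPROVED_TUNNEL_PEERS):
        print(finding)
```

In practice the excerpt would be pulled from `show running-config` and diffed against a golden configuration; any account or tunnel that appears without a change ticket is the signal worth chasing.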

Broader Implications of the Attacks

The broader implications of these sophisticated attacks are profound. The recurring incidents involving Cisco devices underscore the importance of constant vigilance and proactive security postures within organizations.

Global Reach and Strategic Aims

Diverse and Global Targets

Salt Typhoon’s recent campaign has affected a broad spectrum of organizations spread across various continents, highlighting the group’s strategic objectives of accessing sensitive networks for espionage, disruption, or potential data manipulation in the event of geopolitical tensions or conflict. Their targets included a US affiliate of a UK telecommunications company, several ISPs and telcos across different countries, and a notable ISP in Italy.

Academic Institutions Under Attack

In addition to telecommunications and ISPs, Salt Typhoon has directed its cyber-attacks against academic institutions engaged in significant research, particularly within fields like telecommunications and engineering. Notable targets have included esteemed institutions such as the University of California, Los Angeles (UCLA) and other prominent universities across the US, as well as universities in Argentina, Indonesia, and the Netherlands.

Persistent Threat and Security Challenges

Global Impact and Reach

The pervasive nature of Salt Typhoon’s threat is evident, with their campaign touching over 100 countries worldwide. The highest number of compromised devices has been recorded in regions such as South America, India, and the US, underscoring the group’s expansive operational footprint and its ability to execute coordinated attacks on a global scale.

Need for Robust Cybersecurity Measures

Salt Typhoon's sustained campaign against critical infrastructure underlines the urgent requirement for a strong cybersecurity response to safeguard essential networks. As the group continues to adapt its tactics, it reinforces the importance of vigilance and robust, up-to-date security measures in counteracting such threats effectively.
