Cisco revealed that a sophisticated Chinese threat actor group known as Salt Typhoon successfully exploited the CVE-2018-0171 vulnerability. Through well-funded and meticulously planned efforts, the adversary infiltrated major U.S. telecommunications networks, maintaining access for over three years. This campaign not only underscores the persistence and capacity of advanced persistent threat (APT) groups but also demonstrates their ability to compromise numerous vendors’ equipment over a prolonged period. Cisco’s findings paint a concerning picture of the tactics and techniques utilized by Salt Typhoon, as they highlight vulnerabilities within the critical infrastructure of telecommunications networks.
Sophisticated Planning and Infiltration
Cisco’s investigation into the breach revealed that, contrary to initial speculation, the Salt Typhoon attackers did not exploit other vulnerabilities such as CVE-2023-20198 and CVE-2023-20273. Instead, they primarily used stolen valid credentials to gain initial access. How these credentials were originally obtained remains unclear, but once inside, the threat actor took a methodical approach to harvesting further credentials from network device configurations and from captured SNMP, TACACS, and RADIUS traffic, which yielded additional credentials for uninterrupted access. The careful planning and execution resemble organized, state-sponsored operations.
Salt Typhoon’s expertise in living-off-the-land (LOTL) techniques allowed them to use compromised devices as pivot points, enabling lateral movement within and between telecom networks. These intermediate relays supported inconspicuous data exfiltration and helped the attackers operate undetected for extended periods. Altering network configurations to create local accounts, enabling Guest Shell access, and establishing SSH-based remote access were among their key maneuvers. A custom tool named JumbledPath let them capture packets on remote Cisco devices and clear or disable logs, hindering forensic investigation.
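The two paragraphs above describe the footholds the intruders left in device configurations (new local accounts, Guest Shell, SSH on the vty lines, and later the loopback changes) and the credential material a configuration dump hands over (type 7 TACACS/RADIUS keys, cleartext SNMP community strings). A defender can catch both by diffing a running-config snapshot against a known-good baseline. The script below is an added example written for this article, not Cisco’s or any vendor’s tooling; both configuration dumps are constructed samples, and the hostnames, usernames, addresses and key values in them are invented.

```python
"""Audit a Cisco IOS/IOS XE running-config snapshot against a baseline for the
configuration changes and credential exposure described in the article.
Both configs are CONSTRUCTED samples; the parser handles real dumps of the
same shape (unindented statements, indented sub-commands, '!' separators)."""
import re
from dataclasses import dataclass, field


@dataclass
class ConfigFacts:
    usernames: set[str] = field(default_factory=set)
    iox_enabled: bool = False                       # 'iox' is the Guest Shell prerequisite on IOS XE
    loopbacks: dict[str, str] = field(default_factory=dict)  # Loopback name -> IPv4 address
    vty_ssh: bool = False                           # ssh allowed inbound on the vty lines
    weak_secrets: list[str] = field(default_factory=list)    # type 0/7 keys, SNMP communities


def parse_ios_config(text: str) -> ConfigFacts:
    """Extract the facts we care about from a running-config dump."""
    facts = ConfigFacts()
    block = ""  # most recent unindented statement; indented lines belong to it
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            block = line
        stripped = line.strip()
        top_level = block == line
        m = re.match(r"username (\S+)", stripped)
        if top_level and m:
            facts.usernames.add(m.group(1))
        elif top_level and stripped == "iox":
            facts.iox_enabled = True
        elif block.startswith("interface Loopback") and stripped.startswith("ip address "):
            facts.loopbacks[block.split()[1]] = stripped.split()[2]
        elif block.startswith("line vty") and stripped.startswith("transport input"):
            if {"ssh", "all"} & set(stripped.split()[2:]):
                facts.vty_ssh = True
        elif stripped.startswith("snmp-server community "):
            facts.weak_secrets.append("snmp-server community string (cleartext by design)")
        else:
            # 'key 0' is plaintext and 'key 7' is reversibly obfuscated: both are
            # recoverable by anyone who can read the configuration.
            m = re.search(r"\bkey (0|7) \S+", stripped)
            if m:
                facts.weak_secrets.append(f"type {m.group(1)} key under '{block}'")
    return facts


def audit_drift(baseline: ConfigFacts, observed: ConfigFacts) -> list[str]:
    """Report changes relative to the baseline plus any recoverable secrets."""
    findings = []
    for user in sorted(observed.usernames - baseline.usernames):
        findings.append(f"new local account: {user}")
    if observed.iox_enabled and not baseline.iox_enabled:
        findings.append("iox enabled (Guest Shell prerequisite) but absent from baseline")
    if observed.vty_ssh and not baseline.vty_ssh:
        findings.append("ssh newly permitted on vty lines")
    for iface, addr in sorted(observed.loopbacks.items()):
        old = baseline.loopbacks.get(iface)
        if old is None:
            findings.append(f"new loopback {iface} with address {addr}")
        elif old != addr:
            findings.append(f"{iface} address changed {old} -> {addr}")
    for secret in dict.fromkeys(observed.weak_secrets):  # de-duplicate, keep order
        findings.append(f"recoverable secret: {secret}")
    return findings


# Constructed baseline: one admin account, no iox, no ssh on vty, one loopback.
BASELINE_CFG = """\
hostname core-sw1
!
username netops privilege 15 secret 9 $9$constructedhash
!
tacacs server ISE1
 address ipv4 10.0.0.5
 key 7 0822455D0A16
!
snmp-server community public RO
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
line vty 0 4
 transport input none
!
"""

# Constructed later snapshot with the kinds of changes the article describes.
OBSERVED_CFG = BASELINE_CFG.replace(
    "username netops privilege 15 secret 9 $9$constructedhash\n",
    "username netops privilege 15 secret 9 $9$constructedhash\n"
    "username svc-backup privilege 15 secret 9 $9$anotherhash\n!\niox\n",
).replace(
    "line vty 0 4\n transport input none\n",
    "interface Loopback99\n ip address 192.0.2.77 255.255.255.255\n!\n"
    "line vty 0 4\n transport input ssh\n",
)


def run_audit() -> list[str]:
    return audit_drift(parse_ios_config(BASELINE_CFG), parse_ios_config(OBSERVED_CFG))


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Running the audit against the constructed pair reports the new `svc-backup` account, the `iox` enablement, SSH on the vty lines, the new `Loopback99`, and the two recoverable secrets that were present all along. The last category is worth acting on even when nothing changed: a type 7 TACACS key or a cleartext SNMP community in a config that an intruder can read is exactly the material the article says was harvested, so converting those to type 6 encrypted keys and SNMPv3 removes the payoff from reading the config in the first place.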
Maintaining Stealth and Prolonged Access
To remain undetected, Salt Typhoon periodically erased logs such as .bash_history, auth.log, lastlog, wtmp, and btmp, leaving minimal forensic evidence. This deliberate log-cleanup routine cloaked their movements and activities on compromised devices. An additional tactic saw them modify loopback interface addresses on affected switches to create backdoor SSH connections, circumventing access control lists (ACLs) and thereby preserving their access without raising alarms. This level of operational security indicates the thoroughness and caution employed by the attackers throughout their campaign.
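The log files named above (.bash_history, auth.log, lastlog, wtmp, btmp) only ever grow during normal operation, apart from scheduled rotation, so a file that shrinks, vanishes, changes inode, or has its modification time move backwards between two polls is itself evidence that someone cleaned up. The script below is an added example for this article, not a tool from Cisco or from the investigation; the two metadata snapshots are constructed, and `snapshot()` shows how a real one would be collected on the Guest Shell or any other Linux host.

```python
"""Flag indicators that authentication and shell-history logs were erased,
truncated, replaced or timestomped, by comparing two metadata snapshots.
BEFORE/AFTER are CONSTRUCTED; snapshot() collects a real one via os.stat."""
import os
from typing import NamedTuple


class FileMeta(NamedTuple):
    inode: int
    size: int
    mtime: int  # seconds since the epoch


# Files the article reports being erased; paths are the usual Linux locations.
WATCHED = [
    "/root/.bash_history",
    "/var/log/auth.log",
    "/var/log/lastlog",
    "/var/log/wtmp",
    "/var/log/btmp",
]


def snapshot(paths=WATCHED) -> dict[str, FileMeta]:
    """Collect (inode, size, mtime) for each watched file that exists."""
    out = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        out[path] = FileMeta(st.st_ino, st.st_size, int(st.st_mtime))
    return out


def detect_log_tampering(before: dict[str, FileMeta], after: dict[str, FileMeta]) -> list[str]:
    """Append-only logs should never shrink, disappear, change inode or go back in time."""
    findings = []
    for path, old in before.items():
        new = after.get(path)
        if new is None:
            findings.append(f"{path}: deleted")
            continue
        if new.inode != old.inode:
            findings.append(f"{path}: inode changed {old.inode}->{new.inode} (file replaced)")
        if new.size < old.size:
            findings.append(f"{path}: size shrank {old.size}->{new.size} bytes (truncated)")
        if new.mtime < old.mtime:
            findings.append(f"{path}: mtime moved backwards (timestomped)")
    return findings


# Constructed snapshots one hour apart on a host where cleanup took place.
BEFORE = {
    "/root/.bash_history": FileMeta(1001, 4096, 1700000000),
    "/var/log/auth.log": FileMeta(1002, 250000, 1700000500),
    "/var/log/lastlog": FileMeta(1003, 292292, 1700000400),
    "/var/log/wtmp": FileMeta(1004, 38400, 1700000450),
    "/var/log/btmp": FileMeta(1005, 1536, 1699990000),
}
AFTER = {
    "/root/.bash_history": FileMeta(1001, 0, 1700003600),     # truncated in place
    "/var/log/auth.log": FileMeta(1010, 120, 1700003600),     # unlinked and recreated
    "/var/log/lastlog": FileMeta(1003, 292292, 1700000400),   # untouched
    "/var/log/wtmp": FileMeta(1004, 38400, 1699999000),       # mtime rolled back
    # /var/log/btmp missing: deleted
}


def demo_findings() -> list[str]:
    return detect_log_tampering(BEFORE, AFTER)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Log rotation legitimately produces an inode change and a size drop on auth.log, so in production the check should be correlated with the rotation schedule (or run against the rotated copies as well). The more robust answer to the tactic in the article is to ship these logs off the device as they are written: a remote syslog collector keeps the entries an intruder later removes locally, and the comparison above then only has to confirm that local cleanup happened.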
Moreover, a distinctive characteristic of Salt Typhoon’s methodology was the significant targeting of devices with exposed Smart Install (SMI), the feature affected by CVE-2018-0171. However, despite identifying substantial exploitation of CVE-2018-0171, Cisco noted that this activity was not directly linked to Salt Typhoon or to any other known threat actor. This suggests that while exploitation of CVE-2018-0171 was widespread, it was likely conducted separately from the primary intrusion activity attributed to Salt Typhoon. The distinction reflects the complexity and layered structure of such cyber operations.
Implications and Future Considerations
Cisco’s disclosure that Salt Typhoon, a highly skilled Chinese threat actor group with substantial resources and careful planning, exploited CVE-2018-0171 and sustained access to major U.S. telecommunications networks for over three years underscores the persistence and capability of advanced persistent threat (APT) groups and their ability to compromise a wide array of vendors’ equipment over an extended period. The investigation exposes critical weaknesses in telecommunications infrastructure that pose significant risks to the security and reliability of these networks, and it calls attention to the pressing need for enhanced security measures and vigilance within the telecommunications industry to counter such sophisticated cyber threats effectively.