Source: www.securityweek.com – Author: Ionut Arghire
The China-linked cyberespionage group known as Salt Typhoon has been compromising backbone and edge routers globally for persistent access to networks across multiple industries, government agencies in the US and allied countries warn.
Also tracked as GhostEmperor, Operator Panda, RedMike, and UNC5807, the threat group has been conducting cyberespionage operations in the US, Australia, Canada, New Zealand, and the UK, and across other regions for over half a decade, the agencies note in a joint advisory.
Blamed for multiple intrusions at telecom companies in the US and Canada, and for the hacking of a US National Guard unit, Salt Typhoon has been busy targeting government, telecom, transportation, lodging, and military infrastructure networks globally since at least 2021, the advisory reads.
The APT’s operations have been linked to China-based companies such as Sichuan Juxinhe Network Technology Co. Ltd. (sanctioned by the US), Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd., known for providing cyber products and services to Chinese intelligence.
“The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the advisory reads.
Salt Typhoon has exploited known vulnerabilities in Cisco (CVE-2018-0171, CVE-2023-20198, and CVE-2023-20273), Ivanti (CVE-2024-21887), and Palo Alto Networks (CVE-2024-3400) products for initial access, but has not targeted zero-day flaws.
The APT was seen targeting backbone routers at telecom providers and edge routers, regardless of who owns them, and then leveraging them to pivot into other networks, as well as modifying routing and enabling traffic mirroring.
For persistence and evasion, the hackers have been tampering with Access Control Lists (ACLs), opening standard and non-standard ports, creating tunnels over various protocols, leveraging open source multi-hop pivoting tools, enumerating and altering other devices’ configurations, and executing various commands.
For lateral movement, they have been targeting authentication protocols, router interfaces, RSVP sessions, BGP routes, configuration files, network traffic, installed software, and provider-held data, and have been extracting credentials from captured network traffic.
Additionally, Salt Typhoon was seen modifying server configurations to point to IP addresses it controls, creating privileged user accounts, scanning for ports, using monitoring tools, updating routing tables, hiding its tracks by deleting logs and disabling logging, and abusing peering connections for data exfiltration.
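As an added defender's example (not code from the article or the advisory), the check below diffs a router's running-config against a known-good baseline and flags newly added lines that match the tampering described above: traffic mirroring, disabled logging, new privileged accounts, tunnel interfaces, and ACL or route changes. The IOS-style configs, addresses and hashes are constructed placeholders.

```python
import re
from collections import defaultdict

# Indicator patterns for the router tampering described above (assumed IOS-style syntax).
INDICATORS = {
    "traffic_mirroring": re.compile(r"^monitor session \d+ (source|destination)\b"),
    "logging_disabled": re.compile(r"^no logging\b"),
    "privileged_account": re.compile(r"^username \S+ privilege 15\b"),
    "tunnel_interface": re.compile(r"^interface Tunnel\d+|^tunnel (source|destination)\b"),
    "acl_change": re.compile(r"^(ip )?access-list\b|^(permit|deny)\b"),
    "route_change": re.compile(r"^ip route\b"),
}

# Constructed sample: a known-good baseline and a later dump of the same device.
BASELINE_CONFIG = """
logging buffered 64000
logging trap informational
username netops privilege 15 secret 9 <baseline-hash>
ip access-list extended MGMT
 permit tcp host 10.1.1.10 any eq 22
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""
CURRENT_CONFIG = BASELINE_CONFIG + """
no logging trap
username svc_backup privilege 15 secret 9 <unknown-hash>
ip access-list extended MGMT
 permit tcp host 198.51.100.7 any eq 22
interface Tunnel9
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/3
ip route 192.0.2.0 255.255.255.0 198.51.100.7
"""

def config_lines(text):
    """Normalise a config dump: strip indentation, drop blank and comment ('!') lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("!")]

def hunt_config_drift(baseline, current):
    """Map each indicator to lines present in `current` but absent from `baseline`."""
    known = set(config_lines(baseline))
    hits = defaultdict(list)
    for line in config_lines(current):
        if line in known:
            continue  # unchanged baseline state is never flagged
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)
```

Run it against periodic config snapshots rather than a single dump, since the advisory notes the actors also delete logs, so configuration drift may be the only surviving evidence.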
Warning of Salt Typhoon’s persistent, long-term access to the compromised networks, the joint advisory provides indicators of compromise (IOCs) and recommendations on the actions threat hunters should take to identify compromises and evict the attackers.
“The APT actors often take steps to protect their established access, such as compromising mail servers or administrator devices/accounts to monitor for signs that their activity has been detected. Organizations should take steps to protect the details of their threat hunting and incident response from APT actor monitoring activities,” the advisory reads.
According to John Hultquist, chief analyst of Google’s Threat Intelligence Group, the hackers “are distinguished by deep familiarity with the tech allowing them to evade detection and spread broadly,” and heavily rely on Chinese contractors for their large-scale operations.
“The contractor ecosystem at the heart of Chinese cyber espionage has been instrumental in the rapid evolution of these operations and growing them to an unprecedented scale. Contractors do everything from building infrastructure to the dirty work of carrying out intrusions,” he said.
In an emailed comment, Swimlane lead security automation architect Nick Tausek underlined the importance of corporate backing in Salt Typhoon’s operations, pointing out that the threat actor targeted hundreds of organizations in 80 countries in 2024 alone.
“Unfortunately, just because we understand how it happened doesn’t mean the threat is now gone. Salt Typhoon is still just as dangerous as ever, and companies need to be prepared. Organizations should follow the guidelines set by the NSA and gain a full understanding of the APT actors’ accesses before implementing visible incident response and mitigation actions to maximize the chance of achieving full eviction from compromised networks,” Tausek said.
Original Post URL: https://www.securityweek.com/chinas-salt-typhoon-hacked-critical-infrastructure-globally-for-years/
Category & Tags: Cyberwarfare, Threat Intelligence, China, Featured, Salt Typhoon