Introduction to the Threat
The Chinese advanced persistent threat (APT) known as Salt Typhoon has launched a large-scale attack on over a thousand Cisco devices. These devices are primarily located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities. This campaign highlights the group’s strategic targeting of critical infrastructure worldwide.
Background on Salt Typhoon
Salt Typhoon, also known as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, first gained notoriety last fall with its attacks on major US telecommunications providers like T-Mobile, AT&T, and Verizon. The group managed to eavesdrop on US law enforcement wiretaps and even targeted the Democratic and Republican presidential campaigns. Despite the media attention, Salt Typhoon continued its operations, attacking communications providers and research universities worldwide on six occasions in December and January.
Salt Typhoon’s Latest Attacks on Elecom, Unis
In October 2023, Cisco warned its customers about a previously unknown vulnerability in the web user interface (web UI) of its IOS XE operating system, which allowed attackers to create new local accounts with administrative privileges without prior authorization. This issue was assigned CVE-2023-20198, with a CVSS score of 10 out of 10. Shortly after, Cisco revealed a second IOS XE web UI vulnerability, CVE-2023-20273, which allowed attackers to run malicious commands on compromised devices with root privileges. Salt Typhoon exploited these vulnerabilities to target large organizations on six continents, configuring Generic Routing Encapsulation (GRE) tunnels to establish persistence and enable data exfiltration.
Vulnerabilities Exploited
Salt Typhoon was able to exploit these vulnerabilities because the affected Cisco devices had not been patched or updated. This highlights the importance of keeping software and systems up to date with the latest security patches. The attack also demonstrates the need for continuous monitoring and detection capabilities to identify and respond to potential security incidents.
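The two paragraphs above describe the artifacts this campaign leaves on a device: an unexpected local account with privilege level 15, GRE tunnel interfaces that the operator never configured, and a web UI that is reachable at all. A defender can turn those into a configuration audit. The following is an added example written for this article, not Cisco tooling or anything from the reporting it summarizes. It parses a constructed sample of `show running-config` output and diffs it against an operator-maintained baseline; the hostname, usernames, addresses and baseline sets are all invented placeholders.

```python
"""Baseline audit of Cisco IOS XE running-config text for the artifacts
described above: unexpected privilege-15 local users, unexpected GRE
tunnels, and an enabled web UI. Added example; all sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of `show running-config` output (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$placeholder
username svc-backup privilege 1 secret 9 $9$placeholder
username cisco_unknown privilege 15 secret 9 $9$placeholder
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
end
"""

# Constructed baseline: the accounts and tunnels the operator expects to exist.
BASELINE_USERS: Set[str] = {"netops", "svc-backup"}
BASELINE_TUNNELS: Set[str] = set()

@dataclass
class Finding:
    severity: str
    message: str

# Only accounts with an explicit privilege level are captured; an IOS XE
# `username` line without one defaults to privilege 1 and is not of interest here.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.M)
# An interface stanza is the `interface` line plus the indented lines under it.
IFACE_RE = re.compile(r"^interface\s+(\S+)\n((?:[ \t].*\n)*)", re.M)

def parse_users(config: str) -> Dict[str, int]:
    """Map each local username that carries a privilege level to that level."""
    return {name: int(priv) for name, priv in USER_RE.findall(config)}

def parse_gre_tunnels(config: str) -> Dict[str, Optional[str]]:
    """Map each interface in GRE tunnel mode to its tunnel destination, if set."""
    tunnels: Dict[str, Optional[str]] = {}
    for name, body in IFACE_RE.findall(config):
        if re.search(r"^\s*tunnel mode gre", body, re.M):
            dest = re.search(r"^\s*tunnel destination\s+(\S+)", body, re.M)
            tunnels[name] = dest.group(1) if dest else None
    return tunnels

def web_ui_enabled(config: str) -> bool:
    """True if either the HTTP or HTTPS web UI server line is present."""
    return re.search(r"^ip http (secure-)?server$", config, re.M) is not None

def audit(config: str, baseline_users: Set[str], baseline_tunnels: Set[str]) -> List[Finding]:
    """Compare the config against the baseline and return ordered findings."""
    findings: List[Finding] = []
    for name, priv in parse_users(config).items():
        if priv >= 15 and name not in baseline_users:
            findings.append(Finding("high", f"unexpected privilege-{priv} local user {name!r}"))
    for name, dest in parse_gre_tunnels(config).items():
        if name not in baseline_tunnels:
            findings.append(Finding("high", f"unexpected GRE tunnel {name} to {dest}"))
    if web_ui_enabled(config):
        findings.append(Finding("medium", "web UI is enabled (ip http server / ip http secure-server)"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, BASELINE_USERS, BASELINE_TUNNELS):
        print(f"[{finding.severity}] {finding.message}")
```

Run against a config pulled from a device, the audit surfaces the third account and the tunnel as high-severity deviations from the baseline and the enabled web UI as a medium one. The useful part is the baseline: a privilege-15 user or a GRE tunnel is not suspicious in itself, so the check only has signal when the operator keeps the expected set current.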
Salt Typhoon’s Latest Cyberattack Victims
The organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar’s premier telcos. Additionally, 13 universities were targeted, including the University of California, Los Angeles (UCLA) and three more US institutions, as well as universities in Argentina, Indonesia, and the Netherlands.
Global Reach and Implications
While more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US. The global nature of Salt Typhoon’s targeting extends far beyond US borders and speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for espionage, disruption, or destructive action. This underlines the importance of international cooperation and information sharing to combat such threats.
Conclusion
The Salt Typhoon attacks highlight the ongoing threat posed by Chinese APT groups and the need for organizations to prioritize cybersecurity. The exploitation of vulnerabilities in Cisco devices demonstrates the importance of keeping software and systems up to date and implementing robust security measures to detect and respond to potential security incidents. As Salt Typhoon’s activities continue to evolve, it is essential for organizations to remain vigilant and proactive in their cybersecurity efforts.