
A highly sophisticated Chinese state-sponsored threat group, identified as Salt Typhoon, has been infiltrating major US telecommunications companies for more than three years and maintaining long-term access to their networks, according to Cisco. The hackers gained initial access by exploiting a known security vulnerability and by using stolen login credentials. Cisco's threat intelligence arm, Cisco Talos, confirmed the group's persistent and complex espionage campaign, which demonstrated the advanced methods and tactics typical of state-sponsored advanced persistent threat (APT) actors.
Cisco Talos reported that Salt Typhoon exploited CVE-2018-0171, a flaw in Cisco's IOS XE software, to gain access. The group also leveraged stolen login credentials to move freely within the networks, although the exact method by which the credentials were obtained remains unclear. Cisco confirmed that the hackers often accessed network configurations and recovered the credentials of local accounts that had weak passwords. They also captured network traffic, including SNMP, TACACS, and RADIUS data, to collect more credentials and access keys for further attacks.
Salt Typhoon employs stealthy tactics
The threat group employed “living-off-the-land” techniques, meaning they used the compromised network devices as pivot points to move across multiple telecom networks without raising alarms. This strategy allowed them to remain undetected for prolonged periods. Cisco confirmed that the group altered network configurations, created local accounts, and enabled Guest Shell access to facilitate remote access via SSH.
Salt Typhoon’s methods included using a custom-built utility, JumbledPath, which helped mask the origin and destination of requests, further obscuring their activities. This tool allowed attackers to clear logs, disable logging, and modify loopback interfaces, making it difficult to trace their movements within the network. Cisco also found that the hackers erased key system logs to hinder forensic investigations and avoid detection.
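The configuration changes described in the two paragraphs above (new local accounts, Guest Shell enabled, logging disabled, loopback interfaces altered) and the credential material mentioned earlier (reversibly encoded passwords, SNMP community strings, TACACS keys) all leave traces in a device's running configuration. The following script is an added example, not code from the article or from Cisco Talos: it audits an IOS XE style configuration against an operator-supplied list of approved users and inventoried loopbacks and reports anything that should be reconciled with change records. The sample configuration, hostnames, usernames and addresses are constructed for the example.

```python
"""Audit a Cisco IOS / IOS XE running-config for the kinds of changes the article attributes to the intruders.

Added example (not from the article or from Cisco). A hit is a review trigger,
not proof of compromise: every finding must be compared with the operator's
approved change records. All device names, users and addresses are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # which rule fired
    line_no: int    # 1-based line in the config text
    text: str       # the offending line, whitespace-stripped


# "iox" and "app-hosting appid guestshell" appear in the config when Guest Shell
# is enabled; "guestshell enable" is an exec command and is included so the same
# rules can be run over a captured command log.
GUESTSHELL_RE = re.compile(r"^(iox|guestshell enable|app-hosting appid guestshell)\b")
USERNAME_RE = re.compile(r"^username\s+(\S+)")
NO_LOGGING_RE = re.compile(r"^no logging\b")
LOOPBACK_RE = re.compile(r"^interface Loopback(\d+)$", re.IGNORECASE)
# "Type 7" is a reversible obfuscation, so any key or password stored that way
# is effectively cleartext to whoever reads the config.
TYPE7_RE = re.compile(r"\b(?:password|secret|key)\s+7\s+\S+")
# SNMPv1/v2c community strings also travel unencrypted on the wire.
SNMP_COMMUNITY_RE = re.compile(r"^snmp-server community\s+\S+")


def audit_config(config_text: str, approved_users: set[str],
                 inventoried_loopbacks: set[int]) -> list[Finding]:
    """Return one Finding per rule hit; a single line may produce several."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line == "!":
            continue
        if GUESTSHELL_RE.match(line):
            findings.append(Finding("guestshell", line_no, line))
        m = USERNAME_RE.match(line)
        if m and m.group(1) not in approved_users:
            findings.append(Finding("unapproved-local-account", line_no, line))
        if NO_LOGGING_RE.match(line):
            findings.append(Finding("logging-disabled", line_no, line))
        m = LOOPBACK_RE.match(line)
        if m and int(m.group(1)) not in inventoried_loopbacks:
            findings.append(Finding("unexpected-loopback", line_no, line))
        if TYPE7_RE.search(line):
            findings.append(Finding("reversible-type7-credential", line_no, line))
        if SNMP_COMMUNITY_RE.match(line):
            findings.append(Finding("snmp-community", line_no, line))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per category, handy for a dashboard or a diff between runs."""
    return Counter(f.category for f in findings)


# Constructed sample: one approved account plus the kinds of additions described above.
SAMPLE_CONFIG = """\
hostname pe-router-01
!
iox
!
username netops privilege 15 secret 9 $9$constructed-scrypt-hash
username svc-backup privilege 15 password 7 0822455D0A16
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Loopback99
 ip address 10.255.99.1 255.255.255.255
!
snmp-server community public RO
!
tacacs server ISE-1
 address ipv4 10.1.1.10
 key 7 1511021F0725
!
no logging console
logging host 10.2.2.20
!
app-hosting appid guestshell
"""
APPROVED_USERS = {"netops"}
INVENTORIED_LOOPBACKS = {0}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, APPROVED_USERS, INVENTORIED_LOOPBACKS):
        print(f"line {f.line_no:>3}  {f.category:<28} {f.text}")
    print(summarize(audit_config(SAMPLE_CONFIG, APPROVED_USERS, INVENTORIED_LOOPBACKS)))
```

Run against a configuration pulled from each device (or against a daily config backup) and diff the summary between runs; a new `guestshell`, `unapproved-local-account` or `logging-disabled` hit on a device with no matching change ticket is exactly the kind of signal the article says went unnoticed for years.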
A part of a larger trend
The infiltration is part of a larger trend of persistent cyberattacks targeting critical U.S. infrastructure. While Cisco observed other attacks on Cisco devices involving CVE-2018-0171, these were not connected to Salt Typhoon, and there was no evidence linking the group to more recent vulnerabilities such as CVE-2023-20198 or CVE-2023-20273.
Cisco's report highlights the sophisticated nature of state-sponsored cyber threats, underlining the challenges of securing networks against well-funded and patient adversaries.