
Cisco has confirmed that a Chinese state-backed hacking group, known as Salt Typhoon, exploited a known security vulnerability (CVE-2018-0171) to infiltrate major U.S. telecommunications networks. The attackers also leveraged stolen credentials to maintain prolonged access within these environments.
Sophisticated Attack with Long-Term Persistence
According to Cisco Talos, Salt Typhoon demonstrated a high level of sophistication, successfully maintaining access to multiple vendors’ network equipment for extended periods—one instance lasted over three years. The group’s tactics align with those commonly associated with advanced persistent threats (APTs), including state-sponsored cyber espionage campaigns.
“The long timeline of this campaign suggests a high degree of coordination, planning, and patience—standard hallmarks of APTs and state-sponsored actors,” Cisco Talos stated.
No Evidence of Additional Vulnerabilities Exploited
While a recent report from Recorded Future suggested that Salt Typhoon may have exploited other vulnerabilities, specifically CVE-2023-20198 and CVE-2023-20273, Cisco has found no direct evidence linking these flaws to the group’s operations. Instead, the primary attack vector remains the exploitation of CVE-2018-0171 alongside stolen credentials.
Credential Theft
One of the most critical aspects of Salt Typhoon’s attack strategy is the use of valid but stolen credentials. However, the exact method used to acquire these credentials remains unknown. The group has been observed attempting to extract credentials from network device configurations and to recover the passwords of weakly protected local accounts.
Additionally, the attackers captured SNMP, TACACS, and RADIUS traffic, which allowed them to collect the secret keys shared between network devices and authentication servers, potentially enabling further access into targeted networks.
Abusing Trusted Infrastructure
Salt Typhoon has employed living-off-the-land (LOTL) techniques to blend their activity into normal network operations. By exploiting trusted network infrastructure, the hackers use compromised devices as pivot points, allowing them to move between telecom networks undetected.
These compromised network devices serve multiple purposes:
Intermediate Relays: They help the attackers maintain persistence and evade detection.
Data Exfiltration Points: Compromised devices act as the first hop for outbound data theft operations.
Stepping Stones for Further Attacks: The hackers use these devices to jump to other targets while remaining concealed.
Manipulating Network Configurations for Access
Beyond exploiting vulnerabilities, Salt Typhoon has also been observed modifying network configurations to create local accounts, enable Guest Shell access, and facilitate remote connections via SSH. A custom-built tool named JumbledPath was used to execute packet captures on remote Cisco devices via predefined jump-hosts.
JumbledPath, a Go-based ELF binary, has multiple stealth features:
It clears system logs and disables logging to hinder forensic investigations.
It periodically erases logs such as .bash_history, auth.log, lastlog, wtmp, and btmp to remove traces of unauthorized activity.
By leveraging these tactics, the attackers successfully obfuscate their presence and maintain control over compromised networks.

Advanced Techniques
Salt Typhoon employed additional measures to evade security mechanisms. In particular, they repeatedly modified the loopback interface address of compromised switches. By using these addresses as the source of SSH connections to other devices, they effectively bypassed access control lists (ACLs) in place on those systems.
Cisco noted that the group demonstrated deep expertise in network infrastructure manipulation, which allowed them to remain undetected for an extended period.
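The configuration changes described above (local account creation, Guest Shell, SSH sourcing, loopback re-addressing, and logging being disabled) all leave a trace when a device forwards its config-change log to syslog. The following triage script is an added example, not Cisco's code or the page's own; the log lines, the hostname core-sw1 and the account svc_backup are constructed, and it assumes the Cisco IOS "archive log config" message format.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS "archive log config" syslog lines (not captured from a
# real device). "svc_backup" stands in for a legitimate account used with stolen credentials.
SAMPLE_LOGS = """\
<189>Jan 10 02:11:04 core-sw1 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1/0/1
<189>Jan 10 02:11:05 core-sw1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink
<189>Jan 10 03:40:12 core-sw1 1301: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:username support privilege 15 secret 9 $9$PLACEHOLDER
<189>Jan 10 03:40:20 core-sw1 1302: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:guestshell enable
<189>Jan 10 03:41:02 core-sw1 1303: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:interface Loopback0
<189>Jan 10 03:41:03 core-sw1 1304: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:ip address 10.255.0.77 255.255.255.255
<189>Jan 10 03:42:11 core-sw1 1305: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:ip ssh source-interface Loopback0
<189>Jan 10 03:42:40 core-sw1 1306: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no logging host 10.0.0.5
"""
LINE_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")
# Stateless rules, each tied to one behaviour described in the advisory.
RULES = {
    "local_account_created": re.compile(r"^username \S+ .*\b(secret|password)\b"),
    "guestshell_enabled":    re.compile(r"^guestshell enable\b"),
    "ssh_source_changed":    re.compile(r"^ip ssh source-interface\b"),
    "logging_disabled":      re.compile(r"^no logging\b"),
}

def triage(log_text):
    """Return (user, category, command) for every config change that matches a rule."""
    findings = []
    current_iface = {}  # user -> interface block currently being edited (stateful rule)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd").strip()
        if cmd.startswith("interface "):
            current_iface[user] = cmd.split(None, 1)[1]
            continue
        # An "ip address" change only matters here when it lands inside an "interface LoopbackN" block.
        if cmd.startswith("ip address ") and current_iface.get(user, "").lower().startswith("loopback"):
            findings.append((user, "loopback_readdressed", cmd))
        for category, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append((user, category, cmd))
    return findings

def high_risk_users(findings, threshold=3):
    """Users whose changes span at least `threshold` distinct categories in the log window."""
    cats = defaultdict(set)
    for user, category, _ in findings:
        cats[user].add(category)
    return {u: sorted(c) for u, c in cats.items() if len(c) >= threshold}
```

Any one of these commands can be routine; the combination from a single account in a short window is what the threshold in high_risk_users surfaces.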
Wider Targeting of Cisco Devices
In addition to Salt Typhoon’s operations, Cisco identified a broader pattern of attacks against Cisco devices with exposed Smart Install (SMI) functionality. These attacks also involved the exploitation of CVE-2018-0171, though they were carried out by an unknown threat actor unrelated to Salt Typhoon.
Mitigation Recommendations
Given the severity of these attacks, organizations using Cisco devices should implement robust security measures, including:
Patching Vulnerabilities: Apply security updates to mitigate CVE-2018-0171 and other known flaws.
Strengthening Authentication: Enforce multi-factor authentication (MFA) and strong password policies.
Monitoring Network Traffic: Detect unusual authentication attempts and unauthorized access.
Restricting Device Access: Limit exposure of network management interfaces and disable unnecessary services.
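The credential theft described earlier depends on configurations that store recoverable secrets, and the Smart Install exposure depends on the service being left on. The audit below is an added example (not Cisco's tooling or the page's own) that flags those conditions in a running-config; the excerpt, the hostname edge-rtr2 and all key material are constructed placeholders, and the Smart Install check assumes a platform that supports the service.

```python
import re

# Constructed running-config excerpt (not from a real device); key material is a placeholder.
SAMPLE_CONFIG = """\
hostname edge-rtr2
!
username admin privilege 15 password 7 0822455D0A16
username netops privilege 15 secret 9 $9$PLACEHOLDER
enable password cisco123
!
snmp-server community public RO
snmp-server community private RW
tacacs server AAA1
 address ipv4 10.0.0.9
 key 7 1511021F0725
!
line vty 0 4
 transport input ssh
!
end
"""
# Per-line checks. "password" (type 0/7) and "key 7" values are recoverable by anyone who can
# read the config; "secret 8/9" hashes are not, so those lines are left alone.
CHECKS = [
    ("reversible_user_password", re.compile(r"^username \S+ .*\bpassword\b")),
    ("enable_password_plaintext", re.compile(r"^enable password\b")),
    ("default_snmp_community", re.compile(r"^snmp-server community (public|private)\b")),
    ("snmp_write_community", re.compile(r"^snmp-server community \S+ rw\b", re.I)),
    ("reversible_aaa_key", re.compile(r"^(key\b|(tacacs|radius)-server .*\bkey\b)")),
]

def audit(config_text):
    """Return (line_no, category, line) per weak setting; line_no 0 marks a whole-config finding."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        for category, pattern in CHECKS:
            if pattern.search(line):
                findings.append((no, category, line))
    # Smart Install (the CVE-2018-0171 attack surface) stays on unless "no vstack" is present;
    # assumption: the device is a switch platform that supports Smart Install.
    if not re.search(r"^no vstack\s*$", config_text, re.M):
        findings.append((0, "smart_install_not_disabled", "no vstack"))
    return findings
```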
Conclusion
The Salt Typhoon campaign highlights the persistent threat posed by state-sponsored cyber actors targeting critical infrastructure. By exploiting known vulnerabilities and leveraging stolen credentials, the group has demonstrated remarkable persistence and stealth. Organizations must remain vigilant, prioritize patching, and enhance security controls to defend against such sophisticated threats.