Fresh report reveals the methods cyber espionage group Salt Typhoon uses in its attacks
In a joint advisory, 13 government intelligence and cybersecurity agencies have warned about the techniques used by the Chinese state-sponsored Advanced Persistent Threat (APT) group known as Salt Typhoon. The group, also tracked as Operator Panda, RedMike, UNC5807 and GhostEmperor, has been targeting telecommunications, government, transportation, lodging and military infrastructure networks worldwide.
The advisory details that Salt Typhoon frequently targets network-edge devices, including network security appliances. Specific vulnerabilities mentioned include CVE-2024-21887, CVE-2024-3400, CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171. Attackers may exploit these flaws to gain unauthorised access to these devices.
Once inside a network, Salt Typhoon uses compromised routers and virtual private servers as proxies, setting up tunnels to move deeper into networks. The group abuses authentication protocols such as TACACS+ and RADIUS to authenticate and gain further access; for example, attackers may point a router's TACACS+ server configuration at an IP address they control in order to capture authentication requests.
The group also targets the Management Information Base (MIB), various router interfaces, Resource Reservation Protocol (RSVP) sessions, Border Gateway Protocol (BGP) routes, and software installed on devices for abuse. They may search configuration files and provider-held data such as subscriber information, customer records, network diagrams, device configurations, vendor lists, passwords, etc.
To maintain persistence, Salt Typhoon modifies Access Control Lists (ACLs) on devices to add IP addresses controlled by the attackers. They also leverage existing peering connections between networks to exfiltrate data without raising suspicion.
The advisory provides indicators of compromise, TTPs, threat hunting recommendations, YARA rules for activity detection, and case studies with recorded Salt Typhoon activity and commands. It also encourages telecommunications providers to perform threat hunting and incident response activities when necessary.
Compromised routers may show a range of configuration changes, including new accounts, traffic monitoring on interfaces, commands issued over various protocols, newly configured tunnels, updated routing tables, running Guest Shell containers, etc.
In late 2024 and early 2025, Salt Typhoon was revealed to have breached major US telecommunications providers and ISPs, including AT&T, Verizon, T-Mobile, Lumen Technologies, Charter, Consolidated, and Windstream Communications. Salt Typhoon has been linked to multiple Chinese entities, including three technology companies providing cyber-related products and services to the People's Liberation Army and China's Ministry of State Security.
To protect against Salt Typhoon, the report recommends patching known vulnerabilities, regular monitoring of configuration files and logs, disabling outbound connections from management interfaces, disabling unused ports and services, changing default administrative credentials, implementing public-key authentication for admins, phasing out unsupported network devices, hardening management protocols, implementing robust logging, and leveraging best practices for routing and virtual private networks.
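The following script is an added example, not code from the advisory or from any vendor, of what the "regular monitoring of configuration files" recommendation can look like in practice for the changes described above: a redirected TACACS+ server, ACL entries admitting an outside address, new local accounts, SPAN sessions, tunnel interfaces, Guest Shell/IOx and read-write SNMP communities. It scans a Cisco IOS-style running-config against an assumed site policy (the allow-lists, the sample baseline and the sample "current" config are all constructed) and also diffs the config against a stored baseline.

```python
"""Constructed config-audit example (not the advisory's own tooling). Flags the
kinds of router changes described above in an IOS-style running-config and
diffs it against a stored baseline. Policy values below are assumptions."""
import ipaddress
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (category, offending config line)

# Assumed site policy: expected AAA servers, management ranges and local accounts.
ALLOWED_AAA_SERVERS = ["10.0.0.10"]
MGMT_PREFIXES = ["10.0.0.0/24"]
KNOWN_USERS = ["netops"]
IP_RE = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS-style config into (top-level line, indented child lines) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def in_allowed(ip: str, prefixes: List[str]) -> bool:
    """True if ip lies inside an allowed prefix; unparsable text counts as not allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def audit_config(config: str, aaa_servers: List[str], mgmt_prefixes: List[str],
                 known_users: List[str]) -> List[Finding]:
    """Return one finding per suspicious block; an empty list means nothing was flagged."""
    findings: List[Finding] = []
    for parent, children in parse_blocks(config):
        # Covers legacy 'tacacs-server host X' and named 'tacacs server NAME' / ' address ipv4 X'.
        if parent.startswith(("tacacs", "radius")):
            for ip in re.findall(IP_RE, " ".join([parent] + children)):
                if ip not in aaa_servers:
                    findings.append(("aaa-server-unexpected", f"{parent}: {ip}"))
        # ACL permits for single hosts outside the management ranges.
        elif parent.startswith("ip access-list"):
            for child in children:
                m = re.match(r"permit \S+ host " + IP_RE, child)
                if m and not in_allowed(m.group(1), mgmt_prefixes):
                    findings.append(("acl-unexpected-host", f"{parent}: {child}"))
        elif parent.startswith("username "):
            if parent.split()[1] not in known_users:
                findings.append(("unknown-local-user", parent))
        # The remaining items are flagged for review whenever they are present at all.
        elif parent.startswith("interface Tunnel"):
            findings.append(("tunnel-interface", parent))
        elif parent.startswith("monitor session"):
            findings.append(("span-session", parent))
        elif parent == "iox" or "guestshell" in parent:
            findings.append(("iox-guestshell", parent))
        elif parent.startswith("snmp-server community") and re.search(r"\bRW\b", parent, re.I):
            findings.append(("snmp-rw-community", parent))
    return findings


def diff_configs(baseline: str, current: str) -> List[str]:
    """Lines present in current but absent from baseline (context-free; review them in place)."""
    base = {l.strip() for l in baseline.splitlines()}
    return [l.strip() for l in current.splitlines()
            if l.strip() and not l.lstrip().startswith("!") and l.strip() not in base]


# Constructed sample: the baseline recorded at deployment time.
SAMPLE_BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
tacacs server ISE
 address ipv4 10.0.0.10
ip access-list extended MGMT-IN
 permit ip host 10.0.0.20 any
line vty 0 4
 access-class MGMT-IN in
"""

# Constructed sample: the same device after the kinds of changes described above.
SAMPLE_CURRENT = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
tacacs server ISE
 address ipv4 10.0.0.10
tacacs-server host 203.0.113.45
ip access-list extended MGMT-IN
 permit ip host 10.0.0.20 any
 permit ip host 198.51.100.7 any
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
monitor session 1 source interface GigabitEthernet0/1
snmp-server community public RW
iox
line vty 0 4
 access-class MGMT-IN in
"""

if __name__ == "__main__":
    for category, line in audit_config(SAMPLE_CURRENT, ALLOWED_AAA_SERVERS, MGMT_PREFIXES, KNOWN_USERS):
        print(f"[{category}] {line}")
    print("added since baseline:", diff_configs(SAMPLE_BASELINE, SAMPLE_CURRENT))
```

Run against the constructed "current" config, the audit flags the unknown `svc_backup` account, the second TACACS+ server at an address outside the allow-list, the ACL entry for a host outside the management range, the tunnel interface, the SPAN session, the read-write SNMP community and the IOx line, while the baseline produces no findings. The baseline diff is deliberately context-free (a set of stripped lines), which is enough to raise an alert but not to tell which ACL or interface a child line belongs to; the block parser in `audit_config` is what supplies that context.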