
The US National Security Agency (NSA), alongside cybersecurity agencies from 18 nations, has issued an alert detailing a prolonged cyber-espionage campaign by Chinese state-backed hackers targeting critical global infrastructure.
The attackers, operating under overlapping identities such as “Salt Typhoon,” have compromised telecom networks, lodging providers, government agencies, and transportation systems across multiple continents.
The newly published joint advisory links the campaigns to three Chinese technology firms: Sichuan Juxinhe Network Technology Co., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. These companies provide tools and services to China’s Ministry of State Security (MSS) and People’s Liberation Army (PLA), and form part of what the UK’s NCSC calls a “commercial cyber ecosystem” supporting Beijing's intelligence ambitions.
Mandiant, part of Google Cloud’s Threat Intelligence team, confirmed in a statement Salt Typhoon’s long-term infiltration of global telecom systems. According to Chief Analyst John Hultquist, the actor’s deep familiarity with telecom infrastructure significantly enhances its stealth and ability to evade detection, allowing it to collect, monitor, and track communications across borders.
Known exploits instead of zero-days
The attackers gained access by exploiting publicly known vulnerabilities in edge networking devices such as Cisco, Ivanti, and Palo Alto firewalls. No zero-day exploits were used. Some of the most heavily targeted CVEs include:
- CVE-2023-20198 / CVE-2023-20273 (Cisco IOS XE Web UI)
- CVE-2024-21887 / CVE-2023-46805 (Ivanti Connect Secure VPN)
- CVE-2024-3400 (Palo Alto PAN-OS)
- CVE-2018-0171 (Cisco Smart Install)
Salt Typhoon has shown a preference for living-off-the-land techniques, repurposing built-in admin tools like PowerShell, SNMP, WMIC, and PSEXEC to move laterally through networks. On Cisco routers, the group abused Guest Shell containers to run custom scripts and backdoors, often using encrypted tunnels (GRE/IPsec) for stealthy data exfiltration.
In one case study, attackers captured authentication data by running native packet capture (PCAP) tools on compromised routers, extracting TACACS+ traffic and potentially accessing administrator credentials.
Targets and impact
The advisory documents confirmed intrusions in the US, UK, Canada, Australia, New Zealand, and other NATO-aligned nations. As reported previously, the group breached US broadband providers, including AT&T, Verizon, and Lumen, compromising infrastructure responsible for handling lawful intercept requests, a critical component of US surveillance capabilities.
The attackers also extended their reach into transportation and hospitality sectors, enabling them to monitor physical movements of persons of interest, collect metadata, and map communications.
Trend Micro, tracking the group as “Earth Estries,” uncovered several malware families used in these campaigns, including:
- GHOSTSPIDER – Modular malware with TLS-encrypted communication.
- SNAPPYBEE (Deed RAT) – Used for stealthy persistence and data theft via DLL hijacking.
- MASOL RAT – Linux-based RAT with encrypted payload delivery.
- DEMODEX – Rootkit focused on stealth via control flow obfuscation.
Network defenders should prioritize patching known vulnerabilities, disabling unused services like Guest Shell, and auditing configurations for unauthorized changes. The NSA also suggests enforcing SNMPv3, restricting management interfaces, and monitoring for signs of tunneling or packet capture activity. Finally, consider blocking high-risk ports such as TCP/57722 and non-standard HTTPS/SSH ports.
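The hardening points above (Guest Shell, SNMPv1/v2c, exposed web UI, unexpected tunnels, Smart Install, unrestricted management access) can be checked mechanically against a saved running-config. The script below is an added example, not part of the advisory or any vendor tooling; it assumes Cisco IOS XE configuration syntax for the lines it matches and runs on a constructed sample config.

```python
import re

# Constructed sample of an IOS XE style running-config with weak settings (not from the advisory).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
iox
snmp-server community public RO
snmp-server group NETOPS v3 priv
interface Tunnel0
 ip address 10.9.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.7
!
line vty 0 4
 transport input ssh
"""

# Each pattern is matched against single config lines; a hit is a finding (assumed IOS XE syntax).
PRESENT_IS_BAD = [
    (r"^iox$", "iox enabled (Guest Shell prerequisite); disable unless required"),
    (r"^snmp-server community\s", "SNMPv1/v2c community present; move to SNMPv3 auth/priv"),
    (r"^ip http (secure-)?server$", "web UI (HTTP/HTTPS) enabled; disable or restrict to a management ACL"),
    (r"^interface Tunnel\d+$", "tunnel interface present; confirm it is authorised (GRE/IPsec exfiltration risk)"),
]
# Settings whose absence is the finding (assumed IOS XE syntax).
ABSENT_IS_BAD = [
    (r"^no vstack$", "Smart Install not disabled; add 'no vstack' (CVE-2018-0171)"),
]

def audit_config(text):
    """Return a list of human-readable findings for the given running-config text."""
    lines = text.splitlines()
    findings = []
    for pat, msg in PRESENT_IS_BAD:
        for n, line in enumerate(lines, 1):
            if re.match(pat, line):
                findings.append(f"line {n}: {msg}")
    for pat, msg in ABSENT_IS_BAD:
        if not any(re.match(pat, l) for l in lines):
            findings.append(f"(missing) {msg}")
    # A vty block without an access-class leaves the management plane reachable from any source.
    for n, line in enumerate(lines, 1):
        if line.startswith("line vty"):
            block = []
            for nxt in lines[n:]:          # indented lines that belong to this vty block
                if not nxt.startswith(" "):
                    break
                block.append(nxt.strip())
            if not any(b.startswith("access-class") for b in block):
                findings.append(f"line {n}: '{line}' has no access-class; restrict management sources")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```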
Everyday users can reduce risk by keeping all devices, especially routers and firewalls, updated with the latest firmware, disabling unused services like remote access, changing default passwords, and using strong, unique credentials.