Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations Worldwide

By Team-CWD, Cyberwire Daily, September 5, 2025


The China-linked advanced persistent threat (APT) actor known as Salt Typhoon has continued its attacks targeting networks across the world, including organizations in the telecommunications, government, transportation, lodging, and military infrastructure sectors.

“While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” according to a joint cybersecurity advisory published Wednesday. “These actors often modify routers to maintain persistent, long-term access to networks.”

The bulletin, courtesy of authorities from 13 countries, said the malicious activity has been linked to three Chinese entities, Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.

These companies, the agencies said, provide cyber-related products and services to China’s intelligence services. Data stolen in the intrusions, particularly those against telecoms and Internet service providers (ISPs), gives Beijing the ability to identify and track its targets’ communications and movements globally.

The countries that have co-sealed the security advisory include Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the U.K., and the U.S.

Brett Leatherman, head of the U.S. Federal Bureau of Investigation’s Cyber Division, said the Salt Typhoon group has been active since at least 2019, engaging in a persistent espionage campaign aimed at “breaching global telecommunications privacy and security norms.”

In a standalone alert issued today, the Dutch intelligence and security services MIVD and AIVD said that while organizations in the country “did not receive the same degree of attention from the Salt Typhoon hackers as those in the U.S.,” the threat actors gained access to routers of smaller ISPs and hosting providers. There is, however, no evidence that the hackers penetrated these networks further.

“Since at least 2021, this activity has targeted organisations in critical sectors including government, telecommunications, transportation, lodging, and military infrastructure globally, with a cluster of activity observed in the U.K.,” the National Cyber Security Centre said.

According to The Wall Street Journal and The Washington Post, the hacking crew has expanded its targeting to other sectors and regions, attacking at least 600 organizations across 80 countries, including 200 in the U.S.

Salt Typhoon, which overlaps with activity tracked as GhostEmperor, Operator Panda, RedMike, and UNC5807, has been observed obtaining initial access by exploiting exposed network edge devices from Cisco (CVE-2018-0171 in Smart Install on IOS/IOS XE, and CVE-2023-20198 and CVE-2023-20273 in the IOS XE web UI), Ivanti (CVE-2023-46805 and CVE-2024-21887 in Connect Secure and Policy Secure), and Palo Alto Networks (CVE-2024-3400 in PAN-OS GlobalProtect).

However, the agencies pointed out that this list of vulnerabilities is not “exhaustive” and that the threat actors may also target other devices for initial access, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls, among others.

“The APT actors may target edge devices regardless of who owns a particular device,” the agencies noted. “Devices owned by entities that do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest.”

The compromised devices are then used to pivot into other networks, in some cases by modifying the device’s configuration and adding a Generic Routing Encapsulation (GRE) tunnel to an attacker-controlled endpoint for persistent access and data exfiltration.

Persistent access to target networks is maintained by altering Access Control Lists (ACLs) to permit attacker-controlled IP addresses, opening standard and non-standard ports (for example, by moving SSH to an alternate port), and running commands in the on-box Linux container (Guest Shell) available on supported Cisco devices to stage tools, process data locally, and move laterally within the environment.
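The persistence artefacts described in the two paragraphs above (a GRE tunnel interface, ACL entries permitting unexpected sources, a non-standard SSH port, and the on-box Linux container being enabled) can all be found by reading a device’s running-config. The following audit is an added example written for this page, not tooling from the advisory or from Cisco; the sample config, the hostname, the addresses and the MGMT_ALLOWLIST range are constructed, and the ACL parser only understands standard (source-only) ACLs.

```python
"""Added example: audit a Cisco IOS-XE style running-config for the
persistence artefacts described in the advisory. The config text and the
management allowlist are constructed for the example."""
import ipaddress

# Assumption (constructed): the operator's legitimate management sources.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample running-config containing each artefact once.
SAMPLE_CONFIG = """\
hostname pe-router-1
!
iox
!
ip ssh port 2222 rotary 1
!
interface Tunnel100
 ip address 172.31.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
ip access-list standard MGMT-VTY
 permit 10.20.0.0 0.0.255.255
 permit host 198.51.100.5
!
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
!
app-hosting appid guestshell
 app-vnic management guest-interface 0
!
"""


def parse_blocks(config):
    """Split an IOS config into (header, child_lines) pairs. Children are
    indented by one space; '!' or a blank line ends a block."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith(" ") and header is not None:
            children.append(line.strip())
            continue
        if header is not None:
            blocks.append((header, children))
            header, children = None, []
        if line and line != "!":
            header, children = line, []
    if header is not None:
        blocks.append((header, children))
    return blocks


def acl_source(tokens):
    """Source network of a standard-ACL permit line: 'any', 'host A', 'A',
    or 'A WILDCARD'. The wildcard is inverted to a netmask explicitly so
    that ipaddress cannot misread 255.255.255.255 as a /32 netmask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1])
    if len(tokens) == 1 or not tokens[1][0].isdigit():   # e.g. 'permit A log'
        return ipaddress.ip_network(tokens[0])
    wild = int(ipaddress.IPv4Address(tokens[1]))
    mask = ipaddress.IPv4Address(wild ^ 0xFFFFFFFF)
    return ipaddress.ip_network((tokens[0], str(mask)), strict=False)


def audit(config, allowlist=MGMT_ALLOWLIST):
    """Return a list of finding strings, one per suspicious config item."""
    findings = []
    for header, children in parse_blocks(config):
        words = header.split()
        if header.startswith("interface Tunnel"):
            dst = next((c.split()[-1] for c in children
                        if c.startswith("tunnel destination")), "unset")
            mode = next((c for c in children if c.startswith("tunnel mode")),
                        "tunnel mode gre ip (IOS default)")
            findings.append(f"tunnel {words[1]} to {dst}: {mode}")
        elif header.startswith("ip access-list"):
            for c in children:
                if not c.startswith("permit"):
                    continue
                try:
                    net = acl_source(c.split()[1:])
                except ValueError:            # non-contiguous wildcard etc.
                    findings.append(f"acl {words[-1]}: unparseable entry '{c}'")
                    continue
                if not any(net.subnet_of(ok) for ok in allowlist):
                    findings.append(f"acl {words[-1]} permits {net} outside allowlist")
        elif header.startswith("ip ssh port"):
            findings.append(f"ssh on non-standard port {words[3]}")
        elif header == "iox" or header.startswith("app-hosting appid guestshell"):
            findings.append(f"on-box container enabled: {header}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The allowlist comparison is what turns a bare ACL diff into a finding: an entry such as `permit host 198.51.100.5` is only suspicious relative to the ranges the operator actually manages from, so the allowlist has to come from your own records rather than from the device. Run the same audit over configs pulled by your config-management system and diff the findings between pulls, since the advisory describes changes made to devices that were previously clean.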

The attackers also abuse the Terminal Access Controller Access Control System Plus (TACACS+) authentication protocol to move laterally across network devices, while conducting extensive discovery and capturing network traffic containing credentials on compromised routers to burrow deeper into the networks.

“The APT actors collected PCAPs using native tooling on the compromised system, with the primary objective likely being to capture TACACS+ traffic over TCP port 49,” the agencies said. “TACACS+ traffic is used for authentication, often for administration of network equipment and including highly privileged network administrators’ accounts and credentials, likely enabling the actors to compromise additional accounts and perform lateral movement.”
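Why a PCAP of TCP/49 taken on the router itself is so valuable: TACACS+ (RFC 8907) does not encrypt its body, it XORs it with an MD5 stream derived from the shared key, and that key is stored in the router’s own configuration, which the actor already controls. The code below, an added example written for this page rather than anything from the advisory, builds a PAP authentication START packet the way RFC 8907 lays it out, obfuscates it with a shared key, parses the header the way a capture tool would, and then recovers the username and password given the key. The key, username, password, port, remote address and session id are all constructed values.

```python
"""Added example: TACACS+ (RFC 8907) header parsing and body obfuscation,
showing that the shared key is all that stands between a TCP/49 capture and
cleartext admin credentials. All values below are constructed."""
import hashlib
import struct

HDR = struct.Struct(">BBBBII")   # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
FLAG_UNENCRYPTED = 0x01          # TAC_PLUS_UNENCRYPTED_FLAG
VERSION_12_1 = 0xC1              # major 0xC, minor 1 (PAP/CHAP use minor version 1)
AUTHEN_LOGIN, PRIV_15, TYPE_PAP, SVC_LOGIN = 0x01, 0x0F, 0x02, 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate and
    truncate to the body length."""
    prefix = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_pap_start(username, password, session_id, key,
                    port=b"tty0", rem_addr=b"10.20.5.7"):
    """Authentication START (RFC 8907 section 5.1) for a PAP login. For PAP
    the cleartext password travels in the data field of this packet."""
    user, pw = username.encode(), password.encode()
    body = bytes([AUTHEN_LOGIN, PRIV_15, TYPE_PAP, SVC_LOGIN,
                  len(user), len(port), len(rem_addr), len(pw)])
    body += user + port + rem_addr + pw
    flags = 0                                   # body is obfuscated, not cleartext
    hdr = HDR.pack(VERSION_12_1, TAC_PLUS_AUTHEN, 1, flags, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION_12_1, 1)


def parse_header(packet):
    """The 12-byte header is never obfuscated, so a capture shows session
    ids, sequence numbers and whether the body is cleartext."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(packet)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length,
            "unencrypted": bool(flags & FLAG_UNENCRYPTED)}


def recover_pap_credentials(packet, key):
    """What an actor does with a captured START and the shared key from the
    router config: strip the pad and read user and password back out."""
    h = parse_header(packet)
    body = packet[HDR.size:HDR.size + h["length"]]
    if not h["unencrypted"]:
        body = obfuscate(body, h["session_id"], key, h["version"], h["seq_no"])
    user_len, port_len, rem_len, data_len = body[4:8]
    off = 8
    user = body[off:off + user_len]
    off += user_len + port_len + rem_len
    data = body[off:off + data_len]
    # A wrong key yields garbage, never an error: TACACS+ has no integrity check.
    return user.decode(errors="replace"), data.decode(errors="replace")


SHARED_KEY = b"constructed-tacacs-key"     # constructed; a real one sits in device config
CAPTURED = build_pap_start("netadmin", "Sup3rS3cret!", 0x1A2B3C4D, SHARED_KEY)

if __name__ == "__main__":
    print(parse_header(CAPTURED))
    print(recover_pap_credentials(CAPTURED, SHARED_KEY))
    print(recover_pap_credentials(CAPTURED, b"wrong-key"))
```

Two practical consequences follow from the code. First, the `unencrypted` flag in the header is readable in any capture, so a TACACS+ deployment that sets it (or that uses a weak, shared-across-the-estate key) leaks credentials to anyone on the path, not just to someone on the router. Second, because the key lives in the device configuration, rotating the TACACS+ key and the administrator credentials it protected is part of recovering any router the advisory’s indicators match, not an optional hardening step.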

On top of that, Salt Typhoon has been observed enabling the sshd_operns service on Cisco IOS XR devices, which listens on TCP port 57722, then creating a local user and granting it sudo privileges so that logging in over that port yields root on the underlying host OS.

Google-owned Mandiant, which was one of the many industry partners that contributed to the advisory, stated the threat actor’s familiarity with telecommunications systems offers them a unique advantage, giving them an upper hand when it comes to defense evasion.

It’s worth pointing out that UNC5807 is a threat cluster distinct from UNC2286, which has previously been identified as overlapping with FamousSparrow and GhostEmperor, according to Google Threat Intelligence Group (GTIG) and Mandiant.

“While some public reporting has associated both UNC5807 and UNC2286 with the ‘GhostEmperor’ alias, Google assesses these to be distinct threat clusters,” Dan Perez, China Mission Lead at GTIG, told The Hacker News. “Our analysis is based on distinctions in their operational tradecraft and motivations.”

“The toolsets used by each group are different. UNC5807 has been observed using a specific and limited set of malware families. In contrast, UNC2286 employs a much broader and more varied arsenal of malicious tools. Additionally their objectives are different. We have observed UNC2286 conducting financially motivated attacks, including ransomware deployment and extortion. The activities attributed to UNC5807, however, are consistent with espionage operations.”

“An ecosystem of contractors, academics, and other facilitators is at the heart of Chinese cyber espionage,” John Hultquist, Chief Analyst at GTIG, told the publication. “Contractors are used to build tools and valuable exploits as well as carry out the dirty work of intrusion operations. They have been instrumental in the rapid evolution of these operations and growing them to an unprecedented scale.”

“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals. Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”

(The story was updated after publication to make it clear that the threat actors are targeting and may target a broad range of edge network appliances.)
