Salt Typhoon hackers exploited stolen credentials and a 7-year-old software flaw in Cisco systems

Mateusz Slodkowski/SOPA Images/LightRocket via Getty Images
The Chinese hacking collective has used vulnerabilities in communications infrastructure to breach dozens of telecom providers in the U.S. and overseas.
Internet routing giant Cisco disclosed Thursday that the Salt Typhoon hacking group predominantly made use of stolen victim credentials — and in one instance exploited a seven-year-old, known vulnerability in its software — as part of a widespread hacking campaign where the group burrowed inside troves of telecommunications systems in the U.S. and around the world.
The hackers, tied to Chinese intelligence, mostly gained access to Cisco devices by acquiring victim login information, but in a single case took advantage of a Cisco router flaw that has been publicly documented in the National Institute of Standards and Technology’s vulnerability database for seven years.
Although Cisco released a fix in 2018, unpatched systems remained exposed. The company added that no new Cisco software flaws were discovered during the hacking campaign.
“The use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor,” the blog from Cisco’s Talos threat intelligence group added.
“A vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition, or to execute arbitrary code on an affected device,” NIST’s vulnerability page says of the 2018 software flaw.
Salt Typhoon’s operations involved infrastructure pivoting — the practice of moving laterally across telecom networks and using compromised devices as jump points, often masking their activities to evade detection.
So far, at least nine U.S. telecom companies have been compromised, as well as dozens of others around the world. The cyberspies compromised Cisco platforms at a U.S.-based affiliate of a prominent United Kingdom telecom operator and a South African provider, according to research disclosed last week from Recorded Future, another threat intelligence firm.
“Our findings do not cover the entirety of the Salt Typhoon campaign or all affected infrastructure, as these go beyond the scope of Cisco’s engagement and technology,” a company spokesperson told Nextgov/FCW. “As always, we strongly advise customers to patch known vulnerabilities and follow industry best practices for securing management protocols.”
In December, Nextgov/FCW reported that several hundred organizations — both communications firms and entities in other sectors — were notified that they may be at risk of compromise by the hacking collective.
Salt Typhoon also breached America’s “lawful intercept” systems that house wiretap requests used by law enforcement to surveil suspected criminals and spies. Telecom firms are required to engineer their networks for wiretapping under the Communications Assistance for Law Enforcement Act, which passed in 1994.
The hackers accessed the personal communications of President Donald Trump and Vice President JD Vance, as well as other high-profile political officials tied to the White House. An investigatory body in the Department of Homeland Security was probing the hacks, but the Trump administration cleared it out soon after Inauguration Day. It’s unclear where that investigation stands.
Last month, the Treasury Department sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., accusing the company of having “direct involvement” with China’s Ministry of State Security in the Salt Typhoon infiltrations.
Trump-appointed officials and allies have vowed to exact revenge on China for the hacks, calling for a more offensive deterrent approach in cyberspace, though a specific plan has not yet been publicly put into motion. China’s embassy in Washington, D.C., has repeatedly denied Beijing’s involvement in cyberattacks against U.S. systems, and has often flipped the blame back onto the U.S. for hacks into China-based networks.