Chinese state-sponsored hacking group Salt Typhoon gained initial access to US telecommunications networks by exploiting Cisco networking devices, it has emerged. The group, also known as Earth Estries, GhostEmperor, and UNC2286, primarily used stolen credentials to infiltrate core infrastructure rather than exploiting software vulnerabilities. The cyber intrusions, which targeted major telecom providers such as Verizon, AT&T, Lumen Technologies, and T-Mobile, remained undetected in some cases for more than three years.

The threat actor has been active since at least 2019, focusing on breaching government agencies and telecommunications infrastructure. Once inside the networks, the hackers intercepted private communications, including those of US government officials, and obtained sensitive information related to court-authorised wiretap requests.

Access through Cisco devices and network expansion

Cisco Talos confirmed that Salt Typhoon’s primary method of entry was through Cisco networking equipment. In most cases, the group used valid login credentials to gain initial access, though how these credentials were obtained remains unclear. A single instance of vulnerability exploitation was identified, involving the Cisco CVE-2018-0171 flaw, but no evidence was found to suggest the use of other known or unknown software vulnerabilities in these breaches.

After establishing access, the attackers extracted additional credentials stored in network device configurations and captured authentication traffic using protocols such as SNMP, TACACS, and RADIUS. These methods enabled them to further penetrate the networks and access additional infrastructure. They also exfiltrated network configurations via TFTP and FTP, retrieving authentication details, weakly encrypted passwords, and network topology data to facilitate lateral movement across systems.

The hackers frequently moved between network devices to avoid detection and leveraged compromised edge infrastructure to pivot into partner telecom networks. Network configurations were manipulated to enable persistent access, including enabling Guest Shell for executing remote commands, modifying access control lists, and creating hidden user accounts.

To further evade detection, the hackers regularly cleared system logs, including authentication and command history logs. Network authentication settings were also altered to bypass security controls. In many cases, after executing commands, they restored system configurations to their original state to minimise suspicion. Another tactic involved modifying loopback interface addresses on compromised switches, allowing them to route SSH connections without triggering security alerts.

Salt Typhoon employed a custom-built tool, JumbledPath, to capture network traffic remotely while obscuring their presence. The utility enabled the group to execute packet captures on targeted Cisco devices through a designated jump-host. It also included features for clearing logs and disrupting logging functions along the attack path, making forensic analysis more challenging. Compiled as an ELF binary for x86-64 architecture, JumbledPath was designed to operate across multiple Linux-based environments, including various networking devices.

The tool allowed attackers to set up a chain of connections, perform packet captures on remote devices, and exfiltrate the data without revealing their actual location. Investigators discovered instances of JumbledPath within compromised Guest Shell environments on Cisco Nexus devices.

Investigators found evidence of unauthorised changes to authentication and authorisation servers, modifications to loopback interface IP addresses, the creation of GRE tunnels, and the addition of hidden local accounts. The hackers also changed SNMP community strings and reconfigured HTTP and HTTPS server settings to avoid detection.

Security researchers have advised organisations to conduct thorough audits of network configurations, monitor authentication and authorisation activity, and analyse system logs for signs of intrusion. Anomalous changes in network behaviour, unexpected modifications to device configurations, and the presence of non-standard services should be investigated. Network administrators are urged to enhance credential security, implement multi-factor authentication, and encrypt network traffic to prevent unauthorised access.
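The audit advice above is easier to act on with a concrete check. The following Python script is an added example, not code from Cisco Talos or from the article: it diffs a device's running configuration against a known-good baseline and classifies each drifted line against the indicator classes the reporting names (new or hidden local accounts, reversible type 7 passwords, changed SNMP community strings, HTTP/HTTPS server changes, GRE tunnels, loopback address changes, Guest Shell/IOx, AAA downgrades, removed logging). Both config texts are constructed samples in IOS-style syntax, and the regex patterns are assumptions of this example rather than a vendor-published indicator list; adapt them to the platforms you operate.

```python
import difflib
import re
from typing import List, Tuple

# A finding is (category, direction, config line); direction is "added" or "removed".
Finding = Tuple[str, str, str]

# Indicator classes for lines that appear in the current config but not the baseline.
# First matching rule wins, so the more specific pattern sits above the general one.
# Command syntax is IOS-style and is an assumption of this example.
ADDED_LINE_RULES = [
    (r"^username \S+ .*\bpassword 7\b", "local account with reversible (type 7) password"),
    (r"^username \S+", "new local account"),
    (r"^snmp-server community \S+ RW\b", "writable SNMP community added"),
    (r"^snmp-server community", "SNMP community changed"),
    (r"^ip http (secure-)?server", "HTTP(S) management server enabled"),
    (r"^interface Tunnel|^ tunnel mode gre", "GRE tunnel configured"),
    (r"^ ip address .* 255\.255\.255\.255$", "loopback/host address changed"),
    (r"^(iox|guestshell)\b", "Guest Shell / IOx enabled"),
    (r"^aaa authentication login .* local$", "AAA login falls back to local only"),
]

# Indicator classes for lines present in the baseline but missing from the current config.
REMOVED_LINE_RULES = [
    (r"^logging host", "remote logging destination removed"),
    (r"^aaa authentication login .*tacacs", "TACACS+ authentication removed"),
]


def config_drift(baseline: str, current: str) -> Tuple[List[str], List[str]]:
    """Return (added_lines, removed_lines) between two config texts, order preserved."""
    added, removed = [], []
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # skip diff headers and hunk markers
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def classify(line: str, rules) -> str:
    for pattern, category in rules:
        if re.search(pattern, line):
            return category
    return "unclassified drift"  # never drop a drifted line silently


def audit_config(baseline: str, current: str) -> List[Finding]:
    """Diff current against baseline and label every drifted line."""
    added, removed = config_drift(baseline, current)
    findings: List[Finding] = [(classify(l, ADDED_LINE_RULES), "added", l) for l in added]
    findings += [(classify(l, REMOVED_LINE_RULES), "removed", l) for l in removed]
    return findings


# Constructed known-good baseline (sample data, not from any real device).
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
aaa new-model
aaa authentication login default group tacacs+ local
tacacs server TAC1
 address ipv4 10.0.0.5
logging host 10.0.0.9
snmp-server community OpsRO RO
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
"""

# Constructed drifted config showing the change classes the article describes.
CURRENT_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 password 7 PLACEHOLDERHEX
aaa new-model
aaa authentication login default local
tacacs server TAC1
 address ipv4 10.0.0.5
snmp-server community OpsRO RO
snmp-server community private RW
ip http server
interface Loopback0
 ip address 10.255.0.77 255.255.255.255
interface Tunnel100
 tunnel mode gre ip
 tunnel source Loopback0
 tunnel destination 203.0.113.10
iox
"""

if __name__ == "__main__":
    for category, direction, line in audit_config(BASELINE, CURRENT_CONFIG):
        print(f"[{direction:7}] {category:45} | {line.strip()}")
```

Run it against a config pulled over an authenticated, encrypted management channel (not the TFTP/FTP transfers the attackers themselves abused), and treat "unclassified drift" as a queue for human review rather than noise: the point of a baseline diff is that any change not made through change control is suspicious until explained.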