Salt Typhoon: A Persistent Cyber Threat
In today’s digital age, cyber threats are evolving at an unprecedented pace, with groups like Salt Typhoon leading the charge. This sophisticated hacking group has been linked to numerous high-profile cyberattacks, particularly targeting telecommunications and critical infrastructure. Their operations blend traditional hacking methods with innovative techniques, such as exploiting public-facing applications and manipulating user accounts. Notably, Salt Typhoon has exploited vulnerabilities like CVE-2024-21887 and CVE-2024-3400, allowing them to infiltrate networks and steal sensitive data. Their collaboration with Chinese tech firms enhances their capabilities, providing them with advanced tools for cyber espionage. This article delves into Salt Typhoon’s tactics and the broader implications for global cybersecurity.
Tactics and Techniques of Salt Typhoon
Exploit Public-Facing Applications
Salt Typhoon is known for exploiting public-facing applications to gain initial access to target networks. In the MITRE ATT&CK framework this falls under the Initial Access tactic (TA0001), and in practice it means exploiting known vulnerabilities in widely used software. For example, they have exploited CVE-2024-21887 in Ivanti Connect Secure and CVE-2024-3400 in Palo Alto PAN-OS GlobalProtect. Both vulnerabilities allow attackers to execute arbitrary commands and gain unauthorized access to sensitive data.
Account Manipulation
Salt Typhoon employs account manipulation, specifically by adding SSH authorized keys. This technique, identified as T1098.004, involves adding attacker-controlled SSH public keys to the root or other user accounts on compromised devices. This gives them persistent access, allowing them to maintain control and continue espionage activities undetected. Because the planted key bypasses password-based authentication, logins with it look like routine key-based administrative access, which makes the unauthorized use difficult for defenders to distinguish from legitimate logins.
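A defensive check for this technique is to compare every key in the authorized_keys files collected from a device against the fingerprints that change management has approved. The following is an added example written for this article, not code from the article or from any referenced advisory; the authorized_keys contents, the fabricated key blobs and the approved baseline are all constructed for illustration.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (options, key_type, blob, comment) for each key line in the file."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted options such as command="..." intact
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; sshd ignores it as well
        yield tokens[:idx], tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:])

def audit(files: dict, approved: set) -> list:
    """Report every key not in the approved baseline, with context for triage."""
    findings = []
    for user, text in files.items():
        for options, key_type, blob, comment in parse_authorized_keys(text):
            fp = fingerprint(blob)
            if fp in approved:
                continue
            findings.append({"user": user, "fingerprint": fp, "comment": comment,
                             "privileged": user == "root",
                             "forced_command": any(o.startswith("command=") for o in options)})
    return findings

# Constructed sample data: the blobs are fabricated base64, not real public keys.
def fake_blob(seed: str) -> str:
    return base64.b64encode(seed.encode()).decode()

SAMPLE_FILES = {
    "root": (
        f"ssh-ed25519 {fake_blob('constructed-admin-key')} admin@jumphost\n"
        "# managed by configuration management\n"
        f'command="/bin/sh" ssh-rsa {fake_blob("constructed-unknown-key")} backup\n'
    ),
    "netops": f"ssh-ed25519 {fake_blob('constructed-netops-key')} netops@laptop\n",
}
APPROVED = {fingerprint(fake_blob("constructed-admin-key")),
            fingerprint(fake_blob("constructed-netops-key"))}
```

Running `audit(SAMPLE_FILES, APPROVED)` reports only the unapproved key on the root account, together with the fact that it carries a forced command.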
Use of GRE Tunnels
Salt Typhoon uses Generic Routing Encapsulation (GRE) tunnels to establish persistent access to compromised networks. By creating GRE tunnels, they can route traffic through compromised devices, masking their activities and evading detection. This technique allows them to maintain a foothold in the network and exfiltrate data without raising suspicion. Their use of GRE tunnels demonstrates their advanced understanding of network protocols.
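One way for defenders to surface an unexpected GRE tunnel is to audit the running configuration of each network device and flag tunnel interfaces whose far end is not a documented endpoint. The example below is added here and is not code from the article; it assumes Cisco IOS-style "interface TunnelN" stanzas, and the configuration excerpt and approved-endpoint baseline are constructed for illustration.

```python
import re

# Constructed Cisco IOS-style running-config excerpt (documentation addresses,
# made up for this example, not real indicators).
SAMPLE_CONFIG = """\
!
interface Tunnel10
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.20
!
interface Tunnel99
 ip address 10.9.9.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
"""

# Tunnel endpoints recorded by change management (constructed baseline).
APPROVED_ENDPOINTS = {"192.0.2.20"}

def parse_tunnels(config: str) -> list:
    """Collect one dict per 'interface TunnelN' stanza with its tunnel settings."""
    tunnels, current = [], None
    for line in config.splitlines():
        if not line.startswith(" "):  # stanza boundary: '!' or a new interface
            m = re.match(r"^interface (Tunnel\S*)", line)
            current = {"name": m.group(1), "mode": "gre ip"} if m else None  # GRE is the IOS default
            if current:
                tunnels.append(current)
        elif current is not None and line.startswith(" tunnel "):
            # e.g. ' tunnel destination 192.0.2.20' -> current['destination'] = '192.0.2.20'
            parts = line.split(None, 2)
            current[parts[1]] = parts[2] if len(parts) > 2 else ""
    return tunnels

def audit_tunnels(config: str, approved: set) -> list:
    """Flag GRE tunnels whose far end is not a documented endpoint."""
    findings = []
    for t in parse_tunnels(config):
        dst = t.get("destination")
        if t["mode"].startswith("gre") and dst not in approved:
            findings.append({"interface": t["name"], "source": t.get("source"), "destination": dst})
    return findings
```

A tunnel with no destination at all is also reported, since an incomplete stanza still deserves a look.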
Brute Force Attacks
Salt Typhoon also employs brute force attacks, targeting password-protected accounts. This technique, mapped to T1110.002, involves systematically trying various username and password combinations until the correct credentials are found. They use automated tools for these attacks, quickly compromising accounts and accessing sensitive information. This highlights the importance of strong password policies and multi-factor authentication.
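The detection side of this technique is a burst of failed logins from one source, followed by a success from that same source, in the device's authentication log. The following detector is an added example, not code from the article; the sshd log lines, the hostname and the addresses are constructed for illustration, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt in syslog format; hosts and addresses are
# documentation values made up for this example, not real indicators.
SAMPLE_LOG = """\
Mar  3 10:15:01 edge1 sshd[2101]: Failed password for root from 203.0.113.10 port 51522 ssh2
Mar  3 10:15:02 edge1 sshd[2102]: Failed password for invalid user admin from 203.0.113.10 port 51523 ssh2
Mar  3 10:15:02 edge1 sshd[2103]: Failed password for invalid user cisco from 203.0.113.10 port 51524 ssh2
Mar  3 10:15:03 edge1 sshd[2104]: Failed password for root from 203.0.113.10 port 51525 ssh2
Mar  3 10:15:04 edge1 sshd[2105]: Failed password for root from 203.0.113.10 port 51526 ssh2
Mar  3 10:15:09 edge1 sshd[2106]: Accepted password for root from 203.0.113.10 port 51530 ssh2
Mar  3 10:20:00 edge1 sshd[2107]: Failed password for netops from 198.51.100.7 port 40001 ssh2
Mar  3 10:21:00 edge1 sshd[2108]: Accepted publickey for netops from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(log: str, year: int = 2025) -> list:
    """Turn matching sshd lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Alert on sources reaching `threshold` failures inside `window`, and on any
    later successful login from a source already flagged (credential guessed)."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, result, user, src in sorted(events):
        if result == "Failed":
            recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window] + [(ts, user)]
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"src": src, "type": "brute_force", "attempts": len(recent[src]),
                               "users": sorted({u for _, u in recent[src]})})
        elif src in flagged:
            alerts.append({"src": src, "type": "success_after_brute_force", "user": user})
    return alerts
```

The list of distinct usernames in the alert helps separate a single-account brute force from a spray across several accounts.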
Exploitation of Cisco Devices
Salt Typhoon has successfully exploited vulnerabilities in Cisco devices, widely used in telecommunications and critical infrastructure. They have targeted over 1,000 Cisco network devices globally, as reported by The Record. By exploiting these devices, they gain access to network configurations, monitor communications, and exfiltrate data. Their focus on Cisco devices underscores their strategic targeting of high-value assets.
Advanced Persistent Threat (APT) Characteristics
Salt Typhoon exhibits characteristics typical of an Advanced Persistent Threat (APT), including stealth, persistence, and a focus on specific industries like telecommunications and government. Their activities align with the strategic objectives of the People’s Republic of China, targeting organizations and sectors of national interest. This alignment provides them with resources and a long-term focus, allowing prolonged campaigns with significant impact.
Targeting of Telecommunications Infrastructure
A key focus of Salt Typhoon’s operations is targeting telecommunications infrastructure. They have been linked to breaches of major U.S. carriers, including AT&T and Verizon, and other telecom firms worldwide. By compromising these networks, they access sensitive communications, including text messages and voicemails, conducting espionage and gathering intelligence on political figures and officials. This highlights the critical importance of securing these networks against sophisticated threats.
Exploitation of Known Vulnerabilities
Salt Typhoon’s success partly stems from exploiting known vulnerabilities in widely used software and hardware. Rather than relying on zero-day exploits, they target organizations that haven’t applied necessary updates, highlighting the importance of timely patch management. Their focus on known vulnerabilities underscores their ability to adapt and exploit weaknesses in network defenses.
Collaboration with Chinese Tech Firms
Salt Typhoon’s operations are supported by collaborations with Chinese technology firms, providing cyber products and services. According to a joint advisory by the NSA and NCSC, companies like Sichuan Juxinhe Network Technology Co. Ltd. and Beijing Huanyu Tianqiong Information Technology Co. are linked to Salt Typhoon’s activities. These collaborations enable access to advanced tools and resources, enhancing their capabilities in cyber espionage.
Persistent and Evolving Threat
Salt Typhoon represents a persistent and evolving threat to global cybersecurity. Despite exposure and sanctions, they continue to adapt and refine their tactics, techniques, and procedures (TTPs) to evade detection and achieve objectives. Their resilience and adaptability demonstrate their ability to maintain operations over several years. Organizations must remain vigilant and proactive in defense strategies to counter the ongoing threat posed by Salt Typhoon and similar APTs.
Final Thoughts
Salt Typhoon exemplifies the persistent and evolving nature of cyber threats today. Despite exposure and scrutiny, they continue refining their tactics to evade detection and achieve objectives. Their focus on exploiting known vulnerabilities and targeting high-value assets like telecommunications infrastructure underscores the need for robust cybersecurity measures. As organizations grapple with challenges posed by advanced persistent threats, timely patch management and strong authentication protocols are crucial. The ongoing collaboration between Salt Typhoon and Chinese tech firms, as highlighted by the NSA and NCSC, complicates the threat landscape, necessitating a coordinated global response to safeguard sensitive information and maintain network integrity.
References
- Bleeping Computer (2024). Global Salt Typhoon hacking campaigns linked to Chinese tech firms.
- The Record (2024). China's Salt Typhoon targets Cisco devices.
- MITRE (2024). MITRE ATT&CK framework.
- MITRE (2024). MITRE ATT&CK technique T1098.004.
- MITRE (2024). MITRE ATT&CK technique T1110.002.