A Chinese nation-state threat group linked to recent attacks on US and global telecom providers remains active, hitting multiple networks worldwide, including two in the United States. Recorded Future’s Insikt Group observed seven compromised Cisco network devices communicating with Salt Typhoon infrastructure on five telecom networks between early December and late January.
Salt Typhoon primarily targeted internet-exposed Cisco network routers over the past couple of months, exploiting vulnerabilities in the Cisco IOS XE operating system to gain root privileges. The group attempted to exploit more than 1,000 Cisco routers worldwide, focusing mainly on those running in telecom networks.
The attack spree underscores the challenge global cyber authorities and network defenders face in thwarting Salt Typhoon’s activities. US officials warned that they may never know if the group has been completely booted from networks.
Salt Typhoon is one of three known active threat groups affiliated with China’s government that US and global cyber authorities have been warning about since early 2024 in connection with Chinese hacking efforts targeting critical infrastructure. The group’s attack on telecom networks began up to two years before it was discovered by US officials in late spring last year.
The incident highlights the need for network defenders to address the risk of Cisco device exploitation, as warned by US and global officials in December. Cisco published a security advisory disclosing multiple vulnerabilities in its web UI feature, urging customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release.
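One concrete way a network defender can act on the advice above is to audit exported running-configs for a web UI that is enabled without any source restriction, which is the posture that leaves an internet-exposed router reachable by anyone. The following Python script is an added example, not code from the article, Recorded Future or Cisco; it assumes the standard IOS XE configuration lines `ip http server`, `ip http secure-server` and `ip http access-class <acl>`, and the sample configs it checks are constructed for illustration.

```python
"""Audit Cisco IOS XE running-config text for an unrestricted web UI.

Added illustration (not from the article or from Cisco). Assumes the standard
IOS XE commands 'ip http server', 'ip http secure-server' and
'ip http access-class [ipv4] <acl>'. Risk levels are this script's own
convention: patching per the vendor advisory is still required in every case.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class WebUiFinding:
    hostname: str
    http_enabled: bool
    https_enabled: bool
    access_class: Optional[str]
    risk: str  # "none", "medium" or "high"


def audit_web_ui(running_config: str) -> WebUiFinding:
    """Parse one device's running-config and classify its web UI exposure."""
    hostname = "unknown"
    http = https = False
    access_class: Optional[str] = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            hostname = line.split(None, 1)[1]
        elif line == "ip http server":
            http = True
        elif line == "ip http secure-server":
            https = True
        elif line.startswith("no ip http server"):
            http = False
        elif line.startswith("no ip http secure-server"):
            https = False
        else:
            # numbered ACL ('access-class 10') or named IPv4 ACL ('access-class ipv4 NAME')
            m = re.match(r"ip http access-class (?:ipv4 )?(\S+)", line)
            if m:
                access_class = m.group(1)

    if not (http or https):
        risk = "none"      # web UI off: safest posture when the feature is unused
    elif access_class is None:
        risk = "high"      # web UI on and reachable from any source address
    else:
        risk = "medium"    # web UI on but limited to the ACL; still upgrade
    return WebUiFinding(hostname, http, https, access_class, risk)


def audit_fleet(configs: Dict[str, str]) -> List[WebUiFinding]:
    """Audit a mapping of device-name -> config text, highest risk first."""
    order = {"high": 0, "medium": 1, "none": 2}
    findings = [audit_web_ui(cfg) for cfg in configs.values()]
    return sorted(findings, key=lambda f: order[f.risk])


# Constructed sample configs (not real devices).
SAMPLE_EXPOSED = "hostname edge-rtr-1\nip http server\nip http secure-server\n"
SAMPLE_RESTRICTED = (
    "hostname edge-rtr-2\nno ip http server\nip http secure-server\n"
    "ip http access-class ipv4 MGMT-ONLY\n"
)
SAMPLE_DISABLED = "hostname core-rtr-3\nno ip http server\nno ip http secure-server\n"

if __name__ == "__main__":
    for f in audit_fleet({"a": SAMPLE_EXPOSED, "b": SAMPLE_RESTRICTED, "c": SAMPLE_DISABLED}):
        print(f"{f.hostname:12} http={f.http_enabled} https={f.https_enabled} "
              f"acl={f.access_class} risk={f.risk}")
```

In practice the config text would come from a configuration backup or an automated `show running-config` collection; the point of the check is to surface devices whose web UI answers to arbitrary source addresses so they can be prioritised for the software upgrade the advisory recommends, or have the feature disabled where it is not needed.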
Source: https://cyberscoop.com/salt-typhoon-china-ongoing-telecom-attack-spree