Chinese Hackers Use Custom Malware to Spy on US Telecom Networks

A Chinese state-sponsored threat group tracked as Salt Typhoon has been using custom malware to spy on US telecommunications networks. The group has been active since at least 2019 and primarily targets government entities and telecommunications companies.

Recent breaches have confirmed that Salt Typhoon accessed the private communications of some US government officials and stole information related to court-authorized wiretapping requests. A recent report by Recorded Future’s Insikt Group found that Salt Typhoon targeted over 1,000 Cisco network devices in December 2024 and January 2025.

Salt Typhoon gains its foothold in core networking infrastructure mainly with stolen credentials. Exploitation of software flaws has been the exception: in at least one confirmed case the group exploited CVE-2018-0171, a 2018 vulnerability in the Smart Install feature of Cisco IOS and IOS XE software. Once inside, the group uses a custom malware, JumbledPath, to monitor network traffic and steal sensitive data.

JumbledPath is a Go-based ELF binary that lets the attackers start a packet capture on a targeted Cisco device through an attacker-defined jump host, so the capture request does not appear to come from the attackers' own infrastructure. The malware can also disable logging on the device and clear existing logs to remove traces of the intrusion.

To detect Salt Typhoon activity, Cisco recommends monitoring for unauthorized SSH activity on non-standard ports, tracking log anomalies (such as logging being stopped or log files going missing), and inspecting for unexpected configuration changes.

Edge devices from other well-known vendors, including Fortinet, Barracuda and SonicWall, have also been targeted in this kind of campaign, often through zero-day vulnerabilities or compromised credentials.
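The detection guidance above, and the log-tampering behaviour attributed to JumbledPath, lend themselves to a simple triage script. What follows is an added example, not code from the article, Cisco or Cisco Talos: it runs over a constructed Cisco IOS running-config excerpt and constructed syslog lines, and flags SSH moved to a non-standard port, remote logging stopped or logs cleared, and configuration changes from unexpected sources. It also flags the absence of `no vstack`, the command that disables Smart Install, the feature affected by CVE-2018-0171. The trusted management prefix, the expected SSH port, the hostnames, addresses and usernames are all assumptions for illustration; the syslog message shapes follow the generic Cisco IOS formats, but the lines themselves are invented.

```python
"""Triage constructed Cisco IOS syslog lines and a constructed running-config
excerpt for the indicators discussed above: SSH listening on a non-standard
port, remote logging stopped or logs cleared, and configuration changes from
unexpected sources. All sample data below is constructed for illustration."""
import re

# Assumptions for this example: management access is expected only from
# 10.20.0.0/16 and SSH should listen on port 22.
TRUSTED_MGMT_PREFIX = "10.20."
EXPECTED_SSH_PORT = 22

# Commands an intruder would use to impair or erase logging on the device.
ANTI_FORENSIC_CMDS = ("clear logging", "no logging", "no archive")

# Constructed running-config excerpt of a device after tampering: SSH moved to
# port 2222 via a rotary group, no remote syslog host, Smart Install not
# explicitly disabled. Not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip ssh port 2222 rotary 1
archive
 log config
  logging enable
line vty 0 4
 rotary 1
 transport input ssh
"""

# Constructed syslog lines using the generic shapes of Cisco IOS messages.
SAMPLE_SYSLOG = [
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] "
    "[localport: 2222] at 02:14:03 UTC Tue Jan 14 2025",
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)",
    "%SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.20.0.5 port 514 stopped - CLI initiated",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:clear logging",
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.9] "
    "[localport: 22] at 09:00:00 UTC Tue Jan 14 2025",
]

LOGIN_RE = re.compile(r"LOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: (\S+)\] \[localport: (\d+)\]")
CONFIG_RE = re.compile(r"CONFIG_I: Configured from \S+ by (\S+) on (\S+) \((\S+)\)")
LOGHOST_RE = re.compile(r"LOGGINGHOST_STARTSTOP: Logging to host (\S+) port \d+ (started|stopped)")
CMD_RE = re.compile(r"CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.+)$")


def audit_config(config: str) -> list[str]:
    """Return static findings from a running-config excerpt."""
    findings = []
    m = re.search(r"^ip ssh port (\d+)", config, re.M)
    if m and int(m.group(1)) != EXPECTED_SSH_PORT:
        findings.append(f"ssh-nonstandard-port:{m.group(1)}")
    if not re.search(r"^logging host \S+", config, re.M):
        findings.append("no-remote-syslog")
    if not re.search(r"^no vstack\b", config, re.M):
        # 'no vstack' disables Smart Install, the feature CVE-2018-0171 affects;
        # without it the feature may still be reachable on switches that support it.
        findings.append("smart-install-not-disabled")
    return findings


def triage_syslog(lines) -> list[tuple[str, str]]:
    """Return (severity, reason) for each suspicious line; benign lines yield nothing."""
    alerts = []
    for line in lines:
        if m := LOGIN_RE.search(line):
            user, src, port = m.group(1), m.group(2), int(m.group(3))
            if port != EXPECTED_SSH_PORT:
                alerts.append(("high", f"login by {user} from {src} on non-standard port {port}"))
            elif not src.startswith(TRUSTED_MGMT_PREFIX):
                alerts.append(("medium", f"login by {user} from untrusted source {src}"))
        elif m := CONFIG_RE.search(line):
            user, vty, src = m.groups()
            sev = "low" if src.startswith(TRUSTED_MGMT_PREFIX) else "high"
            alerts.append((sev, f"config change by {user} on {vty} from {src}"))
        elif m := LOGHOST_RE.search(line):
            host, state = m.groups()
            if state == "stopped":
                alerts.append(("high", f"remote syslog to {host} stopped"))
        elif m := CMD_RE.search(line):
            user, cmd = m.group(1), m.group(2).strip()
            if cmd.startswith(ANTI_FORENSIC_CMDS):
                alerts.append(("high", f"{user} ran anti-forensic command: {cmd}"))
    return alerts


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("config:", finding)
    for sev, why in triage_syslog(SAMPLE_SYSLOG):
        print(f"{sev:6} {why}")
```

The command-log lines (`%PARSER-5-CFGLOG_LOGGEDCMD`) only exist if `archive` / `log config` / `logging enable` is configured and the logs are shipped off-box before an intruder can clear them, which is why the audit treats a missing `logging host` as a finding in its own right: a device that only logs to its own buffer is exactly the device whose `clear logging` leaves no trace.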

Administrators should patch edge networking devices as soon as fixes are available and disable management features they do not use, such as Smart Install. CVE-2018-0171 was disclosed in 2018, which shows how long an unpatched edge device remains exploitable once it is left exposed.

Source: https://www.bleepingcomputer.com/news/security/salt-typhoon-uses-jumbledpath-malware-to-spy-on-us-telecom-networks