Salt Typhoon, a Chinese state-sponsored threat group, is continuing its campaign against telecom providers worldwide by compromising Cisco network routers. The group's activity shows how exposed telecom infrastructure remains, and it is a growing concern for security teams globally. Recorded Future's latest report finds that Salt Typhoon has compromised multiple networks, with targeted devices spanning more than 100 countries, which illustrates both the group's reach and its methodical tradecraft.
Salt Typhoon has a history of targeting critical infrastructure, but its recent activity marks an escalation in both scale and sophistication. Earlier incidents involved intrusions at major providers; the latest wave shows a broader geographic spread and relies on known, publicly patched Cisco vulnerabilities that many operators have still not addressed. That expansion suggests Salt Typhoon is adapting its approach to work around the security controls it encounters.
How Did Salt Typhoon Exploit Cisco Devices?
The group exploited two known vulnerabilities in the Cisco IOS XE web UI, CVE-2023-20198 and CVE-2023-20273, both disclosed and patched by Cisco in October 2023. CVE-2023-20198 lets an unauthenticated attacker who can reach the web UI (the HTTP or HTTPS server feature) create a local account with privilege level 15. With that account in hand, the attackers then used CVE-2023-20273, a command injection flaw in the same web UI, to obtain root on the underlying operating system. The chain therefore requires a device whose web UI is reachable from the attacker and that has not been upgraded to a fixed release.
“We have not observed other initial access vectors related to this campaign at this time,” stated Jon Condra, senior director of strategic intelligence at Recorded Future.
Which Telecom Networks Were Hit?
Recorded Future identified seven compromised Cisco network devices across five telecom networks, including an unnamed U.S. internet service provider and telecom company, a U.S.-based affiliate of a U.K. telecom provider, a large telecom provider in Thailand, an Italy-based ISP, and a South Africa-based telecom provider. Additionally, universities in nine countries were targeted, possibly indicating an interest in research related to telecom, engineering, and technology.
What Are the Implications for Global Cybersecurity?
The continued attacks by Salt Typhoon underline the difficulty that global cyber authorities face in securing critical infrastructure. A state-sponsored group exploiting widely deployed Cisco devices, using vulnerabilities that were patched well over a year earlier, emphasizes the need for timely patch management and for limiting management-plane exposure. Cisco has urged customers to upgrade to fixed software releases and, for devices that do not need it, to disable the HTTP server feature or restrict it to trusted management addresses.
Addressing these threats requires a coordinated international response and stronger operational discipline within telecom networks. Operators should apply Cisco's hardening guides for NX-OS and IOS XE devices, keep the web UI off the internet, and review local user accounts on edge routers for entries nobody created. Continuous monitoring and proactive vulnerability management are essential to defend against persistent threats like Salt Typhoon.
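The two checks a practitioner would want here are a way to spot the artifacts of the exploit chain described above (an exposed web UI and a privilege-15 account nobody created) and a way to verify the hardening the section recommends. The following Python is an added example written for this page, not code from Recorded Future, Cisco or the article. The implant-check path is the one Cisco published in its October 2023 advisory; the running-config samples, the hostname, the user name svc_backup and the ACL name WEBUI-MGMT are constructed for illustration.

```python
import re

# Cisco's documented check for devices exploited via the web UI in 2023: an HTTP
# POST to this path. A bare hexadecimal string in the response body means the
# implant is present; a clean device answers with an HTML page or an error.
# The network call itself is left to the operator, e.g.
#   curl -k -X POST "https://<device>/webui/logoutconfirm.html?logon_hash=1"
IMPLANT_CHECK_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Constructed sample running-config (not a real device): web UI reachable from
# anywhere and a privilege-15 account the operations team did not create.
SAMPLE_CONFIG = """\
version 17.6
hostname EDGE-RTR-01
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
ip http server
ip http secure-server
"""

# Same constructed device after remediation: HTTP off, HTTPS limited to a
# management ACL, rogue account removed. ACL name WEBUI-MGMT is an assumption.
HARDENED_CONFIG = """\
version 17.9
hostname EDGE-RTR-01
username netops privilege 15 secret 9 $9$REDACTED
ip access-list standard WEBUI-MGMT
 permit 10.0.0.0 0.0.0.255
no ip http server
ip http secure-server
ip http access-class ipv4 WEBUI-MGMT
"""


def implant_response_suspicious(body: str) -> bool:
    """True when the implant-check response body is a bare hex string."""
    return re.fullmatch(r"[0-9a-fA-F]+", body.strip()) is not None


def audit_config(config: str, expected_admins) -> dict:
    """Flag an unrestricted web UI and privilege-15 users not on the approved list."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Exact matches, so 'no ip http server' does not count as enabled.
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    restricted = any(ln.startswith("ip http access-class ") for ln in lines)

    rogue = []
    for ln in lines:
        m = re.match(r"username (\S+) privilege 15\b", ln)
        if m and m.group(1) not in expected_admins:
            rogue.append(m.group(1))

    findings = []
    if (http_enabled or https_enabled) and not restricted:
        findings.append("web UI enabled and not restricted by 'ip http access-class'")
    for user in rogue:
        findings.append(f"privilege-15 user '{user}' not in the approved admin list")

    return {
        "web_ui_enabled": http_enabled or https_enabled,
        "restricted": restricted,
        "rogue_priv15_users": rogue,
        "findings": findings,
    }


def remediation_commands(report: dict, keep_web_ui: bool = False) -> list:
    """IOS XE config lines to apply for the findings; disabling the web UI is simplest."""
    cmds = []
    if report["web_ui_enabled"] and not report["restricted"]:
        if keep_web_ui:
            cmds.append("ip http access-class ipv4 WEBUI-MGMT")  # ACL name assumed
        else:
            cmds += ["no ip http server", "no ip http secure-server"]
    cmds += [f"no username {u}" for u in report["rogue_priv15_users"]]
    return cmds


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG, expected_admins={"netops"})
    for f in report["findings"]:
        print("FINDING:", f)
    for c in remediation_commands(report):
        print("APPLY:  ", c)
    print("hardened findings:", audit_config(HARDENED_CONFIG, {"netops"})["findings"])
```

Feed `audit_config` the output of `show running-config` from each edge router along with the list of admin accounts your team actually provisioned; an unexpected privilege-15 user on a device whose web UI was reachable is exactly the trace the first step of this chain leaves. Removing a rogue account and closing the web UI does not remove an implant already on the device, so run Cisco's POST check (and upgrade to a fixed release) on any router that was exposed while still unpatched.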