
Salt Typhoon Hacked Nine U.S. Telecoms, Tactics and Techniques Revealed

Salt Typhoon, a state-sponsored Advanced Persistent Threat (APT) group linked to the People’s Republic of China (PRC), has executed one of the most sophisticated cyber-espionage campaigns in recent history.

The group targeted at least nine U.S.-based telecommunications companies throughout 2024, exploiting known vulnerabilities to infiltrate critical infrastructure.

The breach, confirmed in a joint statement by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), exposed customer call-record metadata, the private communications of a limited number of individuals involved in government or political activity, and information subject to U.S. law-enforcement requests, including court-ordered wiretap records.

Salt Typhoon, also tracked under aliases such as Earth Estries, GhostEmperor, and UNC2286, employed a range of advanced TTPs to gain access and maintain persistence within victim networks.

The group exploited widely known but often unpatched vulnerabilities in internet-facing systems: Microsoft Exchange Server (ProxyLogon, CVE-2021-26855, a server-side request forgery chained to remote code execution), Sophos Firewall (CVE-2022-3236, code injection in the User Portal and Webadmin), Fortinet FortiClient EMS (CVE-2023-48788, SQL injection), and Ivanti Connect Secure VPN (CVE-2024-21887, command injection).

Patches had long been available for all four, yet many systems remained exposed; Tenable's report on the campaign found that 91% of ProxyLogon-affected Exchange instances were still unpatched at the time of its analysis.

Salt Typhoon used bespoke malware such as GhostSpider, SnappyBee, and Masol RAT to establish backdoors and maintain long-term access.

These tools were modular, allowing attackers to deploy specific capabilities as needed while evading detection.

Techniques included modifying the registry, creating scheduled tasks, and loading the Demodex kernel-mode rootkit to hide implants on compromised systems.

The group also relied on "living-off-the-land" tradecraft, abusing binaries already present on Windows hosts, such as PowerShell and WMIC, so that its activity blended in with routine administration.

Encrypted channels were used to exfiltrate sensitive data, including call records and wiretap information.

Before transfer, the data was staged in password-protected archives and then sent to external servers controlled by the attackers.
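The behaviours described above (scheduled-task persistence, registry Run-key changes, WMIC and PowerShell living-off-the-land use, and staging of password-protected archives before exfiltration) are exactly what an endpoint hunt should flag. The block below is an example added by the editor, not code from the article, Tenable or any vendor: it runs a handful of process-creation rules over a constructed set of Sysmon-style events. The host names, user names, command lines and path patterns are illustrative assumptions, not real Salt Typhoon telemetry.

```python
"""
Hunting rules for the tradecraft described in the article, applied to
constructed Windows process-creation (Sysmon Event ID 1 style) events.
Example code added by the editor; not from the article or any vendor.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str
    parent: str     # image of the parent process


def _lc(e: ProcEvent) -> str:
    return e.cmdline.lower()


# Each rule is (name, predicate). Predicates check the image first so the
# command-line patterns only apply to the binary they were written for.
RULES = [
    # Persistence: schtasks /create pointing at a user-writable location.
    ("schtasks_persistence_from_user_writable_path",
     lambda e: e.image.lower().endswith("schtasks.exe")
               and "/create" in _lc(e)
               and re.search(r"(appdata|programdata|\\temp\\|\\users\\public)", _lc(e)) is not None),
    # Lateral movement / LOTL: wmic process call create against a remote node.
    ("wmic_remote_process_create",
     lambda e: e.image.lower().endswith("wmic.exe")
               and "process" in _lc(e) and "call" in _lc(e) and "create" in _lc(e)
               and "/node:" in _lc(e)),
    # LOTL: PowerShell launched with an encoded command (-e/-ec/-enc/-encodedcommand).
    ("powershell_encoded_command",
     lambda e: e.image.lower().endswith("powershell.exe")
               and re.search(r"\s-(e|ec|enc|encodedcommand)\s", " " + _lc(e)) is not None),
    # Exfil staging: rar/7z invoked with a password switch (-p or -hp).
    ("password_protected_archive_staging",
     lambda e: e.image.lower().endswith(("rar.exe", "7z.exe", "7za.exe", "winrar.exe"))
               and re.search(r"\s-h?p\S", _lc(e)) is not None),
    # Persistence: reg.exe adding a value under a CurrentVersion\Run key.
    ("run_key_persistence_via_reg",
     lambda e: e.image.lower().endswith("reg.exe")
               and " add " in _lc(e)
               and r"\currentversion\run" in _lc(e)),
]


def evaluate(events):
    """Return a list of (host, rule_name, cmdline) for every rule that fires."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((e.host, name, e.cmdline))
    return hits


# Constructed sample telemetry (assumed names and paths; not real data).
SAMPLE_EVENTS = [
    ProcEvent("telco-jump01", "CORP\\svc_netmgmt", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Updater" /tr C:\ProgramData\up.exe /sc onlogon /ru SYSTEM',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("telco-jump01", "CORP\\svc_netmgmt", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:10.20.30.40 process call create "cmd.exe /c whoami > c:\w.txt"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("telco-fs02", "CORP\\jdoe", r"C:\Program Files\WinRAR\Rar.exe",
              r"rar a -hpS3cret! -r C:\Users\Public\cdr.rar D:\cdr\2024",
              r"C:\Windows\System32\cmd.exe"),
    # Benign: querying a task, not creating one, so no rule should fire.
    ProcEvent("telco-ws17", "CORP\\jdoe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
              r"C:\Windows\explorer.exe"),
    ProcEvent("telco-ws17", "CORP\\jdoe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("telco-ws17", "CORP\\jdoe", r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Svc /t REG_SZ /d C:\Users\Public\svc.exe",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for host, rule, cmd in evaluate(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {cmd}")
```

The rules are deliberately narrow (image plus a command-line feature) rather than keyword matches on the whole command line, which is what keeps the benign `schtasks /query` event silent. In production these would be expressed as Sigma or EDR rules and tuned against the environment's normal administrative activity, since telecom operations teams legitimately use WMIC and scheduled tasks.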

Impact on Telecommunications Sector

The breach targeted major telecom providers such as AT&T, Verizon, T-Mobile, Lumen Technologies, and others.

The attackers accessed over 100,000 routers via compromised network management accounts lacking multi-factor authentication.

This allowed them to intercept call metadata and wiretap information tied to over a million users.

Notably, the attackers obtained records related to lawful intercept systems used by law enforcement to monitor suspects—a significant national security concern.

The campaign underscores China’s focus on cyber espionage for geopolitical leverage.

By targeting telecommunications firms globally, including in Taiwan, Southeast Asia, and Europe, Salt Typhoon sought to gather intelligence on government officials and political activities.

The intrusion also highlighted vulnerabilities in U.S. critical infrastructure that could be exploited during geopolitical tensions or conflicts.

Response Measures

In response to the breaches:

  1. Government Actions: CISA released guidance recommending end-to-end encrypted communications for high-value individuals and hardening of public-facing infrastructure. The White House issued an executive order aimed at strengthening cybersecurity across critical sectors.
  2. Industry Recommendations: Security experts urged telecom companies to patch known vulnerabilities promptly, adopt out-of-band management networks, enforce strict access controls on management interfaces, and deploy monitoring capable of detecting lateral movement within their networks.
  3. Regulatory Proposals: The Federal Communications Commission (FCC) introduced measures requiring annual cybersecurity reporting from telecom providers and proposed funding for the removal of insecure Chinese-manufactured equipment from critical networks.
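The controls in item 2 (out-of-band management, strict access control on the management plane, and centrally enforced authentication, which is also where the missing MFA on the compromised network-management accounts would be fixed) can be checked against a device's running configuration before an attacker does. The block below is an example added by the editor, not guidance text from CISA, the FCC or any vendor: a small lint over Cisco IOS-style configuration text, run against a constructed weak config and a constructed hardened one. The VRF name `MGMT`, the address ranges and the interface name are assumptions. Note the caveat built into the last check: a device config can only show that logins are delegated to a central TACACS+ or RADIUS server; whether that server actually enforces MFA has to be verified on the server side.

```python
"""
Management-plane hardening audit for the recommendations in the article
(out-of-band management, strict access control, central authentication).
Example code added by the editor; not from CISA, the FCC or any vendor.
Patterns target Cisco IOS-style syntax; both configs below are constructed.
"""
import re

# name -> (regex matched per line, True if a match is REQUIRED / False if FORBIDDEN)
CHECKS = {
    "management_in_oob_vrf": (r"^\s*vrf forwarding MGMT\b", True),          # VRF name assumed
    "vty_has_access_class": (r"^\s*access-class\s+\S+\s+in\b", True),
    "ssh_only_transport": (r"^\s*transport input ssh\s*$", True),
    "telnet_disabled": (r"^\s*transport input (telnet|all)\b", False),
    "aaa_enabled": (r"^\s*aaa new-model\s*$", True),
    # Shows delegation to a central server only; MFA itself lives on that server.
    "login_uses_central_aaa": (r"^\s*aaa authentication login default group (tacacs\+|radius)", True),
    "http_server_disabled": (r"^\s*ip http server\s*$", False),
    "https_server_disabled": (r"^\s*ip http secure-server\s*$", False),
}


def audit(config_text: str) -> dict:
    """Return {check_name: passed} for every check in CHECKS."""
    results = {}
    for name, (pattern, must_match) in CHECKS.items():
        found = re.search(pattern, config_text, re.MULTILINE) is not None
        results[name] = found if must_match else not found
    return results


def failures(config_text: str) -> list:
    """Sorted names of the checks a config fails."""
    return sorted(n for n, ok in audit(config_text).items() if not ok)


# Constructed weak config: local password, HTTP/HTTPS admin, telnet, no ACL, no VRF.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 password 0 Summer2024
!
ip http server
ip http secure-server
!
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed hardened config: OOB VRF, management ACL, central AAA, SSH only.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
vrf definition MGMT
 address-family ipv4
!
interface GigabitEthernet0/0
 description out-of-band management (interface name assumed)
 vrf forwarding MGMT
 ip address 10.255.0.2 255.255.255.0
!
ip access-list standard MGMT-HOSTS
 permit 10.255.0.0 0.0.0.255
 deny   any log
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
no ip http server
no ip http secure-server
!
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
 exec-timeout 10 0
"""

if __name__ == "__main__":
    print("weak config fails:", failures(WEAK_CONFIG))
    print("hardened config fails:", failures(HARDENED_CONFIG))
```

This is a line-pattern audit, not a real IOS parser: it does not scope `transport input` to a particular `line vty` block, so a device with several vty ranges needs each block checked. It is enough to catch the configuration shape that let a single management account reach a large router estate without MFA or network-level restriction.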

According to Tenable's report on the campaign, Salt Typhoon serves as a stark reminder of the persistent threat posed by state-sponsored APT groups.

It highlights the urgent need for robust cybersecurity practices across industries to mitigate risks associated with unpatched vulnerabilities and sophisticated adversaries.

As geopolitical tensions rise, securing critical infrastructure remains a top priority for national security agencies worldwide.

Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
