Salt Typhoon Cyberattack: Chinese Threat Actor Exploits Cisco Vulnerability to Target U.S. Telecom Firms

Cisco has confirmed that a Chinese state-sponsored hacking group, Salt Typhoon, successfully infiltrated major U.S. telecommunications companies by exploiting a known vulnerability (CVE-2018-0171) and using stolen credentials.

According to Cisco Talos, the cyber-espionage campaign persisted for more than three years, a duration that reflects the attackers' capabilities and long-term strategic planning.

The threat actors used legitimate, stolen credentials for initial access, though how those credentials were obtained remains unclear. Once on a device, they captured network traffic, specifically SNMP, TACACS+ and RADIUS exchanges, to harvest the authentication material these protocols carry (including the shared secrets configured between network devices and their TACACS+/RADIUS servers), and used it to move deeper into the environment. Salt Typhoon also altered device configurations, created local accounts and enabled remote access over SSH, cementing persistence within the compromised networks.
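Why a passive capture of RADIUS traffic is worth so much to an intruder who already holds a device's configuration: RFC 2865 hides the User-Password attribute only with an MD5-derived keystream computed from the shared secret and the 16-byte Request Authenticator, so anyone holding the capture and the secret (which sits in plaintext or reversible form in a NAS configuration) recovers the password directly. The following is an added example written for this page, not code from Cisco or Talos, and the shared secret, authenticator, account name and password are constructed values. It builds a minimal Access-Request the way a NAS would, then "recovers" the credential from that packet the way an attacker with the secret could.

```python
import hashlib
import struct

ACCESS_REQUEST = 1       # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, then
    c_i = p_i XOR MD5(secret + previous), where 'previous' starts as the
    Request Authenticator and then becomes the previous ciphertext block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, bytearray()
    for i in range(0, len(padded), 16):
        key = _md5(secret, prev)
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: the keystream for block i depends only on the
    secret and ciphertext block i-1, so a passive observer needs no NAS state."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    prev, out = authenticator, bytearray()
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = _md5(secret, prev)
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Minimal Access-Request: Code, Identifier, Length, Authenticator, then
    Type/Length/Value attributes for User-Name and the hidden User-Password."""
    attrs = b"".join(
        struct.pack("!BB", t, 2 + len(v)) + v
        for t, v in ((ATTR_USER_NAME, username),
                     (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    )
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes):
    """Return (authenticator, {attr_type: value}) with basic length checks."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return authenticator, attrs


def recover_credentials(packet: bytes, secret: bytes):
    """What an attacker holding a capture plus the NAS shared secret gets back."""
    authenticator, attrs = parse_access_request(packet)
    return attrs[ATTR_USER_NAME].decode(), unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)


# Constructed sample values (hypothetical): a router authenticating an admin.
SHARED_SECRET = b"example-radius-key"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PACKET = build_access_request(7, b"netadmin", b"Correct-Horse-Battery-7!",
                                     SHARED_SECRET, SAMPLE_AUTHENTICATOR)

if __name__ == "__main__":
    print(recover_credentials(SAMPLE_PACKET, SHARED_SECRET))
```

The lesson for defenders is the pairing: the capture alone is useless, the secret alone is useless, and a compromised device hands over both (the secret from its configuration, the traffic from its own interfaces). Rotating RADIUS and TACACS+ shared secrets after a device compromise, and preferring RadSec or TACACS+ over a protected path, are the corresponding mitigations.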

A key aspect of the operation was the use of already-compromised infrastructure as pivot points to move between telecom networks without drawing attention. The group also deployed JumbledPath, a custom Go-based utility that performs packet captures on a remote device, clears logs and disables logging, which makes forensic reconstruction of the intrusion significantly harder.

Cisco noted that it found no evidence of new Cisco vulnerabilities being exploited in this campaign: the one known vulnerability implicated was CVE-2018-0171 in Smart Install, while valid, stolen credentials remained the primary means of access. Cisco also observed separate, unrelated activity against Cisco devices with Smart Install (SMI) exposed to the Internet, which it has not linked to any known threat actor. The findings underscore the need for organizations to enforce strict credential management, disable Smart Install where it is not required, and patch known vulnerabilities to defend against persistent and well-funded adversaries.
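The indicators the article attributes to the intrusion (unexpected local accounts, SSH enabled on odd ports, tunnel and loopback interfaces added for pivoting, logging disabled, Smart Install left reachable) are all visible in a device's running configuration and, if configuration-change logging is shipped off-box before an attacker can clear it, in syslog. The following is an added example written for this page rather than anything from Cisco or Talos: it runs a set of checks over a constructed IOS-style running-config excerpt and over constructed syslog lines in the format of the IOS config logger (`%PARSER-5-CFGLOG_LOGGEDCMD`) and the standard `%SYS-5-CONFIG_I` message. Hostnames, addresses, account names, hashes and the `EXPECTED_ADMINS` allow-list are hypothetical.

```python
import re

# Constructed IOS running-config excerpt (hypothetical names, addresses, hashes).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$fakehash
username svc_backup privilege 15 secret 5 $1$fakehash
ip ssh port 57722 rotary 7
interface Loopback99
 ip address 10.255.255.1 255.255.255.255
interface Tunnel0
 tunnel source Loopback99
 tunnel destination 198.51.100.20
snmp-server community public RO
snmp-server community s3cr3t RW
line vty 0 4
 rotary 7
 transport input ssh
"""

# Constructed syslog lines; the CFGLOG message is emitted by IOS when
# 'archive' / 'log config' is enabled, CONFIG_I on every config commit.
SAMPLE_LOGS = [
    "Feb 12 03:14:07.121: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:username svc_backup privilege 15 secret 0 Hunter2",
    "Feb 12 03:14:09.004: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:ip ssh port 57722 rotary 7",
    "Feb 12 03:14:11.560: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ntp server 192.0.2.10",
    "Feb 12 03:14:15.880: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no logging on",
    "Feb 12 03:14:18.203: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:no logging console",
    "Feb 12 03:15:02.331: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (203.0.113.9)",
]

EXPECTED_ADMINS = {"netops"}   # hypothetical allow-list of legitimate local accounts

# Configuration commands that warrant review regardless of who issued them.
SUSPICIOUS_COMMANDS = re.compile(
    r"^(username |no logging|ip ssh port |interface (Tunnel|Loopback)|"
    r"snmp-server community |no aaa |clear logging|no archive)", re.I)

CFGLOG = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+)")


def audit_config(config: str, expected_admins: set) -> list:
    """Return (check_id, detail) findings for the persistence and pivoting
    artefacts described in the article, plus two hardening gaps."""
    findings, lines = [], config.splitlines()
    for line in lines:
        if m := re.match(r"username (\S+)", line):
            if m.group(1) not in expected_admins:
                findings.append(("unexpected_account", m.group(1)))
        elif m := re.match(r"ip ssh port (\d+)", line):
            if m.group(1) != "22":
                findings.append(("ssh_nonstandard_port", m.group(1)))
        elif m := re.match(r"interface (Tunnel\S*|Loopback\S*)", line):
            findings.append(("tunnel_or_loopback", m.group(1)))
        elif m := re.match(r"snmp-server community (\S+) RW", line):
            findings.append(("snmp_rw_community", m.group(1)))
    if "no vstack" not in lines:
        # Smart Install is on by default on many switches; 'no vstack' disables it.
        findings.append(("smart_install_not_disabled", "add 'no vstack'; confirm with 'show vstack config'"))
    if not any(l.startswith("logging host") for l in lines):
        findings.append(("no_remote_syslog", "local buffer only; 'clear logging' leaves nothing off-box"))
    return findings


def scan_logs(lines: list, expected_admins: set) -> list:
    """Return (user, command) pairs for config changes by unexpected users or
    for suspicious commands by anyone; CONFIG_I commits by unknown users too."""
    findings = []
    for line in lines:
        if m := CFGLOG.search(line):
            user, cmd = m.group(1), m.group(2).strip()
            if user not in expected_admins or SUSPICIOUS_COMMANDS.match(cmd):
                findings.append((user, cmd))
        elif m := CONFIG_I.search(line):
            if m.group(1) not in expected_admins:
                findings.append((m.group(1), "config change committed"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, EXPECTED_ADMINS) + scan_logs(SAMPLE_LOGS, EXPECTED_ADMINS):
        print(f)
```

The log checks only help if the lines reach a collector the intruder cannot reach: the article's point about JumbledPath disabling logging and clearing logs is exactly why `logging host` to a remote, write-only destination is treated here as a finding in its own right, and why an allow-list of expected administrative accounts is compared against both the configuration and the change log rather than either alone.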