Features 23.09.2025

How Scared Should CISOs Be of Salt Typhoon?

The Chinese APT group is on the hunt for high-value targets.

Danny Bradbury explores what organisations need to do to harden systems against a sophisticated nation-state actor

Advanced persistent threat (APT) groups have a history of daring attacks against high-profile targets. Often government-linked, they excel at sophisticated hacks, generating big payoffs. Sometimes these are financial (as with North Korea’s APT groups), but more often, they’re information-based.

Knowledge is power, and on that basis, rarely has an espionage group been as powerful as Salt Typhoon.

Many names, one group

Linked to Beijing, this group is also known under other names, such as Operator Panda, RedMike, UNC5807, and GhostEmperor. It has wreaked so much havoc that the Five Eyes nations collaborated to release a technical advisory report on its activities in August. It has been operating since at least 2021, and is highly sophisticated and determined, automating intrusions to target organisations at scale.

“These nation-state threat actors are becoming increasingly more strategic in their large-scale operations. We’re seeing more and more precision attacks that take longer for initial access, but yield higher results,” ProCircular CTO, Brandon Potter, tells Assured Intelligence. “That’s a shift from the majority of threat actors that are looking for the path of least resistance.”

In other words, Salt Typhoon isn’t rattling doorknobs so much as finding a target address, scouting out which locks are in use, and then picking them with intent, because it knows that the information it wants is inside.

How Salt Typhoon works

Taking a more targeted approach doesn’t mean that these groups need to burn zero-days to get inside their target organisations. They still gain initial access to systems by exploiting known CVEs in many cases. Ivanti, Cisco, and Palo Alto Networks are among the vendors targeted.


The group will attack routers and virtual private servers (VPS) that are vulnerable to these exploits, often opening closed ports for services including SSH, along with non-standard ports, all of which allow it to regain access.

Once in, it moves laterally with precision and expertise. It will look for internal SSH-compatible nodes to compromise, but it also often utilises Terminal Access Controller Access Control System Plus (TACACS+), a network security protocol initially developed by Cisco and now an open standard. The TACACS+ server acts as a hub for authentication and authorisation to multiple resources in the organisation.

Another favourite technique of Salt Typhoon’s is virtualised container exploitation. It will abuse Cisco Guest Shell and similar container environments. This makes it easier to prepare tooling and process data on the sly, and to move laterally through the system.

Container abuse is difficult to detect through traditional syslog monitoring because activity inside the container is hidden from the host's normal logging. It calls for specialised detection that combines authorisation and authentication logs.

For this reason, examination of container logs is a good idea. However, that might present challenges in practice.

“It’s difficult for many folks because traditional security controls, such as EDR, don’t have visibility into containerised environments,” Potter says. “So activity is frequently hidden, especially for those organisations that are not leveraging containerisation technologies as part of daily operations. It’s a blind spot you only know about after something happens.”

After infiltrating and then spreading laterally through the target organisation, the next step for Salt Typhoon is to identify the most valuable information and extract it. It utilises tunnelling for command and control and data exfiltration, enabling it to extract sensitive data discreetly.

“One example of this is their observed abuse of Generic Routing Encapsulation (GRE) to create network tunnels for command and control traffic,” says Joseph Avanzato, security operations and forensics group leader at Varonis. “That’s an advanced tactic not commonly observed in breaches we handle, where most often C2 traffic is tunnelled within HTTPS communications.” IPsec tunnelling is another favourite tactic of this group.
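The tunnelling and container behaviour described above is hard to catch from one log source alone. The following added example (not code from the article, the advisory or the vendors quoted) sketches the kind of correlation the quoted practitioners are pointing at: it reads constructed Cisco IOS-style syslog lines and raises an alert when a tunnel interface comes up shortly after a configuration change made by a session whose login came from outside an assumed management subnet or on a non-standard SSH port. The subnet, host, users and addresses are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample lines in Cisco IOS syslog style; the host, users and
# addresses are invented for this example, not taken from any real incident.
SAMPLE_LOGS = """\
Jan 10 02:14:07 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.5.20] [localport: 22] at 02:14:07 UTC Fri Jan 10 2025
Jan 10 02:16:30 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.5.20)
Jan 10 03:41:12 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 2222] at 03:41:12 UTC Fri Jan 10 2025
Jan 10 03:42:05 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)
Jan 10 03:42:09 edge-rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
"""

# Assumed policy: management logins come only from this subnet and only on port 22.
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
WINDOW = timedelta(minutes=15)

LOGIN = re.compile(r"LOGIN_SUCCESS: .*\[user: (\S+)\] \[Source: (\S+)\] \[localport: (\d+)\]")
CONFIG = re.compile(r"CONFIG_I: Configured from \S+ by (\S+) on \S+ \((\S+)\)")
TUNNEL = re.compile(r"UPDOWN: Line protocol on Interface (Tunnel\d+), changed state to up")

def _ts(line):
    # Syslog lines carry no year; only differences between timestamps matter here.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")

def suspicious_login(src, port):
    """True when the login came from outside the management subnet or to a non-standard port."""
    addr = ipaddress.ip_address(src)
    return port != 22 or not any(addr in net for net in MGMT_NETS)

def find_tunnel_alerts(log_text):
    """Correlate login, config-change and interface events: alert when a tunnel
    comes up within WINDOW of a config change made by a suspicious session."""
    sessions = set()  # (user, src) pairs from suspicious logins
    changes = []      # (time, user, src) config changes made by those sessions
    alerts = []
    for line in log_text.splitlines():
        if m := LOGIN.search(line):
            if suspicious_login(m.group(2), int(m.group(3))):
                sessions.add((m.group(1), m.group(2)))
        elif m := CONFIG.search(line):
            if (m.group(1), m.group(2)) in sessions:
                changes.append((_ts(line), m.group(1), m.group(2)))
        elif m := TUNNEL.search(line):
            for when, user, src in changes:
                if timedelta(0) <= _ts(line) - when <= WINDOW:
                    alerts.append({"interface": m.group(1), "user": user, "source": src})
    return alerts
```

Running `find_tunnel_alerts(SAMPLE_LOGS)` flags only the second session: the netops login from the management subnet on port 22 produces no alert even though it also changed the configuration.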

Everyone’s at risk

The target organisations for these attacks seem to have initially been telcos, but that is changing quickly. Telcos and ISPs are certainly a major focus, but the Five Eyes report states that Salt Typhoon will happily attack edge devices regardless of who owns them, so that it can reuse those assets in later operations.

Salt Typhoon has also targeted other industries that can help enhance Chinese intelligence.


“The data stolen through this activity against foreign telecommunications and internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the report says.

Should CISOs be worried about Salt Typhoon? Absolutely. At least eight US telcos have been hit, giving the attackers access to highly sensitive targets, including the phones of senior politicians and even presidential candidates.

This focus on devices attached to telco networks but owned by sensitive third-party targets highlights a critical point. Salt Typhoon has tapped into a source that impacts thousands of potential downstream customers and partners. All modern organisations rely on telecommunications.

In an interview with the Wall Street Journal, a senior FBI official says that the campaign has affected over 600 companies across more than 80 countries. Government, military and critical infrastructure have all been targeted with multi-year persistent access. These attacks have led to the theft of metadata from over a million US mobile phone users, along with access to wiretapping systems. The attackers reportedly collected call audio in real time.

Defensive measures

Anyone using an ISP or telco is potentially at risk, yet it is the upstream companies themselves that typically serve as the point of ingress or information harvesting. With this in mind, what should companies do?

One thing to look at is the security of key employees, especially in large or high-risk organisations. CISA has already advised individuals to use end-to-end encrypted (E2EE) messaging rather than standard SMS to help keep their communications safe from prying eyes.


There are other measures organisations can take right now to mitigate the broader risk to their systems. Patching the CVEs in CISA’s Known Exploited Vulnerabilities (KEV) catalogue is a must, with a special focus on those devices known to be at risk, such as Cisco IOS XE, Ivanti Connect Secure, and Palo Alto GlobalProtect.

The Five Eyes group also advises disabling vulnerable services, including Cisco Smart Install, and its Guest Shell containers. It also suggests turning off all unused ports and protocols, as well as disabling unencrypted protocols like Telnet, FTP, and HTTP.

Strengthening authentication methods will help make it more difficult for Salt Typhoon to gain access. One notable piece of advice is disabling password authentication altogether where operationally feasible, in favour of public-key authentication and multifactor authentication (MFA).

Management traffic should be moved to out-of-band networks with access restricted to specific IPs and subnets, while traffic egress should also be tightly controlled. Default credentials should be changed and all authentication credentials should be rotated regularly. Login attempts should be limited with lock-out windows to avoid brute-forcing, and analysed for suspicious activity.

There are plenty of other recommendations in the report, but most of them come down to system hardening best practice, with a little extra Salt Typhoon-specific defence thrown in. There is a snippet about encrypting TACACS+ or RADIUS secrets, for example.
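As an added example of turning the hardening steps above into a repeatable check (this is not code from the article or the advisory), the following script audits two constructed Cisco IOS XE-style configuration fragments against them: Smart Install and the IOx framework that Guest Shell depends on disabled, HTTP and Telnet off, a login lockout set, public-key SSH authentication enforced, the TACACS+ key not stored in plaintext, and vty access restricted to a management ACL. The command spellings are the author's understanding of IOS XE syntax and should be checked against the platform in use; the configs, ACL name and secret are placeholders.

```python
import re
# Constructed Cisco IOS XE-style config fragments (invented samples, not from any real
# device); command spellings are the author's assumption and should be checked per platform.
WEAK_CONFIG = """\
iox
ip http server
tacacs server tac1
 key 0 SharedSecret
line vty 0 4
 transport input telnet ssh
"""
# The same device after the hardening steps; the type 6 key value is a placeholder.
HARDENED_CONFIG = """\
no vstack
no iox
no ip http server
login block-for 120 attempts 3 within 60
ip ssh server algorithm authentication publickey
tacacs server tac1
 key 6 PLACEHOLDER_ENCRYPTED_SECRET
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# (finding reported when the check fails, line regex, True if the line must be present,
#  False if its presence is the problem)
CHECKS = [
    ("Smart Install not explicitly disabled (no vstack)", r"^no vstack$", True),
    ("IOx framework enabled (Guest Shell depends on it)", r"^iox$", False),
    ("Unencrypted HTTP management server enabled", r"^ip http server$", False),
    ("Telnet permitted on vty lines", r"^\s+transport input .*\btelnet\b", False),
    ("No login lockout configured", r"^login block-for \d+ attempts \d+ within \d+$", True),
    ("Public-key SSH authentication not enforced", r"^ip ssh server algorithm authentication publickey$", True),
    ("TACACS+ key stored in plaintext (type 0)", r"^\s+key 0 ", False),
    ("vty access not restricted with an access-class", r"^\s+access-class \S+ in$", True),
]

def audit(config):
    """Return the findings for one config text; an empty list means every check passed."""
    findings = []
    for finding, pattern, must_be_present in CHECKS:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present != must_be_present:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```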

The best advice is to implement multiple protections and avoid a fire-and-forget mentality, warns Avanzato.

“Invest in a defence-in-depth posture with relevant security platforms and people to monitor said platforms,” he says. “We often see organisations purchase and implement a tool then completely ignore the alerts it generates, leaving them no better off than if they had not purchased it at all.”

Salt Typhoon has already mounted what US senators have called the worst telecommunications attack in the country’s history. No one – from the biggest telco to the smallest customer – can be too careful.
