Salt Typhoon compromises telecom providers' Cisco devices

Salt Typhoon's latest campaign exploits older vulnerabilities in Cisco edge devices to gain access to the networks of several telecom companies, including two based in the U.S.

Chinese state-sponsored threat group Salt Typhoon breached five telecom companies as part of a threat campaign that targeted more than 1,000 Cisco devices globally, according to Recorded Future's Insikt Group.

Salt Typhoon, which Insikt Group tracks as "RedMike," has become one of the most prominent names in state-backed threat activity. Most notably, the group was behind high-profile breaches of U.S. telecom providers, which were disclosed last fall. Recorded Future researchers found that Salt Typhoon's attacks on telecom providers have continued beyond those initial breaches.

Recorded Future's latest research, published as a blog post Thursday, details a Salt Typhoon campaign observed between December and January in which the threat actor exploited "unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers." More than 1,000 devices were targeted globally, and five companies were compromised in the attacks, including a U.S. telecom and internet service provider and a U.S.-based affiliate of a U.K. telecom provider.

"Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges," the research said. "RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access."

Cisco disclosed CVE-2023-20198 and CVE-2023-20273 as zero-day vulnerabilities in October 2023, with the former being disclosed on Oct. 16 and the latter being discovered a few days later. Security vendor VulnCheck found at the time that threat actors had compromised thousands of exposed Cisco devices by exploiting the flaws. A patch was published Oct. 22.

In a statement from a Cisco spokesperson to Informa TechTarget, the networking vendor shared its security advisory for the aforementioned flaws and directed customers to follow recommendations.

"In 2023, Cisco published a security advisory disclosing multiple vulnerabilities in the web UI feature in Cisco IOS XE software," the spokesperson said. "We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release."

Insikt Group said it observed Salt Typhoon targeting devices in universities across multiple countries, including Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the U.S. and Vietnam. "RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft," Insikt Group said.

Recorded Future also saw Salt Typhoon carrying out reconnaissance of IP addresses owned by Myanmar-based telecom provider Mytel. More than half of the tracked devices were based in the U.S., South America and India, with the rest spanning more than 100 other countries.

Insikt Group assessed that Salt Typhoon's campaign was focused on specific targets, given the large number of Cisco devices exposed to the internet.

"Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet," the blog post read. "Although over 1,000 Cisco devices were targeted, Insikt Group assesses that this activity was likely focussed, given that this number only represents 8% of the exposed devices and that RedMike engaged in periodic reconnaissance activity, selecting devices linked to telecommunications providers."

Jon Condra, senior director of strategic intelligence at Recorded Future, told Informa TechTarget that the team found this campaign after receiving a tip from a partner that enabled them to investigate "high-confidence adversary infrastructure tied to Salt Typhoon."

"We were then able to combine that seed data with Recorded Future's Network Intelligence capabilities to identify the malicious activity and targeting described in the report linked to the command and control infrastructure," he said.

Condra said there may be more compromised organizations than the five telecom companies listed in the report, but to date Recorded Future has only been able to confirm successful exploitation and subsequent activity at those five.

"Essentially, we believe the threat actors compiled a list of potentially vulnerable devices that had their web UIs accessible and were associated with telecommunications companies, and then conducted active vulnerability scans to identify which among them were vulnerable," he said. "From our visibility, our only indication of a successful compromise would be the subsequent establishment of the GRE tunnels to the collection server. We thus cannot rule out that there are more successfully compromised routers beyond those in the report; it is possible they haven't yet actioned their access, or that we can't see the GRE tunnels based on our visibility."
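The two conditions the article turns on, a web UI reachable from the internet and a GRE tunnel added for persistence, are both visible in a device's own configuration. The following is an added example written for this page, not code from the article, Recorded Future or Cisco. It parses the text of an IOS XE `show running-config` and flags the web UI being enabled (`ip http server` / `ip http secure-server`) and any Tunnel interface in GRE mode that is not on an operator-maintained allow-list. The sample configuration, the interface names and the addresses in it are constructed; the allow-list (`known_tunnels`) is assumed to come from the operator's own change records.

```python
"""Audit an IOS XE running-config for exposed web UI and unexpected GRE tunnels.

Added example for this article; not Cisco's, Recorded Future's or the article's code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class ConfigFindings:
    web_ui_enabled: bool = False
    # (interface name, tunnel destination) for GRE tunnels not on the allow-list
    unexpected_gre_tunnels: List[Tuple[str, Optional[str]]] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):   # '!' separates stanzas in IOS configs
            current = None
            continue
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None                     # any other global command ends the stanza
    return interfaces


def audit_config(config: str, known_tunnels: FrozenSet[str] = frozenset()) -> ConfigFindings:
    """Flag web UI exposure and GRE tunnels the operator did not configure."""
    findings = ConfigFindings()
    for line in config.splitlines():
        if line.strip() in ("ip http server", "ip http secure-server"):
            findings.web_ui_enabled = True
    for name, cmds in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        # On IOS/IOS XE a Tunnel interface defaults to GRE over IP, so the
        # 'tunnel mode' line is absent from the running-config unless changed.
        mode = next((c for c in cmds if c.startswith("tunnel mode")), "tunnel mode gre ip")
        if "gre" in mode and name not in known_tunnels:
            dest = next((c.split()[-1] for c in cmds if c.startswith("tunnel destination")), None)
            findings.unexpected_gre_tunnels.append((name, dest))
    return findings


# Constructed sample running-config (hypothetical device; RFC 5737 test addresses).
SAMPLE_CONFIG = """\
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
!
interface Tunnel0
 description backbone link, in change records
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.1
!
interface Tunnel1000
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
"""

if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG, known_tunnels=frozenset({"Tunnel0"}))
    print("web UI enabled:", result.web_ui_enabled)
    for name, dest in result.unexpected_gre_tunnels:
        print(f"unexpected GRE tunnel {name} -> {dest}")
```

Run against periodic config backups, a diff between two runs is enough to surface a tunnel that appeared without a change ticket; the allow-list keeps legitimate backbone tunnels quiet. The web UI check only says the feature is on, whether it is reachable from the internet still depends on the device's ACLs and the edge filtering in front of it.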

Alexander Culafi is a senior information security news writer and podcast host for Informa TechTarget.