Global Salt Typhoon Hacking Campaigns Linked to Chinese Tech Firms
The U.S. National Security Agency (NSA), the UK's National Cyber Security Centre (NCSC), and partners from over a dozen countries have publicly linked the notorious Salt Typhoon global hacking campaigns to three China-based technology firms.
Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have been found to provide cyber products and services to China's Ministry of State Security and the People's Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon. Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation, lodging, and military networks worldwide, stealing data that can be used to track targets' communications and movements globally.
In particular, over the past couple of years, Salt Typhoon has performed concerted attacks on telecommunication firms to spy on the private communications of individuals worldwide. The breach of these networks allowed the attackers to intercept sensitive information, including text messages, voicemails, and even law enforcement wiretap systems.
The Anatomy of a Cyber Attack
A joint advisory by cyber and intelligence agencies in 13 countries warns that the threat actors have had "considerable success" exploiting widely known and fixed flaws on network edge devices rather than relying on zero-days. Using these flaws, the threat actors gain access to routing and network devices, allowing them to modify access control lists, enable SSH on non-standard ports, create GRE/IPsec tunnels, and exploit Cisco Guest Shell containers to maintain persistence.
"The APT actors may target edge devices regardless of who owns a particular device," explains the joint report. "Devices owned by entities who do not align with the actors' core targets of interest still present opportunities for use in attack pathways into targets of interest." The actors also collected packet captures of authentication traffic, redirected TACACS+ servers, and deployed custom Golang-based SFTP tools ("cmd1," "cmd3," "new2," and "sft") to monitor traffic and steal data.
Prevention is Key
As many of these vulnerabilities have had fixes available for some time, both the NCSC and NSA urge organizations to prioritize patching devices first, then hardening device configurations, monitoring for unauthorized changes, and turning off unused services. It is also recommended that admins restrict management services to dedicated networks, enforce secure protocols such as SSHv2 and SNMPv3, and disable Cisco Smart Install and Guest Shell where not needed.
CISA has previously warned that administrators should disable the legacy Cisco Smart Install (SMI) feature after observing it being abused in attacks by both Chinese and Russian threat actors. Admins are also advised to actively search for signs of compromise, as the campaigns utilize known weaknesses rather than stealthy zero-days.
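As an added illustration of the hardening and monitoring advice above (example code written for this page, not tooling from the advisory or the agencies), the following Python audits a Cisco IOS/IOS XE running-config for the weak settings and persistence indicators the advisory names: Smart Install not disabled, SSHv2 not enforced, IOx enabled (the Guest Shell prerequisite), SSH on a non-standard port, SNMPv1/v2c communities, TACACS+ servers outside a known-good baseline, GRE tunnels, and vty lines with no management access-class. The sample config, its addresses and the KNOWN_TACACS baseline are constructed assumptions.

```python
import re

# Constructed sample running-config; addresses are made up, not from the advisory.
SAMPLE_CONFIG = """\
iox
ip ssh version 1
ip ssh port 2222 rotary 1
snmp-server community public RO
tacacs server AUTH1
 address ipv4 10.0.5.5
tacacs server AUTH2
 address ipv4 198.51.100.77
interface Tunnel0
 tunnel mode gre ip
line vty 0 4
 transport input ssh
"""
# Assumption: the TACACS+ servers this organization actually operates.
KNOWN_TACACS = {"10.0.5.5"}

def audit_config(config, known_tacacs):
    """Return (check, detail) findings for one IOS/IOS XE running-config."""
    findings, block, vty_acl = [], "", True
    if not re.search(r"^no vstack$", config, re.M):  # Smart Install is on by default on many platforms
        findings.append(("smart-install", "not explicitly disabled; add 'no vstack'"))
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append(("ssh-version", "SSHv2 not enforced"))
    if re.search(r"^iox$", config, re.M):  # IOx is the prerequisite for Guest Shell
        findings.append(("guest-shell", "IOx enabled; destroy Guest Shell if unused"))
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented command opens a new block
            block = line.strip()
            if block.startswith("line vty"):
                vty_acl = False
        if m := re.match(r"ip ssh port (\d+) rotary", line):
            findings.append(("ssh-port", f"SSH on non-standard port {m[1]}"))
        elif line.startswith("snmp-server community"):
            findings.append(("snmp", "SNMPv1/v2c community present; move to SNMPv3"))
        elif block.startswith("tacacs server") and (m := re.match(r" address ipv4 (\S+)", line)):
            if m[1] not in known_tacacs:
                findings.append(("tacacs", f"unknown TACACS+ server {m[1]} in '{block}'"))
        elif block.startswith("interface") and line.strip() == "tunnel mode gre ip":
            findings.append(("gre-tunnel", f"{block} is a GRE tunnel; confirm it is sanctioned"))
        elif block.startswith("line vty") and line.strip().startswith("access-class"):
            vty_acl = True  # management sources are restricted by an ACL
    if not vty_acl:
        findings.append(("mgmt-access", "vty lines have no access-class; restrict management sources"))
    return findings
```

Run it over saved `show running-config` output with a baseline of your own TACACS+ servers; an unknown TACACS+ address or an unexpected GRE tunnel is a prompt to check change records, not proof of compromise on its own.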
A Year of Breaches
The new advisories follow years of Salt Typhoon attacks against telecommunications providers and government entities. The group previously breached major U.S. carriers, including AT&T, Verizon, and Lumen, gaining access to sensitive communications such as text messages, voicemails, and even U.S. law enforcement's wiretap systems.
These breaches caused the FCC to order telecoms to secure their networks under the Communications Assistance for Law Enforcement Act (CALEA) and submit annual certifications confirming that they have an up-to-date cybersecurity risk management plan.
A Global Threat
Salt Typhoon also exploited unpatched Cisco IOS XE vulnerabilities to infiltrate more U.S. and Canadian telecoms, where they established GRE tunnels for persistent access and stole configuration data. The threat actors used custom malware known as JumbledPath to monitor and capture traffic from telecom networks.
Consequences of Inaction
In addition to telecom breaches, Salt Typhoon was linked to a nine-month breach of a U.S. Army National Guard network in 2024, during which they stole configuration files and administrator credentials that could be used to compromise other government networks.
This highlights the global nature of the threat, with Salt Typhoon hackers targeting not only civilian networks but also military installations. The use of custom malware such as JumbledPath and GhostSpider further demonstrates the sophistication and reach of these hacking campaigns.
Conclusion
The discovery of Salt Typhoon's connection to Chinese tech firms serves as a stark reminder of the evolving threat landscape in cyberspace. As cyber attacks continue to escalate, it is essential for organizations to prioritize cybersecurity measures, including patching devices, hardening configurations, and monitoring for unauthorized changes.