Salt Typhoon Exposed: 600 Organizations Across 80 Countries Hit by Chinese State Hackers

A 13‑country advisory details Salt Typhoon’s router‑centric espionage: 600+ organizations across 80 countries, exploitation of Cisco, Ivanti and PAN‑OS devices, TACACS+ credential capture, and GRE tunnels for persistence.


Figure: A global telecom backbone map showing router silhouettes, red GRE tunnel arcs, and a badge reading "600 orgs - 80 countries".

Breaking Intelligence

  • A 13‑country joint advisory led by the FBI and allied cyber agencies details years‑long espionage by the China‑linked APT “Salt Typhoon,” which breached at least 600 organizations across 80 countries, with a sustained focus on telecommunications backbones, government, transportation, lodging, and military networks. The advisory attributes the operations to a contractor ecosystem tied to three Chinese companies that provide cyber services to state intelligence.

  • Initial access comes from exploiting edge devices and abusing credentials on Cisco, Ivanti, and Palo Alto gear, followed by pivoting through trusted interconnects. Tactics include GRE tunnels for stealthy persistence and on‑device packet capture (PCAP) of TACACS+ traffic on TCP/49 to harvest administrator credentials, which enables lateral movement across network devices.

Exploitation Techniques

  • Router and edge focus: Targeting PE/CE and backbone routers of major telecoms and smaller ISPs and hosting providers, modifying configurations to add attacker IPs, open non‑standard ports, and persist via GRE tunnels for data exfiltration and covert access.

  • Credential capture: Capturing TACACS+ traffic (TCP/49) via on‑device packet capture to obtain highly privileged network admin accounts, then using those TACACS+ credentials for lateral movement across multi‑vendor network estates.

  • Known CVEs leveraged: Cisco IOS/IOS XE, including CVE‑2018‑0171, CVE‑2023‑20198, and CVE‑2023‑20273; Ivanti Connect Secure (CVE‑2023‑46805, CVE‑2024‑21887); Palo Alto PAN‑OS command injection (CVE‑2024‑3400).

Targets and Impact

  • Telecommunications: Long‑term router persistence allows access to call detail records, exposure of lawful intercept (LI) metadata, and subscriber geo‑location; reports indicate that communications metadata of U.S. senior leadership was among the affected data sets.

  • Broader sectors: Targeting of hospitality and transportation supports physical tracking and person‑centric surveillance across borders.

Named Chinese Companies

  • The advisory and parallel reporting cite Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology as supporting entities, with sanctions already applied in some cases.

Threat Hunting Indicators

  • Network plane

    • Unexplained GRE tunnel interfaces and new tunnel destinations on edge routers; anomalous ACL entries that add external IPs.

    • Packet‑capture jobs or native capture tooling enabled on routers, especially filtering for TCP/49 (TACACS+); unusual egress to rare ASNs from network devices.

  • Auth plane

    • TACACS+ authentication spikes, privilege escalations, or admin account use from atypical management IPs; new TACACS+ servers configured without change tickets.

  • Config integrity

    • Unauthorized on‑box Linux container processes on Cisco platforms; sshd_operns enabled and listening on high ports such as TCP/57722; a new local sudo user.
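A starting point for the network‑plane and config‑integrity checks above, as an added example that is not from the advisory or any vendor tool: it scans a text dump of a Cisco IOS/IOS XE device (running‑config plus capture and IOx lines) for unapproved GRE tunnel destinations, ACL entries permitting external hosts, capture filters matching TACACS+ (TCP/49), and on‑box app hosting. The sample output, the approved‑peer list, the management range and the command spellings matched are assumptions for this example; adapt the patterns to your platform’s syntax.

```python
import ipaddress
import re

# Constructed sample device output; every address, interface and name is made up.
SAMPLE = """\
interface Tunnel100
 tunnel destination 203.0.113.77
 tunnel mode gre ip
interface GigabitEthernet0/0/0
 ip address 10.10.1.1 255.255.255.0
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.9 any eq 22
ip access-list extended CAP-TACACS
 permit tcp any any eq tacacs
monitor capture CAP1 access-list CAP-TACACS
iox
app-hosting appid shell1
"""

APPROVED_TUNNEL_PEERS = {"192.0.2.10"}  # GRE peers backed by a change ticket (assumed)
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # internal management range (assumed)

def is_mgmt(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def hunt(text: str) -> list[str]:
    """Return one finding per line that matches a Salt Typhoon router indicator."""
    findings, tunnel = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("interface "):
            # Remember when we are inside a Tunnel block (IOS tunnels default to GRE/IP)
            tunnel = line.split()[1] if line.startswith("interface Tunnel") else None
        elif tunnel and line.startswith("tunnel destination "):
            dst = line.split()[2]
            if dst not in APPROVED_TUNNEL_PEERS:
                findings.append(f"GRE: {tunnel} -> unapproved destination {dst}")
        elif line.startswith("permit ") and re.search(r"\beq (tacacs|49)\b", line):
            findings.append("CAPTURE: ACL matches TACACS+ (TCP/49), likely a capture filter")
        elif line.startswith("permit "):
            # Host-specific ACL entries from outside the management range are suspect
            m = re.search(r"host (\d+\.\d+\.\d+\.\d+)", line)
            if m and not is_mgmt(m.group(1)):
                findings.append(f"ACL: external host {m.group(1)} permitted")
        elif line.startswith("monitor capture "):
            findings.append(f"CAPTURE: packet capture configured: {line}")
        elif line.split()[0] in ("iox", "app-hosting", "guestshell"):
            findings.append(f"CONTAINER: on-box app hosting present: {line}")
    return findings
```

Run it against a periodic config export and diff the findings between runs; a new line in the output is a change that should have a ticket behind it.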

Network Hardening Measures

  • Edge upgrades and lock‑down

    • Patch or upgrade Cisco IOS/IOS XE/IOS XR, Ivanti Connect Secure, and PAN‑OS per the vendor advisories for the CVEs listed above; remove management interfaces from public exposure and enforce out‑of‑band administration via VPN and allowlists.

    • Disable or strictly control GRE; require explicit approval for new tunnels; continuously diff configurations and alert on GRE and ACL changes.

  • Auth and monitoring

    • Enforce TACACS+ over encrypted channels with integrity protection; centralize TACACS+ on hardened servers; monitor for packet‑capture enablement on routers and high‑rate TCP/49 flows.

    • Export NetFlow/IPFIX from network devices into the SIEM; alert on device‑to‑internet egress except to approved update and telemetry endpoints.

  • Supply‑chain posture

    • Validate carrier interconnects and MSP‑managed CE routers; require configuration attestation and periodic third‑party audits; segment management planes from production traffic.
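A minimal flow‑telemetry rule set for the NetFlow/IPFIX and TACACS+ monitoring items above, as an added example rather than anything from the advisory or a particular SIEM: it flags device‑to‑internet egress outside an allowlist (calling out GRE, IP protocol 47, explicitly), TCP/49 sessions to any host that is not a sanctioned TACACS+ server, and a per‑source burst of TCP/49 sessions. The device inventory, allowlists, threshold and sample flow records are all constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed inventory and policy (not from the advisory); tune to your estate.
DEVICE_IPS = {"10.10.1.1", "10.10.1.2"}   # router/switch management addresses
APPROVED_EGRESS = {"203.0.113.5"}         # vendor update/telemetry endpoint
TACACS_SERVERS = {"10.20.0.5"}            # the only sanctioned TACACS+ servers
TACACS_SPIKE = 100                        # TCP/49 flows per source per window
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def detect(flows) -> list[str]:
    """flows: iterable of (src, dst, ip_proto, dst_port, bytes) as exported by NetFlow/IPFIX."""
    alerts = []
    tacacs_clients = Counter()
    for src, dst, proto, dport, nbytes in flows:
        # Rule 1: a network device talking to a non-internal host outside the allowlist.
        if src in DEVICE_IPS and not is_internal(dst) and dst not in APPROVED_EGRESS:
            what = "GRE tunnel" if proto == 47 else f"proto {proto} dport {dport}"
            alerts.append(f"EGRESS {src} -> {dst} ({what}, {nbytes} B)")
        # Rule 2: TACACS+ (TCP/49) to a server that is not on the sanctioned list,
        # i.e. a device reconfigured to authenticate against an unknown host.
        if proto == 6 and dport == 49:
            if dst not in TACACS_SERVERS:
                alerts.append(f"ROGUE-TACACS {src} -> {dst}")
            tacacs_clients[src] += 1
    # Rule 3: abnormal TCP/49 volume from one source within the window.
    for src, n in tacacs_clients.items():
        if n > TACACS_SPIKE:
            alerts.append(f"TACACS-SPIKE {src}: {n} flows in window")
    return alerts

# Constructed sample window: one approved flow, a GRE path to an unknown host,
# TACACS+ to a rogue server, and a burst of sessions to the real server.
SAMPLE_FLOWS = (
    [("10.10.1.1", "203.0.113.5", 6, 443, 12_000)]
    + [("10.10.1.1", "198.51.100.77", 47, 0, 850_000)]
    + [("10.10.1.2", "192.0.2.40", 6, 49, 900)]
    + [("10.10.1.2", "10.20.0.5", 6, 49, 300)] * 150
)
```

The documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) stand in for internet hosts here; the internal check uses an explicit RFC 1918 list rather than the library's special‑purpose classification so they are treated as external.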

Multinational Defense Strategy

  • Coordinated patch SLAs: Align remediation windows across carriers, IXPs, and peering partners; share tunnel endpoint intel and blocklists regionally.

  • Shared intel pipelines: Subscribe to national CSIRTs’ indicator feeds tied to Salt Typhoon; automate ingestion into edge firewalls and router telemetry analytics.

  • Legal and sanctions leverage: Track sanctions against enabling firms (e.g., Sichuan Juxinhe) and restrict procurement and engagement with associated contractors.

FAQ

  • Why routers and edge devices?

    • They provide covert, durable access, deep visibility into communications, and an ideal launchpad into downstream networks via trusted links.

  • Is this only telecom?

    • No. Telecom is the backbone, but hospitality, transportation, and government targets enable person‑centric surveillance and broader espionage objectives.

  • Which exploits matter now?

    • Prioritize patching Cisco CVE‑2023‑20198/20273, Ivanti CVE‑2023‑46805/2024‑21887, and PAN‑OS CVE‑2024‑3400; audit for GRE tunnels, TACACS+ capture, and rogue SSH services.


Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!