Salt Typhoon Exposed: 600 Organizations Across 80 Countries Hit by Chinese State Hackers

13‑nation advisory exposes Salt Typhoon’s router‑centric espionage—600+ orgs in 80 countries; Cisco/Ivanti/PAN‑OS exploits, GRE persistence, TACACS+
A global telecom backbone map showing router silhouettes, red GRE tunnel arcs, and a badge indicating "600 orgs - 80 countries"

Breaking Intelligence

  • A 13‑nation joint advisory led by U.S. agencies (FBI, CISA, NSA, DC3) and allies details years‑long espionage by PRC‑linked APT “Salt Typhoon,” impacting at least 600 organizations across more than 80 countries, with sustained focus on telecommunications backbones, government, transportation, lodging, and military networks. The coalition explicitly calls out three PRC firms alleged to support these operations.ctvnews+1

  • Initial access hinges on edge‑device exploits and credentials across Cisco, Ivanti, and Palo Alto Networks gear, followed by stealthy persistence and routing abuse to pivot into target environments; reporting cites TACACS+ credential capture and GRE tunneling as core tradecraft.therecord+1

Attack Vectors and TTPs

  • Router‑centric footholds: Targeting provider edge (PE), customer edge (CE), and backbone routers to modify running configurations, add attacker‑controlled IPs to access control lists, open SSH on standard and non‑standard ports, and establish GRE tunnels for covert access and exfiltration.theregister+1

  • Credential operations: Enabling native packet capture on compromised routers to collect TACACS+ authentication traffic (TCP/49), which carries admin usernames and passwords under an MD5‑keystream XOR obfuscation that the device's own shared secret undoes; the harvested credentials are then reused to move across multi‑vendor estates.cybersecuritydive+1

  • Known CVEs: Cisco IOS/IOS XE (e.g., CVE‑2018‑0171 in Smart Install, CVE‑2023‑20198 and CVE‑2023‑20273 in the web UI), Ivanti Connect Secure/Policy Secure (CVE‑2023‑46805 authentication bypass, CVE‑2024‑21887 command injection), Palo Alto PAN‑OS GlobalProtect (CVE‑2024‑3400).thehackernews+1
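The credential‑capture tradecraft above is easier to reason about at the byte level. The following is an added example, not code from the advisory or from any vendor it names: it builds an RFC 8907 TACACS+ authentication START packet for a PAP login (where the password rides in the data field), applies the protocol's MD5 pseudo‑pad XOR obfuscation, and parses it back the way someone reading a TCP/49 capture would. The shared key, session ID, username, password and addresses are invented for the example; the point is that the body is opaque without the key and fully readable with it, and readable by anyone when the unencrypted flag is set.

```python
"""TACACS+ (RFC 8907) on the wire: why a packet capture on TCP/49 plus the
shared secret from a router config yields admin credentials. Added example
with constructed values; not code from the advisory or any vendor."""
import hashlib
import struct
from typing import Optional

TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear when set
TAC_PLUS_MAJOR_VER = 0xC0         # major version 0xC, minor 0
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and truncated."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation is body XOR pseudo-pad, so the same call both hides and reveals."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                       session_id: int, key: bytes, seq_no: int = 1,
                       unencrypted: bool = False) -> bytes:
    """Authentication START (section 5.1) for a PAP login: the password is the data field."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x02, 0x01  # LOGIN, priv 1, PAP, LOGIN
    body = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                       len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else xor_body(body, session_id, key, TAC_PLUS_MAJOR_VER, seq_no)
    header = struct.pack(HEADER_FMT, TAC_PLUS_MAJOR_VER, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(payload))
    return header + payload


def parse_authen_start(packet: bytes, key: Optional[bytes] = None):
    """What a capture reader recovers. Returns None when the body is obfuscated and no
    key is supplied, or when the decoded field lengths do not add up (wrong key)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        return None
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload                      # clear-text mode: no key needed at all
    elif key is None:
        return None
    else:
        body = xor_body(payload, session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    _action, priv_lvl, _atype, _svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        return None
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"session_id": session_id, "priv_lvl": priv_lvl,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace"), "password": data.decode(errors="replace")}


if __name__ == "__main__":
    # Constructed values: a router at 10.0.0.5 authenticating 'netadmin' by PAP.
    KEY = b"s3cret-aaa-key"  # the shared secret, readable in the device's running config
    pkt = build_authen_start(b"netadmin", b"tty0", b"10.0.0.5", b"Pa55w0rd!", 0x1234ABCD, KEY)
    print("no key:  ", parse_authen_start(pkt))
    print("with key:", parse_authen_start(pkt, KEY))
```

The shared secret is the only thing standing between a TCP/49 capture and the credentials, and on a compromised router the attacker already has the configuration that contains it. That is why the hardening advice later on this page is to carry TACACS+ inside IPsec rather than to rely on its native obfuscation.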

Attribution and Sanctions

  • Cited companies: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology named as ecosystem enablers; Juxinhe has been sanctioned by U.S. Treasury.yahoo+1

  • Strategic aim: Bulk collection from telecoms and adjacent sectors to identify and track communications and movements of persons of interest globally.cybersecuritydive

Threat Hunting Indicators

  • Network plane

    • Unapproved GRE tunnel interfaces or new tunnel endpoints on edge routers; ACL diffs adding external IP ranges without change tickets.thehackernews

    • PCAP/traffic capture jobs on routers focused on TCP/49; unexpected egress from network devices to rare ASNs.theregister+1

  • Auth plane

    • TACACS+ spikes, new TACACS+ server entries, privilege escalations from atypical management IPs; changes to device admin accounts.cybersecuritydive+1

  • Platform anomalies

    • On Cisco IOS XR, the sshd_operns service enabled (it exposes SSH to the underlying Linux host OS, typically on TCP/57722), other high‑port SSH listeners, and newly created local Linux users with sudo rights for host OS access.theregister
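The network‑plane and auth‑plane indicators above are mostly visible in a device's running configuration, so the fastest hunt is a config audit against a known‑good baseline. The following is an added example, not code from the advisory or from Cisco: it reads IOS‑style configuration text and flags GRE tunnels not on an approved list, ACL sources outside the management allowlist, packet‑capture jobs (calling out any that match TCP/49), non‑standard SSH ports, and TACACS+ servers that are not the approved ones. The configuration it audits is constructed for the example, and the allowlists, hostnames and addresses are invented.

```python
"""Audit a Cisco IOS-style running config for the indicators discussed above.
Added example; the config text, addresses and allowlists are constructed."""
import ipaddress
import re

# Constructed sample: one approved tunnel, one rogue tunnel, one rogue ACL entry,
# a capture job aimed at TCP/49, a non-standard SSH port and a new AAA server.
CONSTRUCTED_CONFIG = """\
hostname pe-edge-01
!
tacacs server ISE-1
 address ipv4 10.10.5.10
tacacs server NEW-AAA
 address ipv4 203.0.113.9
!
ip ssh port 57722 rotary 1
!
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 10.20.0.1
 tunnel mode gre ip
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit ip host 198.51.100.42 any
 deny ip any any
!
monitor capture CAP interface GigabitEthernet0/1 both
monitor capture CAP match ipv4 protocol tcp any any eq 49
"""


def _acl_source(host, addr, wildcard):
    """IOS ACL source -> ip_network: 'host A' is a /32, 'A W' uses a wildcard (host) mask."""
    if host:
        return ipaddress.ip_network(host)
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def audit_config(config, mgmt_allow, approved_tunnels, approved_tacacs):
    """Return a list of findings {rule, detail, line}. approved_tunnels maps interface
    name -> expected tunnel destination; mgmt_allow and approved_tacacs are prefixes/IPs."""
    allow = [ipaddress.ip_network(p) for p in mgmt_allow]
    findings, tunnels, ctx = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                      # top-level command: new context
            ctx = None
            if m := re.match(r"interface (\S+)", line):
                ctx = ("interface", m.group(1))
                tunnels[m.group(1)] = {"dest": None, "gre": False}
            elif m := re.match(r"ip access-list \w+ (\S+)", line):
                ctx = ("acl", m.group(1))
            elif m := re.match(r"tacacs server (\S+)", line):
                ctx = ("tacacs", m.group(1))
            elif m := re.match(r"ip ssh port (\d+)", line):
                if int(m.group(1)) != 22:
                    findings.append({"rule": "nonstandard_ssh_port", "detail": m.group(1), "line": line})
            elif line.startswith("monitor capture"):
                tacacs = bool(re.search(r"\beq (49|tacacs)\b", line))
                findings.append({"rule": "packet_capture",
                                 "detail": "matches TCP/49 (TACACS+)" if tacacs else "capture job present",
                                 "line": line})
            continue
        kind, name = ctx if ctx else (None, None)
        body = line.strip()
        if kind == "interface":
            if m := re.match(r"tunnel destination (\S+)", body):
                tunnels[name]["dest"] = m.group(1)
            elif body.startswith("tunnel mode gre"):
                tunnels[name]["gre"] = True
        elif kind == "acl" and (m := re.match(
                r"permit \S+ (?:host (\S+)|(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+))", body)):
            src = _acl_source(m.group(1), m.group(2), m.group(3))
            if not any(src.subnet_of(a) for a in allow):
                findings.append({"rule": "acl_external_source", "detail": f"{name} permits {src}", "line": line})
        elif kind == "tacacs" and (m := re.match(r"address ipv4 (\S+)", body)):
            if m.group(1) not in approved_tacacs:
                findings.append({"rule": "unknown_tacacs_server", "detail": f"{name} -> {m.group(1)}", "line": line})
    for name, t in tunnels.items():                       # evaluate tunnels once fully parsed
        if t["gre"] and approved_tunnels.get(name) != t["dest"]:
            findings.append({"rule": "unapproved_gre_tunnel", "detail": f"{name} -> {t['dest']}",
                             "line": f"interface {name}"})
    return findings


if __name__ == "__main__":
    for f in audit_config(CONSTRUCTED_CONFIG, ["10.0.0.0/8"], {"Tunnel0": "10.20.0.1"}, {"10.10.5.10"}):
        print(f"{f['rule']:24} {f['detail']:40} <- {f['line']}")
```

Run this against every router's exported running config on a schedule and diff the findings between runs; a finding that appears without a matching change ticket is the "ACL diffs without change tickets" signal the indicators call for.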

Network Hardening Measures

  • Patch and isolate edge

    • Apply vendor fixes for the cited Cisco, Ivanti, and Palo Alto CVEs; remove management interfaces from the internet; enforce VPN‑only admin with IP allowlists.thehackernews+1

    • Disable or strictly govern GRE; require approvals for tunnel changes; continuously diff and alert on config drift across routers.thehackernews

  • Protect credentials

    • Protect TACACS+ in transit: its built‑in obfuscation (RFC 8907) is an MD5‑keystream XOR, not encryption, and anyone holding a capture plus the shared secret from a device config recovers the credentials. Carry TACACS+ inside IPsec or on an isolated management VRF, rotate shared secrets after any device compromise, centralize on hardened servers, log all admin operations, and monitor for PCAP enablement and high‑rate TCP/49 flows.cybersecuritydive+1

  • Telemetry and segmentation

    • Stream NetFlow/IPFIX and device syslogs to SIEM; block device‑to‑internet egress except approved endpoints; segment management planes from production paths.therecord+1

Multinational Defense Strategy

  • Coordinated SLAs: Align patch/response windows across carriers, IXPs, MSPs, and peering partners; share tunnel endpoint intel and blocklists regionally.cybersecuritydive

  • Shared intel pipelines: Automate ingestion of IOC/TTP updates from national CSIRTs tied to Salt Typhoon into EDR/NGFW controls; schedule joint hunt sprints.theregister+1

  • Procurement controls: Screen out vendors linked to sanctioned entities or to the named enabler companies; require configuration attestation and third‑party audits for edge operations.ctvnews

FAQ

  • Why focus on routers?

    • Edge devices provide durable, covert access and a vantage point to monitor and pivot via trusted interconnects without tripping host‑based defenses.therecord+1

  • Is this limited to telecom?

    • No—telecom is the backbone, but hospitality and transportation enable person‑centric surveillance, expanding intelligence value.theregister+1

  • What should defenders do first?

    • Patch cited CVEs, audit for GRE tunnels and TACACS+ capture, lock down admin planes, and begin a cross‑partner hunt using the advisory’s indicators.thehackernews+1

Hey there! I’m Alfaiz, a 21-year-old tech enthusiast from Mumbai. With a BCA in Cybersecurity, CEH, and OSCP certifications, I’m passionate about SEO, digital marketing, and coding (mastered four languages!). When I’m not diving into Data Science or AI, you’ll find me gaming on GTA 5 or BGMI. Follow me on Instagram (@alfaiznova, 12k followers, blue-tick!) for more. I also run https://www.alfaiznova.in for gadget comparisons and the latest information about gadgets. Let’s explore tech together!