Cisco Talos researchers, who have been tracking reports of extensive intrusion activity targeting several U.S. telecommunications firms, determined that in the cases investigated to date the threat actor gained initial access to Cisco devices by obtaining legitimate victim login credentials. The threat actor then demonstrated the ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years.
Since September last year, hackers linked to the Chinese government have broken into a handful of U.S. internet service providers in pursuit of sensitive information, marking the latest intrusion into core U.S. infrastructure by entities tied to Beijing. In the hacking campaign called ‘Salt Typhoon’ by investigators, these cyber adversaries, allegedly linked to China, burrowed into America’s broadband networks.
“A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by all infrastructure defenders,” Cisco Talos researchers wrote in a blog post last week. “No new Cisco vulnerabilities were discovered during this campaign. While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims. Threat actors regularly use publicly available malicious tooling to exploit these vulnerabilities, making patching of these vulnerabilities imperative.”
The researchers noted that security patches are available for each of these CVEs.
Cisco Talos reported that the use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor. “We have observed the threat actor actively attempting to acquire additional credentials by obtaining network device configurations and deciphering local accounts with weak password types—a security configuration that allows users to store passwords using cryptographically weak methods.”
In addition, the researchers have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers. “The intent of this traffic capture is almost certainly to enumerate additional credential details for follow-on use.”
“In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP. These configurations often contained sensitive authentication material, such as SNMP Read/Write (R/W) community strings and local accounts with weak password encryption types in use. The weak encryption password type would allow an attacker to trivially decrypt the password itself offline,” according to the researchers. “In addition to the sensitive authentication material, configurations often contain named interfaces, which might allow an attacker to better understand the upstream and downstream network segments and use this information for additional reconnaissance and subsequent lateral movement within the network.”
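The two findings above (local accounts stored with weak password types, and SNMP read/write community strings sitting in exfiltrated configurations) are things a defender can check for before a configuration ever leaves the device. The following is an added example, not code from Cisco Talos or from the original post: a small Python auditor that scans an IOS-style configuration for credential lines stored with a reversible or deprecated type (0, 4, 5, 7, or no type at all, meaning cleartext) and for SNMP community strings, flagging RW communities as critical. The sample configuration it runs on is constructed for illustration; the password-type semantics follow Cisco's published type numbering, where types 8 and 9 are the recommended ones.

```python
import re
from dataclasses import dataclass

# Cisco IOS password/secret type codes. Types 8 (PBKDF2-SHA-256) and 9 (scrypt)
# are the ones Cisco currently recommends; the rest are reversible or weakly
# hashed, which is what lets an attacker who exfiltrates a config recover
# local accounts offline.
WEAK_PASSWORD_TYPES = {
    "0": "plaintext",
    "4": "unsalted SHA-256 (deprecated)",
    "5": "salted MD5 (deprecated)",
    "7": "reversible Vigenere-style encoding",
}

# 'username <name> [privilege N] password|secret [<type>] <value>'
# or 'enable password|secret [<type>] <value>'. A missing type digit means
# the value is stored in the clear (equivalent to type 0).
CRED_RE = re.compile(
    r"^\s*(?:username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?|enable)\s+"
    r"(?P<kw>password|secret)\s+(?:(?P<ptype>\d)\s+)?(?P<value>\S+)\s*$"
)
SNMP_RE = re.compile(
    r"^\s*snmp-server\s+community\s+(?P<community>\S+)\s+(?P<mode>RO|RW)\b", re.I
)

# Constructed sample configuration (hash values are placeholders, not real hashes).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 9 $9$CONSTRUCTED_SCRYPT_HASH
enable password 7 0123456789ABCDEF
username admin privilege 15 secret 5 $1$CONSTRUCTED$MD5HASH
username netops secret 8 $8$CONSTRUCTED_PBKDF2_HASH
username backup password 0 ClearTextExample
snmp-server community public RO
snmp-server community Constructed-RW RW
"""


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


def audit_config(config_text: str) -> list[Finding]:
    """Scan a running/startup config for weak credential storage and SNMP exposure."""
    findings: list[Finding] = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(line)
        if m:
            account = m.group("user") or "enable"
            ptype = m.group("ptype") or "0"
            if ptype in WEAK_PASSWORD_TYPES:
                findings.append(Finding(
                    n, "high",
                    f"{account}: {m.group('kw')} stored as type {ptype} "
                    f"({WEAK_PASSWORD_TYPES[ptype]}); re-create with type 8 or 9",
                ))
            continue
        m = SNMP_RE.match(line)
        if m:
            mode = m.group("mode").upper()
            if mode == "RW":
                findings.append(Finding(
                    n, "critical",
                    "SNMP RW community string in config; RW permits configuration "
                    "changes, so remove it or move to SNMPv3 authPriv",
                ))
            else:
                findings.append(Finding(
                    n, "medium",
                    "SNMP RO community string in config; prefer SNMPv3 authPriv",
                ))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.severity:>8}] {f.message}")
```

Run against a real device's `show running-config` output, the same function gives a per-line list of accounts to re-create with `secret 9` and community strings to retire; the `service password-encryption` line in the sample is a reminder that this setting only yields type 7, which the Talos post describes as trivially decryptable offline.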
Moreover, a significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure. This ‘machine to machine’ pivoting, or ‘jumping,’ is likely conducted for a couple of reasons. First, it allows the threat actor to move within a trusted infrastructure set where network communications might not otherwise be permitted. Additionally, connections from this type of infrastructure are less likely to be flagged as suspicious by network defenders, allowing the threat actor to remain undetected.
“The threat actor also pivoted from a compromised device operated by one telecom to target a device in another telecom,” Cisco Talos said. “We believe that the device associated with the initial telecom was merely used as a hop point and not the intended final target in several instances. Some of these hop points were also used as a first hop for outbound data exfiltration operations. Much of this pivoting included the use of network equipment from a variety of different manufacturers.”
The researchers detailed that the threat actor used a custom-built utility, dubbed JumbledPath, which allowed them to execute a packet capture on a remote Cisco device through an actor-defined jump host. “This tool also attempted to clear logs and impair logging along the jump path and return the resultant compressed, encrypted capture via another unique series of actor-defined connections or jumps. This allowed the threat actor to create a chain of connections and perform the capture on a remote device.”
Furthermore, the use of this utility would help to obfuscate the original source and destination of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure. “This utility was written in Go and compiled as an ELF binary using an x86-64 architecture. Compiling the utility using this architecture makes it widely usable across Linux operating systems, which also includes a variety of multi-vendor network devices. This utility was found in actor-configured Guestshell instances on Cisco Nexus devices.”
The Salt Typhoon hackers repeatedly modified the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to additional devices within the target environment, allowing them to effectively bypass access control lists (ACLs) in place on those devices.
“The threat actor routinely cleared relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable, to obfuscate their activities. Shell access was restored to a normal state in many cases through the use of the ‘guestshell disable’ command,” the researchers detailed. “The threat actor modified authentication, authorization, and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.”
Cisco Talos recommends conducting comprehensive configuration management (inclusive of auditing), in line with best practices; conducting comprehensive authentication/authorization/command issuance monitoring; monitoring syslog and AAA logs for unusual activity, including a decrease in normal logging events or a gap in logged activity; and monitoring the environment for unusual changes in behavior or configuration.
The post also suggests profiling (fingerprinting via NetFlow and port scanning) network devices for a shift in surface view, including new ports opening/closing and traffic to/from (not traversing) the device; where possible, developing NetFlow visibility to identify unusual volumetric changes; looking for non-empty or unusually large .bash_history files; and performing additional identification and detection using the Cisco forensic guides.
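Several of the behaviours described above (AAA server settings altered, the loopback interface re-addressed to source SSH connections, logging impaired, guestshell toggled, and the resulting gaps in logged activity) leave traces in syslog if the device logs configuration commands. The following is an added example, not code from Cisco Talos or from the original post: detection logic in Python that parses a batch of syslog lines, reports any silence longer than a threshold (the "gap in logged activity" Talos recommends watching for), and flags logged configuration commands touching AAA, loopbacks, SSH source interfaces, logging hosts or guestshell. The log lines are constructed for illustration, in a simple "timestamp host %MESSAGE" form as a collector might store them, and they assume the IOS configuration-change logging feature is enabled so that each command appears as a CFGLOG_LOGGEDCMD message.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a normal operator session in the morning, then a session by
# "admin" that edits AAA, the loopback and logging, followed by hours of silence.
SAMPLE_LOG = """\
2025-02-20T08:00:05 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.1.5] [localport: 22]
2025-02-20T08:15:10 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.1.5)
2025-02-20T08:15:12 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
2025-02-20T09:02:00 edge-rtr-01 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
2025-02-20T09:30:44 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.1.9] [localport: 22]
2025-02-20T09:31:02 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tacacs server BACKUP-AAA
2025-02-20T09:31:20 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Loopback0
2025-02-20T09:31:40 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.10.2.20
2025-02-20T14:05:00 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.1.9)
2025-02-20T14:05:03 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:guestshell disable
"""

# "<ISO timestamp> <host> %<FACILITY-SEV-MNEMONIC>: text"  (constructed collector format)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%(?P<msg>.+)$")
# Configuration-change logging records each command as:
#   %PARSER-5-CFGLOG_LOGGEDCMD: User:<name>  logged command:<command>
CMD_RE = re.compile(r"CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$")

# Command classes matching the tradecraft described in the write-up.
SUSPICIOUS_CMDS = [
    (re.compile(r"^(?:tacacs|radius)[ -]server\b|^aaa\s+(?:authentication|group)\b", re.I), "AAA server/auth change"),
    (re.compile(r"^interface\s+loopback\d*", re.I), "loopback interface modified"),
    (re.compile(r"^ip\s+ssh\s+source-interface\b", re.I), "SSH source interface changed"),
    (re.compile(r"^no\s+logging\b|^logging\s+host\b", re.I), "logging configuration changed"),
    (re.compile(r"^guestshell\b", re.I), "guestshell toggled"),
]


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, host, message) tuples for every parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("host"), m.group("msg")))
    return events


def find_logging_gaps(events, max_gap: timedelta = timedelta(hours=1)) -> list[tuple[datetime, datetime]]:
    """Return (last_seen, next_seen) pairs where the device went silent for longer than max_gap.

    Tune max_gap to the device's normal chatter; a router that logs every few
    minutes going quiet for hours is the signal Talos describes."""
    times = sorted(ts for ts, _, _ in events)
    return [(prev, cur) for prev, cur in zip(times, times[1:]) if cur - prev > max_gap]


def find_suspicious_config_changes(events) -> list[tuple[datetime, str, str, str, str]]:
    """Return (timestamp, host, user, command, label) for logged commands in a watched class."""
    hits = []
    for ts, host, msg in events:
        m = CMD_RE.search(msg)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        for pattern, label in SUSPICIOUS_CMDS:
            if pattern.search(cmd):
                hits.append((ts, host, m.group("user"), cmd, label))
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for start, end in find_logging_gaps(evs):
        print(f"GAP   {start} -> {end} ({end - start} with no events)")
    for ts, host, user, cmd, label in find_suspicious_config_changes(evs):
        print(f"ALERT {ts} {host} user={user} [{label}] {cmd}")
```

Pairing the two checks is the point: a burst of AAA and logging changes followed by silence is far more telling than either alone, and correlating the `user` field with the AAA server's own accounting records shows whether the session was authenticated by the expected server or by a supplemental one.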
Earlier this month, Recorded Future’s Insikt Group uncovered a Chinese state-sponsored threat group identified as RedMike, which corresponds to the group named Salt Typhoon by Microsoft, targeting unpatched, internet-facing Cisco network devices, predominantly affecting global telecommunications providers between December 2024 and January 2025. Among the victim organizations were a U.S.-based affiliate of a U.K. telecommunications provider and a telecommunications provider based in South Africa.