
In a significant cybersecurity development, the China-linked Advanced Persistent Threat (APT) group known as Salt Typhoon has successfully breached multiple U.S. telecommunications providers. This breach was accomplished by exploiting vulnerabilities in Cisco IOS XE network devices that had not been patched. The ongoing cyber espionage campaign highlights the persistent threat posed by Salt Typhoon to telecom providers worldwide.
Exploitation of Cisco Vulnerabilities
According to a report by Recorded Future's Insikt Group, Salt Typhoon has leveraged two critical vulnerabilities in Cisco devices, identified as CVE-2023-20198 and CVE-2023-20273. These vulnerabilities have been instrumental in the group's ability to infiltrate telecom networks across the globe.
Details of the Vulnerabilities
In October 2023, Cisco issued a warning regarding the zero-day vulnerability CVE-2023-20198, which carries a CVSS score of 10. This flaw allows attackers to gain administrator privileges on affected routers. The vulnerability affects devices that have the Web User Interface (Web UI) enabled, which in turn requires the HTTP or HTTPS Server feature to be turned on.
- CVE-2023-20198: Enables remote, unauthenticated attackers to create accounts with high privilege levels.
- CVE-2023-20273: An unspecified issue in the web UI that can be chained with CVE-2023-20198 to elevate privileges to root.
Impact on Global Telecom Networks
Salt Typhoon's campaign has breached several telecom networks, including Internet Service Providers (ISPs) in the U.S., Italy, and other countries. Insikt Group's research identified over 12,000 Cisco devices with exposed web UIs, with more than 1,000 devices targeted in this focused attack.
Persistence and Data Exfiltration Techniques
The threat actors have employed generic routing encapsulation (GRE) tunnels on compromised Cisco devices. This method helps maintain persistence, evade detection, and exfiltrate data stealthily by encapsulating it within GRE packets.
Recommendations and Mitigation Strategies
To counteract these threats, Insikt Group advises administrators to promptly patch Cisco IOS XE devices and limit the exposure of administrative interfaces and non-essential services to the internet. This proactive approach is crucial in mitigating potential breaches.
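The three indicators the report ties to this campaign (an enabled web UI, privilege-15 accounts the exploit creates, and tunnel interfaces used for GRE persistence) can be checked from a saved running-config. The following is an added example, not code from Insikt Group or Cisco; the config excerpt is constructed, and the expected-administrator list (known_admins) is an assumed input.

```python
import re

# Constructed IOS XE running-config excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username admin privilege 15 secret 9 $9$PLACEHOLDER
username svc-backup privilege 15 secret 9 $9$PLACEHOLDER
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
ip http server
ip http secure-server
!
"""

def audit_ios_xe_config(config, known_admins=("admin",)):
    """Return (indicator, detail) pairs for an enabled web UI, privilege-15
    users not in known_admins (an assumed input), and tunnel interfaces."""
    findings = []
    # Web UI: either command enables the HTTP/HTTPS server that CVE-2023-20198 abuses.
    for cmd in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{cmd}\s*$", config, re.M):
            findings.append(("web_ui_enabled", cmd))
    # Local users at privilege 15; the exploit's payoff is an account like this.
    for user, priv in re.findall(r"^username (\S+) privilege (\d+)", config, re.M):
        if int(priv) == 15 and user not in known_admins:
            findings.append(("unexpected_priv15_user", user))
    # Tunnel interfaces. IOS defaults a Tunnel interface to GRE over IPv4 and
    # omits the default "tunnel mode" line, so a missing line still means GRE.
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (Tunnel\d+)", block, re.M)
        if not name:
            continue
        mode = re.search(r"^\s*tunnel mode (.+?)\s*$", block, re.M)
        dest = re.search(r"^\s*tunnel destination (\S+)", block, re.M)
        findings.append(("tunnel_interface",
                         f"{name.group(1)} mode={mode.group(1) if mode else 'gre ip (default)'} "
                         f"dst={dest.group(1) if dest else '?'}"))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_ios_xe_config(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```

Feed it the output of `show running-config` from each device; a tunnel destination nobody recognises, or a privilege-15 user nobody created, is what to escalate.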
Ongoing Cyber Espionage Campaign
Salt Typhoon, also known as FamousSparrow and GhostEmperor, has been active since at least 2019, targeting government entities and telecom companies. Recent reports indicate that the group has compromised additional U.S. telecoms, including Charter Communications and Windstream, by exploiting vulnerabilities in network devices from major vendors like Cisco and Fortinet.
Global Response and Advisory
In December 2024, a joint advisory from the U.S., Australia, Canada, and New Zealand warned of cyber espionage activities linked to the People's Republic of China (PRC). The advisory provides best practices for telecom and critical infrastructure defenders to strengthen network security against such threats.