The China-linked APT group Salt Typhoon has carried out widespread cyber espionage campaigns, exploiting flaws in edge network devices to infiltrate more than 600 organizations across 80 countries.
Global Targets of Salt Typhoon
According to a joint cybersecurity advisory backed by 13 nations, Salt Typhoon has been active since at least 2019, compromising telecommunications, government, transportation, hospitality, and even military infrastructure.
The group primarily targets backbone routers of major telecom providers as well as provider edge (PE) and customer edge (CE) routers. Once inside, compromised devices are used to pivot into other networks and maintain persistent, long-term access.
The advisory linked the activity to three Chinese companies:
- Sichuan Juxinhe Network Technology Co., Ltd.
- Beijing Huanyu Tianqiong Information Technology Co., Ltd.
- Sichuan Zhixin Ruijie Network Technology Co., Ltd.
These entities are believed to support Chinese intelligence operations by supplying tools and services that enable global surveillance.
Methods and Vulnerabilities Exploited
Salt Typhoon overlaps with groups such as GhostEmperor, Operator Panda, and UNC5807. Their tactics rely on known vulnerabilities in edge devices, including:
- Cisco (CVE-2018-0171, CVE-2023-20198, CVE-2023-20273)
- Ivanti (CVE-2023-46805, CVE-2024-21887)
- Palo Alto Networks (CVE-2024-3400)
Reports also warn that devices and software from Fortinet, Juniper, Microsoft (Exchange), Nokia, Sierra Wireless, and SonicWall could be targeted for initial access.
Persistence and Espionage Techniques
The group achieves persistence by:
- Altering Access Control Lists (ACLs) to add attacker-controlled IP addresses.
- Creating GRE tunnels for covert exfiltration.
- Running malicious commands in on-box Linux containers.
- Enabling the sshd_operns service on Cisco IOS XR to escalate privileges.
They also target authentication protocols such as TACACS+, capturing administrator credentials from network traffic to expand their foothold.
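Because the credential theft described above happens on the wire rather than through a protocol flaw, the defender's leverage is visibility into who is speaking TACACS+ and whether the sessions are protected. The script below is an added example, not code from the advisory or from any vendor: it audits constructed NetFlow-style records for TCP/49 sessions that originate from hosts outside the managed-device range or terminate at a server that is not the authorised TACACS+ server, and it decodes the 12-byte TACACS+ header (RFC 8907) to flag sessions carrying the unencrypted flag, which would put administrator credentials in the clear for anyone capturing traffic. The flow-record format, the address ranges (RFC 5737 documentation space) and the sample packet are all assumptions made for the example; this same check also serves the later recommendation to monitor TACACS+ traffic for signs of credential harvesting.

```python
"""Added example: audit TACACS+ (TCP/49) traffic for unexpected peers and
unencrypted sessions. Flow format, addresses and packets are constructed."""
import struct
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

TACACS_PORT = 49
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag bit defined in RFC 8907

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
FLOW_RECORDS = """\
2025-08-27T10:00:01Z 192.0.2.10 192.0.2.250 49 tcp
2025-08-27T10:00:05Z 192.0.2.11 192.0.2.250 49 tcp
2025-08-27T10:02:19Z 198.51.100.77 192.0.2.250 49 tcp
2025-08-27T10:03:02Z 192.0.2.10 203.0.113.9 49 tcp
2025-08-27T10:03:40Z 192.0.2.10 192.0.2.250 443 tcp
""".splitlines()

# Assumed inventory: only these devices should ever open TACACS+ sessions,
# and only to this server.
MANAGED_DEVICES = [ip_network("192.0.2.0/28")]
TACACS_SERVERS = [ip_address("192.0.2.250")]


def audit_tacacs_flows(records: List[str],
                       devices=MANAGED_DEVICES,
                       servers=TACACS_SERVERS) -> List[Tuple[str, str, str, str]]:
    """Return (finding, timestamp, src, dst) for every TACACS+ flow whose
    client is not a managed device or whose server is not on the allowlist."""
    findings = []
    for rec in records:
        ts, src, dst, dport, proto = rec.split()
        if proto != "tcp" or int(dport) != TACACS_PORT:
            continue  # not TACACS+ traffic
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if not any(src_ip in net for net in devices):
            findings.append(("tacacs-from-unmanaged-host", ts, src, dst))
        if dst_ip not in servers:
            findings.append(("tacacs-to-unknown-server", ts, src, dst))
    return findings


def parse_tacacs_header(pkt: bytes) -> Dict[str, int]:
    """Decode the fixed 12-byte TACACS+ header (RFC 8907):
    version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)."""
    if len(pkt) < 12:
        raise ValueError("TACACS+ header is 12 bytes")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return {
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "type": ptype,          # 1 = authentication, 2 = authorization, 3 = accounting
        "seq_no": seq_no,
        "flags": flags,
        "session_id": session_id,
        "body_length": length,
        # If this bit is set the body is not obfuscated with the shared secret,
        # so a captured authentication START/CONTINUE exposes the password.
        "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
    }


# Constructed headers: an unencrypted authentication packet and a normal one.
SAMPLE_UNENCRYPTED = struct.pack("!BBBBII", 0xC0, 0x01, 1, TAC_PLUS_UNENCRYPTED_FLAG, 0x1A2B3C4D, 0)
SAMPLE_ENCRYPTED = struct.pack("!BBBBII", 0xC0, 0x01, 1, 0x00, 0x1A2B3C4E, 0)

if __name__ == "__main__":
    for finding in audit_tacacs_flows(FLOW_RECORDS):
        print(*finding)
    for name, pkt in (("unencrypted", SAMPLE_UNENCRYPTED), ("encrypted", SAMPLE_ENCRYPTED)):
        print(name, parse_tacacs_header(pkt)["unencrypted"])
```

In a real deployment the flow records would come from a collector and the header check from a packet broker or IDS; the point of the example is that both indicators are cheap to compute and directly match the technique the advisory describes.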
Google’s Mandiant highlighted Salt Typhoon’s deep knowledge of telecom systems, enabling stealthy defense evasion and widespread espionage.
Scale of Salt Typhoon Edge Device Attacks
Authorities confirmed that at least 200 U.S. organizations and hundreds more across Europe and Asia have been impacted. In total, Salt Typhoon breached over 600 organizations worldwide, making it one of the largest espionage campaigns linked to China in recent years.
These operations rely heavily on external contractors and academic collaborators, forming a scalable ecosystem that fuels rapid development and expansion of cyber espionage campaigns worldwide.
Urgent Security Measures
Salt Typhoon’s campaign demonstrates that vulnerable edge devices remain a critical weak point in global infrastructure. Organizations are urged to:
- Patch exposed Cisco, Ivanti, and Palo Alto devices immediately.
- Review ACLs and configurations for unauthorized changes.
- Monitor TACACS+ traffic for signs of credential harvesting.
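The persistence techniques listed earlier (ACL entries for attacker-controlled addresses, GRE tunnels for exfiltration, sshd_operns on IOS XR) all leave traces in the device configuration, which is why reviewing ACLs and configurations for unauthorized changes is on the list above. The script below is an added example rather than code from the advisory or from Cisco: it compares a running configuration against a known-good baseline and reports exactly those three indicators. Both configurations are constructed samples using RFC 5737 addresses, the configuration syntax is a simplified Cisco-style stanza format, and the `ssh server operns` line is a stand-in that the article does not specify; the real IOS XR command may differ, so the detector keys on the substring `operns` rather than on exact syntax.

```python
"""Added example: diff a Cisco-style running config against a baseline and
flag the Salt Typhoon persistence indicators (new ACL permits, new GRE
tunnels, sshd_operns enabled). Both configs are constructed samples."""
from typing import Dict, List, Set, Tuple

BASELINE_CONFIG = """\
hostname pe-router-1
ip access-list extended MGMT-ACCESS
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
"""

RUNNING_CONFIG = """\
hostname pe-router-1
ip access-list extended MGMT-ACCESS
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.77 any eq 22
 deny ip any any
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface Tunnel100
 tunnel source Loopback0
 tunnel destination 203.0.113.9
 tunnel mode gre ip
ssh server operns
"""

ACL_PREFIXES = ("ip access-list", "ipv4 access-list", "ipv6 access-list", "access-list")


def parse_sections(config: str) -> Dict[str, Set[str]]:
    """Group a config into {unindented stanza header: set(indented child lines)}.
    Comment lines (starting with '!') and blank lines are ignored."""
    sections: Dict[str, Set[str]] = {}
    header = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and header is not None:
            sections[header].add(raw.strip())
        else:
            header = raw.strip()
            sections.setdefault(header, set())
    return sections


def find_persistence_indicators(baseline: str, running: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for config lines present in the running
    config but absent from the baseline that match the listed techniques."""
    base, cur = parse_sections(baseline), parse_sections(running)
    findings: List[Tuple[str, str]] = []
    for header, lines in cur.items():
        is_new = header not in base
        added = lines if is_new else lines - base[header]
        # 1. ACL modified to permit a new source (attacker-controlled address).
        if header.startswith(ACL_PREFIXES):
            for line in sorted(added):
                if line.startswith("permit"):
                    findings.append(("acl-permit-added", f"{header} | {line}"))
        # 2. New GRE tunnel interface (covert exfiltration path).
        elif header.startswith("interface"):
            if any(l.startswith("tunnel mode gre") for l in added) or (is_new and "Tunnel" in header):
                dest = next((l for l in lines if l.startswith("tunnel destination")),
                            "tunnel destination unknown")
                findings.append(("gre-tunnel-added", f"{header} | {dest}"))
        # 3. sshd_operns enabled (matched loosely: exact CLI syntax is an assumption).
        for line in added | ({header} if is_new else set()):
            if "operns" in line:
                findings.append(("sshd-operns-enabled", line))
    return findings


if __name__ == "__main__":
    for indicator, detail in find_persistence_indicators(BASELINE_CONFIG, RUNNING_CONFIG):
        print(f"[{indicator}] {detail}")
```

The baseline should be a configuration snapshot taken from a trusted source (the config management system, not the device itself), since a device that has already been compromised can return a running config that hides the changes; the comparison is only as good as the baseline it is measured against.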
The Salt Typhoon edge device attacks underscore the importance of proactive defense against state-sponsored espionage.