In a significant joint advisory, the U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and cyber and intelligence agencies from over a dozen allied nations have publicly attributed the widespread “Salt Typhoon” global hacking campaigns to three technology firms based in China. The advisories specifically name Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. as the companies providing cyber products and services to entities within the Chinese government. These services, according to the report, have enabled sophisticated cyber espionage operations against networks around the globe.
The scale of the “Salt Typhoon” campaign is extensive, with threat actors actively breaching networks since at least 2021. The targets have been diverse, including government, telecommunications, transportation, lodging, and military networks across multiple countries. A primary objective of these campaigns has been the theft of sensitive data, particularly information that can be used to track the communications and movements of individuals worldwide. Over the past few years, the campaign has shown a particular focus on orchestrating concerted attacks against telecommunication firms, aiming to intercept and monitor private communications on a global scale.
A key finding of the joint advisory is that the threat actors have achieved “considerable success” not by relying on stealthy zero-day exploits, but by leveraging known and widely fixed vulnerabilities on network edge devices. These vulnerabilities include specific CVEs such as CVE-2024-21887 (Ivanti Connect Secure), CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect), and several flaws in Cisco IOS XE. By exploiting these well-documented weaknesses, the attackers have been able to gain a foothold in network routing and other critical devices, establishing a persistent presence.
Once inside a compromised network, the threat actors employed a variety of techniques to maintain control and exfiltrate data. They were observed modifying access control lists, enabling SSH on non-standard ports, and creating GRE/IPsec tunnels to facilitate their operations. They also exploited Cisco Guest Shell containers to ensure persistence and deployed custom, Golang-based SFTP tools—referred to as “cmd1,” “cmd3,” “new2,” and “sft”—to collect packet captures of authentication traffic and steal data. The joint report notes that the actors often target devices regardless of the owner, using them as pivot points to access other networks via trusted connections.
To counter these widespread campaigns, the NSA and NCSC have issued urgent recommendations to organizations worldwide. Their guidance emphasizes a strategic and layered defense. First and foremost, they advise organizations to prioritize patching all devices with known vulnerabilities. This should be followed by hardening device configurations, actively monitoring for any unauthorized changes, and disabling all unused services. Furthermore, they recommend restricting management services to dedicated networks, enforcing secure protocols like SSHv2 and SNMPv3, and disabling legacy features such as Cisco Smart Install and Guest Shell where they are not required. The advisories stress that since the attacks rely on known weaknesses, organizations can effectively defend themselves by actively searching for signs of compromise and implementing robust security practices.
Reference:
