Are Chinese Hackers Inside Our Networks? Understanding the Salt Typhoon Threat.
A group of hackers, with connections to the Chinese government, has been identified as a significant global threat. Known as Salt Typhoon, this group is conducting widespread cyberattacks, targeting essential services and infrastructure across the world. In response, the U.S. National Security Agency (NSA) has joined forces with other American and international organizations to issue a security alert, highlighting the group’s activities and the extensive nature of their operations.
These cyber activities are not random. They are part of a calculated and persistent campaign that has been active since at least 2019, focused on espionage and breaching global telecommunications. The primary goal appears to be gathering intelligence that gives Chinese state agencies the ability to monitor people’s communications and movements on a global scale.
A Worldwide Espionage System
The reach of Salt Typhoon is vast. The group has successfully compromised networks in numerous sectors that are fundamental to a nation’s security and daily life. These include:
- Telecommunications
- Government
- Military infrastructure
- Transportation
- Hospitality
According to the FBI, this hacking campaign has impacted more than 200 companies in the United States and has extended its reach to at least 80 countries. The campaign has been described as one of the most significant breaches in U.S. history, infiltrating major telecommunications providers and potentially giving the attackers access to the phone calls, text messages, and location data of millions of people. The targets have been diverse, ranging from internet service providers to universities.
The Attackers’ Methods
Salt Typhoon does not rely on novel, previously unknown exploits. Instead, their strategy focuses on taking advantage of known security weaknesses in the software that runs on network equipment. These devices, often called “edge devices,” are the gateways between an organization’s internal network and the internet: routers, firewalls, and VPN appliances. By targeting them, the hackers can gain a foothold inside an organization’s digital infrastructure.
Security agencies have identified several specific vulnerabilities that Salt Typhoon actively exploits to break into networks:
- CVE-2024-21887: A flaw in Ivanti Connect Secure and Ivanti Policy Secure products that allows for command injection.
- CVE-2024-3400: A vulnerability in Palo Alto Networks’ PAN-OS that enables an attacker to create files and run commands on the system.
- CVE-2023-20273 and CVE-2023-20198: A pair of vulnerabilities in Cisco’s IOS XE software that, when used together, can allow an attacker to bypass security and take full control of a device.
- CVE-2018-0171: An older vulnerability in Cisco’s Smart Install feature that can lead to remote code execution.
Once inside a network, the attackers use their access to establish a persistent presence. They have been observed modifying device configurations to create unauthorized tunnels (GRE or IPsec) that carry copies of network traffic out of the organization in a way that is hard to distinguish from legitimate traffic. This stolen data can then be sent back to servers controlled by the hackers for analysis.
The People Behind the Attacks
International security agencies have linked Salt Typhoon’s activities directly to the Chinese government. The operation is supported by a network of private companies in China that provide tools, services, and expertise to the country’s intelligence services, including the Ministry of State Security.
Three companies have been explicitly named in connection with these hacking activities:
- Sichuan Juxinhe Network Technology Co. Ltd.
- Beijing Huanyu Tianqiong Information Technology Co., Ltd.
- Sichuan Zhixin Ruijie Network Technology Co., Ltd.
This use of contractors and private firms is a key part of China’s cyber espionage strategy. It allows for the rapid development of hacking tools and provides a layer of deniability for the government, while expanding the scale and sophistication of their operations.
An Ongoing Threat with Real-World Consequences
The information stolen by Salt Typhoon provides a wealth of intelligence. By targeting telecommunications and hospitality sectors, the group can build a detailed picture of individuals’ lives—who they talk to, where they are, and where they are going. This capability was reportedly used to monitor the text messages of major U.S. political campaigns.
Even after being publicly exposed, Salt Typhoon has not stopped its activities. Security experts from Google’s Mandiant division, who were involved in the effort to remove the hackers from telecommunications systems, noted that the group has a deep understanding of telecom technology, which gives them a unique advantage in avoiding detection.
Concerns remain that the threat has not been fully eliminated. In the U.S., Senator Maria Cantwell has formally requested documents from Mandiant regarding their work with major telecom providers like AT&T and Verizon to understand if vulnerabilities still exist in their networks. Experts have warned that critical infrastructure remains highly vulnerable to persistent attackers like Salt Typhoon and that the group will almost certainly continue its operations.
Protecting Against Salt Typhoon
Given that Salt Typhoon primarily exploits known vulnerabilities, the most critical defense is diligent security maintenance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its partners urge organizations to prioritize the following mitigation measures:
- Patching: Immediately apply security updates for all network edge devices, especially for the specific vulnerabilities known to be exploited by the group.
- Security for Edge Devices: Harden the security of all devices that connect your internal network to the internet. This includes routers, firewalls, and VPNs.
- Network Monitoring: Actively monitor network traffic for unusual activity, such as data being sent to unknown locations or the creation of unauthorized tunnels.
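The two configuration-level signs this article mentions, tunnel interfaces that nobody approved (the GRE/IPsec tunnels described under “The Attackers’ Methods”) and an edge device still exposing Cisco Smart Install (CVE-2018-0171), can both be checked from a saved running configuration. The following audit script is an added example written for this article, not code from any of the agencies named here. It parses a Cisco IOS-style configuration, compares every tunnel interface’s destination against a baseline of approved peers, and reports whether Smart Install has been explicitly disabled with `no vstack` (the Cisco command for that). The sample configuration and the peer allowlist are constructed for the example; the interface names and addresses in it are not from the page.

```python
"""Audit a Cisco IOS-style running-config for unapproved tunnel interfaces
and for Smart Install that has not been explicitly disabled.

Added example for this article; the configuration text, hostname, addresses
and the ALLOWED_TUNNEL_PEERS baseline below are all constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: Tunnel0 is a documented site-to-site link, Tunnel7 is an
# undocumented GRE tunnel to an address that is not in the baseline, and there
# is no "no vstack" line, so Smart Install has not been turned off.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface Tunnel0
 description site-to-site to HQ
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel7
 ip address 172.31.99.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

# Assumed baseline of tunnel peers the organisation actually operates.
ALLOWED_TUNNEL_PEERS: Set[str] = {"203.0.113.10"}

INTERFACE_RE = re.compile(r"^interface (\S+)$")


@dataclass
class Tunnel:
    name: str
    destination: Optional[str] = None
    mode: Optional[str] = None
    description: Optional[str] = None


def parse_tunnels(config: str) -> List[Tunnel]:
    """Return every 'interface TunnelN' block with its destination and mode."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None

    def flush() -> None:
        if current is not None and current.name.lower().startswith("tunnel"):
            tunnels.append(current)

    for raw in config.splitlines():
        line = raw.rstrip()
        m = INTERFACE_RE.match(line)
        if m:                      # a new interface block starts
            flush()
            current = Tunnel(name=m.group(1))
            continue
        if line.startswith("!"):   # IOS block separator ends the current block
            flush()
            current = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("tunnel destination "):
            current.destination = stripped.split(None, 2)[2]
        elif stripped.startswith("tunnel mode "):
            current.mode = stripped.split(None, 2)[2]
        elif stripped.startswith("description "):
            current.description = stripped.split(None, 1)[1]
    flush()
    return tunnels


def smart_install_explicitly_disabled(config: str) -> bool:
    """True only if the config carries 'no vstack' (Smart Install turned off)."""
    return any(l.strip() == "no vstack" for l in config.splitlines())


def audit(config: str, allowed_peers: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    for t in parse_tunnels(config):
        if t.destination is None:
            findings.append(f"{t.name}: tunnel interface has no destination (incomplete block)")
        elif t.destination not in allowed_peers:
            findings.append(
                f"{t.name}: {t.mode or 'unknown-mode'} tunnel to unapproved peer "
                f"{t.destination} ({t.description or 'no description'})"
            )
    if not smart_install_explicitly_disabled(config):
        findings.append("Smart Install not explicitly disabled ('no vstack' absent)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ALLOWED_TUNNEL_PEERS):
        print("FINDING:", finding)
```

Run against a configuration exported from a device, the script is most useful as a diff-style control: keep the approved peer set under change control and alert on any tunnel whose destination is not in it, which is exactly the “creation of unauthorized tunnels” signal the monitoring recommendation above asks for.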
The challenge is that these attackers can target any vulnerable device, not just those belonging to their primary targets. A compromised router at a small business could be used as a stepping stone to attack a larger, more critical organization, making widespread vigilance essential.