China’s Salt Typhoon: A Persistent Threat to Global Critical Infrastructure

Over the past several years, a sophisticated cyberespionage group known as Salt Typhoon, linked to China’s state-sponsored activities, has systematically infiltrated critical infrastructure networks worldwide. By exploiting known vulnerabilities in network devices, particularly routers, Salt Typhoon has maintained persistent access across telecommunications, government, and military sectors, thereby enhancing Beijing’s global surveillance capabilities.

Scope and Impact of Salt Typhoon’s Operations

Salt Typhoon, also identified by aliases such as GhostEmperor, Operator Panda, RedMike, and UNC5807, has been active in cyberespionage campaigns targeting nations including the United States, Australia, Canada, New Zealand, and the United Kingdom. Since at least 2021, the group has focused on sectors such as telecommunications, government agencies, transportation, lodging, and military infrastructure. The group's operations have been linked to China-based companies like Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd., which are known for providing cyber products and services to Chinese intelligence agencies.

The data exfiltrated from these intrusions, particularly from telecommunications and Internet service providers (ISPs), as well as from the lodging and transportation sectors, equips Chinese intelligence services with the capability to monitor and track communications and movements of targets globally.

Exploitation of Known Vulnerabilities

Salt Typhoon has demonstrated a strategic approach by exploiting publicly disclosed vulnerabilities in widely used network devices. Notably, the group has targeted Cisco devices, leveraging vulnerabilities such as CVE-2018-0171, CVE-2023-20198, and CVE-2023-20273. These exploits have enabled the group to gain initial access to networks, establish persistence, and exfiltrate sensitive information.

In addition to Cisco devices, Salt Typhoon has also targeted vulnerabilities in Ivanti products, specifically CVE-2024-3400. By exploiting these weaknesses, the group has been able to infiltrate and maintain access to critical infrastructure networks, underscoring the importance of timely patching and vulnerability management.

Notable Incidents and Targets

One significant incident attributed to Salt Typhoon involved the compromise of a U.S. state’s Army National Guard network. Between March and December 2024, the group accessed the network, exfiltrated configuration information, and intercepted communications with counterparts in other states and territories. This breach provided Salt Typhoon with administrator credentials and network diagrams, potentially facilitating further intrusions into other units’ networks and their state-level cybersecurity partners.

The Department of Defense (DoD) expressed concern that such access could hinder state-level cybersecurity partners’ ability to defend U.S. critical infrastructure against Chinese cyber campaigns during crises or conflicts. The DoD’s report highlighted that Salt Typhoon’s activities could undermine local efforts to protect critical infrastructure, as National Guard units in 14 states are integrated with centers responsible for threat intelligence, and one state’s unit provides cyber defense services.

In response to these intrusions, the National Guard Bureau confirmed awareness of the DoD report and emphasized that the attack had not prevented the National Guard from fulfilling its state or federal missions. The Bureau stated that security protocols are in place to mitigate further risks and contain potential data compromises, with ongoing coordination with the Department of Homeland Security and other federal partners.

Global Reach and Implications

Salt Typhoon’s activities are not confined to the United States. The group has also targeted telecommunications companies in Canada. In mid-February 2025, three network devices belonging to a Canadian telecommunications company were compromised. The attackers exploited CVE-2023-20198 to retrieve configuration files and modified at least one file to configure a GRE tunnel, enabling traffic collection from the network.
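The Canadian incident above turned on two things a defender can check in a device's running configuration: whether the IOS XE web UI that CVE-2023-20198 is reached through is enabled, and whether a GRE tunnel now points at a peer nobody approved. The audit script below is an added example written for this article, not tooling from the FBI, the Canadian Centre for Cyber Security or Cisco; the config text is constructed, the tunnel-peer allowlist is an assumed input the operator maintains, and the treatment of a missing `tunnel mode` line as GRE reflects the IOS default.

```python
import ipaddress

# Constructed sample of a Cisco IOS-style running-config (not from any real device).
# Tunnel200 is the known site-to-site link; Tunnel666 points at an unknown peer.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
!
interface Tunnel200
 ip address 10.200.0.1 255.255.255.252
 tunnel destination 198.51.100.200
 tunnel mode gre ip
!
interface Tunnel666
 ip address 10.66.0.1 255.255.255.252
 tunnel destination 203.0.113.77
!
"""

def parse_interfaces(config):
    """Return {name: [stripped sub-lines]} for every interface stanza."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit_config(config, allowed_tunnel_peers):
    """Flag an enabled web UI and GRE tunnels whose peer is not on the allowlist."""
    findings = []
    allowed = {ipaddress.ip_address(p) for p in allowed_tunnel_peers}
    # CVE-2023-20198 is reachable only via the HTTP(S) web UI, so note when it is on.
    for line in config.splitlines():
        if line.strip() in ("ip http server", "ip http secure-server"):
            findings.append(("web-ui-enabled", line.strip()))
    for name, body in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        # IOS defaults Tunnel interfaces to GRE when no 'tunnel mode' line is present.
        mode = next((l for l in body if l.startswith("tunnel mode ")), "tunnel mode gre ip")
        dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination ")), None)
        if "gre" in mode and dest and ipaddress.ip_address(dest) not in allowed:
            findings.append(("unapproved-gre-tunnel", f"{name} -> {dest}"))
    return findings
```

Run the audit against a config pulled over an out-of-band channel and compare with the last known-good baseline; a tunnel the allowlist does not explain is the artefact to investigate.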

The Canadian Centre for Cyber Security and the FBI have issued warnings regarding these attacks, emphasizing the need for telecommunications companies to bolster their network security to prevent similar cyberespionage activities.

Recommendations and Mitigation Strategies

In light of Salt Typhoon’s persistent and sophisticated operations, federal authorities have urged telecommunications companies and other critical infrastructure entities to enhance their network security measures. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have provided guidance to help organizations identify and mitigate the risks associated with such cyberespionage campaigns.

Key recommendations include:

– Regularly updating and patching network devices: Ensuring that all network equipment is up to date with the latest security patches to mitigate known vulnerabilities.

– Implementing robust access controls: Restricting access to critical systems and data to authorized personnel only, and employing multi-factor authentication to enhance security.

– Conducting regular security assessments: Performing periodic security audits and vulnerability assessments to identify and address potential weaknesses in the network infrastructure.

– Monitoring network traffic: Implementing continuous monitoring solutions to detect and respond to suspicious activities promptly.

– Educating employees: Providing cybersecurity awareness training to staff to recognize and report potential threats, such as phishing attempts.

By adopting these measures, organizations can strengthen their defenses against sophisticated threat actors like Salt Typhoon and protect their critical infrastructure from potential compromises.

Conclusion

The activities of Salt Typhoon underscore the evolving and persistent nature of state-sponsored cyber threats targeting global critical infrastructure. The group’s ability to exploit known vulnerabilities and maintain long-term access to sensitive networks highlights the importance of proactive cybersecurity practices. Organizations must remain vigilant, implement robust security measures, and collaborate with governmental agencies to mitigate the risks posed by such advanced persistent threats.