Chinese State-Sponsored Hackers Target Global Telecommunications Infrastructure to Harvest Sensitive Data

In late 2024, a sophisticated cyber espionage campaign emerged, targeting telecommunications infrastructure worldwide. The group behind these operations, identified as Salt Typhoon, is believed to be backed by the Chinese government. Their primary focus has been on infiltrating routers, firewalls, VPN gateways, and lawful intercept systems within major telecom providers.

Tactics and Techniques

Salt Typhoon employs a combination of advanced tactics to achieve persistent access to targeted networks:

– Exploitation of Public-Facing Vulnerabilities: The group exploits known vulnerabilities in network edge devices. For instance, they have targeted the web interfaces of routers, such as CVE-2023-20198 on Cisco IOS XE and CVE-2023-35082 in Ivanti Connect Secure appliances.

– Deployment of Custom Firmware Implants: After gaining initial access, Salt Typhoon deploys bespoke firmware rootkits, internally referred to as Demodex. These implants are designed to survive device reboots and evade standard detection mechanisms, ensuring long-term persistence within the network.

– Living-off-the-Land Binaries (LOLBins): The attackers utilize legitimate system tools and binaries to execute malicious activities, reducing the likelihood of detection by security software.

Command and Control Infrastructure

The group’s command and control (C2) infrastructure is meticulously crafted to blend with normal network traffic:

– Encrypted Communication Channels: Salt Typhoon establishes encrypted C2 channels over DNS beacons or HTTPS on TCP port 443. These channels are designed to mimic routine firmware update checks, making them less likely to raise suspicion.

– Domain Registration Patterns: Analysts have observed distinctive domain registration patterns associated with Salt Typhoon’s infrastructure. The group often uses fabricated U.S. personas and ProtonMail accounts for WHOIS entries, an unusual lapse in operational security for a state-sponsored actor.
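The two C2 traits described above, near-periodic "update check" connections over 443 and DNS beacons, both leave a statistical footprint in ordinary proxy and resolver logs. The following Python script is an added illustration, not code from the original article or from any vendor; it assumes a constructed space-separated log format (`<epoch> <src_ip> <proto> <dst_host> <dst_port>`) and constructed sample lines, and treats the last two labels of a hostname as the registrable domain because it carries no public-suffix list. It scores each source/destination pair on timing regularity (coefficient of variation of inter-arrival gaps) and on the entropy of leftmost DNS labels.

```python
"""Beacon and DNS-tunnel triage over constructed log lines (added example).

Assumed log format (constructed, not any vendor's):
    <epoch_seconds> <src_ip> <proto> <dst_host> <dst_port>
"""
import math
import statistics
from collections import defaultdict

# Constructed sample: 10.0.0.5 contacts an update-check lookalike every
# ~300 s over 443 and sends random-looking DNS labels; 10.0.0.7 is normal.
SAMPLE_LOG = """\
1700000000 10.0.0.5 tcp update-check.example-fw.net 443
1700000300 10.0.0.5 tcp update-check.example-fw.net 443
1700000601 10.0.0.5 tcp update-check.example-fw.net 443
1700000899 10.0.0.5 tcp update-check.example-fw.net 443
1700001200 10.0.0.5 tcp update-check.example-fw.net 443
1700001501 10.0.0.5 tcp update-check.example-fw.net 443
1700000010 10.0.0.5 dns x7q9zk2m4v1p8.tunnel.example-fw.net 53
1700000310 10.0.0.5 dns h3j8w1r6t2y5n.tunnel.example-fw.net 53
1700000611 10.0.0.5 dns q2p7v9c4k1m8z.tunnel.example-fw.net 53
1700000907 10.0.0.5 dns b5n2x8j4w7r1t.tunnel.example-fw.net 53
1700000012 10.0.0.7 tcp www.example.com 443
1700000150 10.0.0.7 tcp mail.example.com 443
1700001400 10.0.0.7 tcp cdn.example.com 443
1700000050 10.0.0.7 dns www.example.com 53
"""


def parse_log(text):
    """Parse the constructed format into (ts, src, proto, host, port) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, proto, host, port = line.split()
            events.append((int(ts), src, proto, host, int(port)))
    return events


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def timing_regularity(timestamps):
    """Coefficient of variation of inter-arrival gaps; lower means more
    periodic. Returns None when there are fewer than two gaps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return None if mean == 0 else statistics.pstdev(gaps) / mean


def registered_domain(host):
    # Assumption: last two labels are the registrable domain (no PSL here).
    return ".".join(host.split(".")[-2:])


def find_beacons(events, min_events=4, max_cv=0.1):
    """Flag (src, host, port) pairs contacted at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, proto, host, port in events:
        if proto == "tcp":
            by_pair[(src, host, port)].append(ts)
    hits = []
    for (src, host, port), ts in by_pair.items():
        cv = timing_regularity(ts) if len(ts) >= min_events else None
        if cv is not None and cv <= max_cv:
            hits.append({"src": src, "dst": host, "port": port,
                         "count": len(ts), "cv": round(cv, 3)})
    return hits


def find_dns_tunnels(events, min_entropy=3.0, min_label_len=10, min_queries=3):
    """Flag (src, domain) pairs with repeated long, high-entropy leftmost labels."""
    by_domain = defaultdict(list)
    for ts, src, proto, host, port in events:
        if proto == "dns":
            by_domain[(src, registered_domain(host))].append(host)
    hits = []
    for (src, domain), hosts in by_domain.items():
        odd = [h for h in hosts
               if len(h.split(".")[0]) >= min_label_len
               and label_entropy(h.split(".")[0]) >= min_entropy]
        if len(odd) >= min_queries:
            hits.append({"src": src, "domain": domain,
                         "queries": len(hosts), "high_entropy": len(odd)})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_beacons(evs):
        print("beacon candidate:", hit)
    for hit in find_dns_tunnels(evs):
        print("dns tunnel candidate:", hit)
```

Thresholds (`max_cv`, `min_entropy`, `min_label_len`) are starting points to be tuned against a site's own baseline: legitimate update agents also poll on fixed schedules, so a beacon hit is a lead for checking whether the destination is a known vendor endpoint, not a verdict on its own.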

Data Exfiltration and Potential Impact

Once embedded within a network, Salt Typhoon focuses on exfiltrating high-value data:

– Harvesting Sensitive Information: The group collects lawful intercept logs, call detail records (CDRs), and configuration dumps from edge routers. This data provides insights into user communication patterns and network topologies.

– Potential for Disruption: Beyond data theft, the persistent access achieved by Salt Typhoon grants them the capability to disrupt or reroute communications during geopolitical crises. By maintaining backdoor access to core routers, they could degrade service or enable additional espionage within allied defense and government networks.

Infection Mechanism

The precision of Salt Typhoon’s exploitation and implant deployment is noteworthy:

– Minimalistic Loader Deployment: The group’s engineers have developed a minimalistic loader that leverages the router’s own command shell to write malicious binaries into system directories and modify startup scripts.

– Persistence Techniques: For example, on a Juniper device, the attackers might inject the following code into the configuration:

```shell
# Append the loader to the startup script so it runs on every boot
echo "/usr/bin/demodex_loader &" >> /etc/rc.d/rc.local
chmod +x /usr/bin/demodex_loader
# Write the implant to the flash partition so it survives reboots
/usr/bin/demodex_loader --install --target=/dev/mtd0
```

This code ensures that the malicious loader is executed during the device’s boot sequence and that the rootkit is flashed into the device’s memory.
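The modification described above is visible to anyone who compares a device's startup script against a known-good copy or an allowlist of expected services. The Python audit below is an added example, not code from the article or from any vendor; it takes the text of a startup script such as `/etc/rc.d/rc.local`, and the baseline set of binaries, the list of unexpected launch directories and the sample script are all constructed for illustration. It reports entries that launch binaries outside the baseline, that reference a flash device node such as `/dev/mtd0`, or that are not present in the golden copy.

```python
"""Audit a startup script for added persistence entries (added example)."""
import re
import shlex

# Constructed baseline: services this hypothetical device is expected to
# launch from its startup script. Anything else is reported.
EXPECTED_BINARIES = {"/sbin/syslogd", "/usr/sbin/sshd", "/sbin/ntpd"}

# Constructed list of directories from which no baseline service on this
# device is launched; a loader dropped there is worth a closer look.
UNEXPECTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/usr/bin/", "/usr/local/bin/")

# Flash device nodes whose presence in a startup script suggests an implant
# being written to non-volatile storage.
FLASH_DEVICES = re.compile(r"/dev/mtd(block)?\d*")

# Constructed known-good copy of the script and a constructed current copy
# carrying the kind of entry described in the article.
GOLDEN_RC_LOCAL = """\
#!/bin/sh
/sbin/syslogd -n &
/usr/sbin/sshd
/sbin/ntpd -p pool.example.net
exit 0
"""

SAMPLE_RC_LOCAL = """\
#!/bin/sh
/sbin/syslogd -n &
/usr/sbin/sshd
/sbin/ntpd -p pool.example.net
/usr/bin/demodex_loader &
/usr/bin/demodex_loader --install --target=/dev/mtd0
exit 0
"""


def audit_startup_script(text, expected=EXPECTED_BINARIES):
    """Return one finding per suspicious command line in the script."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append({"line": lineno, "binary": None,
                             "reasons": ["unparseable line"], "text": raw})
            continue
        # A trailing '&' is a separate token in shlex; strip it so the
        # backgrounded command is classified by its binary.
        backgrounded = bool(tokens) and tokens[-1] == "&"
        if backgrounded:
            tokens = tokens[:-1]
        if not tokens:
            continue
        binary = tokens[0]
        reasons = []
        if binary not in expected:
            reasons.append("binary not in baseline")
            if backgrounded:
                reasons.append("backgrounded at boot")
        if binary.startswith(UNEXPECTED_DIRS):
            reasons.append("launched from unexpected directory")
        if FLASH_DEVICES.search(line):
            reasons.append("references flash device node")
        if reasons:
            findings.append({"line": lineno, "binary": binary,
                             "reasons": reasons, "text": raw})
    return findings


def added_lines(golden_text, current_text):
    """Lines in the current script that do not appear in the golden copy."""
    golden = {l.strip() for l in golden_text.splitlines()}
    return [l for l in current_text.splitlines()
            if l.strip() and l.strip() not in golden]


if __name__ == "__main__":
    for f in audit_startup_script(SAMPLE_RC_LOCAL):
        print(f"line {f['line']}: {', '.join(f['reasons'])}: {f['text']}")
    for l in added_lines(GOLDEN_RC_LOCAL, SAMPLE_RC_LOCAL):
        print("not in golden copy:", l)
```

The golden-copy comparison is the stronger of the two checks, because it needs no guesses about which directories are "unexpected"; the allowlist audit is useful where no trusted copy of the script was retained before the incident. In practice both should run against a copy of the script pulled over an out-of-band management channel, and the binaries they name should be hashed and compared with the vendor image rather than trusted because they live in a system directory.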

Broader Context

Salt Typhoon’s activities are part of a larger pattern of Chinese state-sponsored cyber operations targeting critical infrastructure:

– Semiconductor Industry Attacks: Between March and June 2025, Chinese hackers targeted Taiwan’s semiconductor industry, employing weaponized Cobalt Strike beacons and advanced social engineering tactics. The attackers used employment-themed phishing emails to deliver malicious payloads, reflecting China’s strategic imperative to achieve technological self-sufficiency in this vital sector. ([cybersecuritynews.com](https://cybersecuritynews.com/chinese-state-sponsored-hackers-attacking-semiconductor-industry/?utm_source=openai))

– Exploitation of Microsoft Exchange Servers: In a separate campaign, Chinese hackers exploited vulnerabilities in Microsoft Exchange servers to steal COVID-19 research data from American universities. The attackers gained access to email accounts of virologists and immunologists, highlighting the breadth of China’s cyber espionage efforts. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-exploit-microsoft-exchange-servers/?utm_source=openai))

– Router and IoT Device Hijacking: Chinese hackers have also been reported to hijack routers and IoT devices to create massive botnets. A joint advisory by the FBI, CNMF, and NSA revealed that PRC-linked hackers compromised thousands of internet-connected devices, including small office/home office (SOHO) routers, firewalls, network-attached storage (NAS), and IoT devices, to create a botnet managed by a PRC-based company named Integrity Technology Group. ([cybersecuritynews.com](https://cybersecuritynews.com/chinese-hackers-hijacked-routers/?utm_source=openai))

Implications for Global Security

The persistent and sophisticated nature of Salt Typhoon’s operations underscores the evolving threat landscape in cyberspace. Telecommunications providers and other critical infrastructure entities must remain vigilant, implementing robust security measures to detect and mitigate such advanced threats. Collaboration between international cybersecurity agencies and private sector partners is essential to counteract these state-sponsored cyber activities effectively.