Salt Typhoon Hackers Infiltrate U.S. Telecom Networks Using Cisco Vulnerabilities and Stolen Credentials

By Admin | 2025-02-21 | Vulnerabilities

A sophisticated hacking group known as “Salt Typhoon” has been linked to a string of cyberattacks targeting major U.S. telecommunications networks, according to a report by Cisco Talos. The campaign, which began in late 2024, involved the exploitation of known vulnerabilities in Cisco devices and the use of stolen credentials to breach critical infrastructure.

The U.S. government has confirmed the attacks, raising serious concerns over the security of national telecom networks.

Exploitation of Cisco Vulnerabilities

Salt Typhoon used a combination of legitimate credentials and known Cisco vulnerabilities to gain deep access to core networking systems.

One confirmed exploit involved CVE-2018-0171, a flaw in Cisco’s Smart Install feature that allows for remote code execution—a vulnerability previously linked to multiple cyber incidents.

Although the primary attack vector was through stolen credentials, there are reports that Salt Typhoon may have attempted to exploit additional vulnerabilities, including:

  • CVE-2023-20198
  • CVE-2023-20273
  • CVE-2024-20399

However, no new vulnerabilities were discovered during the investigation. Cisco Talos emphasized the critical need for regular patching and strict adherence to security best practices to mitigate known risks.

Advanced Techniques and Long-Term Persistence

Salt Typhoon displayed remarkable persistence, maintaining unauthorized access to some networks for up to three years. Using “living-off-the-land” (LOTL) tactics, they avoided detection by leveraging built-in network tools.

Key attack strategies included:

  • Credential Harvesting: Capturing SNMP, TACACS+, and RADIUS traffic to steal authentication data.
  • Configuration Exfiltration: Extracting device settings, often containing weakly encrypted passwords and network architecture details.
  • Lateral Movement: Using compromised devices to pivot within networks, expanding their reach.
  • Device Modifications: Altering configurations like access control lists (ACLs) and creating unauthorized accounts for continued access.

The group also utilized a custom tool named “JumbledPath” for remote packet capture, masking their movements through multi-hop connections.

To remain undetected, Salt Typhoon frequently:

  • Cleared logs (e.g., .bash_history, auth.log)
  • Restored device configurations post-attack
  • Modified authentication servers
  • Used high-port SSH servers for persistent access

Mitigation and Security Recommendations

Cisco Talos advises all organizations—especially in critical sectors—to:

  • Monitor syslogs, AAA logs, and network behavior for unusual activities.
  • Implement Multi-Factor Authentication (MFA) to reduce credential-based risks.
  • Disable unnecessary services like Smart Install.
  • Enforce strict configuration management and regularly update device firmware.
  • Segment networks to limit lateral movement in case of compromise.

While telecom networks were Salt Typhoon’s primary target, Cisco Talos warns that their methods could be applied to other sectors, making it vital for all industries to remain vigilant.

The extended timeline of these attacks highlights the growing threat posed by Advanced Persistent Threats (APTs) and reinforces the need for proactive cybersecurity strategies to safeguard critical infrastructure.