Executive Summary
Salt Typhoon, a China-linked advanced persistent threat (APT) group, has been conducting a persistent cyber-espionage campaign since at least 2019. The group targets telecommunications providers, government agencies, transportation, lodging, and military infrastructure worldwide, exploiting vulnerabilities in network edge devices from Cisco, Ivanti, and Palo Alto Networks to gain and maintain access. By modifying router configurations, enabling persistent services, and stealing administrator credentials via TACACS+ and RADIUS traffic captures, Salt Typhoon ensures long-term footholds in compromised environments. Over 600 organizations across 80 countries, including more than 200 in the United States, have been affected.
Background on Salt Typhoon
Salt Typhoon overlaps with activity tracked as GhostEmperor, Operator Panda, RedMike, and UNC5807. The group is linked to three Chinese companies—Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.—which are believed to provide technical support and services to China’s Ministry of State Security (MSS) and People’s Liberation Army (PLA).
The APT specializes in exploiting widely deployed but often unpatched vulnerabilities in telecom and network equipment. Instead of relying on novel zero-days, Salt Typhoon leverages long-known flaws such as Cisco Smart Install (CVE-2018-0171), Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887), and Palo Alto PAN-OS (CVE-2024-3400). Stolen data enables Beijing to monitor global communications, track individuals’ movements, and expand espionage capabilities.
Vulnerability Details
CVE-ID: CVE-2018-0171
- CVSS Score: 9.8 (Critical)
- Vulnerability Type: Remote Code Execution (Cisco Smart Install feature)
- Affected Software: Cisco IOS and IOS XE devices with Smart Install enabled
- Patched in: Cisco Security Updates
- Details: Allows unauthenticated attackers to send crafted Smart Install messages to trigger code execution or reload vulnerable devices.
CVE-ID: CVE-2023-20198
- CVSS Score: 10.0 (Critical)
- Vulnerability Type: Privilege Escalation / Backdoor Access
- Affected Software: Cisco IOS XE Web UI
- Patched in: Cisco Security Updates
- Details: Allows attackers to gain initial access and create a local user and password combination, logging in with normal user access.
CVE-ID: CVE-2023-20273
- CVSS Score: 7.5 (High)
- Vulnerability Type: Privilege Escalation
- Affected Software: Cisco IOS XE Web UI
- Patched in: Cisco Security Updates
- Details: Can be chained with CVE-2023-20198 to elevate user privileges to root and write the implant to the file system, achieving full compromise.
CVE-ID: CVE-2023-46805
- CVSS Score: 9.8 (Critical)
- Vulnerability Type: Authentication Bypass
- Affected Software: Ivanti Connect Secure, Ivanti Policy Secure
- Patched in: Versions listed here
- Details: Enables remote attackers to bypass authentication control checks and access restricted features.
CVE-ID: CVE-2024-21887
- CVSS Score: 9.1 (Critical)
- Vulnerability Type: Command Injection
- Affected Software: Ivanti Connect Secure, Ivanti Policy Secure
- Patched in: Versions listed here
- Details: Lets authenticated administrators run arbitrary commands on the appliance. By sending specially crafted requests to vulnerable web components, attackers can gain full control of the device. Can be chained with CVE-2023-46805 for full remote code execution.
CVE-ID: CVE-2024-3400
- CVSS Score: 10.0 (Critical)
- Vulnerability Type: Command Injection
- Affected Software: Palo Alto Networks PAN-OS
- Patched in: PAN-OS 10.2.9-h1, 11.0.4-h1, 11.1.2-h3 and later
- Details: Can allow unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The issue stems from arbitrary file creation in certain PAN-OS versions and configurations, making it possible for attackers to fully compromise the device.
Infection Method
Salt Typhoon’s operations follow this chain:
- Initial Access: Exploitation of vulnerable edge devices from Cisco, Ivanti, and Palo Alto Networks.
- Persistence: Attackers modify Access Control Lists (ACLs), open ports, and establish GRE tunnels for ongoing access.
- Privilege Escalation: Creation of backdoor accounts (e.g., via sshd_opens service on Cisco IOS XR devices) with sudo/root privileges.
- Credential Theft: Collection of TACACS+ and RADIUS traffic to steal highly privileged administrator credentials.
- Lateral Movement: Pivoting from compromised devices into connected internal networks.
- Data Exfiltration: Capturing and exfiltrating PCAPs and other sensitive network data.
Behavior and Capabilities
Salt Typhoon’s activity is not centered around traditional malware binaries but instead involves network-level persistence and espionage techniques, including:
- Modification of router configurations to add attacker-controlled IPs.
- Deployment of GRE tunnels for covert persistence.
- Packet capture (PCAP) collection for credential theft.
- Abuse of authentication protocols (TACACS+, RADIUS).
- Enabling services (e.g., sshd_opens) for persistent privileged access.
- Lateral movement via trusted network connections.
- Long-term espionage and data theft at a global scale.
Techniques Include (MITRE ATT&CK Mapping)
- T1190 – Exploit Public-Facing Applications: Exploitation of Cisco, Ivanti, and Palo Alto devices.
- T1078 – Valid Accounts: Creation of rogue admin users for persistence.
- T1071 – Application Layer Protocol: Use of GRE tunnels and modified network services for C2.
- T1557 – Adversary-in-the-Middle: Capturing TACACS+/RADIUS authentication traffic.
- T1555 – Credentials from Password Stores: Credential theft from intercepted traffic.
- T1562 – Impair Defenses: Modifying ACLs and port configurations.
- T1048 – Exfiltration Over Alternative Protocol: Using GRE and PCAPs for data theft.
Visual: Salt Typhoon Attack Flow
[Exposed Edge Device (Cisco / Ivanti / Palo Alto)]
↓ [Exploit Known Vulnerability (CVE-2018-0171, CVE-2023-46805, etc.)]
↓ [Modify Configurations / Add ACL Rules / Enable sshd_opens Service]
↓ [Persistent Access via GRE Tunnel + Rogue Accounts]
↓ [Capture TACACS+/RADIUS Traffic & Harvest Credentials]
↓ [Lateral Movement into Internal Networks]
↓ [Data Exfiltration via GRE / PCAPs]
↓ [Long-Term Espionage Operations Supporting Chinese Intelligence]
IOCs (Indicators of Compromise)
(Representative; not exhaustive)
- Creation of unexpected GRE tunnels on network edge devices.
- Presence of the sshd_opens service on Cisco IOS XR devices.
- Unauthorized ACL modifications adding unknown IP addresses.
- Traffic to non-standard ports (e.g., TCP/57722).
- Collection of TACACS+ traffic on TCP/49.
Threat Actor Attribution
Salt Typhoon has been attributed to China’s state-backed intelligence ecosystem, operating through contractors and private companies providing cyber capabilities to the MSS and PLA. Entities linked include:
- Sichuan Juxinhe Network Technology Co., Ltd.
- Beijing Huanyu Tianqiong Information Technology Co., Ltd.
- Sichuan Zhixin Ruijie Network Technology Co., Ltd.
Mitigation Steps
- Patch Software: Immediately update Cisco IOS XE, Ivanti Connect/Policy Secure, and Palo Alto PAN-OS devices to the latest versions.
- Audit Configurations: Regularly review Access Control Lists (ACLs), port configurations, and admin accounts for unauthorized changes.
- Strengthen Authentication: Enforce multi-factor authentication (MFA) for network devices.
- Monitor Network Activity: Watch for GRE tunnel creation, unexpected PCAP collection, and anomalous connections on non-standard ports.
- Segmentation & Least Privilege: Restrict device-to-device communication and limit administrative access.
- Threat Hunting: Actively search for signs of persistence mechanisms such as sshd_opens and backdoor accounts.
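The configuration audit and threat-hunting steps above can be partly automated. The following is an added example (not from the advisory or any vendor tool) that scans a constructed Cisco IOS-style running-config for the three indicators the advisory lists: GRE tunnel interfaces that are not on record, ACL entries permitting hosts outside the management allowlist, and privilege-15 users not in the admin inventory. The allowlists and the sample config are hypothetical.

```python
import re
from typing import Dict, List, Set

# Constructed sample of an IOS-style running-config showing the kinds of
# changes described in the advisory (GRE tunnel, ACL entry for an unknown
# host, an extra privilege-15 user). Not a real device configuration.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
ip access-list extended MGMT-IN
 permit tcp host 10.10.0.5 any eq 22
 permit tcp host 198.51.100.77 any eq 22
 deny ip any any
"""

# Hypothetical allowlists that an operator maintains from change records.
KNOWN_ADMINS: Set[str] = {"netadmin"}
KNOWN_MGMT_HOSTS: Set[str] = {"10.10.0.5"}
KNOWN_TUNNELS: Set[str] = set()  # no GRE tunnels are expected on this device


def audit_config(config: str, known_admins: Set[str], known_hosts: Set[str],
                 known_tunnels: Set[str]) -> Dict[str, List[str]]:
    """Return findings grouped by indicator for an IOS-style config text."""
    findings: Dict[str, List[str]] = {"rogue_users": [], "gre_tunnels": [], "unknown_acl_hosts": []}
    current_iface = None  # tracks which "interface Tunnel..." block we are in
    for line in config.splitlines():
        if line.strip() == "!" or (line.startswith("interface ") and "Tunnel" not in line):
            current_iface = None
        m = re.match(r"username (\S+) privilege 15", line)
        if m and m.group(1) not in known_admins:
            findings["rogue_users"].append(m.group(1))
        m = re.match(r"interface (Tunnel\d+)", line)
        if m:
            current_iface = m.group(1)
        if current_iface and line.strip().startswith("tunnel mode gre") and current_iface not in known_tunnels:
            findings["gre_tunnels"].append(current_iface)
        m = re.match(r"\s*permit \S+ host (\S+)", line)
        if m and m.group(1) not in known_hosts:
            findings["unknown_acl_hosts"].append(m.group(1))
    return findings


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG, KNOWN_ADMINS, KNOWN_MGMT_HOSTS, KNOWN_TUNNELS))
```

Run it against `show running-config` output collected out of band and compare the findings with your change tickets; any hit without a matching ticket is a candidate for the persistence mechanisms described above.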
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.