China-linked Hackers Exploit Cisco, Ivanti, and Palo Alto Networks to Breach Hundreds of Orgs
A sophisticated hacking group, believed to be backed by China and dubbed Salt Typhoon, is actively compromising networks globally. Their targets span critical industries, including telecommunications, government agencies, transportation, the hospitality sector, and even military infrastructure.

A hacking group with ties to China, known as Salt Typhoon, is actively targeting networks around the globe. This isn't just some small-time operation; they're going after big players in telecommunications, government, transportation, hotels, and even military infrastructure.
According to a joint cybersecurity advisory released this week, these hackers aren't just looking for a quick hit. They're modifying routers to maintain long-term access, focusing on major telecom providers' routers and using compromised devices to sneak into other networks.
A bulletin from authorities in 13 countries names three Chinese companies allegedly involved: Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.
These companies reportedly provide cyber services to Chinese intelligence, using stolen data to track communications and movements worldwide, especially from telecoms and ISPs.
The advisory has the backing of a broad coalition: Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the U.K., and the U.S. are all on board.
Brett Leatherman, head of the FBI's Cyber Division, says Salt Typhoon has been at it since at least 2019, carrying out a persistent espionage campaign.
While the U.S. seems to be the primary target, Dutch intelligence agencies say that hackers have also accessed routers of smaller ISPs and hosting providers in the Netherlands. Luckily, there's no sign they went any further.
The UK's National Cyber Security Centre adds that since 2021, the group has targeted critical sectors globally, including government, telecoms, transportation, lodging, and military infrastructure, with a notable concentration of activity in the UK.
According to reports in The Wall Street Journal and The Washington Post, Salt Typhoon has hit at least 600 organizations across 80 countries, with 200 of those in the U.S.
Salt Typhoon, sometimes linked to other hacking groups like GhostEmperor and Operator Panda, often gets in by exploiting vulnerabilities in network edge devices from companies like Cisco, Ivanti and Palo Alto Networks, using vulnerabilities like CVE-2018-0171, CVE-2023-20198, CVE-2023-20273, CVE-2023-46805, CVE-2024-21887 and CVE-2024-3400.
Agencies warn that even devices owned by entities *not* directly targeted can be used as stepping stones to reach higher-value targets.
Once inside, they might modify configurations, add GRE tunnels for persistent access, and steal data.
They're also known to alter Access Control Lists (ACLs), open ports, and use Linux containers on Cisco devices to move around the network.
The group also abuses authentication protocols such as TACACS+ for lateral movement, and captures network traffic to harvest credentials.
In particular, the attackers collect packet captures (PCAPs) of TACACS+ traffic, which carries highly privileged credentials, enabling them to compromise further accounts.
They might also enable the sshd_operns service on Cisco IOS XR devices to create a local user with root privileges.
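As an added defender-side example (not code from the article or the advisory it summarises), this Python script compares a Cisco IOS-style running-config against a trusted baseline and flags the changes described above: a new tunnel interface (GRE by default), an added ACL entry and a new privilege-15 local user. Both configurations are constructed samples; the user names, addresses and redacted secrets are placeholders.

```python
# Constructed sample configs for this example; secrets and addresses are placeholders.
BASELINE = """\
username netops privilege 15 secret 5 <hash-redacted>
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
"""

CURRENT_CFG = """\
username netops privilege 15 secret 5 <hash-redacted>
username svc_backup privilege 15 secret 5 <hash-redacted>
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.23
 tunnel mode gre ip
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.23 any eq 22
 deny ip any any
"""

def parse_blocks(config):
    """Group an IOS-style config into {top-level line: [indented child lines]}."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blanks and '!' separator lines
        if line.startswith(" "):
            blocks.setdefault(header, []).append(line.strip())
        else:
            header = line.strip()
            blocks.setdefault(header, [])
    return blocks

def audit(baseline, current):
    """Return (indicator, detail) findings for items present in current but not in baseline."""
    base, cur = parse_blocks(baseline), parse_blocks(current)
    findings = []
    for header, children in cur.items():
        if header.startswith("interface Tunnel") and header not in base:
            # IOS tunnel interfaces default to GRE/IP when no 'tunnel mode' line is set
            mode = next((c for c in children if c.startswith("tunnel mode")), "gre ip (default)")
            dst = next((c for c in children if c.startswith("tunnel destination")), "no destination")
            findings.append(("new tunnel interface", f"{header}; {mode}; {dst}"))
        elif header.startswith("ip access-list"):
            for entry in children:
                if entry not in base.get(header, []):
                    findings.append(("new ACL entry", f"{header}: {entry}"))
        elif header.startswith("username") and " privilege 15 " in header and header not in base:
            findings.append(("new privileged user", header.split()[1]))
    return findings
```

Run `audit()` against a config pulled by your normal backup tooling and a baseline captured at a known-good point; any finding is a prompt to check change records before treating it as an intrusion indicator.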
Mandiant, owned by Google, notes that Salt Typhoon's familiarity with telecom systems gives them a significant advantage in evading defenses.
John Hultquist from Google Threat Intelligence Group says that "an ecosystem of contractors, academics, and other facilitators is at the heart of Chinese cyber espionage... Contractors are used to build tools and valuable exploits as well as carry out the dirty work of intrusion operations."
He also points out that targeting hospitality and transportation sectors could be used to closely surveil individuals, building a complete picture of who someone is talking to, where they are, and where they are going.