Cisco Reveals Salt Typhoon Telecom Network Intrusion Details

Cisco has released expanded analysis of the wide-ranging cyber espionage campaign known as Salt Typhoon, which has compromised multiple telecommunications providers.

The actor behind Salt Typhoon, suspected to have links to Beijing, has shown advanced capabilities: prolonged persistence on victim networks, extensive collection and exfiltration of sensitive data, and sophisticated techniques for evading detection. Cisco Talos, Cisco’s threat research team, has been following the operation since it was first reported in late 2024 and later corroborated by U.S. government agencies.

Cisco Talos’ investigation indicates Salt Typhoon infiltrated the core networks of several telecom operators by exploiting vulnerabilities and abusing legitimate credentials, enabling covert access that persisted for years in some cases.

Given the campaign’s scale, level of planning, and technical depth, Cisco assesses the activity aligns with known characteristics of state-sponsored advanced persistent threat (APT) groups. The targeted nature of the intrusions and their operational sophistication point to likely nation-state involvement.

Living-off-the-land techniques enabled long-term access

A defining trait of the campaign is its extensive use of living-off-the-land (LOTL) approaches. Rather than relying primarily on bespoke malware, the attackers used native system utilities and administrative features already present in the compromised environments to blend in and reduce detection risk.

Separately from Cisco's findings, industry sources report that state-linked personnel have been embedded in Western telecom organisations for extended periods, some allegedly for decades. These individuals range from trained intelligence officers to operatives acting on behalf of their governments for purposes that include influence, espionage, and potential sabotage.

By leveraging built-in or strategically placed tools within network devices, Salt Typhoon maintained long-term access without triggering alarms; Cisco documented at least one instance of continued access for more than three years.

While one intrusion showed evidence of exploitation of a legacy Cisco vulnerability (CVE-2018-0171), most break-ins were achieved using valid credentials stolen from victims.

Attackers expanded their access by harvesting additional credentials from compromised devices, recovering secrets stored with weak password encryption, and capturing management and authentication traffic such as SNMP, TACACS+, and RADIUS. A TACACS+ or RADIUS shared secret lifted from a device configuration lets captured authentication traffic be decrypted offline, yielding further usernames and passwords.

Immediate, actionable techniques and indicators

Salt Typhoon emphasised expansion and defence evasion within targeted networks. Key tactics observed include:

Credential compromise and expansion

The intruders gathered authentication material stored in device configurations, including SNMP community strings and other secrets. Secrets stored with weak password types could be recovered offline (Cisco's legacy type 7 encoding, for instance, is reversible by design, so anyone holding the configuration can decode it). Packet-capture tools such as tcpdump, and Cisco-specific utilities such as tpacap, were used to harvest sensitive data and locate security keys.

Exfiltration of device configurations

Attackers frequently exfiltrated device configuration files over TFTP or FTP. These files contained authentication material and detailed network topology information, enabling further reconnaissance and lateral movement.

Infrastructure pivoting

Salt Typhoon moved laterally by “jumping” between compromised devices, minimising suspicious traffic and exploiting trust relationships. In several cases, devices compromised within one telecom operator served as staging points to target systems in other operators, illustrating the risks posed by interconnected infrastructure.

Advanced techniques: device tampering, packet capture, and evasion

The group used a varied toolkit of advanced methods to deeply embed themselves while avoiding detection.

Device and configuration tampering

Attackers modified network devices and running configurations to secure persistent access and enable movement across networks. Observed changes included:

  • Altering AAA (Authentication, Authorization, and Accounting) server IP addresses.
  • Changing Access Control Lists (ACLs) to facilitate access.
  • Enabling or disabling Guest Shell, the Linux container environment available on some Cisco devices.
  • Installing SSH keys to maintain unauthorised persistent access.

Those changes reflect a strong operational understanding of network administration and advanced technical skill.

Packet capture and covert collection

To collect and exfiltrate data surreptitiously, the attackers used common packet-capture utilities such as tcpdump and platform features such as Embedded Packet Capture (EPC). They also deployed a custom tool named JumbledPath, an x86-64 binary that produces encrypted, obfuscated packet captures and relays them over multi-hop jump paths, concealing the origin and destination of the captured traffic and hiding the remote operation itself.

Defence evasion

Salt Typhoon took deliberate steps to erase traces and avoid detection. The actors routinely cleared logs (for example .bash_history, auth.log, and wtmp), reset device features after use (such as disabling Guest Shell), restored SSH settings to default values to remove evidence of added keys, and changed loopback interface addresses, sourcing onward SSH connections from them so the traffic matched addresses already permitted by access control lists.

Recommended mitigations

To defend against sophisticated intrusions of this nature, Cisco recommends strict security controls and a combination of vendor-specific and general best practices.

Cisco-specific measures

  • Disable legacy features and unused services: Turn off services such as Smart Install (no vstack) and unencrypted web servers (no ip http server).
  • Use stronger password storage: store local account passwords as type 8 (PBKDF2 with SHA-256) rather than type 5 or the reversible type 7, and use type 6 (AES, keyed by a device master key) for TACACS+ shared secrets.
  • Restrict Guest Shell: Disable Guest Shell on devices that do not need it (guestshell disable).
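
The credential-harvesting section and the password-type advice above both come down to what an attacker can recover from a stolen running-config. The audit script below is an added example written for this article, not Cisco's or Talos' tooling. It decodes type 7 strings with the fixed XOR key that has been public for decades, and flags cleartext values, type 5 hashes and SNMP community strings in a constructed sample configuration (hostname, addresses, hashes and secrets are all invented; the type 7 strings decode to "cisco" and "tacacs").

```python
import re

# Fixed XOR key behind Cisco IOS "type 7" encoding. It has been public since
# the 1990s, which is why type 7 provides obfuscation rather than protection.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

# "<password|secret|key> [<type digit>] <value>" at the end of a config line.
# A missing type digit means the value is stored in cleartext (type 0).
SECRET_RE = re.compile(r"\b(password|secret|key)\s+(?:(\d)\s+)?(\S+)\s*$")
SNMP_RE = re.compile(r"^snmp-server community (\S+)")

# Constructed sample running-config (not a real device; hashes are placeholders).
SAMPLE_CONFIG = """\
hostname CORE-RTR-01
service password-encryption
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin password 7 060506324F41
username backup privilege 15 secret 9 $9$constructed.hash.value
snmp-server community public RO
tacacs-server host 10.10.5.4
tacacs-server key 7 021205580A051C
radius server ISE-1
 address ipv4 10.10.5.5 auth-port 1812 acct-port 1813
 key 0 R4dius-shared
"""


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then XOR'd bytes in hex."""
    offset = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode()


def audit_config(config: str) -> list[dict]:
    """Return one finding per config line that stores a recoverable secret."""
    findings = []
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        m = SNMP_RE.match(line)
        if m:
            findings.append({"line": number, "kind": "snmp-community",
                             "recovered": m.group(1),
                             "note": "SNMPv1/v2c community string, stored and sent in the clear"})
            continue
        m = SECRET_RE.search(line)
        if not m:
            continue
        ptype, value = m.group(2), m.group(3)
        if ptype in (None, "0"):
            findings.append({"line": number, "kind": "cleartext", "recovered": value,
                             "note": "stored in cleartext"})
        elif ptype == "7":
            findings.append({"line": number, "kind": "type7",
                             "recovered": type7_decode(value),
                             "note": "type 7 is reversible; decoded offline instantly"})
        elif ptype == "5":
            findings.append({"line": number, "kind": "type5", "recovered": None,
                             "note": "type 5 (salted MD5) cracks quickly offline; migrate to type 8"})
        # Types 6 (AES under the device master key), 8 and 9 are not flagged.
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2}  {f['kind']:<14} {str(f['recovered'] or '-'):<16} {f['note']}")
```

Run it against an exported configuration to see what an intruder with a copy of that file already holds: every type 7 and cleartext finding is a credential the attacker has in plaintext, and the SNMP community string is one they can read straight off the wire. Note that `service password-encryption` only upgrades cleartext values to type 7, so its presence is not a mitigation.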

General best practices

  • Patch regularly: Keep device software and hardware up to date to mitigate known vulnerabilities such as CVE-2018-0171.
  • Tighten access controls: Replace default credentials with complex passwords and apply multi-factor authentication wherever possible.
  • Monitor comprehensively: Centralise and monitor logs and network behaviour for anomalies such as SSH listening on non-standard ports, unexpected drops in log volume (a sign that logs are being cleared or logging disabled), or sudden configuration changes.
  • Centralise configuration management: Maintain configuration backups in a secure, external repository instead of relying solely on device-stored copies.
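
The tampering indicators listed earlier (AAA server addresses, ACL entries, Guest Shell, SSH keys, loopback addresses, disabled logging) are exactly what an off-box configuration baseline lets you catch. The script below is an added example, not Cisco's code: it parses two IOS-style running-config snapshots into parent/child paths, diffs them, and classifies each change against those indicators. Both configs are constructed, the hostnames, addresses and key hash are invented, and treating an added `iox` or `app-hosting` line as the config-level sign of Guest Shell enablement is an assumption (on a real device also check `show app-hosting list`, since `guestshell enable` is an exec command rather than a config line).

```python
import re

# Config-path prefixes mapped to the tampering categories described above.
# Paths are parent lines joined with " / ", so a child line is classified by
# the section it lives in. The patterns do not overlap.
INDICATORS = [
    ("aaa-server", re.compile(r"^(tacacs|radius|aaa )")),
    ("acl",        re.compile(r"^(ip |ipv6 )?access-list")),
    ("ssh-key",    re.compile(r"^ip ssh pubkey-chain")),
    ("loopback",   re.compile(r"^interface Loopback")),
    ("guestshell", re.compile(r"^(iox|app-hosting)")),  # assumption: Guest Shell indicator
    ("logging",    re.compile(r"^logging")),
]

# Constructed baseline snapshot (stored off-box, as recommended).
BASELINE_CONFIG = """\
hostname CORE-RTR-01
!
aaa new-model
aaa authentication login default group tacacs+ local
!
ip ssh version 2
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any log
!
tacacs server ISE-TACACS
 address ipv4 10.10.5.4
 key 6 constructedtype6blob
!
logging host 10.10.9.9
"""

# Constructed "current" snapshot showing every tampering pattern at once.
CURRENT_CONFIG = """\
hostname CORE-RTR-01
!
aaa new-model
aaa authentication login default group tacacs+ local
!
ip ssh version 2
ip ssh pubkey-chain
 username admin
  key-hash ssh-rsa CONSTRUCTEDHASH0000000000000000
!
iox
!
interface Loopback0
 ip address 10.10.0.77 255.255.255.255
!
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp host 198.51.100.10 any eq 22
 deny ip any any log
!
tacacs server ISE-TACACS
 address ipv4 198.51.100.20
 key 6 constructedtype6blob
"""


def parse_ios_config(text: str) -> set[tuple[str, ...]]:
    """Turn an indented IOS config into a set of (ancestor..., line) paths."""
    paths = set()
    stack = []  # (indent, line) for the current ancestry
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = tuple(l for _, l in stack) + (line,)
        paths.add(path)
        stack.append((indent, line))
    return paths


def leaves(paths: set) -> set:
    """Drop paths that are prefixes of other paths, so a new section reports once."""
    return {p for p in paths if not any(q != p and q[:len(p)] == p for q in paths)}


def classify(path: tuple) -> str:
    text = " / ".join(path)
    for name, pattern in INDICATORS:
        if pattern.match(text):
            return name
    return "other"


def detect_tampering(baseline: str, current: str) -> list[dict]:
    """Diff two snapshots and label each added (+) or removed (-) leaf path."""
    base, cur = parse_ios_config(baseline), parse_ios_config(current)
    changes = []
    for sign, diff in (("-", base - cur), ("+", cur - base)):
        for path in sorted(leaves(diff)):
            changes.append({"change": sign, "category": classify(path),
                            "path": " / ".join(path)})
    return changes


if __name__ == "__main__":
    for c in detect_tampering(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"{c['change']} [{c['category']:<10}] {c['path']}")
```

The sample run reports the removed TACACS+ address and logging host, the new Loopback0 address, the added ACL permit for an outside host, the new SSH public key, the `iox` line and the new TACACS+ address. The baseline must come from a repository the device cannot write to; a comparison against the device's own startup-config proves nothing if the attacker saved their changes.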

Cisco also published IP addresses linked to potentially malicious activity that can be used for defensive blocking and monitoring:

  • 185.141.24.28
  • 185.82.200.181

Salt Typhoon underscores persistent, evolving threats

The Salt Typhoon campaign highlights the ongoing and evolving risks to critical infrastructure operators. Although telecoms were the primary focus in this investigation, the techniques and vulnerabilities exposed apply to many sectors and underline the importance of robust cyber hygiene.

During its research, Cisco also observed unrelated attempts to exploit the Smart Install feature, reinforcing how neglected legacy services continue to present appealing attack surfaces.

Strong network segmentation, timely device patching, strict credential management, and detailed logging are essential to reduce the chance of similar compromises. As Cisco’s investigation continues, organisations should watch for updated guidance and proactively strengthen their defences. Telecommunications operators, in particular, should expect additional follow-up guidance in the coming weeks.
