
Salt Typhoon Telecom Attack

Macon Moyer

Cisco Talos, Cisco’s threat intelligence team, published a report on February 20th 2025 describing a widespread attack by a Chinese threat actor named Salt Typhoon. The attack had been going on for a long period of time, with Talos reporting that one instance had been controlled for three years. The attack was discovered in late 2024 and was confirmed by the US government. Talos and other cybersecurity researchers have attributed it to Salt Typhoon based on the tactics, techniques, and scale that the threat actor was able to employ. Salt Typhoon is a state-sponsored APT (Advanced Persistent Threat) and is believed to be operated by China’s Ministry of State Security. The APT gained access through a combination of methods, including compromised login credentials and exploitation of known vulnerabilities in unpatched devices. The telecom industry was the one impacted the most, with Verizon, AT&T, and Lumen being the companies that were affected.


Some people are claiming that this is the biggest attack on the US in the history of the Internet, and I would agree with that assumption. There is almost no way to tell how far the sprawl of this attack has reached or how many businesses were affected. On the bright side, Salt Typhoon most likely had the goal of remaining in the networks for extended periods of time to gather information, and now that they have been discovered that plan has been thwarted. There are a lot of implications from this attack for organizations with highly sensitive information. Anything that was sent over the network during this period is at risk of being in the hands of the Chinese government. Logs must be thoroughly audited to determine when the APT entered the network and whether or not the organization has been impacted. If an organization uses one of the affected telecom companies, a clear indicator that an auditor can look for is unexplained gaps in logging activity. Although the attack started on Cisco devices, Salt Typhoon was able to jump across many different networking devices through living-off-the-land (LOTL) methods.


Compromised credentials were reported to be the largest reason for the attack. Additional credentials were gained from network device configurations by deciphering weak local passwords. Another method used was capturing network traffic related to SNMP (monitoring), TACACS, and RADIUS (authentication), which allowed them to gain still more credentials. Initial reports indicated unpatched Cisco devices as another cause of the attack, but in smaller numbers. A vulnerability in the Smart Install (SMI) feature, which has now been patched, is the main documented exploit. Other methods used in the attack were LOTL, infrastructure pivoting, configuration modification, guest shell exploits, and defense evasion. A new form of custom malware, called JumbledPath, was discovered from this attack. JumbledPath, which was written in Go and compiled for the x86-64 architecture, allows packet capture on a remote Cisco device through a jump-host. It was also capable of clearing logs and impairing logging along the path.
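As an added example (not from the original post or from Cisco Talos), the auditing advice above about unexplained gaps in logging, together with JumbledPath's ability to clear logs and impair logging along its path, can be turned into a simple check against logs collected off the device. The script assumes syslog lines forwarded to a collector in a constructed format: an IOS-style sequence number (the kind produced when 'service sequence-numbers' is configured), an ISO-8601 timestamp, and the message text. The sample lines and the one-hour silence threshold are constructed values for this example.

```python
"""Flag suspicious silences and missing messages in device syslog.

Added example; the log lines below are constructed, not real telemetry.
Format assumed per line: "<sequence>: <ISO-8601 timestamp> <message>".
"""
import re
from datetime import datetime, timedelta

# Constructed sample: a device that logs steadily, then goes quiet for
# several hours while its sequence counter keeps advancing.
SAMPLE_LOG = """\
000101: 2025-02-20T10:00:00 %SYS-5-CONFIG_I: Configured from console by admin on vty0
000102: 2025-02-20T10:05:12 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin]
000103: 2025-02-20T10:09:40 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to up
000110: 2025-02-20T14:31:03 %SYS-5-CONFIG_I: Configured from console by netops on vty1
000111: 2025-02-20T14:32:50 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<msg>.*)$"
)


def parse_log(text):
    """Return a list of (sequence, timestamp, message) tuples, skipping
    lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m["seq"]), datetime.fromisoformat(m["ts"]), m["msg"]))
    return events


def find_gaps(events, max_silence):
    """Compare each event with the previous one and report two kinds of gap:
    a silence longer than max_silence, and a jump in the sequence counter,
    which means messages were generated but never reached the collector."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        silence = cur[1] - prev[1]
        if silence > max_silence:
            findings.append({
                "kind": "time_gap",
                "after_seq": prev[0],
                "before_seq": cur[0],
                "detail": f"no messages for {silence} ({prev[1]} -> {cur[1]})",
            })
        missing = cur[0] - prev[0] - 1
        if missing > 0:
            findings.append({
                "kind": "sequence_jump",
                "after_seq": prev[0],
                "before_seq": cur[0],
                "detail": f"{missing} message(s) missing between sequence numbers",
            })
    return findings


def audit_log(text, max_silence_hours=1.0):
    """Parse the raw text and return the findings for the given silence threshold."""
    return find_gaps(parse_log(text), timedelta(hours=max_silence_hours))


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f['kind']}: seq {f['after_seq']} -> {f['before_seq']}: {f['detail']}")
```

On the sample, the silence between 10:09 and 14:31 trips the time check, and the jump from sequence 103 to 110 shows six messages that were never received; either alone is worth a look, and both together on the same device pair are a strong reason to pull the device's configuration history for that window.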


There are many lessons to be learned from this attack. I would argue that this shows just how important advanced end-to-end encryption, endpoint protection, multiple layers of security, logging, and user training are. Just one of these things is not enough to protect yourself in a situation like this, but all of them together could make a huge difference in avoiding compromise. It is not entirely Cisco’s responsibility to ensure that you are safe. As an organization and as a security professional, you need to take the extra steps required to make sure that your network is always safe. A few things that you can do as preventative controls are: disabling the non-encrypted web server via ‘no ip http server’; disabling telnet and confirming it is not available on the VTY lines via ‘transport input ssh’ and ‘transport output none’; disabling the guest shell via ‘guestshell disable’; and disabling Cisco SMI via ‘no vstack’. You can also use an advanced IPS to profile the normal behavior of network admins so that you receive alerts when unexpected activity happens. Regularly scheduled auditing will also go a long way.
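As an added example that is not from the original post, the preventative controls listed above can be checked mechanically rather than by eye. The Python script below parses a constructed ‘show running-config’ excerpt and flags the weak settings the paragraph names: the plaintext HTTP server left on, VTY lines that still accept telnet or allow outbound sessions, and Smart Install not explicitly disabled. The guest shell is toggled from exec mode (‘guestshell disable’), so it leaves no config line of its own; the check for the ‘iox’ service line it depends on is an assumption of this example, and both sample configurations are constructed.

```python
"""Audit a Cisco IOS running-config excerpt for the hardening items
named in the post. Added example; both configs below are constructed."""

# Constructed "before" config: HTTP on, first VTY range accepts any transport,
# SMI never explicitly turned off.
WEAK_CONFIG = """\
hostname edge-rtr
!
ip http server
ip http secure-server
!
line vty 0 4
 login local
 transport input all
line vty 5 15
 login local
 transport input ssh
 transport output none
!
end
"""

# Constructed "after" config with the post's recommended settings applied.
HARDENED_CONFIG = """\
hostname edge-rtr
!
no ip http server
ip http secure-server
no vstack
!
line vty 0 4
 login local
 transport input ssh
 transport output none
line vty 5 15
 login local
 transport input ssh
 transport output none
!
end
"""


def parse_config(text):
    """Split IOS config into top-level commands and, for each top-level
    command, the indented sub-commands that follow it. Comment ('!') and
    blank lines are ignored."""
    global_lines = []
    sections = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()
        sections.setdefault(current, [])
        global_lines.append(current)
    return global_lines, sections


def audit_config(text):
    """Return a list of findings, one per weak setting, empty when clean."""
    global_lines, sections = parse_config(text)
    findings = []
    if "ip http server" in global_lines:
        findings.append("plaintext HTTP server enabled: apply 'no ip http server'")
    # SMI is on unless the config carries the explicit 'no vstack' line.
    if "no vstack" not in global_lines:
        findings.append("Smart Install (SMI) not explicitly disabled: apply 'no vstack'")
    # Assumption of this example: the guest shell needs the IOx service.
    if "iox" in global_lines:
        findings.append("IOx enabled, so the guest shell can be started: run 'guestshell disable' unless required")
    for header, subs in sections.items():
        if not header.startswith("line vty"):
            continue
        inputs = [s for s in subs if s.startswith("transport input")]
        if inputs != ["transport input ssh"]:
            findings.append(f"{header}: telnet not excluded: apply 'transport input ssh'")
        if "transport output none" not in subs:
            findings.append(f"{header}: outbound sessions allowed: apply 'transport output none'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Feeding the checker the output of ‘show running-config’ from each device on a schedule is a cheap way to make the post's "regularly scheduled auditing" concrete; a VTY range that only appears in the findings on one device in a fleet is exactly the kind of configuration modification the attack relied on.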


-Macon Moyer 3/12/25




© 2024 by Macon Moyer
