China’s “Salt Typhoon” Hackers Exposed After Years of Global Espionage

A China-linked advanced persistent threat (APT) group known as Salt Typhoon has been quietly compromising critical infrastructure worldwide, leveraging router vulnerabilities to gain long-term access to government, telecom, military, and corporate networks.

Also tracked as GhostEmperor, Operator Panda, RedMike, and UNC5807, Salt Typhoon has conducted cyberespionage campaigns across the United States, Canada, the United Kingdom, Australia, New Zealand, and other regions for more than half a decade, according to a joint advisory from Western intelligence agencies.

Years of Espionage Across Key Industries

The group has been tied to multiple breaches in U.S. and Canadian telecom firms, as well as the hacking of a U.S. National Guard unit. Since at least 2021, Salt Typhoon has targeted industries ranging from telecommunications and transportation to hospitality, government, and defense infrastructure.

Investigators have connected the APT to Chinese technology companies such as Sichuan Juxinhe Network Technology Co. Ltd. (sanctioned by the U.S.), Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. — all reportedly linked to Chinese state intelligence operations.

The stolen data enables Beijing’s agencies to monitor global communications and track the movements of individuals worldwide, raising major concerns about national security and surveillance.

Exploiting Known Vulnerabilities, Not Zero-Days

Salt Typhoon exploited existing flaws in widely used products, including:

  • Cisco: CVE-2018-0171, CVE-2023-20198, CVE-2023-20273
  • Ivanti: CVE-2024-21887
  • Palo Alto Networks: CVE-2024-3400

Unlike many APTs, the group did not rely on zero-day exploits but instead leveraged well-documented vulnerabilities to infiltrate networks. Their operations focused heavily on backbone and edge routers, modifying configurations, enabling traffic mirroring, and establishing covert persistence.

Advanced Persistence and Stealth Techniques

Salt Typhoon employed a wide range of tactics to maintain access and evade detection, including:

  • Manipulating Access Control Lists (ACLs)
  • Opening standard and non-standard ports
  • Creating protocol tunnels and multi-hop pivots
  • Altering device configurations
  • Deleting logs and disabling system monitoring

They also conducted lateral movement by targeting authentication protocols, router interfaces, BGP routes, and network traffic. Credentials were harvested directly from captured traffic, and in many cases, privileged user accounts were created to strengthen control.
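The persistence techniques listed above (ACL manipulation, non-standard management ports, tunnels, configuration changes and disabled logging), together with the traffic mirroring mentioned under the vulnerability section, all leave traces in a router's running configuration. The following is an added example, not code from the article or the advisory, of a defender-side audit that scans a constructed Cisco IOS-style configuration for those traces and reports them for review. The sample configuration, the expected privilege-15 account set (`EXPECTED_PRIV15_USERS`) and the trusted management prefixes (`TRUSTED_MGMT_PREFIXES`) are hypothetical baselines an operator would replace with their own; the rules are illustrative heuristics, not the advisory's detection logic.

```python
import ipaddress

# Constructed sample of a Cisco IOS-style running configuration (hypothetical
# device, not taken from the advisory). Each block mimics one technique the
# article lists: an extra privileged account, an HTTP management service on a
# non-standard port, a GRE tunnel to an outside host, a SPAN session that
# mirrors an uplink, an ACL entry permitting an untrusted source, and
# logging switched off.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$examplehash
username svc_backup privilege 15 secret 9 $9$examplehash2
!
ip http server
ip http port 8443
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
!
interface GigabitEthernet0/1
 description uplink
!
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/3
!
ip access-list extended MGMT-IN
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit ip host 203.0.113.10 any
 deny ip any any
!
no logging console
no logging monitor
!
line vty 0 4
 transport input ssh
!
"""

# Assumed baseline for this device (hypothetical): the privilege-15 accounts
# and the management source prefixes the owning team actually authorised.
EXPECTED_PRIV15_USERS = {"netops"}
TRUSTED_MGMT_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
STANDARD_HTTP_PORTS = {80, 443}


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address / wildcard-mask pair into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_source_network(tokens):
    """Source of an extended-ACL entry, given the tokens after 'permit <proto>'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    return wildcard_to_network(tokens[0], tokens[1])


def audit_config(config, expected_priv15=EXPECTED_PRIV15_USERS,
                 trusted_prefixes=TRUSTED_MGMT_PREFIXES):
    """Return (category, config line) findings that warrant analyst review."""
    findings = []
    section = ""  # most recent unindented command, e.g. 'interface Tunnel0'
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        text = line.strip()
        tokens = text.split()
        if not line.startswith(" "):
            section = text
        # 1. Privileged local accounts outside the baseline (account creation).
        if tokens[0] == "username" and "privilege" in tokens:
            level = int(tokens[tokens.index("privilege") + 1])
            if level == 15 and tokens[1] not in expected_priv15:
                findings.append(("unexpected_privileged_account", text))
        # 2. Management service moved to a non-standard port.
        elif tokens[:3] == ["ip", "http", "port"] and int(tokens[3]) not in STANDARD_HTTP_PORTS:
            findings.append(("nonstandard_mgmt_port", text))
        # 3. Tunnel interfaces (GRE is the IOS default and is not always shown,
        #    so the interface header, not 'tunnel mode', is the reliable signal).
        elif tokens[0] == "interface" and tokens[1].startswith("Tunnel"):
            findings.append(("protocol_tunnel", text))
        # 4. SPAN destination: traffic mirroring is configured.
        elif tokens[:2] == ["monitor", "session"] and "destination" in tokens:
            findings.append(("traffic_mirroring", text))
        # 5. Extended-ACL permits whose source is outside the trusted prefixes.
        elif tokens[0] == "permit" and section.startswith("ip access-list extended"):
            src = acl_source_network(tokens[2:])
            if not any(src.subnet_of(p) for p in trusted_prefixes):
                findings.append(("acl_untrusted_source", f"{section}: {text}"))
        # 6. Logging explicitly disabled.
        elif tokens[:2] == ["no", "logging"]:
            findings.append(("logging_disabled", text))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in audit_config(SAMPLE_CONFIG):
        print(f"{category:32s} {detail}")
```

On the sample above the audit reports seven findings: one unexpected privilege-15 account, one non-standard HTTP port, one tunnel interface, one SPAN destination, one ACL permit from a host outside the trusted prefix, and two disabled logging targets. Every rule is a prompt for review rather than proof of compromise (tunnels and SPAN sessions are often legitimate), which is why the baselines are explicit inputs; in practice the stronger control is to diff each device's running configuration against a signed known-good snapshot and alert on any drift, with this kind of rule set used to triage what the diff surfaces.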

Large-Scale Operations Backed by Contractors

Experts highlight that Salt Typhoon’s operations are fueled by a Chinese contractor ecosystem that provides infrastructure, tooling, and intrusion services at scale.

John Hultquist, Chief Analyst at Google’s Threat Intelligence Group, emphasized that Salt Typhoon operatives are “deeply familiar with the technology, enabling them to spread quickly and avoid detection.”

Similarly, Nick Tausek, Lead Security Automation Architect at Swimlane, noted that the group targeted over 100 organizations in 80 countries in 2024 alone. He warned that, despite increased awareness, Salt Typhoon remains a significant ongoing threat.

Defensive Recommendations

The advisory urges organizations to implement threat-hunting measures, apply vendor security patches, and closely follow NSA guidelines to detect and remove Salt Typhoon’s presence.

APT actors like Salt Typhoon often monitor compromised mail servers and administrator accounts to identify when defenders are responding. Therefore, experts recommend discreet incident response planning to prevent tipping off attackers before complete eviction is possible.


👉 This revelation underscores how state-backed cyberespionage campaigns are leveraging known vulnerabilities at massive scale, turning routine security gaps into powerful tools of surveillance and disruption.

Source: https://www.securityweek.com/chinas-salt-typhoon-hacked-critical-infrastructure-globally-for-years