This blog highlights the ongoing malicious cyber activity conducted by the People’s Republic of China (PRC)-affiliated cyber threat group known as Salt Typhoon against telecommunications infrastructure providers. Recent reporting suggests Salt Typhoon threat actors have compromised networks of major global telecommunications organizations, conducting broad and significant cyber espionage campaigns.
In response, the Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners, issued the Enhanced Visibility and Hardening Guidance for Communications Infrastructure to assist network engineers and defenders with improving visibility and hardening practices. This guidance aims to reduce exposure to exploitation attempts and strengthen the overall security posture of network devices.
The criticality of telco attacks
Telecommunications networks are the lifelines of modern society, enabling personal communications, supporting national security operations, and sustaining global economic activities. By targeting these critical infrastructures, the PRC-affiliated threat group known as Salt Typhoon exploits the central role telcos play in government functions, commerce, and everyday life. Through direct assaults on telecommunications providers, Salt Typhoon can:
- Intercept sensitive communications: Accessing voice and data transmissions provides invaluable intelligence on government activities, corporate strategies, and personal information.
- Disrupt essential services: Compromising telco infrastructure can lead to widespread service outages, affecting economies, public safety, and emergency response capabilities.
- Establish long-term espionage platforms: Persistent access allows continuous monitoring, data exfiltration, and the potential to manipulate communications over extended periods.
These actions have serious implications, including the undermining of national security, the destabilization of economic frameworks, and the erosion of public trust in communication systems. Salt Typhoon’s operations align with objectives commonly associated with state-sponsored cyber espionage:
- Strategic intelligence gathering: Obtaining classified information, trade secrets, and strategic communications to achieve political and economic advantages.
- Technological leverage: Stealing intellectual property and sensitive data to boost domestic technological capabilities without incurring research and development costs.
- Cyber warfare preparedness: Embedding within critical infrastructure to prepare for potential future conflicts, where controlling communications could confer significant strategic advantages.
- Influence and manipulation: Monitoring or even altering communications to support misinformation campaigns, espionage efforts, or attempts to weaken public confidence in institutions.
By focusing on telecommunications, Salt Typhoon extends its reach beyond a single sector, thereby amplifying its influence and increasing the severity of its potential impact. This broad approach elevates the threat posed to critical communication systems worldwide.
Potential next moves by Salt Typhoon
Given their aggressive tactics and expanding reach, Salt Typhoon may:
- Extend attacks to other critical infrastructure sectors such as energy, finance, healthcare, and transportation.
- Develop more advanced malware, rootkits, and zero-day exploits to remain undetected and maintain long-term access.
- Exploit supply chain vulnerabilities by targeting third-party vendors and contractors to infiltrate additional networks and propagate malware.
- Leverage compromised data for strategic gains, blackmail, or to launch further targeted attacks.
Organizations must anticipate these potential moves and strengthen their cybersecurity posture accordingly.
Key recommendations from CISA
The latest CISA guidance emphasizes both preventive and detective measures. Organizations should implement recommended actions related to visibility, monitoring, configuration management, segmentation, secure protocols, access controls, and vendor-specific hardening techniques.
1. Strengthening visibility and monitoring
Salt Typhoon’s operations rely on stealthy intrusion methods and hiding in normal network traffic. Improving visibility and monitoring allows defenders to detect anomalous behavior early, identify suspicious lateral movement, and respond quickly before attackers gain a foothold.
CISA’s recommendations:
- Closely scrutinize network device configuration changes and implement comprehensive alerting to detect unauthorized modifications.
- Employ strong flow monitoring solutions, ensure centralized logging with encryption, and securely store log data.
- Integrate packet capture capabilities and baseline normal network behavior to detect anomalies.
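The "baseline normal network behavior to detect anomalies" bullet is easy to state and harder to operationalize. The script below is an added example written for this post (it is not Vectra AI code and does not represent the platform's detection logic): it learns, from a constructed set of NetFlow-style records, which peers each management-segment device normally talks to and the peak volume per peer, then flags observation-window flows that go to a never-seen peer or exceed the learned peak by a configurable factor. The record shape `(src_ip, dst_ip, dst_port, bytes)`, the addresses and the byte counts are all assumptions.

```python
"""Flow-baseline deviation check (added example; constructed data, not Vectra AI code).

Record shape is an assumption: (src_ip, dst_ip, dst_port, bytes), roughly what a
NetFlow/IPFIX collector provides once flows are aggregated per 5-tuple.
"""
from collections import defaultdict

# Constructed "learning period" flows: two network devices on a management
# segment talking to syslog (514), TACACS+ (49) and a flow collector (2055).
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.9.20", 514, 12_000),
    ("10.10.1.5", "10.10.9.21", 49, 800),
    ("10.10.1.5", "10.10.9.20", 514, 11_500),
    ("10.10.1.6", "10.10.9.20", 514, 15_000),
    ("10.10.1.6", "10.10.9.21", 49, 900),
    ("10.10.1.6", "10.10.9.22", 2055, 40_000),
]

# Constructed observation window: two of the five records deviate from baseline.
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.9.20", 514, 12_400),        # within baseline
    ("10.10.1.5", "198.51.100.7", 443, 2_500_000),   # peer never seen in baseline
    ("10.10.1.6", "10.10.9.21", 49, 950),            # within baseline
    ("10.10.1.6", "10.10.9.22", 2055, 400_000),      # 10x the learned peak
    ("10.10.1.6", "10.10.9.20", 514, 14_000),        # within baseline
]


def build_baseline(flows):
    """Learn, per source, the set of (dst, port) peers and the peak bytes per peer."""
    peers = defaultdict(set)
    peak = defaultdict(int)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        peak[(src, dst, port)] = max(peak[(src, dst, port)], nbytes)
    return peers, peak


def find_deviations(baseline_flows, observed_flows, volume_factor=3.0):
    """Flag observed flows to a never-seen peer (including flows from a source the
    baseline never saw at all), or whose volume exceeds volume_factor times the
    learned peak for that (src, dst, port) triple."""
    peers, peak = build_baseline(baseline_flows)
    findings = []
    for src, dst, port, nbytes in observed_flows:
        record = {"src": src, "dst": dst, "port": port, "bytes": nbytes}
        if (dst, port) not in peers.get(src, set()):
            findings.append({**record, "reason": "new-peer"})
        elif nbytes > volume_factor * peak[(src, dst, port)]:
            findings.append({**record, "reason": "volume-spike",
                             "baseline_peak": peak[(src, dst, port)]})
    return findings


if __name__ == "__main__":
    for finding in find_deviations(BASELINE_FLOWS, OBSERVED_FLOWS):
        print(finding)
```

Two design points carry over to a real deployment: the baseline must be learned from a period you have reason to believe was clean (an intruder already present during learning becomes "normal"), and the peer set should be keyed on the management segment's own devices, because a network device opening a session to an address it has never contacted is exactly the kind of low-volume event that hides in aggregate traffic statistics.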
Vectra AI alignment:
Vectra AI’s Attack Signal Intelligence applies AI-driven behavioral detection and correlation techniques across the entire attack footprint, including hosts, accounts, and workloads. By using an entity-centric approach to threat detection, Vectra AI provides security teams with comprehensive visibility into network activity and user behavior.
This aligns with the recommended practices for strengthening visibility and monitoring, as it enables operators to:
- Correlate and prioritize events: Leverage integrated analytics to tie together seemingly benign indicators from various sources—such as routers, firewalls, and endpoints—into a coherent, prioritized threat narrative.
- Enhance security operations: Integrate seamlessly with SIEM tools to enrich logs and alerts with context, reducing noise and enabling more efficient triage and investigation.
- Accelerate response times: Detect and track adversarial actions in real-time, ensuring security teams can act swiftly before attackers gain a foothold or cause significant damage.
By providing deep, continuous visibility and context-driven insights, Vectra AI helps organizations align with the guidance outlined by CISA and its partners, ensuring that monitoring systems can effectively detect, investigate, and respond to the tactics and techniques employed by sophisticated threat groups like Salt Typhoon.
2. Hardening systems and devices
Salt Typhoon capitalizes on unpatched vulnerabilities, weak configurations, and insecure management networks. By hardening systems and devices, organizations reduce the attacker’s ability to exploit known weaknesses and limit the impact of any successful intrusion.
CISA’s recommendations:
- Implement out-of-band management networks physically separate from the data flow network.
- Enforce default-deny Access Control Lists (ACLs) and strict segmentation using VLANs, DMZs, and layered defensive constructs.
- Utilize trusted cryptographic methods for VPNs and disable unnecessary services.
- Regularly apply vendor patches, follow a robust change management process, and adhere to secure password policies.
Vectra AI alignment:
As organizations apply hardened configurations, Vectra AI provides continuous visibility into network segments and detects lateral movement attempts that may bypass traditional defenses. The solution’s advanced analytics help identify deviations in behavior caused by malicious access and privilege escalation, supporting operators as they maintain strong segmentation and enforce strict access policies.
3. Protocols and management processes
Salt Typhoon leverages insecure protocols, weak authentication, and mismanaged administrative credentials to pivot within networks. Strengthening protocols and management processes restricts adversaries’ ability to gain elevated privileges and move through critical infrastructure.
CISA’s recommendations:
- Restrict device management to trusted, dedicated administrative workstations.
- Disable or limit exposure of management traffic to the internet.
- Use strong encryption and modern cryptographic algorithms for management protocols.
- Employ Role-Based Access Control (RBAC) and authentication, authorization, and accounting (AAA) frameworks.
Vectra AI alignment:
The Vectra AI platform detects suspicious authentication events and can alert operators to anomalies in management protocols or unexpected account activity. This complements strong access controls and ensures that any malicious attempt to manage network devices is flagged for timely investigation.
4. Cisco-specific guidance
Salt Typhoon has been observed exploiting Cisco-specific features and defaults. Applying Cisco-targeted hardening recommendations reduces the adversary’s opportunities to abuse vendor-specific capabilities and gain persistent network access.
CISA’s recommendations:
- Disable Cisco-specific features (e.g., Smart Install) if not required.
- Enforce secure web management settings or disable unnecessary web services.
- Adopt secure password storage mechanisms (e.g., Type-8) and ensure TACACS+ keys are encrypted.
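The configuration-change alerting called for in section 1 and the Cisco-specific checks above fit naturally into one script. The following is an added example written for this post, not code from the original or from Vectra AI: it diffs a constructed IOS-style running config against an approved baseline (any added or removed line not tied to a change ticket is an alert), then runs hardening checks for the items listed above: Smart Install left enabled, plaintext HTTP management, credentials not stored as Type-8, a TACACS+ key not stored as Type-6, and vty lines without a source-restricting ACL or with non-SSH transport. The CLI forms it matches on (`no vstack`, `ip http server`, `secret 8`, `key 6`, `access-class ... in`) and every hash, key and address in the sample configs are assumptions to verify against the vendor documentation for the platform in use.

```python
"""Config-change alerting and Cisco-style hardening audit (added example).

Not the post's or Vectra AI's code. The configs are constructed IOS-style text and
the CLI forms checked are assumptions to confirm against vendor documentation.
"""
import difflib
import re

# Constructed approved baseline: Smart Install off, no plaintext HTTP, Type-8
# secrets, Type-6 TACACS+ key, SSH-only vty lines restricted by an ACL.
BASELINE_CONFIG = """\
hostname edge-rtr-01
no vstack
no ip http server
ip http secure-server
username netadmin secret 8 $8$CONSTRUCTED-HASH
enable secret 8 $8$CONSTRUCTED-HASH
tacacs server tac1
 address ipv4 10.10.9.21
 key 6 CONSTRUCTED-TYPE6-BLOB
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""

# Constructed running config after a set of unauthorized changes.
CURRENT_CONFIG = """\
hostname edge-rtr-01
vstack
ip http server
ip http secure-server
username netadmin secret 8 $8$CONSTRUCTED-HASH
username svc_backup password 7 CONSTRUCTED-TYPE7-BLOB
enable secret 8 $8$CONSTRUCTED-HASH
tacacs server tac1
 address ipv4 10.10.9.21
 key 0 CONSTRUCTED-PLAINTEXT-KEY
line vty 0 4
 transport input ssh telnet
"""

CRED_RE = re.compile(r"^(?:username \S+|enable)\s+(?:secret|password)\s+(\d+)\s")
TACACS_KEY_RE = re.compile(r"^\s+key\s+(?:(\d+)\s+)?\S+")


def config_changes(baseline, current):
    """Lines added to / removed from the running config relative to the baseline.
    Anything here that does not map to an approved change ticket is an alert."""
    added, removed = [], []
    for line in difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                     lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def audit_config(config):
    """Hardening checks mirroring the bullets above; returns a list of finding strings."""
    lines = config.splitlines()
    findings = []
    if "no vstack" not in lines:
        findings.append("smart-install: 'no vstack' absent; disable Smart Install if unused")
    if "ip http server" in lines:
        findings.append("web-mgmt: plaintext 'ip http server' is enabled")
    in_tacacs = in_vty = vty_has_acl = False
    for line in lines:
        m = CRED_RE.match(line)
        if m and m.group(1) != "8":
            findings.append(f"credential: non-Type-8 password type {m.group(1)} "
                            f"on '{' '.join(line.split()[:2])}'")
        if not line.startswith(" "):          # a new top-level block begins here
            if in_vty and not vty_has_acl:
                findings.append("vty: no 'access-class ... in' restricting management sources")
            in_tacacs = line.startswith("tacacs server")
            in_vty = line.startswith("line vty")
            vty_has_acl = False
            continue
        if in_tacacs:
            m = TACACS_KEY_RE.match(line)
            if m and m.group(1) != "6":
                findings.append(f"tacacs: key stored as type {m.group(1) or '0'}; expected Type-6")
        if in_vty:
            if re.match(r"^\s+access-class \S+ in$", line):
                vty_has_acl = True
            if line.split()[:2] == ["transport", "input"] and line.split()[2:] != ["ssh"]:
                findings.append(f"vty: management transport not SSH-only: '{line.strip()}'")
    if in_vty and not vty_has_acl:            # close out a vty block at end of file
        findings.append("vty: no 'access-class ... in' restricting management sources")
    return findings


if __name__ == "__main__":
    added, removed = config_changes(BASELINE_CONFIG, CURRENT_CONFIG)
    print("added:", added, "\nremoved:", removed)
    for finding in audit_config(CURRENT_CONFIG):
        print("FINDING:", finding)
```

Run against the constructed current config, the diff reports five added and five removed lines and the audit returns six findings; the baseline returns none. In practice the baseline is the last approved configuration pulled from the change-management system, the current copy comes from a scheduled `show running-config` collected over the out-of-band management network, and the diff output is what the alerting rule should fire on, since a silent configuration change is the earliest durable signal of the tradecraft this post describes.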
Vectra AI alignment:
As network defenders harden Cisco environments, Vectra AI continuously monitors for the introduction of malicious patterns indicative of previously observed People’s Republic of China-affiliated threat behaviors. This technology complements the vendor-specific best practices, assisting in the detection of suspicious activity that may surface after hardening efforts have been applied.
5. Incident reporting and secure by design
Salt Typhoon’s attacks benefit from delayed responses and insecure products. Prompt reporting helps government agencies track and respond to evolving threats, while secure-by-design principles reduce the complexity and risk of intrusion at the outset.
CISA’s recommendations:
- Report suspicious activity to appropriate authorities (e.g., FBI, CISA, foreign counterparts).
- Adopt secure-by-design principles and demand secure-by-default settings from vendors and suppliers.
Vectra AI alignment:
By providing enhanced visibility and robust detection capabilities, Vectra AI supports organizations’ broader incident response processes. Early detection aligns with secure-by-design principles by minimizing dwell time and mitigating the impact of adversary activities. Additionally, the solution’s insights can support evidence collection and facilitate timely reporting to authorities.
Salt Typhoon’s targeting of telecommunications infrastructure underscores the importance of adopting the comprehensive measures outlined in the Enhanced Visibility and Hardening Guidance for Communications Infrastructure. Network engineers and defenders should implement these recommendations to improve their security posture and reduce opportunities for adversarial intrusion.
Integrating security solutions that align with these recommendations further strengthens defenses. Vectra AI’s capabilities complement CISA’s guidance by enhancing visibility, streamlining event correlation, and detecting behavioral anomalies indicative of malicious activity. Through a combination of rigorous hardening practices, adherence to secure-by-design principles, and advanced technologies like Vectra AI, organizations can better protect their critical infrastructure against evolving threats posed by PRC-affiliated and other malicious threat groups.
Want to see the Vectra AI Platform in action? Take our self-guided tour or request a custom demo today.