
The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, Internet service providers (ISPs), and universities.
Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting of major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even on the Democratic and Republican presidential campaigns.
Apparently, all that news media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon, which Insikt tracks as "RedMike", attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it has tried this tactic.
Salt Typhoon's Latest Attacks on Telecom, Unis
Back in October 2023, Cisco urged all of its customers to immediately pull their routers, switches, and other devices off the Internet, at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).
Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices with root privileges. It earned a "high" 7.2 CVSS score.
Evidently, Cisco's warnings weren't heard loudly and widely enough, as Salt Typhoon followed this exact path to recently compromise large organizations on six continents. With the total control afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.
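As an added example that is not part of the original article, the following Python audit walks a constructed IOS XE running-config and flags the three conditions the intrusion chain above relies on: the web UI being enabled, privilege-15 local accounts outside an allowlist, and GRE tunnels to peers outside an allowlist. The hostname, account names, and addresses are constructed, not taken from any real device or report.

```python
import re

# Constructed sample of an IOS XE running-config (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
!
"""

def parse_blocks(config):
    """Split a config into top-level lines and per-interface sub-line lists."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())      # indented line inside an interface
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            blocks[current] = []
        else:
            current = None                           # "!" or any other top-level line
            top.append(raw.strip())
    return top, blocks

def audit_config(config, approved_admins, approved_tunnel_peers):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    top, blocks = parse_blocks(config)
    findings = []
    # 1. The HTTP(S) web UI is the attack surface for both CVEs named above.
    if any(l in ("ip http server", "ip http secure-server") for l in top):
        findings.append("web-ui-exposed")
    # 2. CVE-2023-20198 abuse shows up as new privilege-15 local accounts.
    for line in top:
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in approved_admins:
            findings.append(f"unexpected-admin:{m.group(1)}")
    # 3. GRE tunnels to unknown peers; IOS defaults a Tunnel interface to GRE/IP
    #    when no "tunnel mode" line is present, so treat that case as GRE too.
    for name, lines in blocks.items():
        if not name.startswith("Tunnel"):
            continue
        modes = [l for l in lines if l.startswith("tunnel mode")]
        is_gre = not modes or modes[0].startswith("tunnel mode gre")
        for l in lines:
            if l.startswith("tunnel destination") and is_gre:
                peer = l.split()[-1]
                if peer not in approved_tunnel_peers:
                    findings.append(f"unexpected-gre-tunnel:{name}->{peer}")
    return findings
```

Run it against a saved `show running-config` with your real admin and tunnel-peer allowlists; a device that returns no findings still needs patching, since this only checks for the artifacts the chain leaves behind.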
Although Insikt tracks this marketing campaign solely again by way of December, it is potential that this is not the primary time Salt Hurricane has used Cisco units to focus on main telcos.
“Little or no element is at the moment publicly obtainable in regards to the Salt Hurricane-linked intrusions in opposition to US telecommunications suppliers uncovered in September 2024, together with whether or not or not Cisco units have been concerned,” explains Jon Condra, senior director of strategic intelligence at Recorded Future. “Notably, CISA in December 2024 put out defensive steering for communications suppliers that means that Cisco units have been exploited, linked to the Salt Hurricane intrusions, with out offering specifics. We do know that Cisco units have been focused by Chinese language APT teams on many events up to now, as with a wide range of different edge units.”
Salt Typhoon's Latest Cyberattack Victims
Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.
"Salt Typhoon targets telecommunications systems which are some of the most complex Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, can't be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."
And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, and elsewhere. As Insikt noted, many of these universities perform important research in telecommunications, engineering, and other areas of technology.
Overall, while more than 100 countries were touched by this campaign, more than half of the devices compromised were in South America, India, and, most often, the US.
Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, "The group's targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."