Cyber Threat Report: 'Weathering the storm: In the midst of a Typhoon'
| Report Author | Cisco Talos |
|---|---|
| Publication Date | 2025-02-20 |
| Original Reporting | Source |
| Related Intrusion Sets | Salt Typhoon |
| Identified CVEs | CVE-2018-0171 |
| Victim Sectors | Telecommunications |
Salt Typhoon is a highly sophisticated threat actor targeting the telecommunications sector, as detailed in this report from Cisco Talos. Initially reported in late 2024, the group has gained access to core networking infrastructure, predominantly through the use of legitimate credentials. Salt Typhoon demonstrates a range of living-off-the-land (LOTL) techniques, such as modifying device configurations, capturing sensitive traffic, and leveraging compromised devices for lateral movement and data exfiltration. Notably, Salt Typhoon has maintained persistence in some environments for over three years, suggesting operational patience and technical expertise. While there is evidence of the group exploiting known vulnerabilities like CVE-2018-0171, most intrusions relied on legitimate credentials, emphasizing the importance of robust credential management. The researchers suggest that Salt Typhoon is a well-funded and coordinated actor, potentially state-sponsored, given its long-term access and focus on critical infrastructure. Its operations have primarily targeted U.S. telecommunications providers, but the techniques and tools observed are relevant to defenders across all sectors. The report suggests a number of preventative measures, including comprehensive configuration management and auditing, multi-factor authentication, and proactive monitoring of network devices.
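As an added example (not code from the Talos report), the following Python script illustrates the configuration-auditing recommendation above: it diffs a known-good Cisco IOS baseline against the current running config and flags added lines in the categories the summary associates with LOTL activity (new local accounts, new tunnels, ACL permits, SPAN sessions). The hostnames, addresses and both configs are constructed for the example.

```python
import re
from difflib import unified_diff

# Constructed sample configs for a hypothetical IOS router (not from the report).
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 5 $placeholder
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
ip access-list extended MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
"""
CURRENT = """\
hostname edge-rtr-1
username netops privilege 15 secret 5 $placeholder
username svc-backup privilege 15 secret 5 $placeholder
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
ip access-list extended MGMT
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
monitor session 1 source interface GigabitEthernet0/0
"""

# Added lines matching these patterns warrant review: new local accounts,
# new tunnel interfaces, widened ACL permits, and SPAN (traffic capture) sessions.
SENSITIVE = {
    "new-local-user": re.compile(r"^username \S+"),
    "new-tunnel": re.compile(r"^interface Tunnel\d+|^ tunnel (source|destination)"),
    "acl-permit": re.compile(r"^ permit "),
    "traffic-capture": re.compile(r"^monitor session"),
}

def audit_config_drift(baseline: str, current: str) -> list[tuple[str, str]]:
    """Return (category, line) for every line added since the baseline that matches a sensitive pattern."""
    findings = []
    diff = unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    for line in diff:
        if not line.startswith("+") or line.startswith("+++"):
            continue  # skip removals, hunk headers and the file header
        added = line[1:]
        for category, pattern in SENSITIVE.items():
            if pattern.search(added):
                findings.append((category, added.strip()))
                break
    return findings
```

Running `audit_config_drift(BASELINE, CURRENT)` on the constructed configs reports the added account, the three Tunnel99 lines, the any-to-any SSH permit and the SPAN session; removed lines are deliberately ignored here and would be a natural extension.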