Salt Typhoon Exploits Seven-Year-Old Flaw to Breach Major U.S. Telecoms

Salt Typhoon

In late 2024, it was confirmed that a cyber espionage campaign perpetrated by a highly sophisticated Chinese-based threat actor infiltrated at least eight major telecommunications companies. The attacks gained access to Call Detail Records used to identify callers. The illicit access pointed to the compromise of Cisco routers. Cisco Talos conducted research on the Salt Typhoon telecom attack to learn more about the avenue of attack, uncovering that a seven-year-old vulnerability was likely abused along with the use of stolen but legitimate victim login credentials.

Breaking Down the Attack Vectors

It has been reported that the attacks exploited multiple previously identified Cisco vulnerabilities. However, the company’s researchers reported that no new Cisco vulnerabilities were utilized, and they could only find evidence that one vulnerability (CVE-2018-0171) was likely exploited. Interestingly, Balazs Greksza, Threat Response Lead at Ontinue, pointed out that “the Smart Install Abuse vulnerability (CVE-2018-0171) misuse is currently unattributed to any specific threat actor. Cisco Plug and Play (PnP) for zero-touch deployments has been recommended over Smart Install since around 2019 – allowing ample time for updates.”

Cisco Talos suggested that the campaign used living-off-the-land (LOTL) techniques. In these types of attacks, legitimate tools, software, and features inherent in the target system are used to carry out malicious activities. This means that no external malware is needed; instead, the attack blends in with normal system operations to avoid detection. In one instance the hackers maintained access for over three years.

Evidence indicates that Salt Typhoon uses valid, stolen credentials for initial access and planted SSH access to maintain presence and move laterally. The Cisco team reported that the threat actor actively attempted to acquire additional credentials and to capture identity protocol traffic in hopes of gaining additional credential details for follow-on use. Although malware was not deployed, the attackers used a custom-built utility, dubbed JumbledPath, to execute their packet capture activities.

Identity Security in the Spotlight

The analysis of the Salt Typhoon cyber attacks concludes that the primary infiltration path into the telecommunications companies' networks was the use of stolen (or unchanged default) passwords. The attackers did not break into the network but logged in with valid credentials. Once inside, they extracted additional credentials from network device configurations and intercepted authentication traffic.

Cybercriminals target identity credentials (i.e. passwords) because they are easy targets. The techniques include exploiting unchanged default passwords, brute-force attacks, phishing/social engineering, abuse of password-reset services, and insider threats. The loss of credentials would be a less serious problem if identity security were stronger. Darren Guccione, CEO and Co-Founder of Keeper Security, opined that “Salt Typhoon’s campaign is a clear reminder that identity security is central to cyber resilience. Stolen credentials enabled the group to persist in networks for years, highlighting the need for strong password policies, enterprise password management and multi-factor authentication. But stopping credential theft isn’t enough – organizations must also ensure that attackers can’t escalate privileges or move laterally once inside.” It is recommended that organizations ensure that default passwords are changed, deploy multi-factor authentication (MFA), and control privileges.

Closing Vulnerabilities

These attacks rely on stolen credentials; however, Cisco has validated that at least one known vulnerability was exploited. “The fact that Salt Typhoon exploited an unpatched vulnerability from 2018 exemplifies how outdated systems can become long-term liabilities,” is how Keeper Security’s Guccione assessed the situation. He continued that “effective cybersecurity isn’t just about sealing off the front door – it requires vigilance in closing known security gaps and limiting damage when defenses fail.”

One of the most effective methods of preventing attacks is patching systems to close vulnerabilities. Organizations must employ an effective vulnerability management program that can discover and remediate all known vulnerabilities in their environment. Known vulnerabilities are attacked constantly if they are not patched. GreyNoise, in its "2025 Mass Internet Exploitation Report," states that 40% of CVEs exploited in 2024 were at least four years old and 10% were from 2016 or earlier.

In this specific case it isn’t just about a patch but about the replacement of a vulnerable component. The Cisco Smart Install mechanism that was exploited has been superseded by Cisco PnP. Cisco, in its Salt Typhoon blog, recommends that Smart Install be patched or decommissioned. It also points out that all instances need to be remediated, because even devices considered non-critical can be used as an entry point.
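As an added illustration (not code from the article, Cisco, or any of the vendors quoted), the following Python script audits a constructed Cisco IOS running-config for the weaknesses discussed above: Smart Install left enabled, default or reversibly stored credentials that can be harvested straight from the config, local-only authentication that cannot enforce MFA, and no remote logging. The `no vstack` command, the reversible type 7 encoding, and the tiny default-password list are assumed from general IOS knowledge; the sample config and its values are constructed.

```python
import re

# Constructed sample running-config (not from any real device), seeded with weaknesses.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password cisco
username admin password 7 0822455D0A16
username ops secret 9 $9$placeholderhash
no aaa new-model
ip ssh version 2
line vty 0 4
 transport input ssh
"""

# A few well-known factory defaults; a real audit would use a larger list.
DEFAULT_PASSWORDS = {"cisco", "admin", "password"}


def audit_ios_config(config: str) -> list[str]:
    """Return findings for a Cisco IOS config; an empty list means these checks pass."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Smart Install (the CVE-2018-0171 surface, TCP/4786) stays enabled unless 'no vstack' is set.
    if "no vstack" not in lines:
        findings.append("smart-install: add 'no vstack' or decommission Smart Install")

    for ln in lines:
        # 'enable password' keeps the privileged password cleartext or type 7.
        if ln.startswith("enable password "):
            findings.append("enable-password: replace with 'enable secret'")
            if ln.split()[-1] in DEFAULT_PASSWORDS:
                findings.append("default-credential: enable password is a factory default")
        # Type 7 is a reversible encoding: whoever reads the config recovers the password.
        m = re.match(r"username (\S+) password 7 \S+$", ln)
        if m:
            findings.append(f"type7-credential: user '{m.group(1)}' should use 'secret'")
        # Type 0 / unmarked cleartext local passwords.
        m = re.match(r"username (\S+) password (?:0 )?(\S+)$", ln)
        if m:
            findings.append(f"cleartext-credential: user '{m.group(1)}'")

    # Local-only authentication cannot enforce MFA or central revocation.
    if "aaa new-model" not in lines:
        findings.append("no-aaa: enable 'aaa new-model' with TACACS+/RADIUS and MFA")
    # Without a remote collector, device logins and config changes are invisible to the SOC.
    if not any(ln.startswith("logging host ") for ln in lines):
        findings.append("no-remote-logging: configure 'logging host <collector>'")
    return findings
```

Running `audit_ios_config(SAMPLE_CONFIG)` returns six findings; a config with `no vstack`, `aaa new-model`, `enable secret`, `secret`-type user passwords, and a `logging host` line returns none.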

Lessons Taught

“The attack signifies the importance of secure credential practices and maintaining strong device security configurations, change management, logging, and detections,” is how Greksza views the Salt Typhoon campaign. This campaign, conducted by a state-sponsored threat actor, illustrates that there are still considerable holes in our critical infrastructure that must be closed. Vigilance and rigorous adherence to security best practices, including updating, access controls, user education, and network segmentation, are required.

Organizations must do better at holistic security that can limit the ability of Advanced Persistent Threats (APTs) like Salt Typhoon to wreak havoc. Given that much of this campaign involved LOTL techniques and continuous movement within networks, it reinforces the need to adopt a zero trust framework. Zero trust operates on the premise that you must assume breach and not trust any entity without verification. It relies heavily on identity components, including least-privilege access enforcement and continuous verification. It also requires visibility, through inspection, logging, and analysis of resource requests, in order to discover anomalous behavior and actions. These measures can limit the access and damage caused by a network breach.

We Must Do Better

The Salt Typhoon breach is another example that cybersecurity operations need to improve. “Legacy security gaps are still being exploited, and traditional perimeter-based defenses are no longer enough. Time and again, we see everyone from criminal gangs to APTs using tried-and-true methods like stolen credentials and known vulnerabilities to gain footholds, escalate privileges, and access sensitive resources,” is how Rom Carmel, Co-Founder and CEO at Apono, views the situation.

Attacks should not succeed by exploiting years-old vulnerabilities. Systems should not have easy-to-guess passwords. Perimeter-based defenses are no longer enough. There are better cybersecurity frameworks, mechanisms, and tools that can vastly improve overall security, but they must be deployed and utilized.

Author
  • Contributing Writer
    Charles J. Kolodgy is a security strategist, visionary, forecaster, educator, historian, and advisor. He is a thought leader, identifying trends and concepts critical to cybersecurity, with a primary focus on…