The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located across the infrastructures of telecommunications companies, Internet service providers (ISPs), and universities.
Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting of major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to snoop on US law enforcement wiretaps, and even on the Democratic and Republican presidential campaigns.
Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon, which Insikt tracks as "RedMike", attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it has tried this tactic.
Salt Typhoon's Latest Attacks on Telcos, Unis
Back in October 2023, Cisco urged all of its customers to immediately pull their routers, switches, etc., off the Web, at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the web user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).
Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices with root privileges. It earned a "high" 7.2 CVSS score.
Evidently, Cisco's warnings weren't heard loudly and widely enough, as Salt Typhoon followed this exact path to compromise large organizations on six continents just recently. With the full power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices to its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.
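The two artifacts this paragraph describes, an unexpected privilege-15 local account and a GRE tunnel to infrastructure the operator does not own, are both visible in a device's running configuration. The following audit script is an added example written for this article, not code from Cisco, Recorded Future, or Insikt Group; it parses a constructed IOS XE `show running-config` excerpt and flags both indicators against an allowlist of approved administrators and approved tunnel destination networks. The sample configuration, hostnames, user names and addresses are all invented for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample IOS XE running-config excerpt (invented for this example,
# not captured from any real device). It contains one approved admin, one
# unexpected admin, one GRE tunnel to an approved internal network, and one
# GRE tunnel whose destination is outside every approved network.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface Tunnel1
 ip address 10.20.20.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.0.5.1
!
end
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "unexpected_admin_user" or "unapproved_gre_tunnel"
    detail: str  # user name, or "<interface> -> <destination>"


def parse_interfaces(config):
    """Return {interface_name: [indented sub-lines]} for each 'interface' stanza."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            # '!' separators and other top-level lines end the stanza
            current = None
    return interfaces


def audit_config(config, approved_users, approved_tunnel_networks):
    """Flag privilege-15 users not in approved_users and GRE tunnels whose
    destination lies outside approved_tunnel_networks (CIDR strings)."""
    findings = []

    # 1. Local accounts with full (privilege 15) administrative rights.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.MULTILINE):
        if m.group(1) not in approved_users:
            findings.append(Finding("unexpected_admin_user", m.group(1)))

    # 2. Tunnel interfaces running GRE to an unapproved destination.
    nets = [ipaddress.ip_network(n) for n in approved_tunnel_networks]
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        mode_lines = [l for l in lines if l.startswith("tunnel mode ")]
        # On IOS the default tunnel mode is GRE over IP and is not printed in the
        # running-config, so a Tunnel interface with no explicit mode is GRE too.
        is_gre = not mode_lines or any(l.startswith("tunnel mode gre") for l in mode_lines)
        dest = next((l.split()[-1] for l in lines
                     if l.startswith("tunnel destination ")), None)
        if is_gre and dest:
            addr = ipaddress.ip_address(dest)
            if not any(addr in n for n in nets):
                findings.append(Finding("unapproved_gre_tunnel", f"{name} -> {dest}"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, {"netops"}, ["10.0.0.0/8"]):
        print(f"{f.kind}: {f.detail}")
```

Run against the sample, the script reports `cisco_tac_admin` as an unexpected administrator and `Tunnel0 -> 203.0.113.77` as a GRE tunnel to an unapproved destination, while `Tunnel1` (destination inside 10.0.0.0/8, and GRE by default despite having no `tunnel mode` line) passes. In practice the same two checks belong in whatever configuration-compliance tooling already pulls running-configs from the fleet, and any hit should be reconciled against change records before being treated as benign.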
Though Insikt tracks this campaign only back through December, it is possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.
"Very little detail is currently publicly available regarding the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers suggesting that Cisco devices were exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."
Salt Typhoon's Latest Cyberattack Victims
Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.
"Salt Typhoon targets telecommunications systems which are among the most complex Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities could still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized components that remain vulnerable to sophisticated attacks."
And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform critical research in telecommunications, engineering, and other areas of technology.
Overall, while more than 100 countries were touched by this campaign, more than half of the devices compromised were in South America, India, and, most often, the US.
Recorded Future's Condra emphasizes that prior Salt Typhoon coverage has been US-centric, but, he says, "The group's targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."