Threat Intelligence
Howard Poston, Jun 30, 2025
Call recordings from US presidential campaigns. Wiretaps hijacked. No less than nine telecoms infiltrated—completely undetected—for years. Salt Typhoon didn’t just spy, they became part of the furniture.
Salt Typhoon is an advanced persistent threat (APT) group associated with the People’s Republic of China (PRC). The group is known by several names, such as FamousSparrow, Earth Estries, GhostEmperor, and UNC2286, and was first detected in the wild in 2019.
In September 2024, the group became famous due to a report that it had breached several US telecom companies. Over the next few months, investigations by CISA, the FBI, and private sector partners determined that nine companies were impacted by the attack.
These included AT&T, Consolidated Communications, Lumen, Spectrum, T-Mobile, Verizon, and Windstream. Salt Typhoon compromised telecoms outside of the US as well, including those in Europe and the Indo-Pacific.
In this Attack Anatomy blog, we’ll be running through the various tactics and techniques used by Salt Typhoon in this attack campaign. We’ll also use the MITRE ATT&CK framework to clearly identify the techniques in question, signposting Hack The Box resources that can be used for hands-on training where available.
APTs like Salt Typhoon are known for their patience, maintaining access to compromised networks for months or years before their presence is revealed.
In this case, Salt Typhoon didn’t just breach telecoms—they lived in their networks, totally undetected, for over two years. That’s plenty of time to expand their access and collect sensitive data worth its weight in gold.
Salt Typhoon initially gained access to the telecoms' environments by exploiting various N-day vulnerabilities in firewalls, virtual private networks (VPNs), and Exchange servers (MITRE ATT&CK: Exploit Public-Facing Application). Vulnerabilities known to be exploited in this attack include:
CVE-2021-26855 (Microsoft Exchange – ProxyLogon)
CVE-2022-3236 (Sophos Firewall)
CVE-2023-48788 (Fortinet FortiClient EMS)
CVE-2023-46805 (Ivanti Connect VPN)
CVE-2024-21887 (Ivanti Connect VPN)
Salt Typhoon gained access to core network infrastructure, using it as a platform to collect data from impacted telecoms. Cisco routers and other devices were compromised via various methods, including exploiting CVE-2018-0171 and the use of compromised credentials (MITRE ATT&CK: Valid Accounts: Local Accounts).
🟥 APT defense starts with hygiene. Salt Typhoon didn’t need zero-days — just unpatched firewalls and reused passwords. Are you leaving the front door open?
After gaining initial access to core network infrastructure, Salt Typhoon used these devices to move laterally both within a telecom’s network and to connected telecom networks. The nature of these devices allowed the threat group to access other systems with a lower risk of detection since connections from a router to another device are commonplace.
One key element of the group’s strategy was the collection of configuration files from compromised devices (MITRE ATT&CK: Data from Configuration Repository: Network Device Configuration Dump), which were exfiltrated via FTP and TFTP (MITRE ATT&CK: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol).
🟦 Config files ≠ harmless. Salt Typhoon treated device configs like loot drops—full of crackable passwords and maps of your network.
These configuration files often contained SNMP Read/Write (R/W) community strings and other credentials stored in an insecure, easily crackable format (MITRE ATT&CK: Brute Force: Password Cracking). Additionally, configuration files include information such as named interfaces, which could be used to guess the purpose of other devices on the network (MITRE ATT&CK: Gather Victim Network Information: Network Topology).
In addition to dumping credentials from configuration files, Salt Typhoon also sniffed network traffic (MITRE ATT&CK: Network Sniffing), including SNMP, TACACS, and RADIUS traffic, to collect additional credentials.
How? JumbledPath, a custom malware variant designed to remotely perform packet capture via an attacker-selected jump-host (MITRE ATT&CK: Develop Capabilities: Malware). Packet capture files were compressed and encrypted before being returned to an attacker-controlled system via a series of hops in an attempt to cover the attacker’s tracks.
Compromised credentials and vulnerability exploits expanded Salt Typhoon’s access, and it used various methods to bypass access controls.
For example, assigning a new IP address to the loopback interface on a compromised switch (MITRE ATT&CK: Impair Defenses: Disable or Modify System Firewall) allowed them to use it as the client for SSH connections to other systems (MITRE ATT&CK: Remote Services: SSH).
On top of that, the group modified configuration files on authentication, authorization, and accounting (AAA) servers to include additional, attacker-controlled IP addresses that enabled them to bypass access control lists (ACLs).
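The two device-level problems described above, crackable credential material sitting in configuration dumps and quiet changes to loopback addresses, AAA servers and ACLs, can both be caught by auditing the running config. The script below is an added example written for this post; it is not Hack The Box code and not anything recovered from the Salt Typhoon intrusions. Both configs are constructed Cisco IOS-style text with placeholder hashes and addresses. It goes slightly beyond the post by also flagging new GRE tunnel interfaces, since those appear later in the same campaign.

```python
"""Audit a Cisco IOS-style running-config dump.

Two checks: (1) credential material stored in a reversible or plaintext form,
plus SNMP communities with write access, which is what makes a stolen config
dump valuable; (2) high-risk changes relative to a known-good baseline, such as
a new loopback address, a new tunnel interface, or an extra AAA server or ACL
entry. Both configs below are constructed for this example.
"""
import re

BASELINE = """\
hostname core-rtr-1
enable secret 5 $1$abcd$constructedHash000000000
username netops secret 5 $1$efgh$constructedHash111111111
snmp-server community monitorRO RO
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
tacacs-server host 10.0.0.5
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
"""

CURRENT = """\
hostname core-rtr-1
enable password 7 00112233445566778899
username netops secret 5 $1$efgh$constructedHash111111111
username svc-backup password 7 AABBCCDDEEFF00112233
username guest password 0 Welcome1
snmp-server community monitorRO RO
snmp-server community private RW
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Loopback99
 ip address 192.0.2.77 255.255.255.255
interface Tunnel5
 tunnel mode gre ip
 tunnel destination 198.51.100.9
tacacs-server host 10.0.0.5
tacacs-server host 198.51.100.20
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
 permit 198.51.100.0 0.0.0.255
"""

# Patterns for credential storage that should not appear in a hardened config.
WEAK_CRED = [
    (re.compile(r"^enable password\b"), "enable password (use 'enable secret')"),
    (re.compile(r"\bpassword 7\b"), "type 7 password: reversible encoding"),
    (re.compile(r"\bpassword (?:0 )?(?![0-9] )\S+\s*$"), "plaintext password"),
    (re.compile(r"^snmp-server community \S+ RW\b", re.I), "SNMP community with write access"),
]

# Top-level statements whose addition, removal or modification deserves review.
HIGH_RISK = re.compile(
    r"^(interface (Loopback|Tunnel)|tacacs-server|radius-server|aaa |ip access-list"
    r"|snmp-server|username |enable )"
)


def audit_credentials(text):
    """Return (line, reason) pairs for every weakly stored credential."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        for pattern, why in WEAK_CRED:
            if pattern.search(stripped):
                findings.append((stripped, why))
    return findings


def parse_config(text):
    """Split config text into (parent, [children]) blocks: non-indented lines
    start a block, indented lines belong to the block above them."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def diff_config(baseline_text, current_text):
    """Return ('added'|'removed'|'modified', parent, children) tuples."""
    base = {p: c for p, c in parse_config(baseline_text)}
    current = parse_config(current_text)
    seen = set()
    changes = []
    for parent, children in current:
        seen.add(parent)
        if parent not in base:
            changes.append(("added", parent, children))
        elif children != base[parent]:
            new = [c for c in children if c not in base[parent]]
            changes.append(("modified", parent, new))
    for parent, children in base.items():
        if parent not in seen:
            changes.append(("removed", parent, children))
    return changes


def risky_changes(baseline_text, current_text):
    """Only the changes that touch access paths, AAA, ACLs or credentials."""
    return [c for c in diff_config(baseline_text, current_text) if HIGH_RISK.match(c[1])]


if __name__ == "__main__":
    for line, why in audit_credentials(CURRENT):
        print(f"[cred] {why}: {line}")
    for kind, parent, children in risky_changes(BASELINE, CURRENT):
        print(f"[diff] {kind}: {parent} {children}")
```

Run against a real device, the baseline would be the last reviewed config from your configuration repository and the current text the output of `show running-config`; the value is in the diff being reviewed by a human, since a new loopback address or an extra TACACS host is rarely wrong in syntax, only in intent.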
Salt Typhoon managed to remain undetected in various telecoms’ systems for as long as three years. The group used various techniques to cover their tracks and decrease the profile of their malicious activities.
🟦 Living off the land ≠ low risk: Just because it’s “native tooling” doesn’t mean it’s benign. APTs love subtlety, and Salt Typhoon mastered it.
The APT group is known for using living-off-the-land techniques to subtly maintain access. By using built-in utilities to achieve their goals, they can hide within legitimate activity. For example, Salt Typhoon used shell commands (MITRE ATT&CK: Command and Scripting Interpreter: Unix Shell) to:
Add authorized SSH keys for backdoor access to compromised devices (MITRE ATT&CK: Account Manipulation: SSH Authorized Keys)
Create local Linux accounts by modifying /etc/passwd and /etc/shadow (MITRE ATT&CK: Create Account)
Set up GRE tunnels to conceal command and control (C2) traffic (MITRE ATT&CK: Protocol Tunneling)
Additionally, they deleted log files and disabled logging where possible to destroy any record of their activities (MITRE ATT&CK: Indicator Removal: Clear Linux or Mac System Logs).
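Each of the living-off-the-land steps listed above leaves a trace a defender can look for: a new line in /etc/passwd, a new key in authorized_keys, a log file that is suddenly smaller or gone. The following is an added example, not Hack The Box code or anything tied to the group's tooling; it compares constructed "before" and "after" snapshots of those artifacts and reports the differences.

```python
"""Detect host-level persistence and anti-forensics on a Linux system:
new or UID-0 accounts in /etc/passwd, new entries in an authorized_keys file,
and log files that vanished or shrank. All snapshots below are constructed
strings and sizes, not real host data.
"""

PASSWD_BASE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
netadmin:x:1000:1000::/home/netadmin:/bin/bash
"""

PASSWD_NOW = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
netadmin:x:1000:1000::/home/netadmin:/bin/bash
sysupd:x:0:0::/var/tmp/.s:/bin/bash
"""

KEYS_BASE = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne netadmin@jump\n"
KEYS_NOW = KEYS_BASE + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo\n"

# Byte sizes as they might be recorded by a periodic inventory job (constructed).
LOG_SIZES_BASE = {"/var/log/auth.log": 482113, "/var/log/syslog": 9120044, "/var/log/wtmp": 34560}
LOG_SIZES_NOW = {"/var/log/auth.log": 1024, "/var/log/syslog": 9140200}


def parse_passwd(text):
    """Map username -> account attributes from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def account_findings(base_text, now_text):
    base, now = parse_passwd(base_text), parse_passwd(now_text)
    findings = []
    for name, info in now.items():
        if name not in base:
            findings.append(f"new account {name} uid={info['uid']} shell={info['shell']} home={info['home']}")
            if info["uid"] == 0:
                findings.append(f"new account {name} has UID 0 (root-equivalent)")
        elif info != base[name]:
            findings.append(f"account {name} changed: {base[name]} -> {info}")
    for name in base:
        if name not in now:
            findings.append(f"account {name} removed")
    return findings


def _keys(text):
    """Extract (key type, key material) pairs; leading options and trailing
    comments are ignored so that re-commenting a key does not count as new."""
    out = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        for i, part in enumerate(parts):
            if part.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
                out.add((part, parts[i + 1]))
                break
    return out


def authorized_key_findings(base_text, now_text):
    added = _keys(now_text) - _keys(base_text)
    return [f"new authorized key {ktype} {key[:20]}..." for ktype, key in sorted(added)]


def log_findings(base_sizes, now_sizes):
    """A log that disappears or gets smaller between inventories is either
    rotation (check the schedule) or deliberate clearing."""
    findings = []
    for path, size in base_sizes.items():
        if path not in now_sizes:
            findings.append(f"{path} missing (deleted?)")
        elif now_sizes[path] < size:
            findings.append(f"{path} shrank {size} -> {now_sizes[path]} (truncated?)")
    return findings


if __name__ == "__main__":
    for f in (account_findings(PASSWD_BASE, PASSWD_NOW)
              + authorized_key_findings(KEYS_BASE, KEYS_NOW)
              + log_findings(LOG_SIZES_BASE, LOG_SIZES_NOW)):
        print(f)
```

On a real fleet the "base" snapshots would come from a configuration-management or file-integrity system and the "now" values from the host, and the comparison would run centrally, since an attacker who can clear local logs can also tamper with a check that runs only on the compromised box.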
However, the group isn't wholly reliant on built-in tools; it also uses various pieces of custom malware in its attacks.
In addition to JumbledPath, Salt Typhoon used GhostSpider, a custom backdoor designed to maintain access to compromised environments. Other malware associated with the group includes SnappyBee, Masol RAT, and the Demodex rootkit.
🟥 The loopback trick: Assigning a new IP to the loopback interface let attackers use a switch like a trusted device. Sneaky, persistent, effective.
Espionage and counterintelligence are common goals of Salt Typhoon campaigns. In this case, the intent of the attack was to target certain high-profile individuals.
For example, the attackers accessed call recordings associated with the Harris and Trump US Presidential campaigns, which were occurring at that time. That alone is major.
🟥 This isn’t theoretical. Salt Typhoon accessed wiretaps and campaign calls. This is national-security-grade surveillance in your infrastructure.
With far-reaching access within telecom environments, the APT group was able to collect a variety of sensitive information for users in the Washington DC area, including:
Call metadata
Text messages
Source and destination IP addresses
Phone numbers
Call recordings
The group is also reported to have accessed the system used to support court-authorized wiretaps. This provided access to highly sensitive data regarding active legal cases.
The attackers exfiltrated collected metadata, phone recordings, and other information via FTP and TFTP. These protocols are unencrypted and may allow anonymous access to the hosted data.
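Because FTP and TFTP are cleartext and rarely legitimate from a core router, they are easy to single out in flow telemetry. The example below is added for this post and is not Hack The Box code; it reads constructed NetFlow-style CSV records, flags FTP control (tcp/21) and TFTP (udp/69) traffic from an assumed infrastructure management range to any host outside an assumed allow-list, and then ties a subsequent large transfer between the same pair of hosts back to the FTP session, which is how a passive-mode data channel on a random port shows up.

```python
"""Flag cleartext FTP/TFTP transfers sourced from network infrastructure.

Flow records, the infrastructure range and the approved transfer server are
all constructed assumptions for this example.
"""
import csv
import io
import ipaddress

FLOWS = """\
ts,src,dst,proto,dport,bytes
2025-06-30T01:02:03Z,10.255.0.1,10.0.0.50,udp,69,2048
2025-06-30T01:05:10Z,10.255.0.1,198.51.100.20,tcp,21,4096
2025-06-30T01:05:12Z,10.255.0.1,198.51.100.20,tcp,52311,83886080
2025-06-30T01:07:00Z,10.0.0.50,10.0.0.60,udp,69,1500
2025-06-30T01:09:00Z,10.255.0.2,10.0.0.50,tcp,22,900
"""

# Assumed loopback/management range for routers and switches (constructed).
INFRA_NETS = [ipaddress.ip_network("10.255.0.0/24")]
# Assumed config-backup server that is allowed to receive TFTP/FTP (constructed).
APPROVED_TRANSFER_SERVERS = {ipaddress.ip_address("10.0.0.50")}

FILE_TRANSFER_PORTS = {("tcp", 21): "FTP", ("udp", 69): "TFTP"}


def detect_exfil(flow_csv, infra_nets=INFRA_NETS, approved=APPROVED_TRANSFER_SERVERS,
                 bulk_bytes=10_000_000):
    """Return (severity, timestamp, message) tuples, in flow order."""
    findings = []
    ftp_pairs = set()  # (src, dst) pairs with an unapproved FTP control channel
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        if not any(src in net for net in infra_nets):
            continue  # only traffic originating from network devices is of interest
        proto, dport, nbytes = row["proto"], int(row["dport"]), int(row["bytes"])
        service = FILE_TRANSFER_PORTS.get((proto, dport))
        if service:
            if dst in approved:
                findings.append(("info", row["ts"], f"{service} {src}->{dst} to approved server"))
            else:
                findings.append(("alert", row["ts"],
                                 f"{service} {src}->{dst}: cleartext transfer to unapproved host"))
                if service == "FTP":
                    ftp_pairs.add((src, dst))
        elif proto == "tcp" and (src, dst) in ftp_pairs and nbytes >= bulk_bytes:
            # Passive FTP opens the data channel on an ephemeral port; a large
            # flow between the same hosts right after the control channel is it.
            findings.append(("alert", row["ts"],
                             f"{nbytes} bytes {src}->{dst} after FTP control channel: likely data transfer"))
    return findings


if __name__ == "__main__":
    for severity, ts, msg in detect_exfil(FLOWS):
        print(f"{ts} [{severity}] {msg}")
```

The allow-list is the important knob: a config backup to the known TFTP server is routine, while the same protocol toward an address nobody in operations recognises is exactly the behaviour described above.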
The cyberattacks against nine US-based telecoms are part of a global espionage operation by Salt Typhoon. The attackers targeted telecom providers in multiple countries, and analysis indicates that they will likely be able to maintain access to these environments indefinitely.
This attack campaign exploited common shortcomings in basic cybersecurity hygiene, such as failing to patch known vulnerabilities, use of insecure configurations, and failing to adequately monitor network traffic.
To prepare for these threats, security teams need a clear understanding of these issues, the associated risks, and how they can be exploited by an attacker.
Salt Typhoon isn’t alone. Groups like Volt Typhoon (also PRC-linked), APT41, and Charming Kitten (Iran) are all increasingly targeting critical infrastructure—from telecoms to power grids. And these attacks aren’t just about data theft; they’re laying the groundwork for geopolitical leverage.
Hack The Box provides hands-on training for security teams that includes many of the techniques employed by Salt Typhoon and other APT groups. Is your team attack-ready?