
US Telecom Networks Hacked: Chinese Cyber Spies Use Sophisticated Malware


By WIRE TOR - Ethical Hacking Services · Published 11 months ago · 4 min read

The Chinese state-sponsored hacking group known as Salt Typhoon has been identified as using a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data. These cyberattacks have targeted major U.S. telecommunication providers, raising significant concerns about national security and data privacy.

The Rise of Salt Typhoon

Salt Typhoon, also known by various aliases such as Earth Estries, GhostEmperor, and UNC2286, has been active since at least 2019. This sophisticated hacking group primarily focuses on breaching government entities and telecommunications companies.

Recently, U.S. authorities confirmed that Salt Typhoon was behind multiple successful breaches of major telecommunications service providers in the United States, including Verizon, AT&T, Lumen Technologies, and T-Mobile. These breaches not only compromised sensitive customer data but also allowed the attackers to gain deep access into the network infrastructures of these companies.

It has since been revealed that Salt Typhoon managed to tap into private communications, including those of U.S. government officials. Even more concerning, the hackers were able to steal information related to court-authorized wiretapping requests, posing a direct threat to law enforcement operations and intelligence gathering efforts.

Salt Typhoon’s Expanding Attacks

According to the Insikt Group at Recorded Future, Salt Typhoon has recently targeted over 1,000 Cisco network devices worldwide. Between December 2024 and January 2025, more than half of these attacks occurred in the United States, South America, and India. This expansion suggests a concerted effort to infiltrate critical telecommunications infrastructure in multiple regions.

Cisco Talos, the cybersecurity research division of Cisco, has released new details about Salt Typhoon’s activities. Some breaches have persisted for over three years, indicating that the hackers were able to maintain undetected access for extended periods.

Salt Typhoon's Tactics

Cisco Talos reports that Salt Typhoon primarily infiltrated core networking infrastructure through stolen credentials. While some initial reports suggested that Salt Typhoon might be exploiting multiple known Cisco vulnerabilities, further analysis revealed that only one known vulnerability—CVE-2018-0171—was actively exploited. The attackers relied on stolen credentials rather than zero-day vulnerabilities, which demonstrates their ability to bypass security measures without exploiting software flaws.

"No new Cisco vulnerabilities were discovered during this campaign," states Cisco Talos in its official report. "While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims."

The exact method Salt Typhoon used to obtain stolen credentials remains unknown. However, once inside a targeted network, the attackers quickly escalated their privileges by extracting additional credentials from network device configurations. They also intercepted authentication traffic, including Simple Network Management Protocol (SNMP), Terminal Access Controller Access-Control System (TACACS), and Remote Authentication Dial-In User Service (RADIUS).

Additionally, they exfiltrated device configurations over TFTP and FTP, which contained weakly encrypted passwords, sensitive authentication data, and network mapping details.

Salt Typhoon displayed advanced techniques for persistence and evasion, frequently pivoting between different networking devices to avoid detection. They also used compromised edge devices as entry points to infiltrate partner telecom networks, expanding their access beyond initial targets.

Bypassing Security Measures

The attackers were observed modifying network configurations to maintain access and evade detection. They employed several sophisticated techniques, including:

  • Enabling Guest Shell access to execute arbitrary commands
  • Altering access control lists (ACLs) to allow unauthorized traffic
  • Creating hidden user accounts for persistent access

By manipulating these configurations, Salt Typhoon was able to maintain long-term access to compromised systems without triggering standard security alarms.

The Role of JumbledPath Malware

A key tool in Salt Typhoon’s attacks is a custom malware called JumbledPath, which is used for network monitoring and data exfiltration. JumbledPath is a Go-based ELF binary built for x86_64 Linux systems. Because it is a generic Linux binary rather than code tied to one vendor's firmware, it can run on a range of edge networking devices, including Cisco Nexus devices and others from different manufacturers.

JumbledPath enables Salt Typhoon to capture network packets covertly. It does so via a jump-host system, making the capture requests appear as if they originate from a trusted device inside the network. This obfuscation technique makes it significantly harder to trace the attackers' true location.

JumbledPath’s Capabilities

Packet Capture: The malware allows Salt Typhoon to monitor and capture network traffic in real-time.

Log Manipulation: JumbledPath can disable logging and erase existing logs, making forensic investigations more difficult.

Stealthy Data Exfiltration: The tool ensures that any data theft remains undetected for extended periods.

Detection and Mitigation Strategies

Given the sophistication of Salt Typhoon’s attacks, Cisco Talos recommends several proactive measures to detect and mitigate their activities:

Monitor Unauthorized SSH Activity: Pay close attention to SSH connections on non-standard ports, as this can indicate malicious activity.

Track Log Anomalies: Investigate missing or unusually large .bash_history files, as attackers often clear logs to cover their tracks.

Inspect Configuration Changes: Regularly review network configurations for unexpected alterations that may signal unauthorized access.

Strengthen Credential Security: Implement multi-factor authentication (MFA) and regularly rotate credentials to reduce the risk of compromise.

Patch Network Devices Promptly: Ensure that all edge networking devices are updated with the latest security patches to minimize vulnerabilities.
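The configuration-change checks above, as an added example that is not from the article or from Cisco Talos: a small Python audit that diffs a known-good baseline config against a later snapshot and flags added lines matching the techniques named on this page (new local users, Guest Shell/IOx enablement, new ACL permits, SSH moved to a non-standard port, logging turned off). The config syntax is modelled on Cisco IOS, the snippets are constructed, and the regex rules are illustrative starting points, not a complete ruleset.

```python
"""Flag config changes matching the Salt Typhoon techniques described above.
Added example (not from the article or Cisco Talos). Config snippets are
constructed and loosely modelled on IOS-style syntax; the rules are
illustrative, not a complete detection ruleset."""
import re

# Each rule: (label, regex applied to lines ADDED relative to the baseline)
RULES = [
    ("new local user", re.compile(r"^username\s+\S+")),
    ("guest shell / IOx enabled", re.compile(r"^(iox|app-hosting|guestshell)\b")),
    ("ACL permit added", re.compile(r"^(\d+\s+)?permit\b")),
    ("SSH on non-standard port", re.compile(r"^ip ssh port\s+(?!22\b)\d+")),
    ("logging disabled", re.compile(r"^no logging\b")),
]

def added_lines(baseline: str, current: str) -> list[str]:
    """Lines present in the current config but absent from the baseline (order kept)."""
    base = {l.strip() for l in baseline.splitlines() if l.strip()}
    return [l.strip() for l in current.splitlines() if l.strip() and l.strip() not in base]

def audit_config(baseline: str, current: str) -> list[tuple[str, str]]:
    """Return (label, line) pairs for every added line that matches a rule."""
    findings = []
    for line in added_lines(baseline, current):
        for label, pat in RULES:
            if pat.search(line):
                findings.append((label, line))
    return findings

# Constructed sample: a trusted baseline and a later snapshot of the same device.
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$REDACTED
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
logging host 10.0.0.50
"""
CURRENT = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
iox
ip ssh port 57722 rotary 50
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp any any eq 57722
 deny ip any any
no logging host 10.0.0.50
"""

if __name__ == "__main__":
    for label, line in audit_config(BASELINE, CURRENT):
        print(f"[{label}] {line}")
```

In practice the baseline would come from a config-management store and the snapshot from a scheduled `show running-config` pull, so the diff runs on every change rather than on demand.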

Chinese Threat Actors Targeting Edge Devices

Over the past few years, Chinese state-sponsored hackers have increasingly focused on targeting edge networking devices to install custom malware. These attacks allow them to monitor network communications, steal credentials, and use compromised systems as proxy servers for additional attacks.

Notably, they have targeted devices from major manufacturers, including:

  • Fortinet
  • Barracuda
  • SonicWall
  • Check Point
  • D-Link
  • Cisco
  • Juniper
  • NetGear
  • Sophos

While some of these attacks exploited zero-day vulnerabilities, others relied on stolen credentials or older, unpatched vulnerabilities. This highlights the importance of proactive security measures in preventing such breaches.

Conclusion

The Salt Typhoon hacking group poses a severe and persistent threat to U.S. telecommunications providers. By leveraging stolen credentials and deploying sophisticated malware like JumbledPath, they have successfully infiltrated critical network infrastructures, stealing sensitive data and maintaining long-term access.

With the increasing focus of Chinese state-sponsored actors on edge networking devices, organizations must remain vigilant. Implementing strict security measures, keeping software updated, and continuously monitoring network activity are essential to mitigating these threats. As cybersecurity defenses evolve, so too do the tactics of nation-state hackers, making ongoing vigilance and adaptation crucial in protecting critical telecommunications infrastructure.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
