NSA, CISA, & Partners Expose Chinese APT Groups
The U.S. National Security Agency, the U.K.’s National Cyber Security Centre, and partners from more than ten countries have attributed the global Salt Typhoon operations to three Chinese technology companies. Now, the FBI and a broad coalition of allies — ranging from the Five Eyes to Finland, the Netherlands, Poland, and the Czech Republic — have joined the effort.
A joint advisory outlined the scale of the campaign: at least 200 U.S. organizations have been compromised, with victims identified in roughly 80 countries, placing the operation well beyond the bounds of traditional espionage. According to FBI cyber division leadership, the intruders sought deep, persistent access to major U.S. and international telecommunications operators, extracting call and connection records and, in some cases, lawful-intercept requests, which effectively reveal whom law enforcement and intelligence services are monitoring. Among the ultimate victims were prominent figures from both political parties.
Strikingly, the adversary did not rely on rare zero-days, but instead exploited long-known vulnerabilities in edge devices for which patches have been available for years. These included:
- CVE-2024-21887 in Ivanti Connect Secure
- CVE-2024-3400 in PAN-OS GlobalProtect
- CVE-2023-20198 and CVE-2023-20273 in Cisco IOS XE
- CVE-2018-0171 in Cisco Smart Install
Through these entry points, the attackers modified ACLs to admit their own infrastructure, enabled SSH on non-standard ports, established GRE and IPsec tunnels between compromised devices, used Guest Shell (the Linux container environment on IOS XE) for persistence, redirected TACACS+ traffic to servers they controlled, and harvested the authentication data flowing through it. For lateral movement and exfiltration they deployed custom Go-based tools ("cmd1", "cmd3", "new2", and "sft"). Devices were compromised regardless of who owned them: "foreign" networks were often used as stepping stones toward the ultimate targets over trusted inter-operator links.
The breadth of compromise was widened further by the use of private contractors who, according to the agencies, were given latitude in selecting targets, producing an excessive number of victims in unrelated sectors such as hospitality and transportation. The telecom intrusions are only one component of Beijing's broader offensive posture; parallel backdoors have been observed in critical utilities, including energy and water infrastructure.
Previous incidents tied to Salt Typhoon included penetrations of AT&T, Verizon, and Lumen, where the group accessed SMS, voicemail, and even lawful intercept systems. These breaches prompted regulators to mandate tighter CALEA compliance and annual risk management attestations. The group also exploited unpatched Cisco IOS XE deployments across the U.S. and Canada, where it established persistent tunnels and exfiltrated device configurations. Its arsenal included JumbledPath, a utility for capturing traffic on compromised devices. In one notable episode, the actors maintained a nine-month presence inside a U.S. National Guard unit's network, stealing administrator credentials and configuration data.
The prescribed defense is straightforward: patch border devices immediately, harden configurations, disable unnecessary services, restrict management access to dedicated out-of-band networks, enforce SSHv2 and SNMPv3, and decommission Smart Install and Guest Shell wherever possible. The joint advisory provides a detailed catalog of the targeted equipment classes, the tactics used, and indicators of lateral movement within enterprise networks.
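As an added example (not code from the advisory or from any of the agencies), the script below audits a Cisco IOS XE running-config for the post-exploitation changes described earlier (SSH moved to a non-standard port, GRE/IPsec tunnels to unknown peers, Guest Shell, rerouted TACACS+, permissive ACLs) and for the hardening gaps listed here (SSHv2 not enforced, SNMP v1/v2c communities, Smart Install left on, unrestricted vty access). The two configs are constructed samples, not captures from a real device; the function names, finding tags, and the known-good TACACS+ server and tunnel-peer sets are assumptions you would replace with your own baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample: roughly what a box looks like after the changes described above.
COMPROMISED_CONFIG = """\
hostname edge-rtr-1
vstack
iox
app-hosting appid guestshell
ip ssh port 2299 rotary 1
interface Tunnel42
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
tacacs server TAC-NEW
 address ipv4 198.51.100.7
 key 7 0822455D0A16
ip access-list extended MGMT
 permit ip any any
snmp-server community public RO
line vty 0 4
 transport input all
 rotary 1
"""

# Constructed sample of the hardened state the advisory asks for.
HARDENED_CONFIG = """\
hostname edge-rtr-1
no vstack
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
 deny any log
tacacs server TAC-PRIMARY
 address ipv4 10.10.0.5
 key 7 0822455D0A16
snmp-server group NETOPS v3 priv
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
"""


@dataclass(frozen=True)
class Finding:
    tag: str      # short machine-readable label (assumed naming)
    detail: str   # the offending line or a note on what is missing


def parse_sections(config):
    """Split an IOS-style config into (header, [indented sub-lines]) blocks."""
    sections, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):          # indented line belongs to current block
            body.append(raw.strip())
        else:
            if header is not None:
                sections.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        sections.append((header, body))
    return sections


def audit(config, known_tacacs=frozenset(), known_tunnel_peers=frozenset()):
    """Return a list of Finding objects; an empty list means no indicator fired."""
    findings = []
    sections = parse_sections(config)
    top = [h for h, _ in sections]

    for h in top:                               # SSH bound to a non-standard port
        m = re.match(r"ip ssh port (\d+)", h)
        if m and int(m.group(1)) != 22:
            findings.append(Finding("ssh-nonstandard-port", h))
        if h.startswith("snmp-server community"):   # SNMP v1/v2c community string
            findings.append(Finding("snmp-community", h))
    if "ip ssh version 2" not in top:
        findings.append(Finding("sshv2-not-enforced", "missing 'ip ssh version 2'"))
    if "iox" in top or any(h.startswith("app-hosting appid guestshell") for h in top):
        findings.append(Finding("guestshell-enabled", "iox / app-hosting present"))
    # Smart Install is on by default on many Catalyst platforms, so only an
    # explicit 'no vstack' counts as disabled.
    if "no vstack" not in top:
        findings.append(Finding("smart-install-not-disabled", "missing 'no vstack'"))

    for header, body in sections:
        if header.startswith("interface Tunnel"):       # GRE/IPsec tunnel to unknown peer
            dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), None)
            if dest not in known_tunnel_peers:
                findings.append(Finding("unexpected-tunnel", f"{header} -> {dest}"))
        elif header.startswith("tacacs server"):        # TACACS+ pointed somewhere new
            addr = next((l.split()[-1] for l in body if l.startswith("address ipv4")), None)
            if addr not in known_tacacs:
                findings.append(Finding("tacacs-rerouted", f"{header} -> {addr}"))
        elif header.startswith("ip access-list"):       # ACL opened up
            for l in body:
                if re.match(r"permit (ip )?any any", l):
                    findings.append(Finding("acl-permit-any", f"{header}: {l}"))
        elif header.startswith("line vty"):             # management plane restrictions
            transport = next((l for l in body if l.startswith("transport input")), "transport input (default)")
            if transport != "transport input ssh":
                findings.append(Finding("vty-non-ssh", f"{header}: {transport}"))
            if not any(l.startswith("access-class") for l in body):
                findings.append(Finding("vty-unrestricted", f"{header}: no access-class"))
    return findings


if __name__ == "__main__":
    baseline = dict(known_tacacs=frozenset({"10.10.0.5"}), known_tunnel_peers=frozenset())
    for name, cfg in (("compromised", COMPROMISED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg, **baseline))} finding(s)")
        for f in audit(cfg, **baseline):
            print(f"  [{f.tag}] {f.detail}")
```

Run it against `show running-config` output pulled over an out-of-band path, and feed it the TACACS+ servers and tunnel peers you actually provisioned; anything else in those blocks is exactly the kind of change the advisory describes and deserves a look before the device is trusted again.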
The FBI stresses that the campaign remains ongoing: adversaries are concealing re-entry points and harvesting configuration data to facilitate future returns. Requests for comment have been sent to Chinese authorities, but no response has been received.