Chinese State Hackers Breach US Telecom Giants with Stealthy Custom Malware

Chinese State-Sponsored Hackers Target U.S. Telecommunications with Advanced Malware

The Chinese hacking group Salt Typhoon, also known as Earth Estries and GhostEmperor, has successfully breached major U.S. telecommunication providers using sophisticated cyber tactics and custom malware. The group, active since 2019, has compromised networks at Verizon, AT&T, Lumen Technologies, and T-Mobile, accessing sensitive data including court-authorized wiretapping requests.

Recent Attacks and Methodology
Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco network devices, primarily in the U.S., South America, and India. According to Cisco Talos, the hackers mainly relied on stolen credentials rather than exploiting vulnerabilities; only one instance involved a known Cisco flaw (CVE-2018-0171).

JumbledPath: A Custom Surveillance Tool
The group’s primary weapon is JumbledPath, a sophisticated Go-based malware designed for Linux systems. This tool enables:
– Stealthy network traffic monitoring
– Packet capture through trusted device impersonation
– Log manipulation and deletion
– Operation across various edge networking devices

Attack Infrastructure
The hackers demonstrated advanced persistence by:
– Extracting credentials from network configurations
– Intercepting authentication traffic
– Exfiltrating device configurations
– Modifying network settings
– Creating hidden accounts
– Using compromised devices to access partner networks

Impact and Prevention
The breaches, some lasting over three years, highlight the growing threat to edge networking devices. Security recommendations include:
– Monitoring unauthorized SSH activity
– Tracking log anomalies
– Regular security patch implementation
– Inspecting configuration changes
– Strengthening access controls
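As an added defensive illustration, not part of the original article or of Cisco Talos' reporting, the script below applies the monitoring recommendations above to constructed Cisco IOS-style syslog lines: it flags SSH logins and configuration changes from outside an assumed trusted management subnet, the creation of local accounts, and commands that disable logging. The subnet, usernames, addresses and log lines are all constructed for the example.

```python
import re

# Constructed sample syslog lines in a Cisco IOS-like format (not real telemetry).
SAMPLE_LOGS = """\
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.1.5] [localport: 22]
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 203.0.113.77] [localport: 22]
%SYS-5-CONFIG_I: Configured from console by netops on vty0 (203.0.113.77)
%PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:username svc_backup privilege 15 secret 0 x
%PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no logging host 10.10.1.9
%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.1.5] [localport: 22]
""".splitlines()

# Assumed: the management subnet from which administrative SSH sessions are expected.
TRUSTED_SOURCES = ("10.10.1.",)

LOGIN_RE = re.compile(r"LOGIN_SUCCESS: .*\[user: (\S+)\] \[Source: (\S+)\] \[localport: (\d+)\]")
CONFIG_RE = re.compile(r"CONFIG_I: Configured from \S+ by (\S+) on \S+ \((\S+)\)")
CMD_RE = re.compile(r"CFGLOG_LOGGEDCMD: User:(\S+) logged command:(.*)")


def is_trusted(src):
    """True when the source address belongs to the assumed management subnet."""
    return src.startswith(TRUSTED_SOURCES)


def find_anomalies(lines):
    """Return (category, line) pairs for events matching the tradecraft described above."""
    findings = []
    for line in lines:
        if m := LOGIN_RE.search(line):
            _user, src, port = m.groups()
            if port == "22" and not is_trusted(src):      # SSH from outside the trusted subnet
                findings.append(("ssh_login_untrusted_source", line))
        elif m := CONFIG_RE.search(line):
            _user, src = m.groups()
            if not is_trusted(src):                        # config change from an untrusted host
                findings.append(("config_change_untrusted_source", line))
        elif m := CMD_RE.search(line):
            cmd = m.group(2).strip()
            if cmd.startswith("username "):                # a new local (possibly hidden) account
                findings.append(("new_local_account", line))
            elif cmd.startswith("no logging"):             # remote logging being switched off
                findings.append(("logging_disabled", line))
    return findings


if __name__ == "__main__":
    for category, line in find_anomalies(SAMPLE_LOGS):
        print(f"{category:32s} {line}")
```

Run against real syslog, the regexes need adjusting to the exact message formats and timestamps your devices emit; the logic of comparing every privileged session and configuration command against an expected source set is what matters.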

The attacks underscore the critical need for enhanced security measures in telecommunications infrastructure and prompt patch management for edge networking devices.