Salt Typhoon Hacked Nine U.S. Telecoms, Tactics and Techniques Revealed


Salt Typhoon, a state-sponsored Advanced Persistent Threat (APT) group linked to the People’s Republic of China (PRC), has executed one of the most sophisticated cyber-espionage campaigns in recent history.

The group targeted at least nine U.S.-based telecommunications companies throughout 2024, exploiting known vulnerabilities to infiltrate critical infrastructure.

The breach, confirmed by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), exposed sensitive data and communications, including metadata and wiretap records from U.S. government officials and political figures.

Salt Typhoon, also tracked under aliases such as Earth Estries, GhostEmperor, and UNC2286, employed a range of advanced tactics, techniques, and procedures (TTPs) to gain access and maintain persistence within victim networks.

The group exploited widely known but often unpatched vulnerabilities in systems such as Microsoft Exchange Server (ProxyLogon – CVE-2021-26855), Sophos Firewall (CVE-2022-3236), Fortinet FortiClient EMS (CVE-2023-48788), and Ivanti Connect Secure VPN (CVE-2024-21887).

Despite patches being available for ...


Copyright of this story solely belongs to gbhackers.