G1045 Salt Typhoon
Salt Typhoon is a People’s Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).21
| Item | Value |
|---|---|
| ID | G1045 |
| Associated Names | |
| Version | 1.0 |
| Created | 24 February 2025 |
| Last Modified | 06 March 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.004 | SSH Authorized Keys | Salt Typhoon has added SSH authorized_keys under root or other users at the Linux level on compromised network devices.1 |
| enterprise | T1110 | Brute Force | - |
| enterprise | T1110.002 | Password Cracking | Salt Typhoon has cracked passwords for accounts with weak encryption obtained from the configuration files of compromised network devices.1 |
| enterprise | T1136 | Create Account | Salt Typhoon has created Linux-level users on compromised network devices through modification of /etc/shadow and /etc/passwd.1 |
| enterprise | T1602 | Data from Configuration Repository | - |
| enterprise | T1602.002 | Network Device Configuration Dump | Salt Typhoon has attempted to acquire credentials by dumping network device configurations.1 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | Salt Typhoon has used custom tooling including JumbledPath.1 |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | - |
| enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Salt Typhoon has exfiltrated configuration files from exploited network devices over FTP and TFTP.1 |
| enterprise | T1190 | Exploit Public-Facing Application | Salt Typhoon has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access.1 |
| enterprise | T1590 | Gather Victim Network Information | - |
| enterprise | T1590.004 | Network Topology | Salt Typhoon has used configuration files from exploited network devices to help discover upstream and downstream network segments.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | Salt Typhoon has made changes to the Access Control List (ACL) and loopback interface address on compromised devices.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.002 | Clear Linux or Mac System Logs | Salt Typhoon has cleared logs including .bash_history, auth.log, lastlog, wtmp, and btmp.1 |
| enterprise | T1040 | Network Sniffing | Salt Typhoon has used a variety of tools and techniques to capture packet data between network interfaces.1 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Salt Typhoon has used publicly available tooling to exploit vulnerabilities.1 |
| enterprise | T1572 | Protocol Tunneling | Salt Typhoon has modified device configurations to create and use Generic Routing Encapsulation (GRE) tunnels.1 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.004 | SSH | Salt Typhoon has modified the loopback address on compromised switches and used them as the source of SSH connections to additional devices within the target environment, allowing them to bypass access control lists (ACLs).1 |
Software
| ID | Name | References | Techniques |
|---|---|---|---|
| S1206 | JumbledPath | 1 | Archive Collected Data Hide Infrastructure Impair Defenses Clear Linux or Mac System Logs:Indicator Removal Multi-Stage Channels Network Sniffing |
References
-
Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
US Department of Treasury. (2025, January 17). Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise. Retrieved February 24, 2025. ↩