
RHC Dark Lab : 12 November 2025 21:17
In recent months, the Chinese hacking group known as Salt Typhoon has continued to make headlines for its aggressive and persistent cybersecurity tactics.
Despite US sanctions and close government surveillance, Salt Typhoon has shown no signs of slowing down its activities, continuing to launch coordinated attacks against educational institutions and critical infrastructure globally.
Recent reports indicate that the group targeted several telecommunications providers and universities in various countries, primarily the United States, the United Kingdom, and South Africa. These incursions allowed the attackers to compromise crucial network devices and extract sensitive information such as scientific data and proprietary technology.
According to dashboards from the intelligence platform of Recorded Future (Red Hot Cyber’s strategic partner), attacks began to increase significantly in February of this year, with peaks on the 13th and 21st of that month.

Since early December 2024, Salt Typhoon (RedMike) has attempted to exploit over 1,000 Cisco network devices exposed to the internet worldwide, primarily those associated with telecommunications providers, using a combination of two privilege escalation vulnerabilities: CVE-2023-20198 and CVE-2023-20273. Once a device is compromised, the group uses the newly created privileged user account to modify the device’s configuration and add a GRE tunnel for persistent access and data exfiltration.
The privilege escalation vulnerability CVE-2023-20198 was found in the Web UI feature of Cisco IOS XE Software, release 16 and earlier, and was published by Cisco in October 2023. Attackers exploit this vulnerability to gain initial access to the device and issue a privilege 15 command that creates a local user and password. The attacker then logs in to the device with the new local account and exploits an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges.

Over half of the Cisco devices targeted by RedMike were located in the United States, South America, and India. The remaining devices spanned over 100 other countries. While the targeted devices were primarily associated with telecommunications providers, thirteen were linked to universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States, and Vietnam.
This behavior highlights the ongoing threat posed by state-sponsored actors and their ability to compromise national security. Particularly concerning is Salt Typhoon’s strategy of exploiting vulnerabilities in Cisco devices.
China has developed a vast network of cyber espionage operations targeting academic institutions, companies, and foreign governments, aiming to gain strategic advantages in key areas such as artificial intelligence, cryptography, and quantum technology. State-sponsored hacker groups, such as Brass Typhoon (APT41) and Violet Typhoon (APT31), have been linked to sophisticated attack campaigns that exploit vulnerabilities in the computer systems of universities and research centers to exfiltrate sensitive data. These operations are not limited to cyberspace but also involve the recruitment of foreign researchers and students through academic exchange programs and scientific collaborations, which often serve as a cover for the illicit transfer of knowledge.
At the same time, the Chinese government uses front companies and joint ventures with Western institutions to acquire emerging technologies without arousing suspicion. Through initiatives like the “Thousand Talents” program, Beijing has encouraged the return of Chinese scientists and engineers from abroad, often with illegally obtained information and patents.
Furthermore, Chinese cyber operations have targeted critical infrastructure providers, including telecommunications companies and defense contractors, with the intent of compromising communications security and gathering strategic intelligence. These increasingly sophisticated operations, such as those of Salt Typhoon (RedMike), have led to growing tensions between China and Western powers, with sanctions and retaliatory measures from the United States and Europe to counter China’s aggressive expansion of cyber espionage.
On February 15, 2025, Salt Typhoon launched a massive attack targeting 13 universities and five internet service providers, including those in Italy. These attacks marked a significant escalation in the Salt Typhoon campaign, considered one of the largest cyberespionage operations conducted by China against the United States. The consequences of these attacks are not limited to immediate data breaches, but raise questions about the long-term impact on academic research and technological innovation.
A U.S. affiliate of a UK telecommunications company, several Internet service providers (ISPs), and 13 universities, including major institutions such as UCLA, were successfully breached. In February, Cisco confirmed that the CVE-2023-20198 flaw was used to target U.S. telecommunications networks, demonstrating the group’s persistence in leveraging both established and newer vulnerabilities to maintain access to compromised systems.
The attacks were not limited to the United States but also spread to international entities, including ISPs in Italy, South Africa, and Thailand. The scale of these attacks raised significant concerns regarding the security of sensitive data and the integrity of telecommunications infrastructures globally.
Salt Typhoon (RedMike)’s malicious activities generally exploited the vulnerabilities identified as CVE-2023-20198 and CVE-2023-20273, which facilitated unauthorized access to Cisco IOS XE routers. This allowed the attackers to manipulate network devices and potentially exfiltrate sensitive data.
After gaining access to and compromising Cisco routers, Salt Typhoon (RedMike) employs a variety of sophisticated malware to infiltrate and compromise networks across various industries.
One of the main tools in their arsenal is a customized version of the MASOL RAT (Remote Access Trojan), which allows attackers to gain remote control over infected systems.
This malware is particularly effective at exfiltrating sensitive data, monitoring user activity, and executing commands on compromised machines. The use of the MASOL RAT highlights Salt Typhoon’s strategic focus on stealth and persistence, allowing it to maintain long-term access to targeted networks undetected.
MASOL RAT, which has been tracked by Trend Micro since 2020, may be used to target government entities in Southeast Asia. Based on the backdoor’s PDB string (E:Masol_https190228x64ReleaseMasol.pdb), the Remote Access Trojan is believed to have been developed as early as 2019. A new Linux variant has also been observed circulating since 2021.

In a report published by Cisco Talos on February 20, researchers confirmed that Salt Typhoon gained access to the core network infrastructure through Cisco devices and then used that infrastructure to gather a variety of information.

Salt Typhoon’s approach to gaining initial access to Cisco devices is to obtain the victim’s legitimate login credentials using living-off-the-land (LOTL) techniques on network devices.
Salt Typhoon (RedMike) used a custom utility called JumbledPath that allowed it to perform a packet capture on a remote Cisco device via an actor-defined jump host. The tool also attempted to clear logs and impair logging along the jump path, returning the resulting compressed and encrypted capture through another unique set of connections or jumps defined by the actor.
This allowed the threat actor to create a chain of connections and perform the capture on a remote device. Using this utility helps obfuscate the original source and final destination of the request, and also lets its operator move across devices or infrastructure that would otherwise not be publicly reachable (or routable).

The utility was written in Go and compiled as an x86-64 ELF binary. Compiling it for this architecture makes it widely usable on Linux operating systems, which underpin a variety of multi-vendor network devices. The utility was found in Guestshell instances configured by the actor on Cisco Nexus devices.
The threat actor repeatedly changed the address of the loopback interface on a compromised switch and used that interface as the source of SSH connections to other devices within the target environment, effectively bypassing access control lists (ACLs) in place on those devices.
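The following Python audit is an added example, not code from the original article or from any vendor tool. It checks a Cisco IOS XE running-config for the post-compromise markers described above: the privilege 15 local user and GRE tunnel from the CVE-2023-20198/CVE-2023-20273 chain, the exposed Web UI the exploit reaches, and loopback address changes of the kind used to source SSH connections past ACLs. The allowlist, baseline and config text are constructed for illustration.

```python
"""Audit a Cisco IOS XE running-config for the persistence markers the article
describes: unexpected privilege-15 users, GRE tunnels, an exposed Web UI and
loopback addresses that drifted from a baseline. All sample data is constructed."""
import re

SAMPLE_CONFIG = """\
ip http secure-server
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
interface Loopback0
 ip address 10.255.0.7 255.255.255.255
interface Tunnel100
 ip address 172.16.99.1 255.255.255.252
 tunnel destination 203.0.113.50
"""
KNOWN_ADMINS = {"netops"}                        # constructed allowlist
LOOPBACK_BASELINE = {"Loopback0": "10.255.0.1"}  # constructed golden config


def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_config(config, known_admins=KNOWN_ADMINS,
                 loopback_baseline=LOOPBACK_BASELINE):
    """Return (severity, message) findings for the markers above."""
    findings = []
    for user in re.findall(r"^username (\S+) privilege 15\b", config, re.M):
        if user not in known_admins:
            findings.append(("high", f"unexpected privilege-15 user {user}"))
    if re.search(r"^ip http (secure-)?server", config, re.M):
        findings.append(("medium", "Web UI enabled (CVE-2023-20198 surface)"))
    for name, lines in parse_interfaces(config).items():
        # IOS XE tunnels default to GRE/IP; a destination line means it is live.
        dst = [l.split()[-1] for l in lines if l.startswith("tunnel destination")]
        if name.startswith("Tunnel") and dst:
            findings.append(("high", f"GRE tunnel {name} to {dst[0]}"))
        addr = [l.split()[2] for l in lines if l.startswith("ip address")]
        if name.startswith("Loopback") and addr and loopback_baseline.get(name, addr[0]) != addr[0]:
            findings.append(("medium", f"{name} moved from {loopback_baseline[name]} to {addr[0]}"))
    return findings
```

Run it against the output of `show running-config` collected out of band and diff the findings against a known-good baseline; a loopback that keeps moving between collections is the signal the Talos report describes.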
Salt Typhoon (RedMike)’s campaign often involves a multi-pronged approach that exploits known vulnerabilities in widely used networking devices, particularly those from Cisco.
Another notable behavior exhibited by Salt Typhoon involves living-off-the-land (LOTL) techniques on network devices, abusing trusted infrastructure as a pivot point for moving between telecommunications companies. The following is the Salt Typhoon exploitation infrastructure:

Salt Typhoon begins with extensive reconnaissance to identify potential targets within critical infrastructure, such as telecommunications providers and educational institutions. This phase may involve scanning for vulnerable devices, gathering information on network configurations, and identifying key personnel.

The group often exploits specific vulnerabilities in Cisco devices. For example, it is known to exploit vulnerabilities such as CVE-2018-0171 and CVE-2023-20198. These vulnerabilities allow attackers to gain unauthorized access to network devices by sending crafted messages or commands, causing denial-of-service conditions or arbitrary code execution.
Once initial access is gained through vulnerability exploitation, Salt Typhoon often uses malware such as the MASOL RAT (as discussed above) or custom exploit kits. These tools allow attackers to establish a foothold within the network, exfiltrate sensitive data, and harvest legitimate credentials for further access. Credential theft is crucial because it allows for increased access.
Salt Typhoon (RedMike) attempted to exploit more than 1,000 Cisco devices globally. The group likely compiled a list of target devices based on their association with telecommunications provider networks. Recorded Future’s Insikt Group also observed that RedMike was targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States (US), and Vietnam.
To protect against Salt Typhoon (RedMike) attacks, organizations must implement a comprehensive cybersecurity strategy that emphasizes vulnerability management, network security, and employee training. Here are some key measures to consider:
Salt Typhoon has gained attention for its recent infiltration of commercial telecommunications infrastructure. US senators called the attack “mind-blowing,” saying it should serve as a “wake-up call” to companies believed to have been compromised, including AT&T, Verizon, and Lumen.
RedMike likely targeted these universities to gain access to research in telecommunications, engineering, and technology-related areas, particularly at institutions such as UCLA and TU Delft. In addition to this activity, in mid-December 2024, RedMike also performed reconnaissance of multiple IP addresses owned by a Myanmar-based telecommunications provider, Mytel.
The continued exposure of vulnerabilities in Cisco devices has led to growing concern among service providers and government agencies, forcing them to rethink their security strategies. It has become clear that protecting networks and data is crucial to maintaining not only national security but also public trust in digital systems.
Faced with these evolving threats, industry experts and cybersecurity professionals emphasize the importance of robust security measures and proactive defenses. Organizations must conduct thorough assessments of their networks, focusing specifically on vulnerabilities within Cisco devices. The current situation serves as a reminder of the need for continued vigilance against sophisticated adversaries like Salt Typhoon and its affiliates.
As the group continues to launch targeted attacks against critical infrastructure and educational institutions, it is crucial that organizations around the world improve their security postures and collaborate to share information, reducing the risks posed by these cyber threats. The battle against cyber espionage is far from over, and only through a collective effort can the international community hope to safeguard its digital borders.
This article was written using the Recorded Future platform, a strategic partner of Red Hot Cyber and a global leader in cyber threat intelligence, which provides advanced analytics to identify and counter malicious activity in cyberspace.