2025-08-28

A joint advisory on Salt Typhoon signed by agencies from 13 countries offers threat hunting and mitigation guidance based on the group’s tactics, techniques and procedures (TTPs).

The Chinese government-backed advanced persistent threat (APT) group, aka OPERATOR PANDA, RedMike, UNC5807 and GhostEmperor, has been targeting telecommunications, government, lodging, transportation and military networks globally to gain intelligence on targets’ communications and movements.

Acting under China-based companies, including Sichuan Juxinhe Network Technology, Huanyu Tianqiong Information Technology and Sichuan Zhixin Ruijie Network Technology, the group works with units of China’s intelligence services including the People’s Liberation Army and Ministry of State Security, according to the advisory, and has been active since at least 2021.

“Salt Typhoon is already an Avengers-level threat, having shown the ability to disrupt key systems while remaining undetected. With the backing of three notable Chinese organizations, they only get more dangerous, and their breadth for potential attacks widens dramatically,” Pete Luban, field CISO of AttackIQ, told SC Media in an email.

The joint advisory compiled by officials from more than a dozen nations, including the United States, Australia, Canada, New Zealand, the United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain, detailed how Salt Typhoon gains initial access, persists on network devices, achieves lateral movement and exfiltrates data, as well as what defenders can do to detect and combat Salt Typhoon intrusions.

Salt Typhoon guidance for cyber defenders

Authoring agencies of the advisory from the United States include the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and Department of Defense Cyber Crime Center (DC3).

Crucial for defending against Salt Typhoon is the patching of known vulnerabilities in network devices, especially those commonly targeted by the APT. The advisory notes that publicly disclosed CVEs are the main initial access vector of the group, with no known exploitation of zero-day vulnerabilities observed.

However, attacks against other products, such as Fortinet, Juniper and SonicWall firewalls, Nokia routers and switches, Sierra Wireless devices and Microsoft Exchange, are also likely, the advisory noted.

Salt Typhoon achieves persistence, lateral movement and data exfiltration by altering, targeting and abusing network device features, such as by:

- Modifying access control lists (ACLs)
- Opening non-standard ports and unauthorized SSH and HTTP services
- Capturing Terminal Access Controller Access Control System Plus (TACACS+) authentication traffic using packet capture (PCAP) functionalities
- Running commands in virtualized containers such as Cisco Guest Shell
- Abusing peering connections with weak restraints

Threat hunting for Salt Typhoon activity, which is encouraged for critical infrastructure organizations — especially telcos — should thus include monitoring of configuration changes, network services and tunnels, virtualized containers, logs forwarded from network devices, and firmware and software integrity.

When a Salt Typhoon intrusion is suspected, the advisory emphasized that the full extent of the threat actor’s access should be identified before any removal measures begin; acting too early could alert the attackers and prevent a complete, lasting eviction.

In general, organizations should regularly review network device logs for unusual activity, audit device configurations for unexpected changes, disable unused ports and protocols (and, where possible, outbound connections from management interfaces), and change all default credentials on network appliances.
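The configuration audit and log review the advisory recommends can be partly automated. The following script is an added example written for this article, not code from the advisory or from any of the authoring agencies: it diffs a Cisco IOS-style running config against a known-good baseline and flags the feature changes listed above (ACL edits, HTTP/SSH services on non-standard ports, IOx/Guest Shell, new tunnel interfaces), and it scans syslog lines in the `%PARSER-5-CFGLOG_LOGGEDCMD` format that IOS emits when `archive log config` is enabled. Both config snapshots, the log lines, the usernames and the addresses are constructed for illustration.

```python
import re

# Constructed "known-good" config snapshot for a Cisco IOS-style router.
BASELINE_CONFIG = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed "current" snapshot containing the kinds of changes the advisory describes.
CURRENT_CONFIG = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.77 any
 deny ip any any
ip http server
ip http port 8443
ip ssh port 57722 rotary 1
iox
app-hosting appid guestshell
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.9
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Top-level statements that deserve a hunt ticket when they appear without a change record.
TOP_LEVEL_RULES = [
    (re.compile(r"^ip http (server|secure-server|port)\b"), "HTTP management service enabled/changed"),
    (re.compile(r"^ip ssh port \d+"), "SSH moved to non-standard port"),
    (re.compile(r"^iox$"), "IOx enabled (prerequisite for Guest Shell)"),
    (re.compile(r"^app-hosting appid guestshell\b"), "Guest Shell container defined"),
    (re.compile(r"^interface Tunnel\d+"), "new tunnel interface"),
    (re.compile(r"^access-list \d+"), "numbered ACL changed"),
]


def _stanzas(config):
    """Yield (parent, line) pairs: parent is the enclosing top-level statement
    for indented lines and None for top-level lines themselves."""
    parent = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            yield parent, raw.strip()
        else:
            parent = raw.strip()
            yield None, parent


def classify(parent, line):
    """Map an added config line to a finding category, or None if uninteresting."""
    if parent and parent.startswith(("ip access-list", "ipv6 access-list")):
        return f"ACL modified: {parent}"
    if parent and parent.startswith("interface Tunnel"):
        return f"tunnel configured: {parent}"
    if parent is None:
        for rx, label in TOP_LEVEL_RULES:
            if rx.match(line):
                return label
    return None


def audit_config(baseline, current):
    """Return [(category, line)] for every line present in current but absent from
    baseline that matches one of the watched patterns."""
    known = set(_stanzas(baseline))
    findings = []
    for parent, line in _stanzas(current):
        if (parent, line) in known:
            continue
        category = classify(parent, line)
        if category:
            findings.append((category, line))
    return findings


# Constructed syslog lines in the shape IOS produces with 'archive log config' on.
SAMPLE_SYSLOG = [
    "Aug 20 02:14:07 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_netops logged command:ip http server",
    "Aug 20 02:14:09 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_netops logged command:ip ssh port 57722 rotary 1",
    "Aug 20 02:16:41 edge-rtr-1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_netops logged command:iox",
    "Aug 20 08:00:00 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.12)",
]

CMD_LOG = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+) logged command:(.*)$")
WATCHED_CMDS = re.compile(
    r"^(ip http |ip ssh port |iox\b|app-hosting appid guestshell|guestshell enable|"
    r"interface Tunnel|monitor capture |ip access-list )"
)


def flag_logged_commands(lines):
    """Return [(user, command)] for logged config commands touching watched features."""
    hits = []
    for line in lines:
        m = CMD_LOG.search(line)
        if m and WATCHED_CMDS.match(m.group(2).strip()):
            hits.append((m.group(1), m.group(2).strip()))
    return hits


if __name__ == "__main__":
    for cat, line in audit_config(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[config] {cat}: {line}")
    for user, cmd in flag_logged_commands(SAMPLE_SYSLOG):
        print(f"[syslog] {user}: {cmd}")
```

In practice the baseline would come from a config-management store and the current snapshot from a scheduled `show running-config` pull, with each finding reconciled against the change-ticket system; a flagged line with no matching ticket is what the hunt is looking for. The syslog check only catches config-mode commands, so exec-mode activity such as starting a packet capture or entering Guest Shell still has to be covered by TACACS+ command accounting.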

Hardening of device management protocols and services, robust logging, virtual private network (VPN) best practices and routing best practices, such as the use of routing authentication mechanisms and protection of peering and edge routing paths, are also recommended as mitigation measures.

Due to Salt Typhoon’s extensive targeting and abuse of Cisco devices, the advisory includes Cisco-specific mitigation measures, such as disabling Cisco Smart Install and Guest Shell when not required, storing device credentials with strong cryptography and monitoring for unexpected enablement of IOS XR services like sshd_openrns, which is disabled by default.