The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
Salt Typhoon (aka Earth Estries, GhostEmperor, and UNC2286) is a sophisticated hacking group active since at least 2019, primarily focusing on breaching government entities and telecommunications companies.
Recently, the U.S. authorities have confirmed that Salt Typhoon was behind several successful breaches of telecommunication service providers in the U.S., including Verizon, AT&T, Lumen Technologies, and T-Mobile.
It was later revealed that Salt Typhoon managed to tap into the private communications of some U.S. government officials and stole information related to court-authorized wiretapping requests.
Last week, Recorded Future's Insikt Group reported that Salt Typhoon targeted over 1,000 Cisco network devices, more than half of them in the U.S., South America, and India, between December 2024 and January 2025.
Today, Cisco Talos revealed more details about the threat actor's activity inside major U.S. telecommunications companies, intrusions that in some cases spanned more than three years.
Salt Typhoon's tactics
Cisco says Salt Typhoon hackers infiltrated core networking infrastructure primarily through stolen credentials. Apart from a single case involving exploitation of the Cisco CVE-2018-0171 flaw, the cybersecurity company has seen no other vulnerability, known or zero-day, exploited in this campaign.
"No new Cisco vulnerabilities were discovered during this campaign," states Cisco Talos in its report. "While there have been some reports that Salt Typhoon is abusing three other known Cisco vulnerabilities, we have not identified any evidence to confirm these claims."
While Salt Typhoon primarily gained access to targeted networks using stolen credentials, the exact method of obtaining the credentials remains unclear.