Chinese Tech Firms Tied to Global Salt Typhoon Hacking Campaigns

Summary
– The NSA, NCSC, and international partners attribute the Salt Typhoon hacking campaigns to three China-based tech firms supporting Chinese state security and military cyber espionage.
– Since 2021, these actors have breached global networks in government, telecom, transportation, and military sectors to steal data for tracking targets’ communications and movements.
– Salt Typhoon exploits known vulnerabilities in network edge devices from vendors like Ivanti, Palo Alto, and Cisco to gain access, modify configurations, and maintain persistence.
– The group has previously breached major U.S. telecom carriers, compromising sensitive communications and prompting regulatory actions to improve network security.
– Security recommendations include prioritizing patching, hardening device configurations, restricting management services, and actively monitoring for signs of compromise.
A major international cybersecurity alert has identified three Chinese technology companies as key enablers of the global Salt Typhoon hacking campaigns. According to joint advisories from the U.S. National Security Agency and the UK’s National Cyber Security Centre, these firms (Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology) have supplied tools and services to Chinese state security and military bodies. Their activities support extensive cyber espionage operations targeting governments, telecommunications providers, and critical infrastructure worldwide.
Since at least 2021, these threat actors have successfully infiltrated networks across multiple sectors, including transportation, hospitality, and defense. Their operations focus on harvesting sensitive data that can be used to monitor the communications and movements of individuals on a global scale. In particular, Salt Typhoon has carried out coordinated attacks against telecom firms, enabling the surveillance of private calls and messages.
Rather than relying on undiscovered zero-day vulnerabilities, the hacking campaigns have achieved considerable success by exploiting known and already-patched flaws in widely used networking equipment. Among the vulnerabilities leveraged are CVE-2024-21887 (Ivanti Connect Secure), CVE-2024-3400 (Palo Alto PAN-OS), and several Cisco IOS XE and Smart Install weaknesses including CVE-2023-20273 and CVE-2018-0171.
By compromising routers and other network edge devices, the attackers gain the ability to modify access controls, establish covert tunnels, and deploy persistence mechanisms. They often target devices belonging to non-core entities simply to use them as stepping stones into more valuable networks. The group has also been observed capturing authentication traffic, tampering with network services, and using custom Golang tools for data exfiltration.
Authorities emphasize that many of these vulnerabilities have had fixes available for months or even years. Organizations are urged to prioritize patching, harden configurations, and closely monitor for unauthorized changes. Recommendations include restricting management interfaces to dedicated networks, enforcing modern protocols like SSHv2, and disabling unnecessary services such as Cisco Smart Install.
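The three hardening points above (SSHv2 only, Smart Install disabled, management access restricted to a dedicated network) can be checked against a device's running configuration. The audit below is an added example written for this summary, not code from the advisory or from Cisco; the two IOS-style configs are constructed samples, and the MGMT-NET ACL name and 10.0.100.0/24 management subnet are assumed values.

```python
# Constructed sample: the weak state the advisory warns about
# (no 'no vstack', SSHv1 pinned, vty open to telnet with no ACL).
WEAK_CONFIG = """\
hostname edge-rtr-1
!
ip ssh version 1
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# Constructed sample of the same device after applying the recommendations.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
no vstack
ip ssh version 2
!
ip access-list standard MGMT-NET
 permit 10.0.100.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-NET in
 transport input ssh
 login local
!
"""

def vty_blocks(config):
    """Yield the indented body lines of each 'line vty ...' section."""
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].startswith("line vty"):
            body = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                body.append(lines[i].strip())
                i += 1
            yield body
        else:
            i += 1

def audit_config(config):
    """Return a list of finding tags; an empty list means all checks passed."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    # 1. Smart Install: only an explicit 'no vstack' in the config proves it is off
    #    (the client is on by default on many Catalyst platforms).
    if "no vstack" not in lines:
        findings.append("smart-install-enabled")
    # 2. SSH: only 'ip ssh version 2' pins SSHv2; absence leaves SSHv1 negotiable.
    if "ip ssh version 2" not in lines:
        findings.append("sshv2-not-enforced")
    # 3. Management plane: each vty line must be SSH-only and ACL-restricted.
    for body in vty_blocks(config):
        if "transport input ssh" not in body:
            findings.append("vty-allows-non-ssh-transport")
        if not any(l.startswith("access-class ") for l in body):
            findings.append("vty-no-access-class")
    return findings
```

Run it over the output of `show running-config` from each edge device; any non-empty finding list is a device still exposed to the intrusion paths described above.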
This advisory builds on years of documented Salt Typhoon activity. The group has previously breached major U.S. telecommunications providers, including AT&T, Verizon, and Lumen, gaining access to text messages, voicemail systems, and law enforcement wiretap infrastructure. These incidents prompted the Federal Communications Commission to mandate stricter security certifications under the Communications Assistance for Law Enforcement Act.
In addition to telecom intrusions, Salt Typhoon actors exploited unpatched Cisco flaws to infiltrate U.S. and Canadian providers, where they established persistent network tunnels and stole configuration data. The group also used custom malware called JumbledPath to monitor and capture traffic. Earlier this year, they were linked to a nine-month-long breach of a U.S. Army National Guard network, during which they exfiltrated administrative credentials and configuration files that could facilitate further government network compromises.
(Source: Bleeping Computer)