A new wave of Chinese state-sponsored cyber espionage, codenamed Salt Typhoon, emerged in late 2024, focusing its attacks on global telecommunications infrastructure. This sophisticated group is targeting critical network edge devices like routers, firewalls, VPN gateways, and lawful intercept systems within major telecom providers in the United States, the United Kingdom, and several European nations.
Espionage Tactics and Tools
Salt Typhoon achieves persistent access by embedding custom firmware implants and leveraging native operating system tools in a technique known as living-off-the-land. Their primary objective is signals intelligence (SIGINT) collection, supporting Chinese counterintelligence, and preparing for potential cyber disruption. The exfiltrated data is highly sensitive, including subscriber profiles, VoIP configurations, call detail records (CDRs), and lawful intercept logs.
Initial access is typically gained by exploiting publicly facing vulnerabilities in network edge devices, such as flaws in Cisco IOS XE (CVE-2023-20198) and Ivanti Connect Secure appliances (CVE-2023-35082). After breaching a device, the attackers deploy a custom firmware rootkit internally dubbed Demodex. This implant is designed to survive reboots and evade standard detection mechanisms.
The Demodex rootkit uses a minimal loader that writes malicious binaries into the router's file system and modifies startup scripts to ensure persistence. The rootkit also writes itself into the device's flash storage and hooks low-level system calls to hide its presence, so that it survives subsequent firmware updates.
Operational Security and Impact
Once implanted, the malware establishes encrypted command-and-control (C2) channels using HTTPS or DNS beacons. These beacons are disguised as routine firmware update checks, allowing the malicious traffic to blend seamlessly into normal network activity. Analysts noted an unusual lapse in the group's operational security, as they used fabricated U.S. personas and ProtonMail accounts for WHOIS domain registration, which may offer defenders a chance for early disruption.
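One way a SOC could hunt for beacons disguised as update checks, as an added example that is not from the article or from any vendor tooling: it parses constructed proxy-log lines from edge devices and flags metronomic connections to hosts outside a hypothetical vendor-update allowlist (the log format, the allowlist and the sample lines are all assumptions).

```python
# Added example (not from the article): flag periodic outbound "update check"
# traffic from edge devices to hosts outside a vendor-update allowlist.
# The log format, allowlist and sample lines are constructed for this example.
import statistics
from collections import defaultdict
from datetime import datetime
# Hypothetical allowlist of hosts edge devices legitimately contact for updates.
VENDOR_UPDATE_HOSTS = {"tools.cisco.com", "update.example-vendor.com"}

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <method> <path>"
SAMPLE_LOG = """\
2024-11-02T00:00:05 10.0.0.1 cdn-fw-update.example.net GET /fw/latest
2024-11-02T01:00:06 10.0.0.1 cdn-fw-update.example.net GET /fw/latest
2024-11-02T02:00:04 10.0.0.1 cdn-fw-update.example.net GET /fw/latest
2024-11-02T03:00:05 10.0.0.1 cdn-fw-update.example.net GET /fw/latest
2024-11-02T04:00:06 10.0.0.1 cdn-fw-update.example.net GET /fw/latest
2024-11-02T00:00:00 10.0.0.2 tools.cisco.com GET /sw/check
2024-11-02T00:30:00 10.0.0.3 mirror.example.org GET /pkg
2024-11-02T00:47:00 10.0.0.3 mirror.example.org GET /pkg
2024-11-02T03:05:00 10.0.0.3 mirror.example.org GET /pkg
2024-11-02T03:09:00 10.0.0.3 mirror.example.org GET /pkg
"""

def parse_log(text):
    """Group request timestamps by (source device, destination host)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, _method, _path = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (src, dst, median_interval_s) for flows that look like beacons:
    enough hits, near-constant spacing, and a destination not on the allowlist."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if dst in VENDOR_UPDATE_HOSTS or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        # Coefficient of variation: a low value means metronomic timing.
        cv = statistics.pstdev(gaps) / median if median else float("inf")
        if cv <= max_jitter:
            hits.append((src, dst, median))
    return hits
if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{interval:.0f}s")
```

Only the hourly flow from 10.0.0.1 to the non-allowlisted host is flagged; the irregular mirror traffic and the allowlisted vendor check are not.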
The impact of these operations is twofold. First, it enables the Chinese Ministry of State Security (MSS) to harvest high-value intelligence on user communications and network topologies. Second, the long-dwell persistence in core devices grants the attackers a latent offensive capability. By maintaining backdoor access to critical routers, Salt Typhoon could sabotage or reroute communications during a geopolitical crisis, potentially degrading service or enabling further espionage against allied defense and government networks. This campaign is a prime example of China's evolving cyber espionage, blending routine intelligence collection with the potential for future offensive disruption.