
The Invisible Wiretap: Dissecting the Salt Typhoon Telecom Kill Chain

  • Writer: bharat kumar
  • Jan 2
  • 4 min read


#Cybersecurity, #ThreatIntel, #SaltTyphoon, #TelecomBreach, #MITREATTACK, #NetworkSecurity, #APT, #StateSponsored, #ChinaHackers, #RouterSecurity, #EdgeInfrastructure, #LivingOffTheLand, #CaseStudy, #Infosec, #LawfulIntercept, #CiscoVulnerability, #SupplyChainAttack, #ZeroTrust

If 2024 was the year of the "Info-Stealer," late 2024 and 2025 have been defined by the return of the high-end state actor. The breach of major U.S. broadband providers (AT&T, Verizon, Lumen) by the Chinese state-sponsored group Salt Typhoon (G1045) is being called one of the most consequential cyberespionage campaigns in history.


Unlike "smash-and-grab" ransomware gangs, Salt Typhoon didn't lock files; they embedded themselves into the very fabric of the internet—routers and switches—to eavesdrop on lawful wiretap systems.


In this post, we dissect their operation using the MITRE ATT&CK framework, revealing how they turned network infrastructure against its owners.

The Adversary: Salt Typhoon

  • Origin: China (Ministry of State Security - MSS linked)


  • Motivation: Espionage, Counterintelligence (accessing U.S. court-authorized wiretap requests).


  • Key Capability: "Living off the Land" in network devices (routers/firewalls) where EDR agents cannot run.


The Kill Chain: MITRE ATT&CK Mapping

Salt Typhoon's campaign was a masterclass in network device tradecraft. Below is the step-by-step kill chain.

1. Initial Access (TA0001)

Salt Typhoon did not rely on complex zero-click phishing. They hunted for the "unpatchable" edge—legacy network gear that is difficult to update without downtime.

  • Exploit Public-Facing Application (T1190): They targeted known N-day vulnerabilities in edge devices.


    • Specifics: Exploitation of Cisco CVE-2018-0171 (Smart Install) and vulnerabilities in Sophos firewalls and Ivanti Connect Secure (CVE-2023-46805).


  • Valid Accounts (T1078): In some instances, they utilized credentials harvested from previous breaches or default credentials left on legacy infrastructure.


Analyst Note: The use of a 2018 vulnerability (CVE-2018-0171) in 2024/2025 highlights the difficulty Telecoms face in patching core routing infrastructure.

2. Persistence (TA0003)

Once inside, the goal was to survive reboots and firmware updates. They didn't just drop a file; they modified the device runtime.

  • Boot or Logon Initialization Scripts (T1037): Deploying custom malware like "JumbledPath" or "Demodex" (a rootkit for network devices) that loads early in the boot process.


  • Account Manipulation: SSH Authorized Keys (T1098.004): They added their own SSH keys to the authorized_keys file on Linux-based network appliances, ensuring backdoor access even if passwords were reset.

  • Create Account (T1136): Modifying /etc/passwd and /etc/shadow on the underlying Linux OS of the routers to create "ghost" admin users.
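The two persistence artefacts just listed (extra SSH keys and "ghost" UID-0 accounts) are exactly what a file-integrity check on a Linux-based appliance should compare against a known baseline. The following is an added example, not code from the original post or any vendor; the /etc/passwd and authorized_keys contents and the key blobs are constructed, and the allowlist of approved keys is assumed to come from change control.

```python
"""Persistence hunt for the Linux-appliance artefacts described above: extra
UID-0 ("ghost" admin) accounts in /etc/passwd and authorized_keys entries not
on an approved allowlist. All file contents and key material are constructed."""

# Constructed /etc/passwd: "svcmon" is a ghost admin (UID 0 with a login shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/sh
svcmon:x:0:0:monitor:/var/tmp:/bin/sh
"""

# Constructed authorized_keys: the second key is not on the allowlist.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAEXAMPLEAPPROVEDKEYBLOB ops@nms
# comment lines and blank lines are ignored

ssh-ed25519 AAAAEXAMPLEUNKNOWNKEYBLOB root@unknown
"""

# Allowlist of (key type, base64 blob) pairs approved through change control.
APPROVED_KEYS = {("ssh-ed25519", "AAAAEXAMPLEAPPROVEDKEYBLOB")}


def find_ghost_admins(passwd_text, expected_uid0=("root",)):
    """Return usernames that have UID 0 but are not expected superusers."""
    ghosts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:  # skip malformed lines instead of aborting the hunt
            continue
        if fields[2] == "0" and fields[0] not in expected_uid0:
            ghosts.append(fields[0])
    return ghosts


def find_unapproved_keys(authorized_keys_text, approved):
    """Return the comment of each key whose (type, blob) is not approved."""
    findings = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # option-prefixed lines are not handled here
        if len(parts) < 2:
            continue
        if (parts[0], parts[1]) not in approved:
            findings.append(parts[2] if len(parts) == 3 else "(no comment)")
    return findings
```

Run it against files pulled from the appliance on a schedule and alert on any non-empty result; a key that is not in the allowlist is a finding even if it "looks" like an operator's key.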

3. Defense Evasion (TA0005)

This is where Salt Typhoon showed true sophistication. They knew standard network monitoring looks for "anomalous IPs."

  • Impair Defenses: Disable or Modify System Firewall (T1562.004): They modified Access Control Lists (ACLs) to specifically allow their command-and-control (C2) traffic while hiding it from standard logs.


  • Network Boundary Bridging: Network Address Translation (T1599):

    • The "Loopback" Trick: They assigned new IP addresses to the loopback interface of compromised switches. They then routed their SSH traffic through this loopback address.


    • Why? Most security tools monitor traffic entering/leaving physical interfaces. Traffic originating from the "loopback" (internal self) is often whitelisted or ignored by logging systems.

  • Indicator Removal on Host (T1070): Aggressively wiping .bash_history and system logs (/var/log/auth.log) on the compromised routers.

4. Lateral Movement (TA0008)

They didn't move from server to server (Windows); they moved from router to router (Cisco/Juniper).

  • Protocol Tunneling (T1572): They set up GRE (Generic Routing Encapsulation) tunnels between compromised devices. This created a hidden "overlay network" inside the ISP's own infrastructure, allowing them to move laterally without their traffic ever hitting the standard routing tables visible to admins.


  • Remote Services: SSH (T1021.004): Using the compromised loopback interfaces as jump boxes to SSH into deeper, more sensitive segments of the network (like the Lawful Intercept environments).


5. Collection (TA0009)

The crown jewel of this campaign was the "Lawful Intercept" system—the infrastructure ISPs use to comply with court-ordered wiretaps.


  • Adversary-in-the-Middle (T1557): By controlling the routers, they could passively mirror traffic without alerting the target.

  • Data from Configuration Repository (T1602.002): Dumping router config files to map the network topology and find the "Lawful Gateway" servers.


  • Automated Collection (T1119): Intercepting metadata (Call Detail Records - CDRs) and real-time audio from specific targets (U.S. government officials).

6. Exfiltration (TA0010)

They avoided loud, bulky data transfers.

  • Exfiltration Over Alternative Protocol (T1048.003): Using TFTP (Trivial File Transfer Protocol) or FTP—protocols native to network devices—to move data out. Because routers legitimately use TFTP for config backups, this blended in perfectly with "business as usual" traffic.


Key Takeaways for Defenders

The Salt Typhoon breach forces us to rethink "Network Security." It wasn't a failure of the endpoints (laptops/servers); it was a failure of the plumbing.

  1. The "Black Box" Problem: We treat routers as "trustworthy pipes." We need to start treating them as servers. They have OSs, they have vulnerabilities, and they need File Integrity Monitoring (FIM) just like a Windows server.

  2. Monitor the Loopback: Security Operations Centers (SOCs) rarely alert on traffic originating from a router's loopback interface. This logic must change.

  3. Legacy Debt is Fatal: Keeping a 2018-era router vulnerability unpatched because "it's too critical to reboot" is a calculated risk that failed. Critical infrastructure requires redundancy that allows for seamless patching.

  4. GRE Tunnel Detection: Hunt for unauthorized GRE tunnels or unexpected encrypted traffic flows between internal network devices.
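Takeaways 2 and 4 (and the loopback trick and GRE overlay from sections 3 and 4) can be turned into a config-review check that runs over each device's running-config against an approved baseline. This is an added example, not code from the original post or from any vendor tool; the Cisco IOS-style config excerpt, the addresses and the baseline loopback set are constructed, and the check assumes a plain-text running-config export.

```python
"""Config-review hunt for the tradecraft in sections 3 and 4: GRE tunnel
interfaces, loopback addresses missing from the baseline, and ACL entries
permitting SSH to a loopback. The config is a constructed IOS-style excerpt."""
import re

# Constructed running-config: Loopback1 and Tunnel100 were never approved.
RUNNING_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Loopback1
 ip address 192.0.2.77 255.255.255.255
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 198.51.100.20
 tunnel mode gre ip
!
ip access-list extended MGMT-IN
 permit tcp host 198.51.100.20 host 192.0.2.77 eq 22
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
!
"""

# Loopback addresses the approved baseline for this device is known to carry.
BASELINE_LOOPBACKS = {"10.255.0.1"}


def hunt(config, baseline_loopbacks):
    """Return findings keyed by the technique from the write-up."""
    found = {"gre_tunnels": [], "unexpected_loopbacks": [], "ssh_to_loopback": []}
    loopback_ips, iface = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif not line.startswith(" "):
            iface = None  # "!" or a non-interface stanza ends the block
        elif iface and iface.startswith("Loopback") and line.strip().startswith("ip address "):
            addr = line.split()[2]
            loopback_ips.add(addr)
            if addr not in baseline_loopbacks:
                found["unexpected_loopbacks"].append(f"{iface} {addr}")
        elif iface and line.strip().startswith("tunnel mode gre"):
            found["gre_tunnels"].append(iface)
    # Any permit that lets SSH reach a loopback address deserves a ticket.
    for m in re.finditer(r"^\s*permit tcp .*host (\S+) eq 22\s*$", config, re.M):
        if m.group(1) in loopback_ips:
            found["ssh_to_loopback"].append(m.group(0).strip())
    return found
```

The baseline set is the part that matters: a loopback or tunnel that is in the config but not in the approved baseline is a change-control question first and an incident question second.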

Conclusion

Salt Typhoon proves that in 2026, the network is the computer. By living inside the routers, they rendered traditional EDR and antivirus useless. Dissecting this kill chain reminds us that while we were busy watching the endpoints, the adversary was busy rewriting the network.


Created by and owned by cybersergeants.org
