Salt Typhoon hackers possibly targeted telecom research at US universities


A Chinese government cyberespionage unit that’s made headlines for its intrusions into telecom providers may have targeted U.S. universities in an effort to access research in areas related to telecommunications and other technologies, according to findings published Thursday.

Between December and January, the unit, widely known as Salt Typhoon, “possibly targeted” — based on devices that were accessed — offices in the University of California, Los Angeles, California State University, Loyola Marymount University and Utah Tech University, according to a report from cyber threat intelligence firm Recorded Future. 

The hackers attempted to exploit vulnerabilities in at least 1,000 Cisco devices; successful exploitation would give them elevated privileges on the hardware and let them change configuration settings to maintain persistent access to the networks the devices are connected to.

Over half of the Cisco appliances targeted by Salt Typhoon were located in the U.S., South America and India, with the rest spread across more than 100 countries. The Cisco devices were mainly associated with telecommunications firms, but 13 of them were linked to the universities in the U.S. and some in other nations. 

“The protection of the personal information and proprietary data of California State University’s students, faculty and staff is among our highest priorities,” a CSU spokesperson said. “The CSU has security measures in place to reduce the likelihood of cyber incidents, but should one occur, immediate action is taken to reduce further exposure.”

The other U.S. institutions did not return a request for comment.

Educational institutions in Argentina, Bangladesh and Thailand are among those that may also have been targeted, Recorded Future said.

“Often involved in cutting-edge research, universities are prime targets for Chinese state-sponsored threat activity groups to acquire valuable research data and intellectual property,” said the report, led by the company’s Insikt Group, which oversees its threat research.

The cyberspies also compromised Cisco platforms at a U.S.-based affiliate of a prominent United Kingdom telecom operator and a South African provider, both unnamed, the findings added. The hackers also “carried out a reconnaissance of multiple IP addresses” owned by Mytel, a telecom operator based in Myanmar.

Salt Typhoon is a moniker derived from Microsoft’s cyber threat labeling system, and has become the common name used in discussions about the group between reporters and officials since being publicly unveiled in October. Recorded Future refers to the hacking collective as “RedMike” under its own naming conventions.

The findings help illuminate the scale of the penetrations carried out by the group since it was discovered in U.S. communications systems this past summer. Details trickled out in reports indicating that, over the course of around two years, the cyberspies had accessed at least nine American telecom providers and dozens of others around the world.

In December, Nextgov/FCW reported that several hundred organizations — both communications firms and entities in other sectors — were notified that they may be at risk of compromise by the group.

Salt Typhoon also breached America’s “lawful intercept” systems that house wiretap requests used by law enforcement to surveil suspected criminals and spies. Telecom firms are required to engineer their networks for wiretapping under the Communications Assistance for Law Enforcement Act, or CALEA, which passed in 1994.

The hackers accessed the personal communications of President Donald Trump and Vice President JD Vance, as well as other high-profile political officials tied to the White House. An investigatory body in the Department of Homeland Security was probing the hacks, but the Trump administration soon cleared it out after Inauguration Day. It’s unclear where that investigation stands as of now.

Last month, the Treasury Department sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., accusing the company of having “direct involvement” with China’s Ministry of State Security in the Salt Typhoon infiltrations. 

Trump-appointed officials and allies have vowed to exact revenge on China for the hacks, calling for a more offensive deterrent approach in cyberspace, though a specific plan has not yet been publicly put into motion. China’s embassy in Washington, D.C. has repeatedly denied Beijing’s involvement in cyberattacks against U.S. systems, and has often flipped the blame back onto the U.S. for hacks into China-based networks.

“China doesn’t think of getting ‘small stuff,’” said a person familiar with China’s cyber activities.

“That’s where I think they’re ahead of the game from an intelligence perspective, because they have been collecting massive amounts of data,” added the person, who was granted anonymity to be candid about their understanding of the hackers.

“I think [the report] highlights that the PRC is focused not just on current capabilities, but on R&D for future capabilities,” they said.

Nextgov/FCW Staff Reporter Edward Graham contributed to this report.