Salt Typhoon cyberattack hit Cisco vulnerability in SA

Public reports show that the hackers gained access to core networking equipment using stolen login credentials, but also took advantage of a Cisco router flaw that has been publicly documented in the National Institute for Standards and Technology’s vulnerability database for seven years.

Although Cisco released a fix in 2018, unpatched systems remained exposed. The company added that no new Cisco software flaws were discovered during the hacking campaign.

The hidden dangers of the agentic era of AI assistants

Zaheer Ebrahim  4 Feb 2025

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286), gained access through a US affiliate of a UK telecoms company, an unnamed US ISP, an Italian ISP, and telcos in South Africa, Thailand and Myanmar.

The hackers manipulated authentication systems, exfiltrated configuration data, and used compromised telecom infrastructure to pivot between international networks.

"The activity, initially reported in late 2024 and later confirmed by the US government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon," cybersecurity researchers wrote in a Cisco Talos blog.

Local impact

South Africa is a hub for digital connectivity in Africa that relies heavily on stable and secure telecom services.

There is a critical need for stronger cybersecurity measures, particularly as South Africa’s 5G rollout continues.

"The threat actor then demonstrated their ability to persist in target environments across equipment from multiple vendors for extended periods, maintaining access in one instance for over three years," Cisco Talos reported.

The campaign also points to broader risks to other critical sectors, including finance and government operations, which rely on telecom networks for data transmission and secure communications.

If left unaddressed, such breaches could significantly impact national security.

Anatomy of an attack

Salt Typhoon employed a range of techniques to infiltrate and persist within networks:

Credential theft: "The use of valid, stolen credentials has been observed throughout this campaign, though it is unknown at this time exactly how the initial credentials in all cases were obtained by the threat actor."

Configuration exfiltration: "In numerous instances, the threat actor exfiltrated device configurations, often over TFTP and/or FTP."

Infrastructure pivoting: "A significant part of this campaign is marked by the actor’s continued movement, or pivoting, through compromised infrastructure."

Defensive evasion: "The threat actor routinely cleared relevant logs, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable, to obfuscate their activities."

Urgent security measures required

With the global cyberthreat landscape evolving rapidly, South Africa cannot afford to be complacent.

The Salt Typhoon incident is a reminder of the vulnerabilities within critical national infrastructure.

"There are several reasons to believe this activity is being carried out by a highly sophisticated, well-funded threat actor, including the targeted nature of this campaign, the deep levels of developed access into victim networks, and the threat actor’s extensive technical knowledge," Cisco Talos warned.

Proactive measures by telecom operators, government agencies, and enterprises will be essential in fortifying the cybersecurity posture against future threats.