The US National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and cybersecurity agencies from 13 other countries have publicly linked a global cyber espionage campaign tracked as Salt Typhoon to three China-based technology companies.
In joint advisories, the agencies named Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. as suppliers of cyber tools and services to China’s Ministry of State Security and the People’s Liberation Army. The firms allegedly helped carry out wide-reaching cyberattacks targeting sensitive data worldwide.
Since at least 2021, Salt Typhoon has infiltrated government, telecom, transport, military, and hospitality networks. The hackers reportedly focused on exploiting known and patched vulnerabilities in internet-facing devices, instead of relying on new or unknown “zero-day” exploits.
The vulnerabilities exploited include:
- CVE-2024-21887 (Ivanti Connect Secure)
- CVE-2024-3400 (Palo Alto PAN-OS)
- CVE-2023-20273 & CVE-2023-20198 (Cisco IOS XE)
- CVE-2018-0171 (Cisco Smart Install)
Using the flaws, attackers gained access to networks, altered security settings, created covert tunnels, and deployed custom tools to steal communications data.
The joint report warns that even devices not directly targeted may be used as a launch pad into high-value networks, exploiting trusted connections between organizations.
Administrators are advised to patch known vulnerabilities, restrict access to management interfaces, disable unused services, and monitor for suspicious activity.
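As an added example (not from the advisories or this article), a small Python audit of a Cisco IOS/IOS XE running-config excerpt for the management-plane settings the recommendations cover: Smart Install left enabled (the service behind CVE-2018-0171), the HTTP web UI left on (the feature affected by CVE-2023-20198 and CVE-2023-20273, per Cisco's advisory), and vty lines without an inbound access-class. Both config excerpts are constructed, and `MGMT-ACL` is an assumed ACL name.

```python
import re

# Constructed running-config excerpt: no "no vstack", web UI on, vty 0-4 open.
WEAK_CONFIG = """\
ip http server
ip http secure-server
line vty 0 4
 transport input ssh
line vty 5 15
 access-class MGMT-ACL in
 transport input ssh
"""

# Constructed hardened excerpt: Smart Install off, web UI off, every vty guarded.
HARDENED_CONFIG = """\
no vstack
no ip http server
no ip http secure-server
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
line vty 5 15
 access-class MGMT-ACL in
 transport input ssh
"""

def audit_ios_config(config: str) -> list[str]:
    """Return findings for risky management-plane settings in an IOS config."""
    findings = []
    lines = config.splitlines()
    # Smart Install is on by default and only shows up when explicitly disabled.
    if "no vstack" not in lines:
        findings.append("smart-install-enabled")
    # IOS XE web UI: both the HTTP and HTTPS server lines should be absent.
    for svc in ("ip http server", "ip http secure-server"):
        if svc in lines:
            findings.append(f"web-ui-enabled:{svc}")
    # Each "line vty" block needs an inbound access-class (hypothetical ACL name).
    current, guarded = None, {}
    for line in lines:
        m = re.match(r"line vty (\d+) (\d+)", line)
        if m:
            current = f"vty {m.group(1)}-{m.group(2)}"
            guarded[current] = False
        elif current and line.startswith(" access-class") and line.endswith(" in"):
            guarded[current] = True
        elif not line.startswith(" "):
            current = None  # left the vty block
    findings += [f"vty-unrestricted:{n}" for n, ok in guarded.items() if not ok]
    return findings
```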
Separately, Dutch authorities said that the Netherlands had been targeted by the Chinese cyber-espionage campaign known as Salt Typhoon (also called RedMike), which has been compromising critical infrastructure globally. While Dutch organizations were not as heavily targeted as those in the US, the Dutch Ministry of Defence reported that smaller internet service and hosting providers were affected. An investigation by the Dutch intelligence services (MIVD and AIVD) confirmed that Chinese hackers accessed routers belonging to Dutch targets but did not breach internal networks.