Salt Typhoon, the Chinese threat actor, gained access to networking infrastructure in multiple cases and collected data from major United States telecommunication organizations. Recently, Cisco announced that one of those cases was likely caused by exploiting a 7-year-old vulnerability (CVE-2018-0171). In other observed cases, threat actors obtained access by utilizing legitimate target credentials. 

Security leaders weigh in

Rom Carmel, Co-Founder and CEO at Apono:

This incident serves as yet another wake-up call for the industry: Legacy security gaps are still being exploited, and traditional perimeter-based defenses are no longer enough. Time and again, we see everyone from criminal gangs to APTs using tried-and-true methods like stolen credentials and known vulnerabilities to gain footholds, escalate privileges, and access sensitive resources. As organizations expand their cloud footprint, their identity attack surface grows, offering hackers more opportunities to exploit security gaps.

Organizations must take a proactive stance in securing identities, enforcing least privilege and ensuring that known vulnerabilities from the last decade do not remain an open door for attackers to exploit. By automating access controls and enforcing least privilege, organizations can reduce team workloads and achieve the greatest impact on security.

Darren Guccione, CEO and Co-Founder at Keeper Security:

Salt Typhoon’s campaign is a clear reminder that identity security is central to cyber resilience. Stolen credentials enabled the group to persist in networks for years, highlighting the need for strong password policies, enterprise password management and multi-factor authentication. But stopping credential theft isn’t enough — organizations must also ensure that attackers can’t escalate privileges or move laterally once inside.

Beyond credential theft, the fact that Salt Typhoon exploited an unpatched vulnerability from 2018 exemplifies how outdated systems can become long-term liabilities. Effective cybersecurity isn’t just about sealing off the front door — it requires vigilance in closing known security gaps and limiting damage when defenses fail.

Telecom providers and other critical infrastructure must take a layered approach that includes zero trust, least-privilege access and Privileged Access Management (PAM). PAM helps restrict lateral movement by securing and limiting access to critical systems, making it significantly harder for attackers to persist and minimizing the impact of a breach. By securing critical accounts and restricting lateral movement, organizations can make it significantly harder for adversaries to maintain control over time.

Mr. Balazs Greksza, Threat Response Lead at Ontinue:

The Smart Install Abuse vulnerability (CVE-2018-0171) misuse is currently unattributed to any specific threat actor. Cisco Plug and Play (PnP) for zero-touch deployments has been recommended over Smart Install since around 2019 — allowing ample time for updates.

Salt Typhoon obtained legitimate login credentials from the victims, planted SSH access, and performed further credential extraction from the Cisco devices using a custom remote packet capture utility (JumbledPath). Salt Typhoon also used creative living-off-the-land (LOTL) techniques to maintain long-term access. The attack signifies the importance of secure credential practices and maintaining strong device security configurations, change management, logging and detections.