

China-linked APT Salt Typhoon Exploits Cisco IOS XE Vulnerabilities in Canadian Telecom Systems

  • Rescana
  • Jun 24

Executive Summary

This advisory report presents a comprehensive analysis of the latest research into the advanced persistent threat (APT) campaign known as Salt Typhoon, which is believed to be orchestrated by state-sponsored Chinese threat actors specifically targeting Canadian telecommunications companies. The investigation, originally published by Security Affairs, details how the threat actor exploits vulnerabilities in critical network infrastructure, leverages sophisticated spear-phishing campaigns, and deploys custom malware that uses advanced obfuscation techniques and dynamic code modifications to evade traditional detection methods. This report provides both technical and strategic insights into the malware’s architecture, the tactics, techniques, and procedures (TTPs) employed by the threat actor, and the methods of exploitation observed in the wild. The analysis also highlights the campaign’s focus on critical communications networks and emphasizes the necessity for enhanced threat detection, timely patch management, and comprehensive risk management practices. It is intended to assist cybersecurity professionals and executives alike in understanding the intricate methods employed by the threat actor, formulating stronger defense strategies, and integrating threat intelligence into their operational and strategic risk programs.

Threat Actor Profile

The threat actor behind the Salt Typhoon campaign is widely attributed to a China-linked advanced persistent threat group that is known for pursuing high-value targets within sectors critical to national infrastructure and economic interests. This group is characterized by high operational security, dynamic code modifications, and adaptive malware that is customized to exploit unpatched vulnerabilities across a variety of network systems. Observations from multiple reputable threat intelligence sources indicate that the group employs robust social engineering tactics such as meticulously crafted spear-phishing emails aimed at executives and personnel with elevated access privileges. Their attack methodology leverages techniques reminiscent of other state-sponsored cyber espionage operations in East Asia, and they have been seen to perform continuous modifications to their tools to ensure stealth and persistence throughout the target network, utilizing industry-standard frameworks and advanced obfuscation methods. Analysts have noted that the threat actor’s approach involves the deployment of two-stage malware payloads where the initial stage focuses on establishing persistence and command-and-control (C2) communication while the secondary stage is responsible for lateral movement and credential harvesting. The group also demonstrates a high level of technical proficiency by integrating capabilities such as encrypted data exchanges, GRE tunneling, and exploitation of multiple vulnerabilities, which together underpin its persistent access and evasion strategy.

Technical Analysis of Malware/TTPs

The technical sophistication of the malware used in the Salt Typhoon campaign is evident in its multi-layered design and its reliance on a series of advanced TTPs that align with the MITRE ATT&CK framework. The perpetrators primarily achieve initial access through targeted spear-phishing campaigns where carefully crafted emails containing malicious attachments and links to compromised websites are sent to high-ranking personnel in Canadian telecommunications companies. The attachment files, which are often backdoored documents, are engineered to exploit vulnerabilities in document rendering engines and viewer software, resulting in the deployment of malware that initiates its operations immediately upon execution. The malware demonstrates significant flexibility by actively scanning for unpatched vulnerabilities in network management software and utilizing dynamic code modifications to tailor its behavior to the target environment.

Specifically, the attackers have exploited well-known weaknesses, including CVE-2023-20198 and CVE-2023-20273, which affect Cisco IOS XE devices. The first vulnerability, CVE-2023-20198, allows authenticated local users to execute arbitrary code by exploiting flaws in user profile management, thereby granting the malicious payload the ability to extract sensitive configuration files and set up covert channels. The second vulnerability, CVE-2023-20273, impacts the Session Initiation Protocol (SIP) implementation in the software and permits unauthenticated remote attackers to induce a denial of service condition, further complicating detection and remediation efforts. The campaign’s malware is designed with a strong focus on evasion; it employs techniques such as code obfuscation, anti-analysis measures, and checks for virtualized environments that might otherwise hamper its execution and prolong its tenure within the compromised network.

Additionally, the malware leverages application layer protocol communication (specifically, encrypted HTTP/HTTPS traffic) to mask C2 traffic within benign network flows. The presence of encrypted tunnels, including GRE tunnels, facilitates not only the concealment of exfiltrated data but also the seamless integration of malicious communications into routine network operations. The persistence mechanism is reinforced by the use of multiple execution phases—starting with an initial payload that sets up the backdoor, followed by secondary scripts that conduct lateral movement and escalate privileges—thereby ensuring that even if one vector is discovered and neutralized, the attackers maintain continued access through alternative channels. Through these techniques, the threat actor can analyze the network in real time, adjust its attack vectors as necessary, and minimize the likelihood of triggering traditional defense alerts, blending stealth with rapid adaptability.

Exploitation in the Wild

Field observations indicate that the exploitation of the Salt Typhoon campaign involves a highly orchestrated process that begins with the infiltration of the victim’s network via spear-phishing. Once the initial compromise is successful, the threat actor deploys a two-stage malware payload where the first stage focuses on establishing persistent access and reliable C2 communication using encrypted protocols, while the second stage targets the internal network to perform lateral movement and credential harvesting. Detected patterns of abnormal encrypted traffic and irregular GRE tunneling have been reported by network administrators in the affected Canadian telecommunications companies, suggesting that the command-and-control infrastructure is highly resilient and intentionally built to blend into normal network activity.

The attackers have shown an adept capability to modify their malware’s behavior dynamically so that it continuously scans for indicators of legacy or unpatched software vulnerabilities on network devices such as routers and switches that are integral to the telecommunications infrastructure. Furthermore, there is evidence that the malware conducts periodic reconnaissance, where it probes the network to determine which segments are most vulnerable, and then autonomously adapts its exploitation techniques based on the findings. Such versatility not only makes the exploitation process stealthy but also allows the threat actor to rapidly pivot targets within the compromised organization. Critical exfiltration tactics have been observed, with data being siphoned off through encrypted channels over carefully orchestrated intervals to minimize detection by traditional network monitoring systems. These observations underscore the need for continuous network behavior analysis, as the attackers are skilled at camouflaging their activities within the legitimate data flows of busy telecommunications environments.

Victimology and Targeting

The targeted sector in this campaign is the telecommunications industry in Canada, which encompasses a broad array of critical communications and network infrastructure components. Canadian telecom companies are uniquely vulnerable to such sophisticated espionage campaigns due to the vital nature of the services they provide and the high-value, sensitive communications data they manage. The attackers appear to have conducted thorough reconnaissance prior to launching their campaign, targeting executives and system administrators through spear-phishing techniques that exploit the human element of cybersecurity defenses. In doing so, they gain privileged access to both internal networks and core operational systems. The strategy is not only to access sensitive configuration files and network data but also to establish long-term footholds that can facilitate continuous monitoring and data exfiltration. The selection of this sector is aligned with the strategic interests of nation-state actors, where control and acquisition of critical communications infrastructure can have far-reaching implications for both national security and economic stability. Therefore, the attack vector is multi-pronged, employing both technical exploits and social engineering to breach defenses and achieve persistent targeting of key telecom assets.

Mitigation and Countermeasures

Given the advanced nature of the Salt Typhoon campaign and its demonstrated ability to exploit vulnerabilities in critical telecommunications infrastructure, organizations impacted by or at risk of such an attack must adopt a multi-layered and dynamic defensive strategy. It is incumbent on security teams to prioritize timely patch management by ensuring that all affected devices, such as those running Cisco IOS XE software, are updated to the fixed versions recommended by Cisco, which address the vulnerabilities CVE-2023-20198 and CVE-2023-20273. Complementary to patch management is the enhancement of authentication methods, where the implementation of robust multi-factor authentication (MFA) across all points of remote access can significantly reduce the risk of unauthorized entry. Furthermore, organizations should enforce strict policies for privilege management, whereby access rights are rigorously reviewed and limited to the minimum necessary level, and all elevated access requests are carefully monitored.

To combat the sophisticated spear-phishing efforts employed by the threat actor, it is critical to deploy advanced email filtering technologies that utilize heuristic and behavioral analysis to detect malicious attachments and suspicious links. Such systems must be finely tuned to recognize the subtle cues often used by attackers, including variations in sender addresses and anomalies in email content that may indicate the presence of hidden payloads. In parallel, robust network monitoring is essential, and organizations are advised to integrate advanced anomaly detection systems that can identify unusual patterns in encrypted traffic, particularly those indicative of GRE tunneling or covert C2 communications. It is imperative to implement real-time traffic analysis and log correlation using Security Information and Event Management (SIEM) systems, which should be regularly updated with the latest threat intelligence from trusted sources.
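As an added example (not code from the original advisory or from Rescana's tooling), the following Python shows one concrete form of the GRE monitoring recommended above: it flags GRE flows (IP protocol 47) and IOS XE tunnel interfaces whose far end lies outside an approved peer list. The flow records, the running-config excerpt, the approved prefix and the record layout are all constructed assumptions for the example.

```python
import re
from ipaddress import ip_address, ip_network

GRE_PROTO = 47  # IP protocol number for GRE

# Constructed sample flow records: (src, dst, ip_proto, bytes). Not real telemetry.
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.1.1", GRE_PROTO, 120_000),       # GRE between two core routers
    ("10.20.1.5", "203.0.113.77", GRE_PROTO, 9_800_000),  # GRE to an unknown external peer
    ("10.20.1.9", "10.20.2.3", 6, 4_000),                 # ordinary TCP, ignored
]

# Constructed running-config excerpt in IOS XE style (assumed layout, not from the page).
# Note: on IOS XE the default "tunnel mode gre ip" is usually not displayed.
SAMPLE_CONFIG = """
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.20.1.1
!
interface Tunnel666
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
"""

# Assumed allowlist of prefixes that legitimately terminate GRE tunnels.
APPROVED_GRE_PEERS = [ip_network("10.20.0.0/16")]


def is_approved(addr: str) -> bool:
    """True if addr falls inside an approved GRE peer prefix."""
    a = ip_address(addr)
    return any(a in net for net in APPROVED_GRE_PEERS)


def flag_gre_flows(flows):
    """Return (src, dst, bytes) for GRE flows where either endpoint is unapproved."""
    return [(s, d, b) for s, d, proto, b in flows
            if proto == GRE_PROTO and not (is_approved(s) and is_approved(d))]


def flag_gre_tunnels(config: str):
    """Return Tunnel interface names whose GRE destination is not an approved peer."""
    flagged = []
    for block in config.split("!"):
        m_if = re.search(r"^interface (Tunnel\S+)", block, re.M)
        m_dst = re.search(r"^\s*tunnel destination (\S+)", block, re.M)
        m_mode = re.search(r"^\s*tunnel mode (\S+)", block, re.M)
        is_gre = m_mode is None or m_mode.group(1) == "gre"  # absent mode means GRE default
        if m_if and m_dst and is_gre and not is_approved(m_dst.group(1)):
            flagged.append(m_if.group(1))
    return flagged
```

Feeding real NetFlow/IPFIX exports and `show running-config` output into these two functions, and raising a SIEM alert on any non-empty result, is the operational form of this check.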

Moreover, the installation of comprehensive Endpoint Detection and Response (EDR) solutions with behavioral monitoring capabilities is strongly recommended, as these platforms can provide detailed insights into process creation chains and alert on deviations that resemble known TTPs associated with Salt Typhoon. Enhanced network segmentation and isolation tactics should be adopted to limit lateral movement within the network; critical operational systems must be segregated from publicly accessible servers and communication gateways, thereby reducing the overall impact of a potential breach. In addition to these technical measures, organizations should establish a proactive threat intelligence integration process, ensuring that data from reputable sources such as the MITRE ATT&CK framework, NIST, and other industry-specific advisories is continuously incorporated into internal monitoring processes. This integration should enable rapid correlation of indicators of compromise (IOCs) such as suspicious domain registrations, abnormal IP address behavior, and file hashes from malware samples circulating on underground forums.

By embracing a defense-in-depth strategy that encompasses these technical, administrative, and operational measures, telecommunications companies can significantly enhance their resilience against this and similar state-sponsored APT campaigns. Ongoing security awareness training for employees, particularly those in roles associated with high-risk data access, remains a vital component of an effective cybersecurity defense, ensuring that potential spear-phishing attempts are recognized and reported promptly.

References

The content of this advisory report is based on open source investigations and technical briefings provided by Security Affairs, which originally detailed the Salt Typhoon campaign in the article “China-linked APT Salt Typhoon targets Canadian Telecom Companies.” Additional corroborative information has been derived from industry-standard threat intelligence frameworks such as the MITRE ATT&CK framework and authoritative cybersecurity advisories from Cisco, referencing vulnerabilities such as CVE-2023-20198 and CVE-2023-20273. Further technical insights have been supported by analyses published on platforms such as NIST and validation from multiple cybersecurity vendors dedicated to tracking state-sponsored cyber operations. These resources, along with ongoing internal and external OSINT collection processes, form the basis of the recommendations and technical insights presented herein, ensuring that affected organizations have the most accurate and timely information available to counter current threats.

About Rescana

Rescana is a leader in cybersecurity risk management, specializing in providing advanced third-party risk management (TPRM) solutions and actionable intelligence for high-stakes environments. Our platform integrates deep OSINT capabilities with advanced threat intelligence feeds, enabling organizations to proactively monitor, assess, and mitigate risks across critical infrastructure networks. With the rapidly evolving threat landscape and the increasing complexity of cyber attacks, Rescana is dedicated to equipping cybersecurity professionals and executives with the tools and insights necessary to address both current and future threats. We are committed to translating complex technical details into actionable strategies that enhance overall organizational resilience. For any further questions or additional assistance regarding this advisory report, please feel free to reach out to us at ops@rescana.com.
