MITRE ATT&CK® Group

G1045: Salt Typhoon

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).[1][2]

Domain: Enterprise | ID: G1045 | Type: Group | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Salt Typhoon matters because ATT&CK describes it as a PRC state-backed group tied to compromises of network infrastructure at major U.S. telecommunications and ISP organizations. For defenders, the decision value is less about a single malware signature and more about whether critical network devices, SSH access paths, configuration repositories, packet-capture visibility, firewall changes, and exfiltration routes are governed and monitored well enough to investigate activity on infrastructure that often sits outside normal endpoint coverage.

Executive priority

Prioritize this as a resilience and assurance issue for organizations that operate, depend on, or connect to telecommunications, ISP, network-device, Linux, ESXi, IaaS, or SSH-managed environments. Leaders should ask whether network infrastructure is included in vulnerability management, privileged access governance, logging retention, incident response playbooks, and audit evidence. The business risk is prolonged unauthorized access to routing or network management layers, potential exposure of sensitive configuration and traffic data, and delayed detection if SOC coverage is endpoint-centric.

Technical view

ATT&CK provides no official detection text for Salt Typhoon, so validation should be relationship-driven. The supplied relationships point to SSH usage, network sniffing, unencrypted exfiltration, SSH authorized key persistence, password cracking, account creation, exploitation of public-facing applications, protocol tunneling, network topology reconnaissance, network device configuration dumps, Linux/macOS log clearing, and firewall modification. SOC and IR teams should confirm they can reconstruct administrative access to network devices and Linux/ESXi systems, detect unexpected packet capture or configuration access, review changes to SSH keys and local/cloud accounts, identify firewall rule changes, and correlate suspicious tunneling or unencrypted outbound transfers with privileged logons.

Likely telemetry

  • Network device authentication and command logs, including SSH administrative access where available
  • Configuration change records and backups for routers, gateways, firewalls, and other managed network devices
  • SSH authorized_keys file monitoring and account creation events on Linux, macOS, ESXi, and relevant cloud/IaaS systems
  • Network flow, proxy, DNS, FTP/HTTP, and other egress records that can show tunneling or unencrypted exfiltration patterns
  • Packet capture process or interface mode indicators on network devices and Linux-like systems where collectible

Detection direction

  • Start with coverage mapping: identify which related techniques are relevant to the local environment and which network devices or management planes lack centralized logging.
  • Tune for unusual SSH access patterns, new or modified authorized keys, unexpected local or cloud account creation, and privileged logons to infrastructure assets outside approved administration windows.
  • Validate visibility into network-device configuration access and dumps; these events may be logged differently from server or endpoint activity and are often a blind spot.
  • Review for packet capture behavior and network sniffing indicators on network devices and Linux-like systems, while accounting for legitimate troubleshooting and monitoring tools.
  • Correlate firewall rule changes, protocol tunneling, and outbound transfers over unencrypted non-C2 protocols with the initiating account, source device, and change ticket context.
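The configuration-change review in the third and fifth points above can be scripted against backed-up device configs. The following is an added example (not Glexia's or MITRE's code) that diffs two constructed Cisco IOS-style config backups and flags the change types this page attributes to Salt Typhoon: a new GRE tunnel interface, a readdressed loopback, and a loosened ACL. The sample configs, interface names and addresses are all constructed.

```python
from typing import Dict, List

# Constructed sample Cisco IOS-style configs (not from the page): a known-good
# baseline and a later backup showing the change types ATT&CK attributes to
# Salt Typhoon: a GRE tunnel added, the loopback readdressed, an ACL loosened.
BASELINE_CONFIG = """\
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
"""
CURRENT_CONFIG = """\
interface Loopback0
 ip address 10.10.5.9 255.255.255.255
interface Tunnel7
 tunnel destination 198.51.100.23
 tunnel mode gre ip
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit ip any any
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group an IOS-style config into {top-level line: [indented child lines]}."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            blocks[header].append(raw.strip())
        elif raw.strip():
            header = raw.strip()
            blocks.setdefault(header, [])
    return blocks

def config_findings(baseline: str, current: str) -> List[tuple]:
    """Diff two config backups and return (technique hint, detail) pairs."""
    old, new, findings = parse_blocks(baseline), parse_blocks(current), []
    for hdr, kids in new.items():
        if hdr.startswith("interface Tunnel") and hdr not in old:
            mode = next((k for k in kids if k.startswith("tunnel mode")), "default mode")
            findings.append(("T1572 protocol tunneling", f"new {hdr} ({mode})"))
        elif hdr.startswith("interface Loopback") and hdr in old:
            ips = [[k for k in b if k.startswith("ip address")] for b in (old[hdr], kids)]
            if ips[0] != ips[1]:
                findings.append(("T1686/T1021.004 loopback readdressed", f"{hdr}: {ips[0]} -> {ips[1]}"))
        elif hdr.startswith("ip access-list") and hdr in old:
            added = [k for k in kids if k not in old[hdr]]
            removed = [k for k in old[hdr] if k not in kids]
            if added or removed:
                findings.append(("T1686 ACL modified", f"{hdr}: +{added} -{removed}"))
    return findings
```

Each finding should be joined to the change ticket and the account that pushed the config; a tunnel or ACL change with no matching ticket is the case to escalate.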

Mitigation priorities

  • Bring network devices and management interfaces into asset inventory, vulnerability management, configuration backup, and change-control programs.
  • Restrict and monitor SSH administration, enforce least privilege, and regularly review authorized keys and privileged accounts.
  • Harden public-facing applications and management services by prioritizing known exposure, patching, and misconfiguration remediation.
  • Centralize and protect logs from network devices, Linux/macOS systems, ESXi, cloud/IaaS services, and firewalls so incident responders can investigate tampering or gaps.
  • Control egress paths and review allowed unencrypted protocols, especially from infrastructure management networks.

Analyst notes and limits

This take is based on the official ATT&CK group description, external references, and the listed uses relationships. The relationship to JumbledPath is especially relevant because the supplied software description states it has been used for packet capture on remote Cisco devices and may be usable across Linux operating systems and network devices from multiple vendors. The broader technique set suggests emphasis on infrastructure access, credentialed administration paths, collection from network devices, and defense impairment.

ATT&CK does not provide official detection text, group-level platforms, or group-level tactics for this object. Platforms and tactics referenced here come only from the related software and technique objects supplied for this analysis. Local exposure, affected vendors, active targeting, and detection coverage cannot be inferred from this data alone and require environment-specific evidence.

Official MITRE ATT&CK definition

Salt Typhoon

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).[1][2]

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

14 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1685.006 | Clear Linux or Mac System Logs (sub-technique)
  Salt Typhoon has cleared logs including .bash_history, auth.log, lastlog, wtmp, and btmp. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1590.004 | Network Topology (sub-technique)
  Salt Typhoon has used configuration files from exploited network devices to help discover upstream and downstream network segments. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1572 | Protocol Tunneling
  Salt Typhoon has modified device configurations to create and use Generic Routing Encapsulation (GRE) tunnels. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1587.001 | Malware (sub-technique)
  Salt Typhoon has used custom tooling including JumbledPath. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique)
  Salt Typhoon has exfiltrated configuration files from exploited network devices over FTP and TFTP. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1098.004 | SSH Authorized Keys (sub-technique)
  Salt Typhoon has added SSH authorized_keys under root or other users at the Linux level on compromised network devices. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1040 | Network Sniffing
  Salt Typhoon has used a variety of tools and techniques to capture packet data between network interfaces. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1602.002 | Network Device Configuration Dump (sub-technique)
  Salt Typhoon has attempted to acquire credentials by dumping network device configurations. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1110.002 | Password Cracking (sub-technique)
  Salt Typhoon has cracked passwords for accounts with weak encryption obtained from the configuration files of compromised network devices. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1021.004 | SSH (sub-technique)
  Salt Typhoon has modified the loopback address on compromised switches and used them as the source of SSH connections to additional devices within the target environment, allowing them to bypass access control lists (ACLs). (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1686 | Disable or Modify System Firewall
  Salt Typhoon has made changes to the Access Control List (ACL) and loopback interface address on compromised devices. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1588.002 | Tool (sub-technique)
  Salt Typhoon has used publicly available tooling to exploit vulnerabilities. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1136 | Create Account
  Salt Typhoon has created Linux-level users on compromised network devices through modification of `/etc/shadow` and `/etc/passwd`. (Citation: Cisco Salt Typhoon FEB 2025)

Enterprise | T1190 | Exploit Public-Facing Application
  Salt Typhoon has exploited CVE-2018-0171 in the Smart Install feature of Cisco IOS and Cisco IOS XE software for initial access. (Citation: Cisco Salt Typhoon FEB 2025)
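The T1136, T1098.004 and T1685.006 rows above all describe changes at the Linux level of a compromised device. As an added example (not code from Glexia, MITRE or Cisco), the check below compares a constructed snapshot of `/etc/passwd`, root's `authorized_keys` and log-file sizes against a configuration-management baseline and reports the three indicator classes. All account names, key material and paths are constructed placeholders; the key-file parser assumes no option prefixes on the key lines.

```python
from typing import Dict, List

# Constructed sample host state (not from the page): /etc/passwd and root's
# authorized_keys as collected from a device, plus a baseline of expected
# accounts and approved key comments taken from configuration management.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
netops:x:1001:1001::/home/netops:/bin/bash
sysadm2:x:0:0::/root:/bin/bash
"""
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne netops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCExampleKeyTwo backup@unknown
"""
EXPECTED_USERS = {"root", "daemon", "netops"}
APPROVED_KEY_COMMENTS = {"netops@bastion"}
# Constructed sizes in bytes as reported by the host; 0 or None means emptied or missing.
LOG_SIZES = {"/var/log/auth.log": 0, "/var/log/wtmp": 4096, "/var/log/btmp": 0,
             "/var/log/lastlog": 292, "/root/.bash_history": None}

def host_findings(passwd: str, authorized_keys: str, log_sizes: Dict[str, object],
                  expected_users: set, approved_key_comments: set) -> List[tuple]:
    """Return (technique hint, detail) pairs for the Linux-level indicators."""
    findings = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        name, _, uid = line.split(":")[:3]
        # T1136: any account outside the baseline, or a second uid-0 account
        if name not in expected_users or (uid == "0" and name != "root"):
            findings.append(("T1136 create account", f"{name} (uid {uid}) not in baseline"))
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # assumption: plain "<type> <key> [comment]" lines only
        comment = " ".join(parts[2:]) or "<no comment>"
        # T1098.004: a key whose comment is not on the approved list
        if comment not in approved_key_comments:
            findings.append(("T1098.004 authorized key", f"unapproved key {comment}"))
    for path, size in log_sizes.items():
        # T1685.006: log files that are empty or absent on a device that should have them
        if not size:
            findings.append(("T1685.006 log cleared", f"{path} is empty or missing"))
    return findings
```

Key comments are a weak identifier; in production compare key fingerprints against the baseline instead, and treat a zero-byte wtmp or btmp as a reason to pull the device's centralized logs rather than trusting the host copy.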

Associated objects

Groups, software, and campaigns

Malware Enterprise

S1206: JumbledPath

JumbledPath is a custom-built utility written in Go that has been used by Salt Typhoon since at least 2024 for packet capture on remote Cisco devices. JumbledPath is compiled as an ELF binary using x86-64 architecture which makes it potentially usable across Linux operating systems and network devices from multiple vendors.[1]

Platforms: Network Devices

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 5c05e0a015614d47...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 5c05e0a01561…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] US Dept. of Treasury Salt Typhoon JAN 2025
     US Department of Treasury. (2025, January 17). Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise. Retrieved February 24, 2025.
  2. [2] Cisco Salt Typhoon FEB 2025
     Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025.
  3. [3] mitre-attack G1045

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.