Description
[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and is responsible for numerous compromises of network infrastructure at major U.S. telecommunications and internet service providers (ISPs).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)
Techniques Used (TTPs)
- T1590.004 — Network Topology (reconnaissance)
- T1562.004 — Disable or Modify System Firewall (defense-evasion)
- T1572 — Protocol Tunneling (command-and-control)
- T1587.001 — Malware (resource-development)
- T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
- T1098.004 — SSH Authorized Keys (persistence, privilege-escalation)
- T1040 — Network Sniffing (credential-access, discovery)
- T1602.002 — Network Device Configuration Dump (collection)
- T1110.002 — Password Cracking (credential-access)
- T1070.002 — Clear Linux or Mac System Logs (defense-evasion)
- T1021.004 — SSH (lateral-movement)
- T1588.002 — Tool (resource-development)
- T1136 — Create Account (persistence)
- T1190 — Exploit Public-Facing Application (initial-access)
Total TTPs: 14
Malware & Tools
Malware: JumbledPath