Salt Typhoon: edge devices in the firing line
“Salt Typhoon,” a China-linked APT, has been exploiting vulnerabilities in edge network devices (notably from Cisco, Ivanti and Palo Alto Networks) to break into organisations worldwide: around 600 victims across 80 countries, including the UK. Initial access relies on known CVEs (e.g., Cisco IOS XE and Smart Install flaws, Ivanti Connect Secure, PAN-OS). Once inside, the attackers modify router configurations, open ports, add GRE tunnels for persistence and data exfiltration, and even harvest TACACS+ administrator credentials from captured network traffic. A joint advisory from the U.S., UK and 11 other countries attributes the campaign to entities supporting Chinese intelligence operations; Dutch and UK agencies confirm activity in their regions. The group overlaps with clusters tracked as GhostEmperor / Operator Panda / RedMike / UNC5807.
If your routers and VPN gateways are starting to feel like Swiss cheese, you’re not imagining it. Salt Typhoon, a China-linked hacking crew, has been poking holes in internet-facing network kit (Cisco, Ivanti and Palo Alto Networks among them) to slip into corporate networks around the world. Authorities say hundreds of organisations have been affected.
How they get in
They start with known bugs in edge devices, exactly the boxes we put on the perimeter to keep the bad stuff out. Once in, they tweak configs, open unusual ports, add GRE tunnels to stay hidden and move data, and even sniff out administrator passwords by capturing TACACS+ traffic. It’s stealthy, methodical and very effective.
Who’s at risk
Telecoms, government, transport, hospitality and even parts of the military sector have all drawn the group’s interest. Realistically, anyone with an unpatched or poorly monitored edge device is a candidate. UK authorities have observed activity here at home.
What to do about it (right now)
• Patch edge devices promptly, and prioritise the big-ticket CVEs called out for Cisco, Ivanti and PAN-OS.
• Audit configs for sneaky changes: unexpected ACL entries, odd listening ports, unfamiliar users.
• Hunt for tunnels (e.g., GRE) and review authentication flows (TACACS+/RADIUS).
• Collect and review logs at the network edge; don’t leave routers and VPNs as blind spots.
• Segment ruthlessly so a compromised edge box can’t see everything.
A boring but secure perimeter beats an exciting breach any day of the week.