Salt Typhoon — How a PRC APT Mapped the US Telecom Backbone (and What Indian Carriers Should Steal From It)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
May 8, 2026
7 min read
Read as
Salt Typhoon — a People’s Liberation Army-aligned APT (also tracked as GhostEmperor / FamousSparrow / UNC2286) — sat inside US and allied telecom carrier networks for at least eighteen months before disclosure. This post unpacks what was actually done (lawful-intercept system access, Cisco IOS XE compromise via CVE-2023-20198 + CVE-2023-20273, custom Demodex rootkit), why Indian telecom operators should treat themselves as priority targets, and a concrete defensive playbook for SOC teams running carrier-grade infrastructure.

Salt Typhoon is the most consequential telecom-targeted APT campaign disclosed publicly in the last decade. The reason it matters in India: every technique they used works against the Indian telecom backbone, and Reliance Jio, Airtel, and Vodafone Idea operate the same Cisco gear, the same lawful-intercept architectures, and (with Vi’s distress) often weaker patching cadence than their Western peers.

Who is Salt Typhoon — operator attribution

Tracked by Microsoft Threat Intelligence as Salt Typhoon, by Mandiant as UNC2286, by Trend Micro historically as Earth Estries, and overlapping with the older GhostEmperor activity Kaspersky reported in 2021. Attribution is consistent: PRC-state-aligned, tasked with signals-intelligence-style telecom access. The Volt Typhoon and Salt Typhoon clusters are often confused — Volt Typhoon focuses on critical infrastructure (water, energy) for living-off-the-land pre-positioning; Salt Typhoon focuses specifically on telecom carriers and their lawful-intercept (LI) systems for direct intelligence collection.

Initial access — Cisco IOS XE web UI exploitation

The primary entry point in the disclosed intrusions was the Cisco IOS XE Web Management UI, exploited through chained vulnerabilities CVE-2023-20198 (privilege escalation via undocumented HTTP endpoint, CVSS 10.0) and CVE-2023-20273 (command injection that lets the attacker drop a persistent implant). Public scanning data from Censys at the time showed 40,000+ vulnerable IOS XE devices internet-exposed — Indian carrier edge routers were heavily represented.

Mechanically the attacker hits /webui/ with a crafted request that creates a high-privilege local user, then chains the second CVE to write an implant to /usr/binos/conf/ngctop or similar persistence path. The implant is a Lua-based plugin that hooks into the IOS XE management plane and exposes a hidden backdoor.

The Demodex rootkit — how persistence actually works

Once inside, Salt Typhoon deploys Demodex, a Windows kernel-mode rootkit (signed via stolen or abused certificates from Chinese OEMs), and on network gear, a Lua-script implant that survives reboots by hooking into the device boot process. Demodex’s signature behaviors:

  • Bring-Your-Own-Vulnerable-Driver (BYOVD) — uses a legitimately signed driver with a known vulnerability to load unsigned code into the kernel.
  • Image-File-Execution-Options (IFEO) hijack — registers a fake debugger for high-frequency Windows processes so the rootkit loads before security tooling.
  • Direct kernel-object manipulation to hide processes and network connections from tasklist / netstat output.
  • Custom CnC over DNS-over-HTTPS to cloudflare-dns.com and similar privacy-preserving resolvers — defeats DNS-based detection at the perimeter.

What they actually exfiltrated — lawful-intercept system access

The most consequential disclosure: Salt Typhoon obtained access to the CALEA-compliant lawful-intercept systems that US telecoms run for law-enforcement wiretap requests. This is not a metaphor — they read the ongoing wiretaps, including FBI counterintelligence operations, in real time. They also pulled call-detail records (CDRs) and SMS metadata at scale.

India’s equivalent is the Centralised Monitoring System (CMS) operated by C-DOT for DoT, plus the carrier-side Lawful Interception and Monitoring Systems (LIMS) deployed at every ISP/telco gateway under the Indian Telegraph Act and Section 5(2) interception authority. The architecture has all the same weak points: a privileged admin plane, an audit trail that the same admin can edit, and tight integration with carrier core networks. There is no public reporting that Indian LIMS have been Salt-Typhoon-compromised — but there is also no public threat-hunting program designed to find such compromise.

Indian telecom — the threat model translation

What an Indian SOC analyst at a telco should take away:

  1. Inventory every Cisco IOS XE device with web UI exposed. Run show running-config | include ip http across all access/aggregation routers; if either ip http server or ip http secure-server is on AND not bound to a management VRF with strict ACLs, you are at the threat surface Salt Typhoon used.
  2. Audit user accounts created on edge devices in the last 24 months. The Salt Typhoon TTP creates accounts with names that look auto-generated (cisco_tac_admin, support1, etc.); diff against your IPAM-of-record.
  3. Patch level audit on IOS XE specifically. 17.6.x and earlier without the Cisco PSIRT advisory cisco-sa-iosxe-webui-privesc-j22SaA82 patch are exposed. Indian telco field deployments often lag 12-24 months behind release; assume worst case.
  4. LI/LIMS plane separation review. The interception plane should be logically isolated, with auditable access logs that flow to an out-of-band SIEM the LI admins cannot touch. If your audit logs are stored on the same boxes the privileged admins manage, you cannot detect Salt-Typhoon-class adversaries.

Detection — concrete IOCs and hunt queries

Network IOCs from the public reporting (Microsoft, Trend Micro, Mandiant joint advisory):

  • DNS queries to technobus.com, dnshome.de-style dynamic-DNS domains from infrastructure that should not normally do recursive DNS
  • Outbound TLS to cloudflare-dns.com on UDP/443 from network-management subnets (DoH for CnC)
  • SMB beaconing on hour boundaries from edge gear toward management hosts (lateral movement)

Cisco IOS XE hunt — log into each suspect device, run:

show platform integrity
show platform software trace message smd
show running-config | section privilege
show users
show iox-service

Anything in show iox-service running you don’t recognize, treat as suspect. Demodex’s Lua plugin lives in the IOX guestshell.

Splunk / Sentinel hunt for Demodex-on-Windows — search registry write events to HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ with a Debugger value pointing to anything outside %ProgramFiles%. IFEO hijack for non-developer-tool processes is high-fidelity.

If you are compromised — incident response priority order

The standard “isolate-investigate-eradicate-recover” cycle does not work cleanly for telecom-grade APT. Specific guidance:

  1. Do not power-cycle compromised network gear before forensics. Demodex’s persistence mechanism and CDR exfiltration logs live in volatile memory; a reboot loses the evidence chain. Mirror RAM via Cisco’s show platform integrity + serial-console capture first.
  2. Assume the LI plane is contaminated. Until proven otherwise, treat all wiretap orders active in the last 18 months as compromised and notify your DoT compliance officer in writing.
  3. Bring CERT-In in early. Under the 2022 directive, telecom intrusions of this nature are reportable within 6 hours of detection. Documentation via [email protected].
  4. Coordinate with peer carriers. Salt Typhoon hit multiple US carriers simultaneously — the threat actor reuses tooling; if you are hit, your peers likely are too. The ISAC channel at India Internet Exchange (NIXI-ISAC) is the formal route.

The strategic lesson — air-gapped is not a posture, it’s a habit

Salt Typhoon’s success against US carriers was not a vulnerability story; it was an architecture-and-operations story. The vulnerabilities they exploited were patched 12+ months before the intrusions. The carriers that fell were not patching their network gear with the same urgency they patch their customer-facing web apps. They were treating “edge router” as commodity hardware. The strategic correction for Indian operators: management-plane assets get the same patching cadence and threat-hunting attention as production application servers, because they ARE production. Anything less and the next disclosure has Indian names in it.

FAQ

Did Salt Typhoon hit Indian telecom?

No public attribution as of writing. Absence of evidence is not evidence of absence — the same group has tooling that works on Indian gear, and the Indian telecom threat-hunting maturity is generally lower than tier-1 US carriers. Plausible-but-undisclosed is the responsible default position.

How do I tell if my IOS XE device was compromised by CVE-2023-20198?

Run show platform software fed switch active acl bind sw and look for unexplained ACL bindings, plus more flash:cat9k_iosxe.SPA.bin integrity check against the Cisco-published hash. If the device boot integrity reports a mismatch and you didn’t manually upgrade firmware, treat as compromised.

Is Demodex detected by Microsoft Defender / CrowdStrike?

Modern variants — partially. The published 2023 samples are signatured; the 2025 update with new C2 obfuscation has lower coverage. Behavioral detection (IFEO hijack, BYOVD driver loading) is more reliable than signature for this family.

What about non-Cisco edge gear — Juniper, Huawei, Nokia?

Salt Typhoon’s primary documented entry was Cisco IOS XE. They have separately demonstrated capability against Juniper Junos and Fortinet FortiOS. Indian telcos running Huawei in metro aggregation should assume similar threat-actor capability exists even where public proof does not.

Is the lawful-intercept system actually exposed to the same APT vector?

If your LI plane is on the same physical infrastructure as your management plane (a common architecture choice driven by cost), then yes — compromise of management-plane access pivots to LI access. The fix is logical and physical separation: LI infrastructure should be on its own VRF with no trust relationship to general management.


⚖️ Legal: This post is threat-intelligence reporting based on publicly disclosed information. Defensive security operations described here apply only to systems you operate or have authorisation to defend. In India, lawful interception is governed by the Telegraph Act §5(2) and IT Act §69; unauthorised access to LI infrastructure is punishable under IT Act §66F (cyberterrorism) — multi-year imprisonment. Coordinate any incident-response work with CERT-In and your DoT licensing officer.

Worried about your exposure?

Get a free attack-surface review

We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.

Book exposure review Replies in 4 working hrs · India-only · Senior consultants