
Lots of Salt

[Image: a large pile of salt]

Today in the space between war and peace…

  • Salt Typhoon Targets Telecom Networks Through Cisco Routers
  • China-linked Espionage Tools Used in Ransomware Attacks
  • New Cyber Campaign Targets Foreign Ministry of South American Country
  • Countering State-Sponsored Proxies
  • Cyber Espionage Targeting UAV and C-UAV Technologies

Salt Typhoon Targets Telecom Networks Through Cisco Routers

According to a report by Recorded Future’s Insikt Group, a Chinese threat actor commonly known as Salt Typhoon exploited two vulnerabilities in Cisco devices (CVE-2023-20198 and CVE-2023-20273) to compromise telecommunications networks worldwide. The campaign affected providers in the US, UK, and Italy and targeted more than 1,000 Cisco devices between December 2024 and January 2025. The group configured GRE tunnels on compromised routers to maintain persistent access to the networks, and it also targeted academic telecommunications research teams.
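The GRE tunnel persistence described above leaves a footprint in the router's running configuration, and a quick review of that configuration is the check a network defender would want. The script below is an added example, not code from Recorded Future, Cisco, or the report; it parses a constructed IOS XE running-config (not a real capture) and flags Tunnel interfaces carrying GRE whose destination is not on an operator-maintained allow-list, treating a Tunnel interface with no explicit `tunnel mode` line as GRE because that is the IOS XE default. It also flags local privilege-15 users not on an allow-list, since Cisco's advisory for CVE-2023-20198 described exploitation creating such an account. The allow-list contents, hostnames and addresses are assumptions for the example.

```python
"""Flag unexpected GRE tunnels and privilege-15 local users in an IOS XE
running-config. Added example; the config below is constructed, not real."""
import re
from typing import Dict, List

# Constructed sample running-config (assumption, not a real capture).
# Tunnel0 is a documented peer; Tunnel1337 and the user "cisco_tac_admin"
# are the kind of artefacts the check should surface.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
username cisco_tac_admin privilege 15 secret 9 $9$def
!
interface Tunnel0
 description MPLS backup to hq-rtr
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel1337
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.2 255.255.255.0
!
"""

# Operator allow-lists (assumed values): known tunnel peers and expected admins.
KNOWN_TUNNEL_PEERS = {"198.51.100.10"}
KNOWN_PRIV15_USERS = {"netops"}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-command lines]} from a running-config."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces


def suspicious_gre_tunnels(config: str, known_peers=KNOWN_TUNNEL_PEERS) -> List[dict]:
    """Tunnel interfaces carrying GRE whose destination is not a known peer.

    IOS XE defaults a Tunnel interface to GRE over IP when no 'tunnel mode'
    line is present, so a missing mode line counts as GRE.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l for l in lines if l.startswith("tunnel mode ")), "tunnel mode gre ip")
        if "gre" not in mode:
            continue
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        if dest not in known_peers:
            findings.append({"interface": name, "destination": dest, "mode": mode})
    return findings


def unexpected_priv15_users(config: str, known_users=KNOWN_PRIV15_USERS) -> List[str]:
    """Local usernames configured with privilege 15 that are not expected."""
    found = re.findall(r"^username (\S+) privilege 15\b", config, re.MULTILINE)
    return [u for u in found if u not in known_users]


if __name__ == "__main__":
    for f in suspicious_gre_tunnels(SAMPLE_CONFIG):
        print(f"[!] unexpected GRE tunnel {f['interface']} -> {f['destination']} ({f['mode']})")
    for u in unexpected_priv15_users(SAMPLE_CONFIG):
        print(f"[!] unexpected privilege-15 user: {u}")
```

In practice the config would come from `show running-config` collected over an out-of-band path, and the allow-lists would be generated from the network's source of truth rather than typed by hand; a tunnel or admin account that is absent from that source of truth is the finding, regardless of how plausible its name looks.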

China-linked Espionage Tools Used in Ransomware Attacks

The Symantec Threat Hunter Team reports that a China-based threat actor previously associated with espionage deployed RA World ransomware against an Asian company and demanded a $2 million ransom. Symantec sees the case as a link between espionage and cybercrime: between mid-2024 and early 2025 the actor used espionage tooling, including PlugX, against targets mainly in Southeast Europe and Asia before turning to ransomware. The intrusions exploited a vulnerability in Palo Alto Networks devices and used sideloading to load the malware. Symantec’s analysts speculate that these state-backed operators may be conducting ransomware attacks for personal financial gain.

New Cyber Campaign Targets Foreign Ministry of South American Country

Elastic Security Labs describes a campaign it tracks as REF7707, which targeted the foreign ministry of a South American nation and has links to Southeast Asia. The campaign uses malware that is capable yet poorly managed operationally, including FINALDRAFT, GUIDLOADER, and PATHLOADER. It has both Windows and Linux components, relies on unusual Living Off the Land Binaries (LOLBins) for execution, and uses a cloud service for command and control (C2).

Countering State-Sponsored Proxies

According to a new paper by the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE), hybrid attacks that use non-state actors (NSAs) as proxies are increasing in both frequency and severity. The paper examines how states should develop strategies to counter such attacks, which aim to destabilize European democracies and undermine the rules-based international order, and it draws on the Hybrid CoE’s earlier work on deterrence to propose policy responses to state-sponsored NSAs.

Cyber Espionage Targeting UAV and C-UAV Technologies

Cybersecurity firm Resecurity reports increased cyberattacks against UAV (Unmanned Aerial Vehicle) and C-UAV (Counter-Unmanned Aerial Vehicle) technologies, driven in particular by conflicts such as the Russia-Ukraine war. Its analysts attribute the activity to groups seeking military intellectual property related to drones, with notable intrusions observed from the third quarter of 2024 through the first quarter of 2025. Attackers are also targeting UAV buyers, which points to further threats ahead, including espionage against the defense sector.