Salt Typhoon Global Cisco Device Campaign

A Salt Typhoon campaign targeted over 1,000 unpatched Cisco edge devices globally between December 2024 and January 2025, compromising devices at US telecoms providers and transportation and military infrastructure networks.

Start date: 1 December 2024
End date
Techniques: 13
Indicators of compromise: 32 (32 IP)

Attributed actors

Techniques (13)

command-and-control (3)
  T1090.001 Internal Proxy
  T1105 Ingress Tool Transfer
  T1071.001 Web Protocols

discovery (3)
  T1018 Remote System Discovery
  T1082 System Information Discovery
  T1016 System Network Configuration Discovery

execution (1)
  T1059.004 Unix Shell

initial-access (3)
  T1078 Valid Accounts
  T1133 External Remote Services
  T1190 Exploit Public-Facing Application

persistence (3)
  T1078 Valid Accounts
  T1543.002 Systemd Service
  T1133 External Remote Services

privilege-escalation (2)
  T1078 Valid Accounts
  T1543.002 Systemd Service

stealth (3)
  T1078 Valid Accounts
  T1070.004 File Deletion
  T1027 Obfuscated Files or Information

Indicators of compromise (32)

IP (32)