[LINK] Wired: 'Typhoon Spies Hack Cisco Routers'
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Feb 14 08:41:56 AEDT 2025
China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers
ANDY GREENBERG
Wired
FEB 13, 2025 12:00 AM
https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/
...
> To carry out this latest campaign of intrusions, Salt Typhoon—which
Recorded Future tracks under its own name, RedMike, rather than the
Typhoon handle created by Microsoft—has targeted the internet-exposed
web interfaces of Cisco's IOS software, which runs on the networking
giant's routers and switches. The hackers exploited two different
vulnerabilities in those devices' code, one of which grants initial
access, and another that provides root privileges, giving the hackers
full control of an often powerful piece of equipment with access to a
victim's network.
>
> “Any time you're embedded in communication networks on infrastructure
like routers, you have the keys to the kingdom in what you're able to
access and observe and exfiltrate,” Gundert says.
>
> Recorded Future found more than 12,000 Cisco devices whose web
interfaces were exposed online, and says that the hackers targeted more
than a thousand of those devices installed in networks worldwide. Of
those, they appear to have focused on a smaller subset of telecoms and
university networks whose Cisco devices they successfully exploited. For
those selected targets, Salt Typhoon configured the hacked Cisco devices
to connect to the hackers' own command-and-control servers via generic
routing encapsulation, or GRE tunnels—a protocol used to set up private
communications channels—then used those connections to maintain their
access and steal data.
>
> When WIRED reached out to Cisco for comment, the company pointed to a
security advisory it published about vulnerabilities in the web
interface of its IOS software in 2023. “We continue to strongly urge
customers to follow recommendations outlined in the advisory and upgrade
to the available fixed software release,” a spokesperson wrote in a
statement.
______
That rang a bell.
In an interview with IEEE Spectrum, many years ago, I speculated that
not only would Chinese-manufactured backbone routers contain trapdoors
for the PRC to exploit, but that Cisco and Juniper would have no
alternative but to comply with the same requirement.
I expressed concern that normal economic path-of-least-resistance would
mean that those trapdoors would end up in the backbone routers sold
everywhere else in the world, with or without any intent on the part of
Cisco, Juniper or the NSA.
Ah, I archived the article. Steven Cherry wrote on 1 Jun 2005:
http://www.rogerclarke.com/II/Cherry-2005.pdf
> ... The issue of how China continues to censor its Internet, even as
its infrastructure becomes vastly more sophisticated, has implications
beyond what ideas China’s populace—almost one-fifth of humanity—will be
allowed to tap into. For one thing, if censorship technology flourishes
in China, it will be easier and cheaper for it to also take root
elsewhere. “The concern I have is that this is laying the foundation for
a much more intrusive and censorship-friendly Internet infrastructure
for all countries,” says Roger Clarke, a consultant in Canberra,
Australia, affiliated with the Australian National University. “The
features that China wants installed in intermediating devices and
software will gradually find their way into all of the suppliers’
products, if only because it’s cheaper that way.”
...
> In an interview, [journalist Ethan] Gutmann reiterated a charge
documented in his book that China “could not have controlled this
radical new means of communication without overwhelming technical
assistance from North American corporations.” In his book he quotes,
among other sources, unnamed Cisco representatives and a non-Cisco
Internet engineer, identified only as Wen, who all claim that Cisco
modified its equipment and software at the censors’ bidding.
(I wasn't aware of Gutmann's book at the time.)
--
Roger Clarke mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professorial Fellow UNSW Law & Justice
Visiting Professor in Computer Science Australian National University
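An added defender-side check, not from this post or the Wired article: it parses a constructed IOS running-config and flags the two conditions the article describes, an enabled web UI (`ip http server` / `ip http secure-server`) and GRE tunnels whose destination lies outside a hypothetical allowlist of the operator's own address space. The config, addresses and allowlist are all made up for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample IOS running-config (not from the article): web UI enabled, one GRE tunnel to an outside peer.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
!
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.200
!
"""

# Hypothetical allowlist of the operator's own ranges; GRE peers outside it are flagged.
TRUSTED_NETS = [ip_network("203.0.113.0/24")]

def audit_ios_config(config: str, trusted_nets=TRUSTED_NETS) -> dict:
    """Report an enabled HTTP/HTTPS web UI and GRE tunnels to untrusted peers."""
    findings = {"http_server": False, "https_server": False, "suspicious_tunnels": []}
    current_if, tunnels = None, {}
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "ip http server":
            findings["http_server"] = True
        elif line == "ip http secure-server":
            findings["https_server"] = True
        elif line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            if current_if.startswith("Tunnel"):
                # IOS tunnel interfaces default to GRE-over-IP unless a mode is set explicitly
                tunnels[current_if] = {"dest": None, "mode": "gre ip"}
        elif current_if in tunnels and line.startswith(" tunnel destination "):
            tunnels[current_if]["dest"] = line.split()[-1]
        elif current_if in tunnels and line.startswith(" tunnel mode "):
            tunnels[current_if]["mode"] = line.split(None, 2)[2]
    for name, t in tunnels.items():
        if t["dest"] and t["mode"].startswith("gre"):
            if not any(ip_address(t["dest"]) in net for net in trusted_nets):
                findings["suspicious_tunnels"].append((name, t["dest"]))
    return findings
```

Run against `show running-config` output for each device; the exposed-web-UI finding is the one to act on first, since the article's intrusions began there.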