The Salt Typhoon Hack: The Failure of Legacy Cybersecurity Approaches

The Salt Typhoon hack is a significant cyberespionage campaign conducted by a Chinese hacking group that has been going on for as long as two years. The attack has compromised the networks of several major US telecommunications companies, showing staggering growth in the scale and sophistication of the cyber threats that today’s enterprises must face. 

Failure of Legacy Cybersecurity Approaches 

The Salt Typhoon attack has targeted the telecommunications sector, a backbone of critical infrastructure, exposing vulnerabilities in complex distributed systems. The attack’s reach and precision underscore the growing reality that traditional approaches to security are no longer sufficient to combat these advanced persistent threats (APT). 

An APT is a complex cyberattack in which an unauthorized user gains access to a network and remains undetected for an extended period. 

For governance, risk, and compliance (GRC) teams, this is a pivotal moment. Protecting sensitive data, meeting regulatory mandates, and ensuring uninterrupted operations require a modern, scalable approach to security. 

What Went Wrong? 

Salt Typhoon used sophisticated techniques to infiltrate its targets, focusing on vulnerabilities in cybersecurity products and standing permissions.  

In late 2024 U.S. officials announced that hackers affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunication companies. The attack targeted core network components, including routers manufactured by Cisco, which route large portions of the Internet. 

One of the techniques used involved weaknesses in user authorization within the telecommunications companies’ networks and equipment. The attackers performed meticulous pre-exploitation reconnaissance and periodic credential extraction to maintain long-term, persistent access.  

Compromised Privileged Accounts 

Hackers likely targeted and compromised privileged accounts within the companies' systems. Once initial access was gained, hackers likely used stolen credentials to move laterally within the network, gaining access to more sensitive systems and data. 

Standing Permissions 

Hackers likely exploited standing access across both human and non-human accounts to gain access. Service accounts used to perform critical, ongoing management tasks on routers or other devices likely had sufficient permission to allow them to move through the environment undetected. 

By maintaining seemingly legitimate access to these systems, attackers were able to continue undetected for an extended period of time. 

Two Key Lessons Learned 

#1: Identity is the New Security Perimeter 

Network segmentation, micro-segmentation, firewalling, encryption, etc. are all necessary measures to secure the assets, but the most critical step organizations can take is to limit and control the access associated with human and non-human identities. 

Many recent major hacks, including Salt Typhoon, compromised sensitive systems exploiting weak identity and access management (IAM) controls. 

Beyond the traditional network firewall, there needs to be an “identity firewall” to limit the access that all identities have to critical resources. The identity firewall should also provide ephemeral, micro-segmented, and granular access based on specific attributes such as time-of-day, source network, roles, responsibilities, etc. 

#2: Modern, Time-Bound and Zero Trust Privilege Access Management is a Must 

One of the more head-turning details about the Salt Typhoon attack is that, at one point, the threat group gained access to one compromised administrator account that opened their access to 100,000 routers within the network. After the attackers compromised this account, they gained nearly unfettered entry across the whole infrastructure. 

Rob Hughes, CISO at RSA told Dice.com:

Modern PAM to Protect Against Identity-Based Threats 

A modern, cloud-forward privileged access management (PAM) solution like Britive could have prevented or significantly limited the impact of an identity-based attack. 

1. Meet Compliance Standards and Industry Best Practices 
For compliance teams, Britive simplifies compliance with security standards set by authorities such as CISA, NIST, and others. 

• Audit-ready reporting aligns with key frameworks like NIST, PCI DSS, HIPAA, GDPR, and others. 
• Seamless SIEM integration strengthens incident response capabilities and supports additional federal reporting requirements. 
• Clear, actionable insights into security posture make compliance both manageable and meaningful. 

2. Adherence to the Principle of Zero Standing Access 

Britive’s approach to zero standing access, as well as the principle least privileges not only aligns with federal and international compliance standards, but it also mitigates risk and strengthens data protection. 

Granular access management allows for users to gain only the appropriate levels of access needed to complete a given task. Dynamic, temporary access ensures that this access is automatically revoked after a set period of time, reducing the potential for exploitation by eliminating static access. 

3. Zero Trust Cloud PAM (CPAM) 
Britive’s CPAM solution is designed to address complex threats across cloud, multi-cloud, and traditional on-premises environments. 

In the Salt Typhoon breach, a compromised non-human identity within critical infrastructure was likely the vector of the breach, exploiting insufficiently protected routing and firewall devices. 

With dynamic, just-in-time (JIT) access, the credentials granting access to the systems tied to these devices would have given little to no significant standing access to critical systems. 

4. Scalability Without Compromise 
As cloud environments evolve rapidly, teams expect solutions that scale without compromising security or compliance. Britive eliminates this trade-off. 

As an API-first and integration-ready, cloud-native platform, Britive deploys and scales rapidly with any new or existing technology in your environment, ensuring seamless workflows for end-users. This enables both security and innovation on a scale. 

5. Identity as the New Security Perimeter 

An integrated “Identity Enforcement Firewall” as part of PAM solution is essential to address evolving sophisticated threats, while aligning with the collective guidance of leading cybersecurity authorities, including the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and other international agencies.  

With the rapid changes happening in network configurations, cloud infrastructure, containerized workloads, and hybrid on-premises enterprise environments, securing all human and machine identities is necessary. 

Organizations need to prioritize identity governance, granular access control policies, and simple, comprehensive visibility into user and machine permissions to mitigate risks and address breaches quickly. 

Cloud-first PAM allows organizations to strengthen defenses and maintain regulatory compliance across single, hybrid, and multi-cloud environments by combining advanced security, compliance, and frictionless usability. Ready to see Britive in action? Reach out to the team to see how to defend your network against ever-evolving threats. 

This blog was originally published on NetJoints.