
Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390)

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and is responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISPs).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) | Attack Pattern | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) | Attack Pattern | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) | Attack Pattern | 1 |
| Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) | Attack Pattern | Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | 1 |
| Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) | Attack Pattern | Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | 1 |
| Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) | Attack Pattern | Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) | Attack Pattern | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | Network Topology - T1590.004 (34ab90a3-05f6-4259-8f21-621081fdaba5) | Attack Pattern | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) | Malware | 1 |
| Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) | Attack Pattern | Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | 1 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | 1 |
| Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) | Intrusion Set | Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) | Attack Pattern | 1 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) | Attack Pattern | 2 |
| Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) | Attack Pattern | Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) | Attack Pattern | 2 |
| Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) | Attack Pattern | 2 |
| Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) | Attack Pattern | Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) | Attack Pattern | 2 |
| Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109) | Attack Pattern | Network Topology - T1590.004 (34ab90a3-05f6-4259-8f21-621081fdaba5) | Attack Pattern | 2 |
| SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) | Malware | 2 |
| Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) | Attack Pattern | JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) | Malware | 2 |
| Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) | Attack Pattern | JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) | Malware | 2 |
| Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) | Attack Pattern | JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) | Malware | 2 |
| Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) | Attack Pattern | JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) | Malware | 2 |
| Hide Infrastructure - T1665 (eb897572-8979-4242-a089-56f294f4c91d) | Attack Pattern | JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) | Malware | 2 |
| Network Device Configuration Dump - T1602.002 (52759bf1-fe12-4052-ace6-c5b0cf7dd7fd) | Attack Pattern | Data from Configuration Repository - T1602 (0ad7bc5c-235a-4048-944b-3b286676cb74) | Attack Pattern | 2 |
| Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) | Attack Pattern | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 2 |
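The relationship listing above is what a detection engineer usually wants as data rather than as a page: the level-1 rows give the techniques and software attributed directly to G1045, and the level-2 rows either link a sub-technique to its parent (T1110.002 to T1110) or attach behaviours to JumbledPath (S1206) that the actor reaches through that tool. The parser below is an added example, not code from the MISP project or from this galaxy entry; it assumes the flattened row layout shown here (two "Name - ID (uuid) Galaxy" cells followed by the level, actor on either side) and uses a handful of rows copied from the table as its sample input.

```python
"""Added example: parse a flattened MISP galaxy relationship listing (the layout rendered
for the Salt Typhoon cluster) into a small graph and pull ATT&CK IDs out per level.
Not code from the MISP project or from the galaxy page itself."""
import re
from collections import defaultdict

# Galaxy types that occur in this listing (MISP's names for ATT&CK groups, techniques, software).
GALAXIES = "Intrusion Set|Attack Pattern|Malware"


def _cluster(tag: str) -> str:
    """Regex for one 'Name - ID (uuid) Galaxy' cell; IDs are ATT&CK G/S/T IDs such as T1110.002."""
    return (rf"(?P<name_{tag}>.+?) - (?P<id_{tag}>[GST]\d{{4}}(?:\.\d{{3}})?) "
            rf"\((?P<uuid_{tag}>[0-9a-f]{{8}}(?:-[0-9a-f]{{4}}){{3}}-[0-9a-f]{{12}})\) "
            rf"(?P<galaxy_{tag}>{GALAXIES})")


# A row is two cells followed by the relationship level; the actor may sit on either side.
ROW = re.compile(rf"^{_cluster('a')} {_cluster('b')} (?P<level>\d+)$")

# Sample input: rows copied verbatim from the listing above (a subset, not the full table),
# plus the header line to show that non-row text is skipped.
SAMPLE_ROWS = [
    "Cluster A Galaxy A Cluster B Galaxy B Level",
    "Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) Intrusion Set Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 1",
    "Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) Intrusion Set Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 1",
    "Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) Intrusion Set 1",
    "Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) Intrusion Set 1",
    "Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) Intrusion Set SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern 1",
    "Salt Typhoon - G1045 (1c3dcf91-b859-4aae-a09c-ae26dc8b6390) Intrusion Set JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) Malware 1",
    "Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 2",
    "Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2",
    "SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2",
    "Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) Malware 2",
    "Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern JumbledPath - S1206 (05489800-6c6f-4922-a0de-d573b333e612) Malware 2",
]


def parse_rows(lines):
    """Return (cluster_a, cluster_b, level) tuples; each cluster is a dict with
    name/id/uuid/galaxy. Lines that are not relationship rows (header, blanks) are skipped."""
    rows = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        a = {k: g[f"{k}_a"] for k in ("name", "id", "uuid", "galaxy")}
        b = {k: g[f"{k}_b"] for k in ("name", "id", "uuid", "galaxy")}
        rows.append((a, b, int(g["level"])))
    return rows


def neighbours(rows, cluster_id, level=None):
    """IDs linked to cluster_id, optionally restricted to one level. Edges are treated as
    undirected because the rendering puts the actor in either column."""
    out = set()
    for a, b, lvl in rows:
        if level is not None and lvl != level:
            continue
        if a["id"] == cluster_id:
            out.add(b["id"])
        elif b["id"] == cluster_id:
            out.add(a["id"])
    return out


def techniques_of(rows, cluster_id, level=None):
    """Sorted Attack Pattern IDs adjacent to cluster_id (software such as S1206 is filtered out)."""
    by_id = {c["id"]: c for a, b, _ in rows for c in (a, b)}
    return sorted(t for t in neighbours(rows, cluster_id, level)
                  if by_id[t]["galaxy"] == "Attack Pattern")


def parent_of(technique_id):
    """T1110.002 -> T1110; a parent technique maps to itself."""
    return technique_id.split(".")[0]


def coverage_by_parent(rows, actor_id):
    """Group the actor's level-1 techniques under their parent technique. The level-2
    parent<->sub-technique rows carry the same information as the ID prefix, so the
    grouping is derived from the ID and works even when those rows are missing."""
    grouped = defaultdict(list)
    for t in techniques_of(rows, actor_id, level=1):
        grouped[parent_of(t)].append(t)
    return {p: sorted(ts) for p, ts in sorted(grouped.items())}


def split_level2(rows):
    """Partition level-2 rows into hierarchy edges (parent <-> sub-technique, same ID prefix)
    and behaviour edges (a technique attached to software reached at level 1)."""
    hierarchy, behaviour = [], []
    for a, b, lvl in rows:
        if lvl != 2:
            continue
        pair = (a["id"], b["id"])
        same_prefix = parent_of(a["id"]) == parent_of(b["id"])
        if a["galaxy"] == b["galaxy"] == "Attack Pattern" and same_prefix:
            hierarchy.append(pair)
        else:
            behaviour.append(pair)
    return hierarchy, behaviour


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("direct techniques:", techniques_of(rows, "G1045", level=1))
    print("by parent:", coverage_by_parent(rows, "G1045"))
    print("JumbledPath behaviours:", techniques_of(rows, "S1206", level=2))
    print("level-2 split:", split_level2(rows))
```

Feeding the full table through `parse_rows` gives the complete G1045 technique set for a coverage map; `split_level2` is the part worth keeping an eye on, because a behaviour edge such as T1040 on S1206 is attributed to the actor only through the tool, and a detection that keys on the tool rather than the technique will miss the same behaviour performed by hand.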