Salt Typhoon Affiliate Hits Telecoms in 30+ Countries With TernDoor
China-linked UAT-9244 deploys TernDoor backdoor and peer-to-peer implants against telecom infrastructure across South America, North America, and Europe.
A threat cluster affiliated with China's Salt Typhoon operation has compromised telecommunications infrastructure across more than 30 countries, according to research published by CYFIRMA this week. The group, tracked as UAT-9244, deploys custom backdoors including TernDoor and the peer-to-peer implant PeerTime to maintain persistent access to network edge devices and internal systems.
The campaign's geographic scope is remarkable. Confirmed targets span South America, North America, the United Kingdom, Australia, India, and Japan. Telecom operators represent the primary focus, but the group has also targeted network edge devices and VoIP infrastructure—the backbone of global communications.
Toolset and Capabilities
UAT-9244 operates with a mature toolkit developed for cross-platform deployment. The group's primary implants run on both Windows and Linux, with specialized variants for network edge devices including routers and voice infrastructure.
TernDoor serves as the primary backdoor. The implant establishes encrypted command-and-control channels and supports standard remote access functions: command execution, file transfer, and system enumeration. TernDoor's modular architecture allows operators to load additional capabilities post-compromise without reinfecting targets.
PeerTime provides redundant access through peer-to-peer communications. Unlike a conventional C2 architecture that depends on centralized servers, PeerTime lets compromised hosts relay traffic through one another. That mesh topology complicates takedown efforts, since seizing or sinkholing one node doesn't sever the rest of the network. It also means infected hosts must open connections to each other, an internal host-to-host traffic pattern that defenders can look for.
BruteEntry handles initial access through automated vulnerability scanning and credential attacks. The tool targets a mix of legacy and recently disclosed CVEs, which suggests the group tracks new disclosures and weaponizes public vulnerabilities quickly.
Exploitation of Known Vulnerabilities
UAT-9244's initial access frequently exploits unpatched edge devices. CYFIRMA identified several CVEs in active use:
- CVE-2021-26855 — Microsoft Exchange ProxyLogon, still yielding results five years after disclosure
- CVE-2021-45461 — FreePBX remote code execution
- CVE-2025-0944 — Undisclosed network device vulnerability
- CVE-2025-12480 — Undisclosed network device vulnerability
The continued exploitation of 2021-era vulnerabilities speaks to the patching challenges facing telecommunications providers. Edge devices often run legacy software, lack centralized management, and sit outside normal patch cycles. Attackers know this and target accordingly. When a 2026 disclosure in decades-old software such as CVE-2026-24061 in GNU inetutils can still hand an attacker root on network infrastructure, the patching gap becomes an intelligence goldmine.
This is the same problem behind CISA Binding Operational Directive 26-02, which we covered previously: it ordered federal agencies to address aging edge infrastructure. Private-sector telecoms face no equivalent requirement.
Connection to Salt Typhoon
Salt Typhoon came to public attention in late 2024 as a Chinese state-sponsored operation targeting U.S. telecommunications infrastructure. The group compromised multiple major carriers and reportedly gained access to lawful intercept systems, the infrastructure used for court-authorized wiretapping.
UAT-9244 shares tooling overlaps and targeting patterns with Salt Typhoon, though CYFIRMA stops short of claiming direct organizational connection. The relationship may represent a subcontractor, parallel tasking from the same intelligence sponsor, or an independent group operating under similar directives.
Regardless of exact affiliation, the objective is clear: sustained access to telecommunications infrastructure enables signals intelligence collection at scale. Compromised telecom networks provide visibility into call metadata, text messages, and in some cases content—valuable intelligence for any nation-state.
Geographic and Sector Focus
South American telecommunications providers appear disproportionately affected. The region's less mature security posture and strategic importance as a gateway to U.S. networks likely drives this focus. Compromising South American carriers could enable upstream collection on traffic transiting between continents.
The campaign's breadth—30+ countries—suggests operational maturity and significant resourcing. Maintaining concurrent access across diverse network environments requires substantial infrastructure and personnel.
Defensive Recommendations
Telecommunications providers should assume targeting and respond accordingly:
- Audit internet-facing systems for indicators of compromise, particularly FreePBX and Exchange servers and the edge devices in front of them
- Implement network segmentation isolating management interfaces from production traffic
- Deploy behavioral monitoring capable of detecting lateral movement patterns
- Review east-west and outbound connections for host-to-host traffic inconsistent with normal operations, such as internal hosts connecting to one another on ports no known service uses
- Accelerate patching for internet-facing infrastructure, prioritizing the CVEs listed above
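The peer-to-peer review above can be done mechanically. The following Python is an added example written for this article, not code from CYFIRMA's report or from the UAT-9244 toolset: it reads NetFlow-style records (a constructed sample is embedded) and flags internal hosts with reciprocal host-to-host connections on ports where internal systems are not expected to talk to each other. Ordinary client/server traffic is asymmetric (many clients to one server, and the server rarely connects back), so a host with several reciprocal links on an odd port looks like a mesh node rather than a client. The RFC 1918 ranges, the expected-port list, and the record layout are assumptions to tune for your own network.

```python
"""Flag mesh-like peer-to-peer traffic between internal hosts in flow records.

Added detection example for this article; not from the CYFIRMA report or the
UAT-9244 toolset. Record layout, internal ranges and the expected-port list are
assumptions and should be tuned per environment.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges treated as "internal" (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Ports on which internal host-to-host traffic is expected in a typical
# Windows/Unix estate (assumption). Anything else counts as "unexpected".
EXPECTED_PORTS = {22, 53, 88, 123, 135, 139, 389, 443, 445, 636, 3389, 5985}

# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # normal client/server traffic
    ("10.1.1.10", "10.1.0.5", 445),       # workstation -> file server
    ("10.1.1.20", "10.1.0.5", 445),
    ("10.1.1.10", "10.1.0.2", 53),        # DNS
    ("10.1.1.20", "10.1.0.2", 53),
    ("10.1.1.10", "203.0.113.7", 443),    # outbound web to an external host, ignored
    ("10.1.0.9", "10.1.0.5", 22),         # jump host <-> server on an expected port
    ("10.1.0.5", "10.1.0.9", 22),
    # mesh-like: four hosts connecting to one another on an odd port
    ("10.1.1.10", "10.1.1.20", 7777),
    ("10.1.1.20", "10.1.1.10", 7777),
    ("10.1.1.10", "10.1.1.30", 7777),
    ("10.1.1.30", "10.1.1.10", 7777),
    ("10.1.1.20", "10.1.2.40", 7777),
    ("10.1.2.40", "10.1.1.20", 7777),
    ("10.1.1.30", "10.1.2.40", 7777),
    ("10.1.2.40", "10.1.1.30", 7777),
    # one-way oddity (a probe), not reciprocal, so it should not be flagged
    ("10.1.3.99", "10.1.0.5", 7777),
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unexpected_internal_edges(flows, expected_ports=EXPECTED_PORTS):
    """Directed edges (src, dst, port) between internal hosts on unexpected ports."""
    edges = set()
    for src, dst, port in flows:
        if port in expected_ports or src == dst:
            continue
        if is_internal(src) and is_internal(dst):
            edges.add((src, dst, port))
    return edges


def reciprocal_peers(edges):
    """host -> {(peer, port)} where both host->peer and peer->host exist on that port."""
    peers = defaultdict(set)
    for src, dst, port in edges:
        if (dst, src, port) in edges:
            peers[src].add((dst, port))
    return peers


def find_mesh_candidates(flows, min_reciprocal=2, expected_ports=EXPECTED_PORTS):
    """Return {host: sorted peer list} for hosts with >= min_reciprocal reciprocal links."""
    peers = reciprocal_peers(unexpected_internal_edges(flows, expected_ports))
    return {h: sorted(p for p, _ in ps)
            for h, ps in peers.items() if len(ps) >= min_reciprocal}


def connected_components(candidates):
    """Group flagged hosts into clusters: each cluster is one suspected mesh."""
    seen, clusters = set(), []
    for start in candidates:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            host = stack.pop()
            if host in comp:
                continue
            comp.add(host)
            stack.extend(p for p in candidates.get(host, []) if p in candidates)
        seen |= comp
        clusters.append(sorted(comp))
    return clusters


if __name__ == "__main__":
    cands = find_mesh_candidates(SAMPLE_FLOWS)
    for host, peers in sorted(cands.items()):
        print(f"{host}: reciprocal peers on unexpected ports -> {peers}")
    print("suspected mesh clusters:", connected_components(cands))
```

Run against the sample, the script flags the four hosts talking to each other on port 7777 as one cluster, ignores the jump-host pair because port 22 is expected, and ignores the one-way probe because nothing connects back. Raising min_reciprocal or extending the expected-port list is how you trade recall for fewer false positives on a real network.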
For organizations concerned about nation-state threats to critical infrastructure, our cybersecurity resources section provides additional hardening guidance.
Why This Matters
Telecommunications infrastructure represents a high-value target for intelligence services worldwide. Persistent access to carrier networks enables bulk collection that would be impossible through individual targeting. The victims of these compromises aren't just the telecom companies—they're everyone whose communications traverse those networks.
The scale of UAT-9244's operations suggests this is no opportunistic campaign. It's a coordinated effort to position Chinese intelligence capabilities across global communications infrastructure. Defenders in the telecom sector should treat this as an ongoing, resourced threat requiring sustained defensive investment.
For continued coverage of nation-state cyber operations, follow our threat intelligence reporting.
Related Articles
Salt Typhoon Breaches Congressional Committee Staff Emails
Chinese state hackers accessed email accounts of House staffers working on China, foreign affairs, and defense. The intrusion was discovered in December.
Jan 12, 2026
Cisco Talos Exposes UAT-7290: China APT Targeting Telecoms
Newly disclosed threat actor compromises telecom providers in South Asia and Southeastern Europe, establishing relay infrastructure for other Chinese APT groups.
Jan 8, 2026
Silver Fox APT Impersonates Indian Tax Officials in Espionage Campaign
CloudSEK identifies Chinese threat group Silver Fox targeting Indian organizations with phishing emails disguised as income tax department communications.
Dec 31, 2025
LongNosedGoblin: New China-Aligned APT Abuses Group Policy for Espionage
ESET researchers discover sophisticated threat actor targeting Southeast Asian and Japanese governments using Windows Group Policy for lateral movement.
Dec 19, 2025