For example, it mentions exploits for Cisco devices being a primary entry point into tap systems. Makes sense, because afaik these devices hold things like tap bridges which control stuff. (Not sure ofc, but some info on it was disclosed 12 years ago: SNMP tap bridges.)
Then it goes on and says suddenly: "Salt Typhoon deployed a sophisticated persistence mechanism designed to survive exactly the remediation attempts carriers would eventually undertake. The primary implant, documented by Trend Micro researchers under the name GhostSpider, operated entirely in memory without touching disk, evading traditional antivirus that scans for malicious files"
Afaik, you do not install anti-virus on a Cisco switch or router, or ASA. I've never seen it. The Smart Install stuff is also network devices, not some kind of app on a user device. So how would anti-virus really be able to see it even if it was on the disk?
Forensic tooling might not be able to find it if it's in memory (and the device was powered off... don't do this!), but that's a completely different ballpark.
Wondering if anti-virus and forensic tooling were swapped / confused, or if there is some kind of missing piece of info about a malware that this piece pertains to.
FYI, GhostSpider is a Windows-based malware, hence I don't see the correlation to the mentions of Cisco popping and getting into the devices that hold taps.
https://www.trendmicro.com/en_us/research/24/k/earth-estries... (mentioned a bit down on the page)
The original article the info in this one relates to (https://archive.md/CgRWt#selection-4559.0-4559.257) also doesn't seem so sure about the nature of the breach. It does not mention such specific capabilities.
They mention that US lawmakers / security folks noted: "The hackers also had the ability to “record phone calls at will”, according to Anne Neuberger, who was a deputy US national security adviser at the time." which is one of the more concrete statements. This statement is completely different from 'having access to wiretaps'.
As far as I know this used to be done via things like this: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6... which would be very specific access to these Cisco devices (so that part _does_ seem to align, the CVEs vs. the capabilities).
It's a very interesting read and pretty well written. Definitely tickles my curiosity, but if anyone has more information related to the specific claims of accessing tap infrastructure rather than telco general infra, this would be welcome!