According to Cisco Talos, Salt Typhoon used stolen credentials and actively tried to steal more by targeting weak password storage, network device configurations and capturing authentication traffic.