Chinese Hackers Exploit Cisco Flaws to Breach Global Telecom Networks

Chinese state-sponsored hacking group Salt Typhoon has intensified its cyber-espionage activities, targeting telecommunications providers worldwide by exploiting known vulnerabilities in Cisco network devices. Despite previous exposure and sanctions, the group continues to infiltrate critical infrastructure, compromising sensitive communications data.

Between December 2024 and January 2025, Salt Typhoon successfully breached at least five telecommunications networks, including two based in the United States. Other affected entities include a U.S.-based affiliate of a prominent U.K. telecommunications provider and a major South African telecom company. The group’s reach extends to internet service providers in Italy and Thailand, as well as several U.S. universities, potentially aiming to access cutting-edge research in telecommunications.

The attackers leveraged unpatched vulnerabilities in Cisco devices, specifically CVE-2023-20198 and CVE-2023-20273, to gain initial access and escalate privileges within the targeted networks. These flaws, present in the web user interface of Cisco IOS XE software, allowed Salt Typhoon to reconfigure devices and establish persistent access through generic routing encapsulation (GRE) tunnels.
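The article describes the exposure (an enabled IOS XE web UI) and the persistence artefact (GRE tunnels created after reconfiguration) without showing how a defender would look for them. The following is an added example, not code from the article or from Cisco: a small auditor that reads a saved IOS XE running-config and flags the web UI being enabled, tunnel interfaces that are not on an operator-maintained allowlist, and privilege-15 local users that are not on the admin allowlist. The sample configuration, interface names, usernames and allowlists are constructed for the example; the three checks are this example's own choice of indicators, not an official indicator list.

```python
"""Audit an IOS XE running-config for the exposure and persistence signs
discussed above: web UI enabled, unexpected GRE tunnels, unexpected
privilege-15 users.  Added example with a constructed configuration."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not a real device's config).
SAMPLE_CONFIG = """\
!
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $PLACEHOLDER_HASH
username tmp-admin privilege 15 secret 9 $PLACEHOLDER_HASH
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.10
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
ip http server
ip http secure-server
!
"""


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


@dataclass
class ParsedConfig:
    http_server: bool = False
    http_secure_server: bool = False
    tunnels: dict = field(default_factory=dict)      # name -> {source, destination, mode}
    priv15_users: list = field(default_factory=list)


def parse_config(text: str) -> ParsedConfig:
    """Extract the handful of config items the audit cares about."""
    cfg = ParsedConfig()
    current = None  # name of the Tunnel interface whose block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' closes an interface block in IOS configs
            continue
        if not line.startswith(" "):
            current = None          # any unindented line ends the previous block
            if line == "ip http server":
                cfg.http_server = True
            elif line == "ip http secure-server":
                cfg.http_secure_server = True
            elif m := re.match(r"username (\S+) privilege 15\b", line):
                cfg.priv15_users.append(m.group(1))
            elif m := re.match(r"interface (Tunnel\d+)$", line):
                current = m.group(1)
                # IOS tunnels default to GRE over IPv4 when no mode is set.
                cfg.tunnels[current] = {"source": None, "destination": None, "mode": "gre ip"}
            continue
        if current:                 # indented line inside a Tunnel block
            body = line.strip()
            if m := re.match(r"tunnel mode (.+)", body):
                cfg.tunnels[current]["mode"] = m.group(1)
            elif m := re.match(r"tunnel source (\S+)", body):
                cfg.tunnels[current]["source"] = m.group(1)
            elif m := re.match(r"tunnel destination (\S+)", body):
                cfg.tunnels[current]["destination"] = m.group(1)
    return cfg


def audit(text: str, expected_tunnels: set, expected_admins: set) -> list:
    """Compare the parsed config against operator allowlists and return findings."""
    cfg = parse_config(text)
    findings = []
    if cfg.http_server or cfg.http_secure_server:
        findings.append(Finding("high", "web-ui-enabled",
                                "HTTP/HTTPS server is on; disable with 'no ip http server' / "
                                "'no ip http secure-server' unless the web UI is required"))
    for name, t in cfg.tunnels.items():
        if name not in expected_tunnels and t["mode"].startswith("gre"):
            findings.append(Finding("high", "unexpected-gre-tunnel",
                                    f"{name}: source={t['source']} destination={t['destination']}"))
    for user in cfg.priv15_users:
        if user not in expected_admins:
            findings.append(Finding("high", "unexpected-priv15-user", user))
    return findings


if __name__ == "__main__":
    # Allowlists would normally come from the operator's inventory; constructed here.
    for f in audit(SAMPLE_CONFIG, expected_tunnels={"Tunnel0"}, expected_admins={"netops"}):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

The allowlist approach matters more than the regexes: a GRE tunnel or a level-15 account is only suspicious relative to what the operator expects on that device, so the script is meant to run against backed-up configs alongside an inventory, with any new finding treated as a change to investigate rather than a verdict.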


Salt Typhoon, also known as RedMike, has a history of sophisticated cyber-espionage campaigns, primarily focusing on counterintelligence targets in the United States. The group’s operations have previously compromised major U.S. telecommunications companies, including Verizon, AT&T, and T-Mobile, accessing sensitive data such as call logs, text messages, and even live call audio. These breaches have raised significant concerns about national security and the protection of sensitive communications.

In response to these ongoing threats, U.S. government agencies have issued advisories recommending the use of end-to-end encrypted communication applications to safeguard sensitive information. The Federal Bureau of Investigation has specifically urged users to avoid standard text messaging between Android and Apple devices, advocating for secure platforms like WhatsApp and Signal to mitigate interception risks.

Cisco has acknowledged the vulnerabilities and released patches to address them. However, the persistence of unpatched devices in critical networks underscores the challenges organizations face in maintaining up-to-date security measures. The exploitation of these known flaws by state-sponsored actors like Salt Typhoon highlights the necessity for continuous vigilance and proactive cybersecurity practices.

The recent intrusions have not only affected telecommunications providers but also academic institutions. Several U.S. universities, known for their advanced research in telecommunications, have reported breaches linked to Salt Typhoon. These incidents suggest a concerted effort by the group to acquire proprietary research and technological advancements, potentially to bolster China’s own capabilities in the sector.

The international community has expressed growing concern over China’s cyber-espionage activities. Despite diplomatic protests and sanctions, groups like Salt Typhoon continue to operate with impunity, posing a persistent threat to global cybersecurity. The ability of these actors to adapt and exploit existing vulnerabilities emphasizes the need for a coordinated and robust international response.



