Cyber Assaults Persist: Hackers Supported by China Target Telecom Firms Again
In a recent development, the advanced threat group known as Salt Typhoon (also referred to as RedMike) has been actively exploiting critical zero-day vulnerabilities in Cisco devices, leading to ongoing and sophisticated cyber espionage campaigns targeting global telecommunications providers.
The exploitation of these vulnerabilities, identified as CVE-2023-20198 and CVE-2023-20273, has been ongoing since their disclosure in October 2023. These vulnerabilities, both with a CVSS score of 10.0, have allowed Salt Typhoon to create arbitrary accounts with administrative privileges on target network devices and configure Generic Routing Encapsulation (GRE) tunnels for covert access and data collection.
The most recent victims of these attacks have been Canadian telecommunications companies, revealing a significant blind spot in network security for telecom providers worldwide. Salt Typhoon has also previously breached global satellite communications company Viasat. Beyond Canada, Salt Typhoon has compromised telecom and internet firms in multiple countries, indicating a broad and ongoing targeting of the global telecom sector.
The attacks have caused alarm within both the U.S. government and the technology sector, with telecom providers scrambling to investigate the breaches and ensure that Salt Typhoon actors are completely removed from their networks.
Cisco has published security advisories and patches for CVE-2023-20198 and CVE-2023-20273. For organizations unable to immediately patch, Cisco recommends disabling vulnerable features such as the HTTP Server on internet-facing systems to reduce exposure.
Researchers from Recorded Future have urged users to avoid exposing administration interfaces and nonessential services for public-facing devices on the internet. They also recommend prioritizing patching vulnerabilities in such devices and monitoring for configuration changes.
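The mitigations above (disable the HTTP server feature when a device cannot be patched, avoid exposing management interfaces, watch for configuration changes) can be turned into a routine configuration audit. The following script is an added example, not Cisco's or Recorded Future's tooling: it scans an IOS XE style running-config excerpt for the exposure points the article names, namely the HTTP server feature, privilege-15 local accounts that are not on the operator's own allowlist, and GRE tunnel interfaces. The sample config, the hostnames, usernames, addresses and the `KNOWN_ADMINS` allowlist are all constructed for illustration.

```python
"""
Audit a Cisco IOS XE style running-config excerpt for the exposure points
and post-exploitation artifacts described in the article: the HTTP server
feature, unexpected privilege-15 local accounts, and GRE tunnel interfaces.
Added example, not Cisco's or Recorded Future's tooling.
"""
import re

# Constructed sample config; every name, address and secret below is made up.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
!
end
"""

# Accounts the operator knows about (assumed allowlist); any other
# privilege-15 user is reported as unexpected.
KNOWN_ADMINS = {"netops"}


def parse_interfaces(config):
    """Return {interface_name: [indented sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a new top-level command ends the block
    return interfaces


def audit_config(config, known_admins=KNOWN_ADMINS):
    """Return a list of (severity, finding) tuples for the exposure points above."""
    findings = []

    # 1. HTTP server feature enabled: the feature Cisco advises disabling
    #    on internet-facing systems that cannot be patched immediately.
    for feature in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(feature)}\s*$", config, re.MULTILINE):
            findings.append(("high", f"web UI feature enabled: '{feature}'"))

    # 2. Privilege-15 local users absent from the operator's allowlist.
    for match in re.finditer(r"^username (\S+) privilege 15\b", config, re.MULTILINE):
        user = match.group(1)
        if user not in known_admins:
            findings.append(("critical", f"unexpected privilege-15 account: {user}"))

    # 3. GRE tunnel interfaces, which the article ties to covert access.
    for name, cmds in parse_interfaces(config).items():
        if any(c.startswith("tunnel mode gre") for c in cmds):
            dest = next((c.split()[-1] for c in cmds if c.startswith("tunnel destination")), "?")
            findings.append(("medium", f"GRE tunnel {name} to {dest}"))

    return findings


if __name__ == "__main__":
    for severity, finding in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {finding}")
```

Run against a config pulled on a schedule and compare the findings list with the previous run's; a new privilege-15 user or a new GRE tunnel appearing between two runs is exactly the kind of configuration change the researchers recommend monitoring for.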
It is important to note that Salt Typhoon is a China-backed hacking group, and state-sponsored Chinese threat groups have "shifted heavily" toward exploiting vulnerable, public-facing network devices over the last five years.
Salt Typhoon's operations pose a significant risk to the security and stability of global telecommunications infrastructure, underscoring the urgent need for affected organizations to apply patches and strengthen network security controls. The group is expected to continue targeting telecommunications providers in the U.S. and globally due to the amount and high value of communications data that traverses these networks.
This is not the first time Salt Typhoon has targeted telecom companies. In the past, they have been linked to high-profile breaches of several major U.S. telecom companies, including AT&T, Verizon, T-Mobile, and Lumen Technologies. The hacking campaign by Salt Typhoon occurred between December 2024 and January 2025.
Cisco has issued a statement regarding the reported exploitation of the two zero-day vulnerabilities in its devices, and researchers expect Salt Typhoon to continue targeting unpatched Cisco edge devices.
This incident serves as a reminder for all organizations to prioritize patching known vulnerabilities and follow industry best practices for securing management protocols to protect their networks from advanced threats like Salt Typhoon.
[1] Source: Cisco Security Advisories
[2] Source: Recorded Future Insight
[3] Source: Insikt Group Report
- The ongoing cyber espionage campaigns targeting global telecommunications providers by Salt Typhoon (RedMike) have highlighted a critical need for vulnerability management, as the group exploits zero-day vulnerabilities such as CVE-2023-20198 and CVE-2023-20273 for covert access and data collection.
- State-sponsored Chinese threat groups, including Salt Typhoon, have been intensifying their focus on exploiting vulnerable, public-facing network devices, potentially compromising sensitive data such as communications information that traverses these networks.
- To protect their networks, telecom providers and other organizations are advised to prioritize patching known vulnerabilities, follow industry best practices, and secure management protocols; the Salt Typhoon incident underscores the ongoing risk of breaches and privacy infringements through unpatched technology vulnerabilities.