China-Backed Salt Typhoon Hackers Target Telecoms Globally Through Cisco Vulnerabilities

Salt Typhoon, a China-backed hacker group, has continued its cyber espionage campaign, targeting telecom companies across the globe. Leveraging critical vulnerabilities in Cisco devices, the group has compromised several organizations, including key U.S. telecoms and universities, highlighting an ongoing threat to global telecommunications infrastructure.
Salt Typhoon, also known as RedMike, has been actively exploiting two privilege escalation vulnerabilities in Cisco IOS XE software to compromise telecom networks globally. The two flaws, CVE-2023-20198 and CVE-2023-20273, were disclosed in October 2023 while already being exploited as zero-days, and although Cisco has long since issued patches, many devices remain unpatched. Between December 2024 and January 2025, the group successfully compromised at least seven devices linked to telecom providers, including a U.S.-based internet and telecom services provider, a U.S. affiliate of a British telecom provider, an Italian ISP, and telecom companies in South Africa and Thailand.
The attackers first exploited CVE-2023-20198, a flaw in the IOS XE web user interface, to gain initial access to the devices. They then escalated to root using CVE-2023-20273 and established persistent access by configuring GRE tunnels from the compromised devices to their own infrastructure. The pool of devices the group attempted to exploit was far larger than the seven it compromised: more than half of those targets were located in the U.S., South America, and India, with the rest spread across more than 100 countries. Notably, Salt Typhoon also targeted universities, including UCLA, Loyola Marymount, Utah Tech, and California State University in the U.S., and several others worldwide, possibly to gain access to research in telecommunications and engineering.
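The chain above leaves three artefacts a defender can look for in a device's running configuration: an IOS XE web UI reachable without an access class (the entry point for CVE-2023-20198, which lets an attacker create a local account at privilege level 15), local privilege-15 users nobody provisioned, and GRE tunnel interfaces pointing at unknown destinations. The script below is an added example, not code from the original article or from Recorded Future or Cisco; it audits a `show running-config` excerpt for those three conditions. The config text, the `EXPECTED_ADMINS` allowlist, the user and host names, and the addresses are all constructed for the example.

```python
"""Audit an IOS XE running-config excerpt for the artefacts left by the
Salt Typhoon / RedMike chain: an exposed web UI, unexpected privilege-15
local users, and GRE tunnel interfaces used for persistence.

Added example; the config below is constructed, not captured from any device.
"""
import re

# Constructed sample: one legitimate admin, one account nobody provisioned,
# a GRE tunnel to an outside host, and the HTTP/HTTPS server left open.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-1
!
username netops privilege 15 secret 9 $9$REDACTED
username webadmin2 privilege 15 secret 9 $9$REDACTED
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel1
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
ip http server
ip http secure-server
!
end
"""

# Assumption: the site's inventory of accounts that are allowed privilege 15.
EXPECTED_ADMINS = {"netops"}


def parse_config(text):
    """Split a running-config into top-level lines and per-interface bodies.

    IOS indents interface sub-commands with one space and separates sections
    with '!', so an unindented line always ends the current interface block.
    """
    top, blocks, current = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
            top.append(line)
    return top, blocks


def audit(text, expected_admins=EXPECTED_ADMINS):
    """Return a list of finding strings for the given running-config text."""
    top, blocks = parse_config(text)
    findings = []

    # 1. Web UI reachable with no access-class restricting who can hit it.
    http_on = any(l in ("ip http server", "ip http secure-server") for l in top)
    http_acl = any(l.startswith("ip http access-class") for l in top)
    if http_on and not http_acl:
        findings.append("web-ui-exposed")

    # 2. Privilege-15 local users that are not in the known-admin inventory.
    for l in top:
        m = re.match(r"username (\S+) privilege 15\b", l)
        if m and m.group(1) not in expected_admins:
            findings.append(f"unexpected-priv15-user:{m.group(1)}")

    # 3. GRE tunnels. IOS defaults a Tunnel interface to 'tunnel mode gre ip',
    #    so a block with no explicit mode line is still GRE.
    for name, body in blocks.items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((b for b in body if b.startswith("tunnel mode")), "tunnel mode gre ip")
        dest = next((b.split()[-1] for b in body if b.startswith("tunnel destination")), "unset")
        if "gre" in mode:
            findings.append(f"gre-tunnel:{name}->{dest}")

    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Any hit on the first check is worth acting on even with no sign of compromise: Cisco's published mitigation for these CVEs is to disable the web UI with `no ip http server` and `no ip http secure-server` on devices that do not need it, or to restrict it with an `ip http access-class` entry. Unexpected privilege-15 users and GRE tunnels to addresses you do not own are grounds for treating the device as compromised and rebuilding it from a known-good image rather than just deleting the lines.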
The campaign follows Salt Typhoon’s previous high-profile breaches of major U.S. telecom providers like AT&T, Verizon, and T-Mobile, which exposed the private communications of political figures and government officials. The group’s actions have raised concerns over China’s access to sensitive data, including real-time communications and location tracking of millions of people.
As Salt Typhoon continues to exploit these vulnerabilities, industry experts have emphasized the importance of patching and securing vulnerable devices. Jon Condra, senior director of strategic intelligence at Recorded Future, remarked that despite ongoing media coverage and U.S. sanctions, the group is expected to persist in its cyberattacks due to the high value of telecommunications data.
Salt Typhoon’s sustained cyberattacks demonstrate the persistent risks posed by state-backed hacking groups targeting global telecom networks. The exploitation of unpatched vulnerabilities underscores the critical need for timely patching and network security practices. As this threat continues to evolve, it remains essential for organizations worldwide to remain vigilant and secure their systems against such attacks.