In a sophisticated cyber espionage campaign, the Chinese state-sponsored advanced persistent threat (APT) group known as Salt Typhoon has been actively exploiting vulnerabilities in Cisco network devices. Over the past two months, the group has successfully infiltrated telecommunications companies, internet service providers (ISPs), and universities across six continents, highlighting the persistent cybersecurity risks posed by outdated infrastructure.
Salt Typhoon’s Expanding Footprint
Salt Typhoon, also known by aliases such as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, initially gained notoriety in late 2023 for its attacks on major US telecommunications providers. Reports indicated that the group had compromised networks belonging to T-Mobile, AT&T, and Verizon, even managing to intercept law enforcement wiretaps and access sensitive communications related to the US presidential campaigns. Despite the exposure, Salt Typhoon has only expanded its operations, continuing to leverage known vulnerabilities in Cisco devices to gain unauthorized access to critical infrastructure worldwide.
A recent report from cybersecurity firm Recorded Future’s Insikt Group confirms that Salt Typhoon launched at least six major cyberattacks between December 2024 and January 2025. These attacks primarily targeted communications providers and research institutions, demonstrating the group's strategic focus on acquiring intelligence and maintaining persistence within high-value networks.
Exploiting Cisco’s Vulnerabilities
The latest wave of attacks was facilitated by Salt Typhoon’s exploitation of two known vulnerabilities in Cisco’s IOS XE operating system. These security flaws, which were disclosed by Cisco in 2023, enable attackers to gain administrative control over affected devices and execute arbitrary commands with root privileges.
The first vulnerability, designated CVE-2023-20198, carries the highest possible Common Vulnerability Scoring System (CVSS) rating of 10 out of 10. It allows attackers to create new local accounts with administrative privileges, granting them full control over compromised devices. Shortly after this flaw was identified, Cisco disclosed a second related vulnerability, CVE-2023-20273, which builds on the first by enabling attackers to execute malicious commands as root users. This secondary exploit has a CVSS rating of 7.2, indicating a high severity level.
Despite Cisco’s advisories urging organizations to patch their systems, many vulnerable devices remain exposed. Salt Typhoon has taken full advantage of this lapse, using these vulnerabilities to establish Generic Routing Encapsulation (GRE) tunnels, a legitimate networking feature that can be repurposed to maintain persistence, evade detection, and exfiltrate data from compromised environments.
Widespread Targeting Across the Globe
Salt Typhoon’s latest campaign has impacted organizations on every continent, with a significant concentration of victims in North America, South America, and Asia. Some of the most notable targets include:
A US-based affiliate of a UK telecommunications provider
A major US-based telecommunications company and ISP
An Italian ISP
A leading South African telecom provider
A prominent Thai telecommunications company
Mytel, a key telecom operator in Myanmar
In addition to attacking telecommunications infrastructure, Salt Typhoon has also targeted 13 universities worldwide. Notably, these institutions—such as the University of California, Los Angeles (UCLA)—conduct cutting-edge research in telecommunications, engineering, and cybersecurity, making them attractive targets for espionage and intellectual property theft.
Strategic Motives Behind the Attacks
The scale and precision of Salt Typhoon’s cyber operations suggest a calculated strategy aligned with China’s intelligence objectives. By infiltrating telecommunications networks, the group gains access to vast amounts of sensitive data, including corporate communications, government intelligence, and military-related research. Beyond espionage, these intrusions provide China with the capability to disrupt or manipulate data flows in the event of geopolitical tensions or conflicts.
Jon Condra, Senior Director of Strategic Intelligence at Recorded Future, underscores the global nature of Salt Typhoon’s operations:
“While prior reports have focused primarily on US-based intrusions, Salt Typhoon’s targeting extends far beyond American borders. The group’s objectives align with broader Chinese intelligence interests, enabling them to conduct espionage, establish footholds within critical infrastructure, and prepare for potential disruptive actions in the future.”
Challenges in Defending Against State-Sponsored Threats
One of the primary challenges in defending against Salt Typhoon and similar APT groups is the sheer complexity of telecommunications infrastructure. According to Zach Edwards, a senior threat researcher at Silent Push:
“Telecommunications networks are some of the most intricate and outdated systems in existence. Many still operate legacy hardware and software that can’t be easily replaced. This creates significant security gaps that sophisticated actors like Salt Typhoon can exploit.”
Despite repeated warnings and security advisories from Cisco and government agencies, many organizations have yet to implement the necessary patches and security measures. This reluctance is often due to operational challenges, as updating core networking equipment can lead to downtime and service disruptions.
Urgent Need for Proactive Security Measures
In light of Salt Typhoon’s ongoing activities, cybersecurity experts stress the importance of proactive defense measures to mitigate the risks posed by APTs. Organizations relying on Cisco devices—especially those running IOS XE—should take the following steps immediately:
Apply Security Patches: Ensure that all Cisco devices are updated with the latest firmware and security patches.
Restrict Internet Exposure: Remove all unnecessary network devices from public-facing internet access, particularly those with outdated security configurations.
Monitor for Unusual Activity: Deploy advanced network monitoring tools to detect anomalies, such as unauthorized GRE tunnels or suspicious administrative logins.
Implement Multi-Factor Authentication (MFA): Require MFA for all administrative access to prevent unauthorized users from escalating privileges.
Conduct Regular Security Audits: Assess network infrastructure for vulnerabilities and compliance with security best practices.
The Future of Cybersecurity in Telecommunications
Salt Typhoon’s recent attacks serve as a stark reminder of the ongoing cybersecurity challenges faced by the telecommunications sector. The group’s ability to exploit known vulnerabilities in widely used networking equipment underscores the need for stronger defenses, more rigorous patching protocols, and increased collaboration between governments and private entities to combat state-sponsored cyber threats.
As geopolitical tensions continue to influence the landscape of cyber warfare, it is imperative for organizations to remain vigilant. The persistent nature of Salt Typhoon’s operations suggests that this group—and others like it—will continue to evolve their tactics, making cybersecurity a top priority for critical infrastructure providers worldwide.
By taking immediate action to address vulnerabilities, organizations can reduce their exposure to these sophisticated cyber threats and safeguard their data from future exploitation.
A sophisticated cyberattack campaign, dubbed Operation Digital Eye, has targeted several IT and security companies across Southern Europe. Researchers at
