Salt Typhoon, a China-backed threat group, has continued its hacking spree this year, compromising five more telecom providers worldwide, including two US-based companies. According to research from Recorded Future’s Insikt Group, the group conducted a campaign between December 2024 and January 2025 targeting unpatched Cisco edge devices globally.
The attacks exploited two vulnerabilities in Cisco IOS XE software, CVE-2023-20198 and CVE-2023-20273, to gain initial access and later root access. Researchers observed Salt Typhoon targeting over 1,000 devices worldwide during the two-month span.
Insikt Group discovered compromised Cisco devices at five organizations, including a US telecom and internet service provider, a British telecom affiliate, and universities across the globe, such as UCLA and California State University. The group targeted these institutions to access research in telecommunications, engineering, and technology.
The report found that over half of the targeted devices were located in the US, South America, and India, with more than 12,000 Cisco devices having web user interfaces exposed to the internet. Researchers warned that state-sponsored Chinese threat groups have shifted their focus towards exploiting vulnerable public-facing network devices.
Recorded Future recommended that organizations prioritize patching vulnerabilities and monitoring for configuration changes. It also urged users to avoid exposing administration interfaces and nonessential services on the internet. This latest campaign follows Salt Typhoon’s high-profile breaches of several major US telecom companies last year, which involved access to the private communications of targeted officials and to law enforcement requests.
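One way to act on the recommendations above, as an added example that is not from the article or from Recorded Future: a Python check that flags an enabled IOS XE web UI in a saved running-config and reports security-relevant drift from a known-good baseline. Both configs, the hostname and the usernames are constructed samples, and the list of watched line prefixes is an assumption to adapt.

```python
import re

# Constructed sample configs (not from any real device).
BASELINE = """\
hostname edge-rtr-01
no ip http server
no ip http secure-server
username netops privilege 15 secret 9 <redacted>
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""
CURRENT = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username netops privilege 15 secret 9 <redacted>
username support1 privilege 15 secret 9 <redacted>
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""

WEBUI = re.compile(r"^ip http (server|secure-server)\s*$")
ACL = re.compile(r"^ip http access-class\b")
# Assumed set of top-level lines worth alerting on when they change.
WATCH = re.compile(r"^(username |ip http |aaa |line vty)")

def lines(cfg):
    """Non-empty config lines, comments dropped, indentation preserved."""
    return [l.rstrip() for l in cfg.splitlines() if l.strip() and not l.startswith("!")]

def webui_findings(cfg):
    """Flag an enabled HTTP/HTTPS server and note if no access-class limits it."""
    cfg_lines = lines(cfg)
    restricted = any(ACL.match(l) for l in cfg_lines)
    note = "" if restricted else " (no ip http access-class)"
    return [f"web UI enabled: '{l}'{note}" for l in cfg_lines if WEBUI.match(l)]

def config_drift(baseline, current):
    """Security-relevant top-level lines added or removed since the baseline."""
    old, new = set(lines(baseline)), set(lines(current))
    added = sorted(l for l in new - old if WATCH.match(l))
    removed = sorted(l for l in old - new
                     if WATCH.match(l) or l.startswith("no ip http"))
    return {"added": added, "removed": removed}

if __name__ == "__main__":
    for finding in webui_findings(CURRENT):
        print("FINDING", finding)
    for kind, changed in config_drift(BASELINE, CURRENT).items():
        for l in changed:
            print(kind.upper(), l)
```

Run it against configs pulled on a schedule; a newly added privilege 15 account or a re-enabled HTTP server is the kind of configuration change the recommendation asks defenders to watch for.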
Source: https://www.cybersecuritydive.com/news/china-backed-hackers-continue-cyberattacks-on-telecom-companies/740066