Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
Wed | Feb 19, 2025 | 4:26 AM PST

Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major U.S. telecommunications providers, including AT&T, Verizon, and Lumen Technologies. Now, new research from Recorded Future's Insikt Group reveals that Salt Typhoon remains active and has expanded its campaign, compromising additional telecom networks across the globe between December 2024 and January 2025.

Ongoing espionage: more networks under attack

According to Recorded Future, Salt Typhoon (also tracked as RedMike) infiltrated five additional telecom networks, including two unnamed providers in the United States.

"Recorded Future's Insikt Group observed seven compromised Cisco network devices communicating with Salt Typhoon infrastructure on five telecom networks between early December and late January," states the report.

The impacted companies include a U.S. internet service provider, a U.K.-affiliated telecom provider, an Italian ISP, a large Thailand telecom company, and a South African telecom provider. This growing list of victims signals an escalation in Chinese cyber operations.

The attack playbook: exploiting Cisco router vulnerabilities

Salt Typhoon primarily targeted internet-exposed Cisco network routers, exploiting two Cisco IOS XE Web UI vulnerabilities that Cisco disclosed and patched in October 2023 and that ranked among the most routinely exploited vulnerabilities of that year:

  • CVE-2023-20198 – A flaw in the Cisco IOS XE Web UI that lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrative rights), rated 10.0 (critical) on the CVSS scale

  • CVE-2023-20273 – A command injection flaw in the same Web UI, used with the newly created account to escalate privileges and gain root access on the device's underlying operating system

By chaining these vulnerabilities together, Salt Typhoon created new privileged user accounts, modified device configurations, and established persistent access via Generic Routing Encapsulation (GRE) tunnels.

"We have not observed other initial access vectors related to this campaign at this time," said Jon Condra, Senior Director of Strategic Intelligence at Recorded Future.

While U.S. authorities have not publicly pinpointed Salt Typhoon's primary initial access method across its wider campaign, guidance from U.S. CISA and global cybersecurity agencies urges organizations to harden Cisco devices against exactly this kind of attack.

Geopolitical impact: why U.S. telecoms are a prime target

For suspected Chinese nation-state hackers, U.S. telecom providers remain a high-value espionage target. Salt Typhoon's objectives reportedly include:

  • Intercepting sensitive communications from government officials and corporate executives

  • Tracking political activists and dissidents through geolocation metadata

  • Stealing research from academic institutions focused on telecom, engineering, and emerging technologies

[RELATED: 8 Steps Huawei Took to Steal IP from T-Mobile and Cover It Up]

"Salt Typhoon's attack spree targeting global telecom networks began up to two years before it was discovered by U.S. officials in late spring of last year," the report says.

This long-term persistence underscores the difficulty in fully removing the advanced persistent threat (APT) from breached networks, a challenge U.S. authorities have openly acknowledged.

Mitigation strategies: how to defend against Salt Typhoon

Given the ongoing attacks, network defenders must take immediate action:

  • Apply security patches: Ensure all Cisco routers are updated to prevent exploitation of CVE-2023-20198 and CVE-2023-20273.

  • Limit exposure: Disable unnecessary web UI access and restrict administrative interfaces from internet exposure.

  • Monitor network traffic: Investigate unexpected configuration changes and unusual GRE tunnel activity.

  • Increase endpoint security: On the Windows hosts that administer or connect to network infrastructure, deploy behavioral analytics to detect unauthorized PowerShell and WMI execution.

  • Collaborate with authorities: Work with CISA, the FBI, and international cyber agencies to strengthen defensive measures.
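The playbook described above (new privilege-15 accounts, modified device configurations, GRE tunnels for persistence) and the first three mitigation items all leave traces in a router's running configuration, so one practical check is a script that audits exported "show running-config" output for those artefacts. The following is an added example written for this article, not code from Recorded Future, Cisco or CISA; the sample configuration, hostname, account names and tunnel endpoint are constructed, and the sets of approved administrators and approved tunnel interfaces are assumptions you would replace with your own inventory.

```python
"""Audit an IOS XE running-config for the artefacts described in the article.

Added example (not Recorded Future, Cisco or CISA code). It flags:
  1. the Web UI being enabled (the entry point for CVE-2023-20198), and
     HTTPS Web UI enabled without an 'ip http access-class' restriction;
  2. local privilege-15 accounts outside an approved list (exploitation of
     CVE-2023-20198 creates exactly such an account);
  3. GRE tunnel interfaces that are not expected on the device (the
     persistence channel reported for this campaign).
"""
import re
from dataclasses import dataclass

# Constructed sample running-config (not a real capture). The account
# 'svc_backup' and interface Tunnel100 play the role of attacker-added artefacts.
SAMPLE_CONFIG = """\
version 17.3
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed-hash-1
username svc_backup privilege 15 secret 9 $9$constructed-hash-2
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
ip http server
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
!
end
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    subject: str    # username, interface name, or config keyword
    detail: str


def parse_interfaces(lines):
    """Return {interface_name: [body lines]} from config lines.

    An 'interface X' line opens a block; indented lines belong to it; any
    top-level line (including '!') closes it.
    """
    interfaces = {}
    current = None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_config(config_text, approved_admins, approved_tunnels=frozenset()):
    """Return a list of Finding objects for the artefacts described above."""
    lines = config_text.splitlines()
    findings = []

    # 1. Web UI exposure. Exact-line matches, so 'no ip http server' is not hit.
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    has_acl = any(l.startswith("ip http access-class") for l in lines)
    if http_on:
        findings.append(Finding("HIGH", "ip http server",
                                "Web UI reachable over cleartext HTTP; "
                                "disable with 'no ip http server'"))
    if https_on and not has_acl:
        findings.append(Finding("MEDIUM", "ip http secure-server",
                                "HTTPS Web UI enabled with no 'ip http access-class' "
                                "restriction; disable if unused or restrict by ACL"))

    # 2. Privilege-15 local accounts that nobody provisioned.
    for line in lines:
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m and m.group(1) not in approved_admins:
            findings.append(Finding("HIGH", m.group(1),
                                    "unapproved privilege-15 local account"))

    # 3. Unexpected GRE tunnels. On IOS XE a Tunnel interface with no explicit
    #    'tunnel mode' line defaults to GRE over IP, so absence counts as GRE.
    for name, body in parse_interfaces(lines).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((b for b in body if b.startswith("tunnel mode")), "tunnel mode gre ip")
        if "gre" in mode and name not in approved_tunnels:
            dest = next((b.split()[-1] for b in body
                         if b.startswith("tunnel destination")), "unknown")
            findings.append(Finding("HIGH", name, f"unexpected GRE tunnel to {dest}"))

    return findings


if __name__ == "__main__":
    # Assumption: 'netops' is the only approved privilege-15 account and no
    # GRE tunnels are expected on this edge router.
    for f in audit_config(SAMPLE_CONFIG, approved_admins={"netops"}):
        print(f"[{f.severity}] {f.subject}: {f.detail}")
```

Run it over configurations pulled from every internet-facing IOS XE device. A privilege-15 user nobody provisioned, or a GRE tunnel to an address outside your own space, is exactly the kind of finding the report describes and should be handled as a potential compromise rather than a hardening gap. The Web UI check is the hardening counterpart: if the interface is not needed, "no ip http server" and "no ip http secure-server" remove the attack surface for CVE-2023-20198 entirely; if it is needed, restrict it with an access-class ACL and keep it off the internet.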

The outlook: a persistent and growing threat

Despite U.S. sanctions on China-based hacking entities, Salt Typhoon's activities remain a serious concern.

"Despite significant media coverage and U.S. sanctions, Insikt Group expects Salt Typhoon to continue targeting telecommunications providers in the U.S. and globally due to the amount and high value of communications data that traverses these networks," warns the report.

As tensions escalate between the U.S. and China over cyber warfare, cooperation between global cybersecurity agencies will be crucial to mitigating these threats. Salt Typhoon's ability to remain entrenched within critical infrastructure for years demonstrates the evolving nature of nation-state cyber operations.

The need for continuous monitoring, proactive defense strategies, and strict compliance with security best practices has never been more urgent.

[RELATED: Cyber Powers: Ranking the Top 30 Nations by Capabilities, Intent]

Follow SecureWorld News for more content related to cybersecurity.
