Chinese Hackers Breach More US Telecoms via Unpatched Cisco Routers despite Sanctions

Chinese hackers, exploiting Cisco router vulnerabilities, breached multiple US telecoms and accessed sensitive government communications, highlighting the ongoing threat of state-sponsored cyberattacks.

Chinese hackers, specifically the Salt Typhoon group (also known as RedMike), are continuing their attacks on telecom providers globally.

Their latest campaign has compromised several US telecommunications companies by exploiting vulnerabilities in unpatched Cisco IOS XE network devices. The attacks leveraged two known vulnerabilities: CVE-2023-20198 (privilege escalation) and CVE-2023-20273 (Web UI command injection). These vulnerabilities allowed the Chinese hackers to gain access to the targeted networks.

Multiple US telecoms fell victim, including a major internet service provider (ISP), a US affiliate of a UK telecom, and others in South Africa, Italy, and Thailand. The hackers gained persistent access through compromised Cisco devices, using GRE tunnels to communicate with their command-and-control servers.

Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco devices, with over half located in the US, South America, and India.

“Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet,” stated Insikt Group.

“Although over 1,000 Cisco devices were targeted, Insikt Group assesses that this activity was likely focussed, given that this number only represents 8% of the exposed devices and that RedMike engaged in periodic reconnaissance activity, selecting devices linked to telecommunications providers.”

Vulnerabilities and Previous Attacks

These vulnerabilities were previously exploited in 2023 in zero-day attacks compromising over 50,000 Cisco IOS XE devices, enabling the deployment of backdoor malware. A November Five Eyes advisory listed these flaws among the top four most frequently exploited vulnerabilities that year.

The FBI and CISA confirmed a broader campaign in October 2024, involving breaches of multiple US telecom carriers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream), and telecoms in numerous other countries. Access to US telecom networks allowed the Chinese hackers to breach the “private communications” of a limited number of US government officials and to access the US law enforcement wiretapping platform.

Insikt Group urges network administrators to immediately patch their internet-exposed Cisco IOS XE devices and avoid exposing administrative interfaces or non-essential services directly to the internet. The Salt Typhoon group’s activities, dating back to at least 2019, highlight the ongoing threat posed by Chinese state-sponsored hackers to global telecommunications infrastructure.
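The two signals the article describes on the compromised devices, a web UI reachable from the internet and GRE tunnels carrying command-and-control traffic, can both be read straight out of an IOS XE running-config. The following script is an added example written for this page, not code from Insikt Group, Cisco or the article; it audits constructed `show running-config` text for an unrestricted `ip http server` / `ip http secure-server` and for GRE tunnel interfaces whose destination is not on an operator-maintained allow-list. The sample configs, IP addresses and the `KNOWN_TUNNEL_PEERS` allow-list are hypothetical. One detail worth knowing for the tunnel check: IOS does not print `tunnel mode gre ip` in the running-config because it is the default mode, so a `Tunnel` interface with no `tunnel mode` line is a GRE tunnel.

```python
"""Audit an IOS XE running-config for an exposed web UI and unexpected GRE tunnels."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample configs (hypothetical; not from any real device or from the article).
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
end
"""

# Same device after the fix: plaintext HTTP off, HTTPS limited to the management
# subnet via a standard ACL, and only the operator-provisioned tunnel remaining.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
access-list 10 permit 10.10.0.0 0.0.255.255
!
no ip http server
ip http secure-server
ip http access-class 10
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.5
!
end
"""

# Hypothetical allow-list of tunnel peers the operator actually provisioned.
KNOWN_TUNNEL_PEERS: Set[str] = {"192.0.2.5"}


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style config into global commands and per-interface sub-command blocks.
    In 'show running-config' output, interface sub-commands are indented by one space
    and a block ends at the next '!' or at the next unindented global command."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        m = re.match(r"^interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_web_ui(global_cmds: List[str]) -> List[str]:
    """Flag a web UI that is on (HTTP or HTTPS) without an 'ip http access-class' restriction."""
    findings = []
    http = "ip http server" in global_cmds          # 'no ip http server' is a different string
    https = "ip http secure-server" in global_cmds
    restricted = any(c.startswith("ip http access-class") for c in global_cmds)
    if http:
        findings.append("web UI served over plaintext HTTP (ip http server)")
    if (http or https) and not restricted:
        findings.append("web UI enabled with no 'ip http access-class' restriction")
    return findings


def audit_tunnels(interfaces: Dict[str, List[str]], known_peers: Set[str]) -> List[str]:
    """Flag GRE tunnel interfaces whose destination is not a known, provisioned peer."""
    findings = []
    for name, lines in interfaces.items():
        if not name.lower().startswith("tunnel"):
            continue
        # GRE over IPv4 is the IOS default and is omitted from the running-config.
        mode = next((l for l in lines if l.startswith("tunnel mode")), "tunnel mode gre ip")
        if "gre" not in mode:
            continue
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), None)
        if dest is None:
            findings.append(f"{name}: GRE tunnel with no destination configured")
        elif dest not in known_peers:
            findings.append(f"{name}: GRE tunnel to unrecognised peer {dest}")
    return findings


def audit(text: str, known_peers: Set[str] = KNOWN_TUNNEL_PEERS) -> List[str]:
    """Run both checks over one running-config and return the combined findings."""
    global_cmds, interfaces = parse_config(text)
    return audit_web_ui(global_cmds) + audit_tunnels(interfaces, known_peers)


if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against the real output of `show running-config` collected over the management network, and keep the tunnel allow-list in the same place as the device inventory; a tunnel that appears on a device without a matching change record is the thing to investigate, whatever its destination looks like.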
