Chinese APT Group ‘Salt Typhoon’ Breaches Canadian Telecom Firm Using Cisco IOS XE Vulnerability

Canada confirms a state-sponsored breach in its telecom sector, where Salt Typhoon exploited an unpatched Cisco vulnerability to compromise devices and reroute sensitive network traffic.

    Salt Typhoon Hacks Canadian Telecom Provider via Cisco IOS XE Exploit

    The Canadian Centre for Cyber Security has confirmed that Salt Typhoon, a Chinese state-sponsored threat actor, breached a Canadian telecommunications provider earlier this year. The group exploited CVE-2023-20198, a critical privilege-escalation vulnerability in the Cisco IOS XE web UI, to gain administrative access to the provider’s network devices.

    The confirmation came in a joint advisory issued by Canadian authorities in collaboration with the U.S. FBI, highlighting a growing cross-border cybersecurity risk targeting telecom operators and critical infrastructure.

    “Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025,” the advisory stated.

    The Cisco Flaw and What It Allowed Hackers to Do

    The vulnerability exploited, CVE-2023-20198, was first disclosed in October 2023. It allows a remote, unauthenticated attacker who can reach the device’s web UI (the IOS XE HTTP or HTTPS server feature) to create an arbitrary local account with privilege level 15, the highest administrative level on the platform.

    Despite widespread attention around the flaw and its active exploitation as a zero-day at the time, at least one Canadian telecom provider had still not applied the patch more than a year later, when the February 2025 intrusion took place.
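Exploitation of this flaw leaves traces in device syslog: a web UI login by an account the operator never created, a configuration written "programmatically" by the web UI's WSMA process, and file installs through the web UI. The scanner below, an added example rather than tooling from Cisco or the advisory, runs those checks over IOS XE syslog lines. The message formats follow the indicators Cisco Talos published for CVE-2023-20198; the log lines, the allowed web UI users and the management network are constructed assumptions.

```python
"""Scan IOS XE syslog for traces of CVE-2023-20198 exploitation.

Added example, not Cisco's or the advisory's code. Message formats follow the
indicators Cisco Talos published for this vulnerability; sample lines and the
allowlists are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# Assumptions: who may use the web UI, and from which management network.
KNOWN_WEBUI_USERS = {"netops"}
MGMT_NETS = [ip_network("10.20.0.0/24")]

# Indicators: web UI login, programmatic config write by the web UI WSMA
# process, and file install through the web UI.
WEBLOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: (\S+)\]")
CONFIG_P_RE = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (\S+)")
INSTALL_RE = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (\S+), Install Operation: (\S+)")

# Constructed sample log (RFC 5737 / RFC 1918 addresses). Line 1 is a normal
# admin login; lines 2-4 are the pattern an exploited device would show.
SAMPLE_LOG = """\
<189>Feb 14 2025 03:12:44.101 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] at 03:12:44 UTC Fri Feb 14 2025
<189>Feb 14 2025 03:14:02.377 UTC: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: cisco_tac_admin] [Source: 198.51.100.23] at 03:14:02 UTC Fri Feb 14 2025
<189>Feb 14 2025 03:14:03.010 UTC: %SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
<189>Feb 14 2025 03:15:30.500 UTC: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, Install Operation: ADD 2025-02-14T03:15:30.000+00:00
<189>Feb 14 2025 03:20:11.000 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.5)
"""


def _from_mgmt(src: str, mgmt_nets) -> bool:
    """True if src parses as an IP inside one of the management networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in mgmt_nets)


def scan(lines, known_users=KNOWN_WEBUI_USERS, mgmt_nets=MGMT_NETS) -> list:
    """Return one alert string per suspicious syslog line."""
    alerts = []
    for line in lines:
        if m := WEBLOGIN_RE.search(line):
            user, src = m.groups()
            # Web UI logins are expected only for known admins from mgmt space.
            if user not in known_users or not _from_mgmt(src, mgmt_nets):
                alerts.append(f"web UI login by {user!r} from {src}")
        elif m := CONFIG_P_RE.search(line):
            # Config pushed by the web UI's WSMA process: how the exploit adds
            # its privilege-15 account. Also appears for legitimate web UI use,
            # so correlate it with the login and install events.
            if m.group(1) == "SEP_webui_wsma_http":
                alerts.append("config written programmatically via web UI WSMA")
        elif m := INSTALL_RE.search(line):
            alerts.append(f"web UI file install by {m.group(1)}: {m.group(2)}")
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

The CONFIG_P message on its own only proves the web UI wrote configuration, which a legitimate administrator also triggers; the value is in the sequence (unknown user logs in from outside management space, config is written, a file is installed) within a short window.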

    Salt Typhoon used the flaw to:

    • Retrieve the running configuration from all three compromised devices
    • Modify the configuration of one device to add a GRE tunnel, giving the actors a path to collect traffic from the provider’s network
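The two artefacts named above (a privilege-15 account the exploit creates, and a GRE tunnel added to one device’s configuration) are both visible in the running-config, as is the web UI exposure the exploit needs. The audit below is an added example, not Cisco tooling or anything from the advisory: it parses an IOS XE running-config, flags `ip http server`/`ip http secure-server`, privilege-15 users outside an allowlist, and GRE tunnels to peers outside an allowlist. The sample configuration and both allowlists are constructed assumptions.

```python
"""Audit a Cisco IOS XE running-config for the post-exploitation traces
described above. Added example, not Cisco tooling; sample config and
allowlists are constructed.
"""
import re

# Assumptions: the admin accounts and tunnel peers the operator intends to have.
KNOWN_ADMINS = {"netops"}
KNOWN_TUNNEL_PEERS = {"203.0.113.10"}

# Constructed sample running-config (RFC 5737 documentation addresses).
# cisco_tac_admin and Tunnel99 are the planted artefacts.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$abcdef
username cisco_tac_admin privilege 15 secret 9 $9$zzzzzz
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+)")
IFACE_RE = re.compile(r"^interface (\S+)")


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [its indented sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        current = None            # '!' or any top-level command ends the block
        m = IFACE_RE.match(raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
    return interfaces


def privileged_users(config: str, level: int = 15) -> list:
    """Local usernames configured at or above the given privilege level."""
    return [m.group(1) for m in map(USER_RE.match, config.splitlines())
            if m and int(m.group(2)) >= level]


def gre_tunnels(config: str) -> list:
    """(interface, destination) for each Tunnel interface carrying GRE.

    'tunnel mode gre ip' is the IOS XE default and is omitted from the
    running-config, so a Tunnel with no explicit non-GRE mode counts as GRE.
    """
    found = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l for l in lines if l.startswith("tunnel mode ")),
                    "tunnel mode gre ip")
        if not mode.startswith("tunnel mode gre"):
            continue
        dest = next((l.split()[2] for l in lines
                     if l.startswith("tunnel destination ")), None)
        found.append((name, dest))
    return found


def audit(config: str, known_admins=KNOWN_ADMINS,
          known_peers=KNOWN_TUNNEL_PEERS) -> list:
    """Findings for the three traces: web UI exposure, rogue admins, rogue GRE."""
    findings = []
    for line in config.splitlines():
        if line in ("ip http server", "ip http secure-server"):
            findings.append(f"web UI enabled: {line}")
    for user in privileged_users(config):
        if user not in known_admins:
            findings.append(f"unexpected privilege-15 user: {user}")
    for name, dest in gre_tunnels(config):
        if dest not in known_peers:
            findings.append(f"GRE tunnel {name} to unapproved destination {dest}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against `show running-config` output collected out-of-band (console or a known-good management path), and diff against the last archived config as well: the advisory’s third point, retrieval of the running-config, is itself worth treating as a sign that whatever the file reveals (SNMP communities, TACACS keys, peer addresses) should be rotated.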

    This activity forms part of a larger espionage pattern that targets telecom systems globally, with a focus on routing-level access to siphon communications and metadata over extended periods.

    Broader Reconnaissance Across Canada

    This confirmed intrusion follows earlier reconnaissance activity observed in October 2024, when Canadian cybersecurity officials noticed Salt Typhoon probing dozens of sensitive networks. While no breaches were confirmed at the time, the warning was clear.

    Despite that warning, not all telecom or infrastructure providers acted swiftly to patch edge-facing systems.

    Salt Typhoon’s operations now appear to go beyond the telecom sector. Investigators noted that its reconnaissance campaigns likely extended into other industries, with stolen data possibly serving as a stepping stone for later lateral movement or supply chain attacks.

    What Makes Telecoms a Prime Target?

    Telecommunications providers offer unique strategic value to state-sponsored hackers due to the nature of the data they handle. This includes:

    • Call metadata and subscriber information
    • Location data and SMS contents
    • Internal communications involving political or government entities

    These attackers tend to focus on edge devices, such as:

    • Routers
    • Firewalls
    • VPN appliances

    They may also leverage Managed Service Providers (MSPs) and cloud vendors as indirect entry points to access downstream customers.

    The advisory included links to technical hardening guides for edge infrastructure and called on all critical service operators to audit their systems immediately.

    Global Scope of Salt Typhoon Campaigns

    Salt Typhoon has previously compromised telecom operators in dozens of countries. Publicly reported U.S. victims include:

    • AT&T
    • Verizon
    • Lumen
    • Charter Communications
    • Consolidated Communications
    • Windstream

    Just last week, Viasat confirmed a breach attributed to the same threat group. Fortunately, no customer data was impacted in that case.

    Future Outlook and Ongoing Risk

    The Canadian Centre for Cyber Security warned that Salt Typhoon’s espionage campaigns are expected to continue aggressively for at least the next two years, especially against organizations that have not properly secured their network perimeter.

    For businesses operating within or adjacent to critical infrastructure sectors, continuous patch management, edge device monitoring, and network segmentation are essential defenses against these increasingly persistent campaigns.
