More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs

Networks in US and beyond compromised by Beijing's super-snoops pulling off priv-esc attacks


China's Salt Typhoon spy crew exploited vulnerabilities in Cisco devices to compromise at least seven devices linked to global telecom providers and other orgs, in addition to its previous victim count.

The intrusions happened between December 2024 and January 2025 with the Chinese government snoops attempting to exploit more than 1,000 internet-facing Cisco-made boxes before successfully breaking into at least seven that were unpatched, according to Recorded Future's Insikt Group.

Salt Typhoon previously compromised at least nine US telecommunications companies and government networks, giving President Xi's agents real-time access to people's communications and whereabouts.

In its latest espionage campaign, the crew infiltrated Cisco-supplied gear associated with a US internet service and telecommunications provider, a US affiliate of a "significant" UK-based telecom provider, an Italian ISP, and two other telecommunications firms, one in South Africa and a "large" one in Thailand, Insikt's report [PDF] states. Again, that would give China intimate access to people's internet activities, movements, and comms.

"The group likely compiled a list of target devices based on their association with telecommunications providers' networks," according to the write-up.

Additionally, the snoops "possibly targeted" more than a dozen universities including University of California, Los Angeles to access research related to telecommunications, engineering, and technology, according to the infosec house, which tracks Salt Typhoon as RedMike.

Plus, in mid-December, Salt Typhoon also conducted a reconnaissance operation involving "multiple" IP addresses owned by Mytel, a Myanmar-based telecom firm.

To compromise the targeted Cisco devices, Beijing's spies chained two privilege escalation vulnerabilities in Cisco IOS XE: CVE-2023-20198 (rated critical) and CVE-2023-20273. The networking giant issued patches for both in 2023, and at the time warned the bugs had already been exploited as zero-days.

CVE-2023-20198 is a privilege escalation vulnerability in the IOS XE web user interface. The snoops exploited this one for initial access, then used it to issue a privilege 15 command that created a local user account with a password of their choosing, giving them full administrative rights on the box.

Then, they used the new local account to exploit the second flaw, CVE-2023-20273, to gain root privileges on the device. With root, Salt Typhoon added a generic routing encapsulation (GRE) tunnel between the compromised router and infrastructure it controlled, giving it persistent access into the victim's network that survives a reboot and blends in with legitimate routing configuration.
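The chain above leaves three artefacts in a device's running configuration: a privilege 15 local user nobody provisioned, a GRE tunnel interface pointing at an address the operator does not recognise, and the web UI (`ip http server` / `ip http secure-server`) exposed in the first place. The script below is an added example, not code from Recorded Future, Cisco, or the report; it parses a `show running-config` dump and flags those three things. The sample config and the allow-list of expected admin accounts are constructed for illustration and must be replaced with your own.

```python
"""Hunt an IOS XE running-config for the post-exploitation artefacts
described above: unexpected privilege-15 users, GRE tunnel interfaces,
and an enabled web UI. Added example, not Cisco's or the report's code."""
import re
from dataclasses import dataclass, field

# Constructed sample `show running-config` excerpt (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$abc
username svc_backup privilege 15 secret 9 $9$def
username monitor privilege 1 secret 9 $9$ghi
!
ip http server
ip http secure-server
!
interface Tunnel1
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

# Assumption: the privilege-15 accounts your organisation actually provisioned.
EXPECTED_ADMINS = {"netadmin"}

USER_RE = re.compile(r"^username (\S+) privilege (\d+)")


@dataclass
class Findings:
    unexpected_priv15: list = field(default_factory=list)   # usernames
    gre_tunnels: list = field(default_factory=list)         # (interface, destination)
    web_ui_enabled: bool = False


def _stanzas(config):
    """Yield (header, body_lines) for each top-level stanza; indented lines
    belong to the preceding unindented header, as in IOS config output."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line.strip(), []
    if header is not None:
        yield header, body


def hunt(config, expected_admins=EXPECTED_ADMINS):
    """Return Findings for one running-config text."""
    f = Findings()
    for header, body in _stanzas(config):
        m = USER_RE.match(header)
        if m:
            name, priv = m.group(1), int(m.group(2))
            if priv == 15 and name not in expected_admins:
                f.unexpected_priv15.append(name)
        elif header in ("ip http server", "ip http secure-server"):
            f.web_ui_enabled = True
        elif header.startswith("interface Tunnel"):
            # IOS does not print the default `tunnel mode gre ip`, so a
            # Tunnel interface with no explicit mode line is a GRE tunnel.
            mode = next((l for l in body if l.startswith("tunnel mode")), None)
            if mode is None or mode.startswith("tunnel mode gre"):
                dest = next((l.split()[-1] for l in body
                             if l.startswith("tunnel destination")), None)
                f.gre_tunnels.append((header.split()[-1], dest))
    return f


if __name__ == "__main__":
    result = hunt(SAMPLE_CONFIG)
    print("Unexpected privilege-15 users:", result.unexpected_priv15)
    print("GRE tunnels (interface, destination):", result.gre_tunnels)
    print("Web UI enabled:", result.web_ui_enabled)
```

Run it against configs pulled over an out-of-band path rather than from the device's own web UI, and treat any hit on the first two checks as an incident, not a ticket: an attacker who reached root can also tamper with what `show running-config` reports, so a clean result is only reassuring on a device that was patched before these two CVEs were weaponised. Disabling the web UI, or restricting it to a management network, removes the initial-access vector entirely.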

More than half of the targeted devices, in terms of attempts, were in the US, South America, and India, with the rest spanning over 100 countries. Most of these were linked to telecom providers, while 12 universities were possibly targeted to access research related to technology. Basically, China wanted to pwn the world's telecommunications networks.

These colleges included, in the US: University of California, Los Angeles (UCLA); California State University, Office of the Chancellor; Loyola Marymount University; and Utah Tech University. Plus Argentina (Universidad de La Punta) and Bangladesh (Islamic University of Technology IUT). Two were in Indonesia: Universitas Sebelas Maret and Universitas Negeri Malang.

Other attempted targets were in, at least, Malaysia (University of Malaya), Mexico (Universidad Nacional Autonoma), the Netherlands (Technische Universiteit Delft), Thailand (Sripatum University), and Vietnam (University of Medicine and Pharmacy at Ho Chi Minh City).

After it emerged last year that Salt Typhoon had struck Verizon, AT&T, Lumen Technologies, and others, and thus China was in a position to monitor millions of people's calls, texts, locations, and internet activities, Uncle Sam urged IT departments to tighten up their network security and netizens to start using strong end-to-end encryption for their online chatter.

The kicker in all of this is that, in that previous campaign, Beijing abused equipment that provides surveillance backdoors intended for US law enforcement to track suspects in American networks to pull off these intrusions.

In January, the US issued sanctions on a Salt Typhoon affiliated cybersecurity company, Sichuan Juxinhe Network Technology, which is based in Sichuan, China.

But while the sanctions "signal a more assertive and commendable stance against state-backed cyber espionage in critical infrastructure," according to the threat hunters, "robust international cooperation is crucial for effectively countering these persistent threats."

A spokesperson for Cisco told us today that what it knows for certain is that the flaws highlighted by Insikt were fixed back in 2023, as we noted.

"We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE," the spinner said.

"To date, we have not been able to validate these claims but continue to review available data.

"In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols." ®
