A Chinese state-sponsored hacking group named Salt Typhoon has been linked to a cyberattack on a Canadian telecommunications company. This group used a serious vulnerability in Cisco networking equipment to carry out the attack. The incident was confirmed by the Canadian Centre for Cyber Security (CCCS) and the FBI.
The hackers targeted Cisco IOS XE devices, which are used in routers and network controllers. The vulnerability they used is known as CVE-2023-20198, a critical bug with a CVSS score of 10, the highest severity rating on that scale. This bug allows attackers to gain full control of the device remotely, without needing a username or password.
The attack happened in mid-February 2025, when Salt Typhoon gained unauthorized access to three different Cisco devices used by the Canadian telecom company. Once inside, the hackers downloaded the configuration files of those devices and made changes to one of them.
One major change they made was the creation of a GRE (Generic Routing Encapsulation) tunnel. This tunnel allows traffic to be secretly routed through another path, giving the attackers the ability to monitor, intercept, or even manipulate the network traffic flowing through the device. In simple terms, they were able to quietly watch what was happening inside the telecom’s network.
What’s alarming is that GRE tunnels are usually used for legitimate network functions, but in this case one was created without any approval and for spying purposes. This makes such attacks difficult to detect unless network traffic is closely monitored.
The CCCS and FBI didn’t name the affected telecom company but confirmed that the attack was part of a broader cyber-espionage campaign. Salt Typhoon has previously been linked to similar attacks on telecom operators in the United States, Italy, South Africa, and even satellite communications provider Viasat. Their main goal seems to be surveillance and information gathering, rather than data destruction or financial gain.
What makes this attack more concerning is that the Cisco vulnerability they used had already been made public in October 2023, and patches were available. But the fact that it was still exploitable in February 2025 shows that not all organizations had updated their systems in time.
The CCCS has issued a clear warning: any organization using Cisco IOS XE devices needs to update their systems immediately to avoid similar risks. They also recommend disabling unnecessary services like GRE tunnels unless they’re essential. Regularly reviewing device configurations and monitoring network traffic can help detect such hidden changes early.
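One way to carry out the configuration review recommended above is to compare a device's running configuration against a trusted baseline and flag GRE tunnels that are new, changed, or pointed at an unapproved peer. This is an added example, not code from the CCCS, the FBI or Cisco; the function names, sample configurations and addresses are constructed for illustration, and it assumes that a tunnel interface with no `tunnel mode` line uses the IOS default of GRE over IP.

```python
import re

# Constructed sample configs; addresses are from documentation ranges.
BASELINE = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
"""
RUNNING = BASELINE + """\
interface Tunnel7
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.50
!
"""

def parse_tunnels(config):
    """Map each TunnelN interface to its tunnel source/destination/mode."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            # Assumption: no "tunnel mode" line means the IOS default, GRE over IP.
            current = tunnels.setdefault(m.group(1), {"mode": "gre ip"})
        elif not line.startswith(" "):
            current = None  # any unindented line closes the stanza
        elif current is not None:
            m = re.match(r"\s+tunnel (source|destination|mode) (.+?)\s*$", line)
            if m:
                current[m.group(1)] = m.group(2)
    return tunnels

def audit_gre(baseline, running, approved_destinations):
    """Flag GRE tunnels that are new, changed, or aimed at an unapproved peer."""
    before, after = parse_tunnels(baseline), parse_tunnels(running)
    findings = []
    for name, t in sorted(after.items()):
        if not t["mode"].startswith("gre"):
            continue  # IPsec and other tunnel modes are out of scope here
        dest = t.get("destination")
        if name not in before:
            findings.append((name, "new tunnel", dest))
        elif before[name] != t:
            findings.append((name, "changed tunnel", dest))
        elif dest not in approved_destinations:
            findings.append((name, "unapproved destination", dest))
    return findings
```

Calling `audit_gre(BASELINE, RUNNING, {"198.51.100.10"})` reports `Tunnel7` as a new tunnel, which is the kind of unapproved change described in this incident.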
According to the report, some of the compromised devices were used only to gather network data, while others were configured to act as gateways for future attacks. This shows that Salt Typhoon is preparing for long-term access to critical infrastructure.
Security agencies believe that Salt Typhoon is backed by China’s Ministry of State Security, and the campaign is likely part of a larger plan to monitor global communications and gather intelligence. They warn that these kinds of attacks will likely continue for the next 12 to 24 months, especially targeting telecom, internet infrastructure, and government-related systems.
This attack is a reminder of how important it is to keep critical systems updated and secured. Telecom networks are essential for communication, business, and national security. If attackers gain control of them, they can cause serious damage, not just in terms of data loss, but also by secretly collecting sensitive information.
In conclusion, this incident shows how cyber-espionage groups like Salt Typhoon are taking advantage of known vulnerabilities to target critical sectors. It also highlights the importance of quick patching, strong network monitoring, and staying informed about ongoing threats. With more and more state-sponsored attacks surfacing globally, organizations need to take cybersecurity more seriously than ever before.
Stay alert, and keep your security measures updated!



