Chinese state-backed hackers, known as Salt Typhoon (also tracked as RedMike), continue to target global telecommunications networks, exploiting unpatched Cisco IOS XE devices.
According to cybersecurity firm Recorded Future, the group has successfully breached multiple telecom providers, including a U.S. internet service provider (ISP), a U.K.-affiliated telecom company, and major networks in South Africa, Italy, and Thailand.
The hackers have been leveraging CVE-2023-20198 and CVE-2023-20273, two critical vulnerabilities in Cisco IOS XE. These flaws allow privilege escalation and remote command execution, enabling attackers to gain persistent access. Researchers have detected compromised Cisco devices communicating with Salt Typhoon-controlled servers over GRE tunnels, used here as a channel for covert data transmission. Between December 2024 and January 2025, the group targeted over 1,000 Cisco devices, primarily in the U.S., South America, and India.
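As an added example (not code from the article, Recorded Future, or Cisco), the following Python audits an IOS XE running-config for the two conditions the paragraph ties to this campaign: the HTTP web UI left enabled, which is the attack surface for CVE-2023-20198, and GRE tunnel interfaces whose destination is not a peer the operator recognises. The config text and the peer allowlist are constructed.

```python
# Added example (not from the article, Recorded Future or Cisco): audit an
# IOS XE running-config for an exposed web UI (the entry point for
# CVE-2023-20198/-20273) and GRE tunnels to unrecognised peers.
# The config text and the peer allowlist below are constructed.
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-1
ip http server
ip http secure-server
!
interface Tunnel0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel7
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre ip
 tunnel destination 198.51.100.77
!
"""
KNOWN_TUNNEL_PEERS = {"203.0.113.10"}  # constructed: peers the operator expects

def parse_tunnels(config: str) -> dict[str, str]:
    """Map each Tunnel interface to its destination (GRE/IP is the IOS XE default mode)."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (Tunnel\d+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+tunnel destination (\S+)", line)):
            tunnels[current] = m.group(1)
        elif line.strip() == "!":  # end of the interface stanza
            current = None
    return tunnels

def audit(config: str, known_peers: set[str]) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    # Cisco's advisory recommends disabling the HTTP server feature on
    # internet-facing devices; flag it whenever either form is present.
    if re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append("web UI enabled: ip http server / ip http secure-server")
    for name, dest in parse_tunnels(config).items():
        if dest not in known_peers:
            findings.append(f"{name}: GRE tunnel to unlisted peer {dest}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print("FINDING:", finding)
```

On the constructed config this reports the enabled web UI and Tunnel7, whose peer 198.51.100.77 is absent from the allowlist; Tunnel0 is not flagged.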
This campaign is part of a larger espionage effort confirmed by the FBI and CISA in October 2023. Salt Typhoon has previously breached major U.S. telecom carriers—including AT&T, Verizon, Charter, and Windstream—accessing private communications of U.S. government officials and infiltrating law enforcement wiretapping platforms. The group, which has been active since at least 2019, is also tracked under aliases like FamousSparrow, Ghost Emperor, Earth Estries, and UNC2286.
Chinese Hackers Salt Typhoon Breach U.S. Telecoms via Cisco Vulnerabilities
Bijay Pokharel