China's Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

WIRED

13-02-2025

Feb 13, 2025 12:00 AM Despite high-profile attention and even US sanctions, the group hasn't stopped or even slowed its operation, including the breach of two more US telecoms. A server room at the Cisco Systems Poland headquarters in Krakow, Poland. Photograph:When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans' texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers' high-profile exposure, they've continued their spree of breaking into telecom networks worldwide, including more in the US.
Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they've seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company's analysts, though they declined to name those victims to WIRED.
'They're super active, and they continue to be super active,' says Levi Gundert, who leads Recorded Future's research team known as Insikt Group. 'I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.'
To carry out this latest campaign of intrusions, Salt Typhoon—which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft—has targeted the internet-exposed web interfaces of Cisco's IOS software, which runs on the networking giant's routers and switches. The hackers exploited two different vulnerabilities in those devices' code, one of which grants initial access, and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim's network.
'Any time you're embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you're able to access and observe and exfiltrate,' Gundert says.
Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via generic routing encapsulation, or GRE tunnels—a protocol used to set up private communications channels—then used those connections to maintain their access and steal data.
When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published about vulnerabilities in the web interface of its IOS software in 2023. 'We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release,' a spokesperson wrote in a statement.
Hacking network appliances as entry points to target victims—often by exploiting known vulnerabilities that device owners have failed to patch—has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. That's in part because those network devices lack many of the security controls and monitoring software that's been extended to more traditional computing devices like servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted those vulnerable network appliances as a primary intrusion technique for at least five years.
That Salt Typhoon continues to carry out business as usual is nonetheless notable, Recorded Future's analysts say. The group's activities have been exposed in the media, in government reports and announcements issued by the FCC, CISA, and the White House, even in sanctions issued by the US Treasury. But that hasn't caused the hackers to change course. On January 17, Treasury sanctioned Sichuan Juxinhe Network Technology, a cybersecurity firm allegedly linked to Salt Typhoon's operations. And yet, Gundert says, Recorded Future hasn't seen any cessation or slowdown of the hackers' activities even since that date.
'That's the disappointing part about this,' says Gundert. 'Even with all the attention, we haven't observed any real change in the volume or velocity of attacks, even in the same target demographic of telecommunications.'
After Salt Typhoon's hacking campaign targeting US telecom networks came to light last fall, then FBI director Christopher Wray described the phone company breaches as China's 'most significant cyber-espionage campaign in history.' The intrusions, which in some cases exploited the wiretap mechanisms built into telecoms for law enforcement use, prompted CISA and FBI officials to go so far as to recommend that Americans use end-to-end encrypted communication apps like Signal and WhatsApp to avoid leaving their texts and calls vulnerable to China's real-time spying.
In this latest rash of intrusions, Recorded Future says it's seen the Chinese hackers break into not only the US internet service provider and telecommunications firm and a US affiliate of a UK telecom, but also telecoms in South Africa and Thailand and an internet service provider in Italy, though it declined to name any of those victims. It's also seen the group target a broader range of universities around the world for apparent espionage, including in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US—including the University of California, California State, Utah Tech, and Loyola University.
Recorded Future says it was able to gain visibility into those intrusions by identifying command-and-control infrastructure used by Salt Typhoon, though it didn't further explain its methodology. The company's analysts note that there may well be other parts of the group's hacking campaign—and other victims—that it hasn't discovered.
'They've only gotten more bold,' says Jon Condra, another Recorded Future analyst. 'I strongly suspect it's much larger than what we've seen.'