China’s Salt Typhoon spy crew exploited vulnerabilities in Cisco devices to compromise at least seven more devices linked to global telecom providers and other orgs, adding to its previously known victims.
The intrusions happened between December 2024 and January 2025 with the Chinese government snoops attempting to exploit more than 1,000 Cisco-made boxes before successfully breaking into at least seven, according to Recorded Future’s Insikt Group.
Salt Typhoon previously compromised at least nine US telecommunications companies and government networks.
In its latest espionage campaign, the crew infiltrated Cisco-supplied gear associated with a US internet service and telecommunications provider, a US affiliate of a “significant” UK-based telecom provider, an Italian ISP, and two other telecommunications firms, one in South Africa and a “large” one in Thailand, Insikt’s report [PDF] states.
“The group likely compiled a list of target devices based on their association with telecommunications providers’ networks,” according to the write-up.
Additionally, the snoops “possibly targeted” more than a dozen universities including University of California, Los Angeles to access research related to telecommunications, engineering, and technology, according to the infosec house, which tracks Salt Typhoon as RedMike.
Plus, in mid-December, Salt Typhoon also conducted a reconnaissance operation involving “multiple” IP addresses owned by Mytel, a Myanmar-based telecom firm.
To compromise the targeted Cisco devices, Beijing’s spies chained two privilege escalation vulnerabilities in Cisco’s tech: CVE-2023-20198 and CVE-2023-20273. The networking giant issued patches for both in October 2023, and at the time warned the bugs had already been exploited as zero-days.
CVE-2023-20198 is a privilege escalation vulnerability in the web user interface of Cisco IOS XE software. The snoops exploited this one for initial access, using it to create a local user account with privilege level 15, the highest IOS XE privilege level, complete with a password of their choosing.
Then, they used the new local account to exploit another privilege escalation flaw, CVE-2023-20273, to gain root privileges on the device. This allowed Salt Typhoon to add a generic routing encapsulation (GRE) tunnel for persistent access to the victim’s network.
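The chain above leaves three things in the device’s running configuration that a defender can hunt for: a web UI that is reachable at all (Cisco’s mitigation for CVE-2023-20198 was to disable the HTTP server feature or restrict it to trusted hosts), a privilege-15 local user nobody provisioned, and a GRE tunnel interface pointing at a peer nobody recognises. The following Python script is an added example written for this page, not code from Recorded Future or Cisco. It parses a constructed, illustrative `show running-config` excerpt (hostnames, usernames and addresses are made up) and compares what it finds against allowlists of known admin accounts and tunnel peers, which are assumptions you would replace with your own inventory.

```python
import re

# Constructed sample of IOS XE "show running-config" output. Every name and
# address here is invented for the example; the hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netadmin privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
username noc-readonly privilege 1 secret 9 $9$PLACEHOLDER
!
interface Tunnel100
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface Tunnel1
 description corp-dmvpn
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.10
 tunnel mode gre multipoint
!
end
"""

# Assumed allowlists: accounts and tunnel peers your change records say should exist.
KNOWN_PRIV15_USERS = {"netadmin"}
KNOWN_TUNNEL_PEERS = {"203.0.113.10"}

USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def privilege15_users(config):
    """Return local usernames configured with privilege level 15."""
    users = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if m and m.group(2) == "15":
            users.append(m.group(1))
    return users


def http_server_enabled(config):
    """Report whether the web UI is enabled over HTTP and/or HTTPS.

    A 'no ip http server' line does not match because the check is on the
    exact enabling command, so only active exposure is reported."""
    lines = {line.strip() for line in config.splitlines()}
    return {
        "ip http server": "ip http server" in lines,
        "ip http secure-server": "ip http secure-server" in lines,
    }


def gre_tunnels(config):
    """Return Tunnel interfaces that carry GRE, with their destination and mode.

    'tunnel mode gre ip' is the IOS XE default and is often omitted from the
    running-config, so a Tunnel interface with no explicit mode is treated as GRE."""
    tunnels = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1]
            current = {"name": name, "destination": None, "mode": None} if name.startswith("Tunnel") else None
            if current is not None:
                tunnels.append(current)
            continue
        if current is None:
            continue
        if not raw.startswith(" "):
            current = None  # '!' or any other top-level line ends the interface block
            continue
        line = raw.strip()
        if line.startswith("tunnel destination "):
            current["destination"] = line.split()[2]
        elif line.startswith("tunnel mode "):
            current["mode"] = line[len("tunnel mode "):]
    return [t for t in tunnels if t["mode"] is None or t["mode"].startswith("gre")]


def audit(config, known_users=KNOWN_PRIV15_USERS, known_peers=KNOWN_TUNNEL_PEERS):
    """Produce (kind, detail) findings for exposure and persistence artefacts."""
    findings = []
    for cmd, enabled in http_server_enabled(config).items():
        if enabled:
            findings.append(("webui_exposed", cmd))
    for user in privilege15_users(config):
        if user not in known_users:
            findings.append(("unknown_priv15_user", user))
    for t in gre_tunnels(config):
        if t["destination"] not in known_peers:
            findings.append(("unknown_gre_tunnel", f"{t['name']} -> {t['destination']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CONFIG):
        print(f"{kind}: {detail}")
```

Run against a fleet, this would flag `svc_backup` and `Tunnel100` on the sample device as unexplained, and the two `ip http` lines as exposure to clean up with `no ip http server` and `no ip http secure-server` (or an access class limiting the web UI to management hosts) once the device is on a fixed release. The allowlists are the weak point of any such check: a privilege-15 account that was planted long ago and copied into the baseline will pass, so seed them from change records rather than from a snapshot of the device itself.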
More than half of the targeted devices, in terms of attempts, were in the US, South America, and India, with the rest spanning over 100 countries. Most of these were linked to telecom providers, while 12 universities were possibly targeted to access research related to technology. Basically, China wanted to pwn the world’s telecommunications networks.
These colleges included, in the US: University of California, Los Angeles (UCLA); California State University, Office of the Chancellor; Loyola Marymount University; and Utah Tech University. Others were in Argentina (Universidad de La Punta) and Bangladesh (Islamic University of Technology, IUT). Two were in Indonesia: Universitas Sebelas Maret and Universitas Negeri Malang.
Other attempted targets were in, at least, Malaysia (University of Malaya), Mexico (Universidad Nacional Autonoma), the Netherlands (Technische Universiteit Delft), Thailand (Sripatum University), and Vietnam (University of Medicine and Pharmacy at Ho Chi Minh City).
After it emerged last year that Salt Typhoon had struck Verizon, AT&T, Lumen Technologies, and others, and thus China was in a position to monitor millions of people’s calls, texts, locations, and internet activities, Uncle Sam urged IT departments to tighten up their network security and netizens to start using strong end-to-end encryption for their online chatter.
In January, the US issued sanctions on a Salt Typhoon-affiliated cybersecurity company, Sichuan Juxinhe Network Technology, which is based in Sichuan, China.
But while the sanctions “signal a more assertive and commendable stance against state-backed cyber espionage in critical infrastructure,” according to the threat hunters, “robust international cooperation is crucial for effectively countering these persistent threats.” ®