CISA detected Salt Typhoon activity on federal networks prior to telecom intrusions
In a recent report, the Cybersecurity and Infrastructure Security Agency (CISA) and other cybersecurity authorities have highlighted the ongoing and significant threat posed by the China-sponsored cyber espionage group, Salt Typhoon. This adversary, known for its sophisticated tactics and focus on telecommunications infrastructure, remains active and persistent, as evidenced by its recent attacks on Canadian telecom providers.
### Recent Attacks on Canadian Telecoms
In mid-February 2025, Salt Typhoon exploited a critical Cisco IOS XE vulnerability (CVE-2023-20198, a web UI flaw that lets an unauthenticated attacker create a local account with privilege level 15) to compromise at least three network devices belonging to a Canadian telecom provider. The attackers retrieved the devices' running configuration files and modified at least one to add a Generic Routing Encapsulation (GRE) tunnel, giving them a channel to siphon network traffic for espionage. Because both the rogue account and the tunnel live in the running configuration, a diff of the current config against a known-good baseline is one of the most direct ways to spot this kind of compromise.
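The following is an added example, not code from the original page or from CISA or the Canadian Centre for Cyber Security. It audits an IOS-style running configuration for the two artifacts the intrusion above leaves behind: a GRE tunnel to a peer that is not in the expected set, and a privilege-15 local user that is not in the expected set. It also flags an exposed web UI, since the HTTP server is the attack surface for CVE-2023-20198. The configuration text, interface names, usernames and addresses are all constructed for illustration; the function names `parse_config` and `audit_config` are this example's own.

```python
"""Flag persistence artifacts in a Cisco IOS XE style running-config.

Added example (hypothetical). Looks for:
  1. GRE tunnel interfaces whose destination is not an approved peer,
  2. local users with privilege 15 that are not on the approved list,
  3. the IOS XE web UI being enabled (ip http server / secure-server).
"""
import re
from dataclasses import dataclass

# Constructed sample config for illustration only; hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
!
interface Tunnel100
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
end
"""


@dataclass
class Finding:
    kind: str
    detail: str


def parse_config(text):
    """Return (users, tunnels, http_enabled) parsed from IOS-style config text.

    users:   {username: privilege_level}  (IOS default is 1 when omitted)
    tunnels: {interface_name: {"source": ..., "destination": ..., "mode": ...}}
    """
    users, tunnels, http_enabled = {}, {}, False
    current = None  # name of the Tunnel interface whose block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None  # any top-level line ends the previous interface block
            m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
            if m:
                users[m.group(1)] = int(m.group(2) or 1)
                continue
            if line in ("ip http server", "ip http secure-server"):
                http_enabled = True
                continue
            m = re.match(r"interface (Tunnel\d+)", line)
            if m:
                current = m.group(1)
                tunnels[current] = {}
            continue
        if current:
            m = re.match(r"\s+tunnel (source|destination|mode) (.+)", line)
            if m:
                tunnels[current][m.group(1)] = m.group(2)
    return users, tunnels, http_enabled


def audit_config(text, expected_users, expected_tunnel_peers):
    """Compare a running-config against an approved baseline and return findings."""
    users, tunnels, http_enabled = parse_config(text)
    findings = []
    for name, priv in users.items():
        if priv >= 15 and name not in expected_users:
            findings.append(Finding("unexpected-priv15-user", name))
    for ifname, attrs in tunnels.items():
        # GRE over IP is the IOS default when no "tunnel mode" line is present.
        mode = attrs.get("mode", "gre ip")
        if mode.startswith("gre"):
            dest = attrs.get("destination", "<none>")
            if dest not in expected_tunnel_peers:
                findings.append(Finding("unexpected-gre-tunnel", f"{ifname} -> {dest}"))
    if http_enabled:
        findings.append(Finding("webui-exposed", "ip http server / secure-server enabled"))
    return findings


if __name__ == "__main__":
    # Baseline: netops is the only approved admin; no GRE peers are approved.
    for f in audit_config(SAMPLE_CONFIG, {"netops"}, set()):
        print(f"[{f.kind}] {f.detail}")
```

Run against a config pulled with `show running-config`, the script reports the unexpected `svc_backup` admin, the GRE tunnel to 198.51.100.77, and the enabled web UI. The baseline sets are the important part: a GRE tunnel or a level-15 user is only suspicious relative to what the operator intended, so feed the function the approved peers and accounts from change management rather than hard-coding them.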
### Broader Targeting Beyond Telecom
Investigations by the Canadian Centre for Cyber Security suggest that Salt Typhoon's campaigns are not limited to telecommunications. The group collects information from compromised networks and uses them as springboards to target additional victims across multiple sectors.
### Global Reach and Persistent Access
Recorded Future reports that Salt Typhoon has exploited similar vulnerabilities against telecom and internet firms in the U.S., South Africa, and Italy, indicating a global and persistent presence. The attackers tend to maintain long-term access by setting up GRE tunnels and leveraging network infrastructure vulnerabilities.
### Strategic Profile and Threat Level
Salt Typhoon is primarily focused on cyber espionage, using advanced techniques and patience to evade detection while collecting sensitive information. CISA emphasizes that Salt Typhoon exemplifies a well-resourced, highly organized, and stealthy advanced persistent threat: the group is patient and methodical, works to keep its tradecraft from being exposed, and maintains a foothold on victim networks for extended periods.
According to a 2025 advisory from CISA, Salt Typhoon represents one of the most serious and significant cyber threats to U.S. critical infrastructure, especially broadband and internet service providers, due to their capabilities and focus on network infrastructure.
### Implications and Recommendations
Organizations, particularly telecommunications and internet providers, are advised to implement security measures well beyond basic controls to protect against Salt Typhoon's targeted and persistent intrusions. Promptly applying patches for network device vulnerabilities such as CVE-2023-20198 is critical, since Salt Typhoon uses them to gain administrative access and then establish persistent data exfiltration tunnels. For that particular flaw, Cisco's guidance is also to disable the HTTP server feature (`no ip http server` and `no ip http secure-server`) or restrict it to trusted management addresses, and to review running configurations for unexpected local accounts and tunnel interfaces.
As the threat from Salt Typhoon persists, CISA's ongoing threat hunting, intelligence gathering, and collaboration with federal partners, the FBI, the intelligence community, and the private sector remain crucial to detecting, responding to, and mitigating these intrusions. CISA describes the progress made in securing the federal civilian executive branch as transformational, crediting it with enabling the detection of and response to numerous China government-sponsored intrusions into critical infrastructure across multiple sectors.
- Salt Typhoon's activity extends beyond telecoms: investigations by the Canadian Centre for Cyber Security show that the group collects information from compromised networks and uses them as stepping stones to target victims across multiple sectors.
- Its tradecraft relies on exploiting critical vulnerabilities in network devices, such as the Cisco IOS XE flaw CVE-2023-20198, to gain administrative access and establish persistent data exfiltration tunnels.
- Privacy is a significant concern, since the group's espionage focus means it gathers sensitive information that threatens both individual and national security, making robust defensive measures imperative for affected organizations.