Salt Typhoon's hacking spree has continued this year as the China-backed threat group recently compromised five more telecom providers across the globe, including two U.S.-based companies.
According to research from Recorded Future's Insikt Group published Thursday, Salt Typhoon (which Recorded Future calls "RedMike") conducted a campaign between December 2024 and January 2025 that targeted unpatched Cisco edge devices. Insikt Group researchers observed the threat group attempting to compromise more than 1,000 such devices across the globe in the two-month span.
Specifically, Salt Typhoon gained initial access by exploiting CVE-2023-20198, a privilege escalation vulnerability in the web user interface of Cisco IOS XE software, and then chained it with CVE-2023-20273, a related flaw in the same web UI that allows command injection, to gain root access on the device. Both vulnerabilities were disclosed in October 2023 as zero-day flaws that were under widespread exploitation at the time and had already been used to compromise thousands of devices.
Insikt Group researchers found compromised Cisco devices at five organizations, including a U.S. telecom and internet service provider and a U.S.-based affiliate of a British telecom provider. Researchers also observed Salt Typhoon targeting Cisco devices at universities across the globe, including UCLA, Loyola Marymount University, Utah Tech University and California State University.
"RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft," the report said.
Insikt Group found that more than half of the targeted Cisco devices were located in the U.S., South America and India, and also identified more than 12,000 Cisco devices that had web user interfaces exposed to the internet. The researchers warned that state-sponsored Chinese threat groups have "shifted heavily" toward exploiting vulnerable, public-facing network devices over the last five years.
Jon Condra, senior director of strategic intelligence at Recorded Future, told Cybersecurity Dive that the five telecommunications providers described in the report are the only cases where researchers were able to confirm successful exploitation of the Cisco flaws. However, Recorded Future could not rule out that additional devices and organizations had been compromised, he noted.
Additionally, Condra said Insikt Group researchers were not surprised that some organizations still hadn’t mitigated the Cisco zero-day vulnerabilities more than a year after they were first disclosed. “Patch management and deployment, especially in large enterprises with tens of thousands of workstations and supporting network devices, is a challenging problem,” he said via email. “Effective and safe patch deployment involves testing and validation, planning downtime (which can be very expensive and disruptive for employees and customers alike), and adjusting workflows or automations that the patch may unexpectedly break.”
Cisco, meanwhile, issued a statement to Cybersecurity Dive that included a link to the company’s 2023 security advisory for the two zero-day vulnerabilities.
“We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data,” the spokesperson said. “In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."
Patch Now
Recorded Future recommended that organizations prioritize patching vulnerabilities in such devices and monitor them for configuration changes. Additionally, researchers urged users not to expose the administration interfaces and nonessential services of public-facing devices to the internet.
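As a concrete illustration of those two recommendations (keep the management interface off the internet, and watch for configuration changes), here is an added example, not code from Recorded Future, Cisco or this article: a small Python audit of `show running-config` text that flags an exposed IOS XE web UI, lists privilege-15 local accounts, and diffs two snapshots of the same device. The configuration excerpts, hostname, ACL name, usernames and hash strings are constructed for the example and do not come from any real device; the IOS XE commands `ip http server`, `ip http secure-server` and `ip http access-class` are real, but the exact argument form of `ip http access-class` varies by release and the `ipv4 <name>` form is assumed here.

```python
"""Audit Cisco IOS XE 'show running-config' text for an exposed web UI and
for changes to privileged local accounts. Added example only: not code from
Recorded Future, Cisco, or the article. All configs below are constructed."""
import difflib
import re

# Constructed excerpt of a weakly configured edge router: HTTP and HTTPS web UI
# both on, no access-class ACL, so the UI answers on every interface.
WEAK_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholderhash
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
!
end
"""

# Same device hardened: plaintext HTTP off, HTTPS restricted to a management
# subnet via 'ip http access-class' (argument syntax varies by IOS XE release;
# the 'ipv4 <name>' form is assumed here).
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholderhash
!
ip access-list standard MGMT-ONLY
 permit 10.0.100.0 0.0.0.255
 deny   any
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed later snapshot of the weak device: an extra privilege-15 user has
# appeared between backups, the kind of change the report says to watch for.
LATER_SNAPSHOT = WEAK_CONFIG.replace(
    "username netops privilege 15 secret 9 $9$placeholderhash",
    "username netops privilege 15 secret 9 $9$placeholderhash\n"
    "username svc_backup privilege 15 secret 9 $9$otherplaceholder",
)

PRIV15_RE = re.compile(r"^username (\S+) privilege 15\b")


def _lines(config):
    return [ln.rstrip() for ln in config.splitlines()]


def web_ui_exposure(config):
    """Return (http_on, https_on, access_class_set).

    A bare 'ip http server' / 'ip http secure-server' line means that listener
    is enabled; the 'no ...' form is how IOS XE renders the disabled state.
    """
    ls = _lines(config)
    http_on = "ip http server" in ls
    https_on = "ip http secure-server" in ls
    acl_set = any(l.startswith("ip http access-class ") for l in ls)
    return http_on, https_on, acl_set


def privileged_users(config):
    """Local usernames configured with privilege 15 (full administrative access)."""
    users = []
    for line in _lines(config):
        m = PRIV15_RE.match(line)
        if m:
            users.append(m.group(1))
    return sorted(users)


def findings(config):
    """Human-readable findings for the exposure checks; empty list means clean."""
    http_on, https_on, acl_set = web_ui_exposure(config)
    out = []
    if http_on:
        out.append("plaintext web UI enabled ('ip http server'); disable it or use HTTPS only")
    if (http_on or https_on) and not acl_set:
        out.append("web UI reachable from any source: no 'ip http access-class' ACL")
    return out


def config_changes(before, after):
    """Lines added (+) or removed (-) between two config snapshots."""
    diff = difflib.unified_diff(_lines(before), _lines(after), lineterm="", n=0)
    return [
        l for l in diff
        if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))
    ]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {findings(cfg) or ['no findings']}")
    print("privilege-15 users now:", privileged_users(LATER_SNAPSHOT))
    print("changes since last backup:", config_changes(WEAK_CONFIG, LATER_SNAPSHOT))
```

Run against real backups, the useful output is the diff: a new `username ... privilege 15` line, a re-enabled `ip http server`, or a removed `ip http access-class` between two scheduled backups is exactly the kind of change worth an alert, and the check costs nothing beyond the config backups most operators already collect.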
This latest campaign follows Salt Typhoon's high-profile breaches of several major U.S. telecom companies last year, including AT&T, Verizon, T-Mobile and Lumen Technologies. Threat actors obtained the private communications of targeted political figures and government officials and accessed data related to law enforcement requests. The attacks caused alarm within both the U.S. government and the technology sector as the telecom providers scrambled to investigate the breaches and ensure that Salt Typhoon actors were completely removed from their networks.
"Despite significant media coverage and US sanctions, Insikt Group expects RedMike to continue targeting telecommunications providers in the US and globally due to the amount and high value of communications data that traverses these networks," the report said. "This is highlighted by RedMike’s previous targeting of US lawful intercept operations and the communications of significant US political figures via these intrusions."
Editor’s Note: This story has been updated with comments from Recorded Future and Cisco.