New research shows that the Chinese state-sponsored hacking group known as Salt Typhoon has been actively exploiting known vulnerabilities in Cisco network devices, launching cyber intrusions across six continents.
Over the past two months, Recorded Future’s Insikt Group has tracked a series of attacks in which the group targeted more than 1,000 Cisco routers and switches across telecommunications providers, internet service providers (ISPs), and universities, exposing critical weaknesses in global communications infrastructure.
Salt Typhoon first gained notoriety last year when it infiltrated major U.S. telecom providers like T-Mobile, AT&T, and Verizon, intercepting sensitive communications, including U.S. law enforcement wiretaps and political campaign data. The group’s latest campaign exploits two previously disclosed Cisco vulnerabilities, CVE-2023-20198 and CVE-2023-20273, which allow attackers to gain unauthorized access to devices and execute malicious commands with administrative privileges.
These flaws were initially discovered in October 2023, yet Salt Typhoon was able to leverage them over a year later, suggesting widespread failure to patch these major vulnerabilities within critical infrastructure.
Among the recent victims are telecom and ISP companies in the U.S., UK, South Africa, Italy, and Thailand, along with universities in Argentina, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, and the U.S., likely targeting research in telecommunications, engineering, and technology.
Why It Matters: By leveraging known vulnerabilities, Salt Typhoon has demonstrated that even publicly disclosed security flaws can remain potent long after patches become available. The ability to infiltrate telecom networks and research institutions worldwide poses serious risks, from corporate espionage to the compromise of national security communications. Persistent access to these systems allows for surveillance of sensitive data, manipulation of network traffic, and potential cyber operations during geopolitical conflicts.
- Telecom Networks Targeted: Salt Typhoon focused its attacks on telecom providers, ISPs, and universities across six continents, with particularly high concentrations in the U.S., India, and South America. The campaign has impacted both major corporations and smaller regional providers, demonstrating a broad and adaptable attack strategy.
- Cisco Vulnerabilities Exploited: The group leveraged CVE-2023-20198 and CVE-2023-20273, two publicly disclosed flaws that allow unauthorized administrative access and remote command execution on Cisco network devices. Despite Cisco’s security advisories, many organizations failed to patch their systems, leaving critical infrastructure exposed.
- Coordinated Scanning Observed: Recorded Future tracked multiple reconnaissance efforts in December and January, with attackers scanning for vulnerable devices on six separate occasions. This suggests a systematic, persistent effort to locate unpatched systems and maximize the scope of their infiltration.
- Universities Targeted: In addition to telecom providers, Salt Typhoon compromised at least 13 universities, including those in the U.S., Argentina, Indonesia, and the Netherlands. The group likely sought access to research in telecommunications, engineering, and emerging technologies to further its cyber-espionage objectives.
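Since the campaign above relies on fixes that have been available for over a year, the practical defender question is simply "which of my IOS XE devices are still below the first fixed release?". The following triage script is an added example, not code from the article or from Recorded Future; the fixed-release table reflects Cisco's advisory for CVE-2023-20198 / CVE-2023-20273 as understood by the editor and should be re-checked against the current advisory, and the hostnames and `show version` banners in `SAMPLE_INVENTORY` are constructed.

```python
import re
from typing import Optional

# First fixed IOS XE releases for CVE-2023-20198 / CVE-2023-20273, keyed by
# release train (major, minor). Assumed from Cisco's advisory for these CVEs;
# verify against the current advisory before acting on the results.
FIRST_FIXED = {
    (16, 12): (16, 12, 10, "a"),
    (17, 3): (17, 3, 8, "a"),
    (17, 6): (17, 6, 6, "a"),
    (17, 9): (17, 9, 4, "a"),
}

# Version token in an IOS XE "show version" banner; IOS XE zero-pads the
# minor/patch fields (e.g. "Version 17.09.04a"), which int() normalises.
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_version(banner: str) -> Optional[tuple]:
    """Return (major, minor, patch, suffix) or None if the line is not IOS XE-style."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix)

def patch_status(version: tuple) -> str:
    """Compare a parsed version with the first fixed release of its train.

    Tuple ordering places 17.9.4 (suffix "") below 17.9.4a (suffix "a"),
    which is exactly the distinction the rebuild releases depend on.
    Trains absent from FIRST_FIXED are reported as unknown, not guessed.
    """
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "unknown-train"
    return "patched" if version >= fixed else "VULNERABLE"

def triage(inventory: dict) -> dict:
    """Map hostname -> status for a {hostname: show_version_banner} inventory."""
    return {host: ("unparsed" if (v := parse_version(banner)) is None else patch_status(v))
            for host, banner in inventory.items()}

# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = {
    "edge-rtr-01": "Cisco IOS XE Software, Version 17.09.03",
    "edge-rtr-02": "Cisco IOS XE Software, Version 17.09.04a",
    "core-sw-01": "Cisco IOS XE Software, Version 16.12.10a",
    "lab-sw-07": "Cisco IOS XE Software, Version 17.03.07",
    "dist-sw-03": "Cisco IOS XE Software, Version 17.12.01",
    "legacy-rtr": "Cisco IOS Software, Version 15.6(3)M",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Devices reported as `unknown-train` or `unparsed` still need a manual check; the script deliberately refuses to guess for trains it has no advisory data for.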
Salt Typhoon Exploits Cisco Devices in Telco Infrastructure – Dark Reading
Salt Typhoon Remains Active, Hits More Telecom Networks Via Cisco Routers – Cyberscoop