China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
Recorded Future's Insikt Group threat research division states that the Chinese hacking group (tracked Salt Typhoon and RedMike) has exploited the
CVE-2023-20198 privilege escalation and
CVE-2023-20273 Web UI command injection vulnerabilities.
These ongoing attacks have already resulted in network breaches at multiple telecommunications providers, including a U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. telecommunications provider, a South African telecom provider, an Italian ISP, and a large Thailand telecommunications provider.
The threat researchers said they've spotted compromised and reconfigured Cisco devices on their networks, communicating with Salt Typhoon-controlled servers via generic routing encapsulation (GRE) tunnels for persistent access.
Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco network devices, more than half from the U.S., South America, and India.
"Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet,"
Insikt Group said.
