Full Report
The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory warning of cyber attacks mounted by the China-linked Salt Typhoon actors to breach major global telecommunications providers as part of a cyber espionage campaign. The attackers exploited a critical vulnerability in Cisco IOS XE software (CVE-2023-20198, CVSS score: 10.0) to access configuration
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
* **Attribution:** China-linked threat actor.
* **Known Aliases and Groups:** Salt Typhoon (identified by security agencies).
## Activity Summary
* Salt Typhoon is engaged in a global **cyber espionage campaign** specifically targeting major global telecommunications providers.
* In mid-February 2025, the actor successfully breached a Canadian telecommunications company by exploiting a critical Cisco vulnerability.
* The activities range from pure network reconnaissance to establishing persistence for potential data exfiltration.
* A prior report noted similar activities targeting telecom and internet firms in the U.S., South Africa, and Italy.
## Tactics, Techniques & Procedures
* **Exploitation of Public-Facing Infrastructure:** Targeting edge network devices, explicitly Cisco routers/switches.
* **Vulnerability Exploitation:** Exploited **CVE-2023-20198** (Cisco IOS XE software, CVSS 10.0) to gain initial access.
* **Configuration Manipulation:** Modified configuration files on compromised devices.
* **Establishment of Persistence/C2:** Configured a **Generic Routing Encapsulation (GRE) tunnel** to enable collection of data traffic from the breached network, suggesting a method for long-term access and exfiltration.
* **Reconnaissance:** In some cases, activities were assessed to be limited to network reconnaissance.
## Targeting
* **Sectors:** Telecommunications providers, internet firms.
* **Geography:** Global; specific recent targeting mentioned includes **Canada**, and historically includes the **U.S., South Africa, and Italy**.
* **Victims:** A Canadian telecommunications company (unnamed).
## Tools & Infrastructure
* **Malware Families Used:** Not explicitly named in this context. The malware families SHOE RACK and UMBRELLA STAND, which target Fortinet devices, are mentioned in a related context, suggesting a broad actor ecosystem. *(Note: in this snippet SHOE RACK and UMBRELLA STAND appear to be attributed by the UK NCSC to Chinese actors generally, not definitively to Salt Typhoon; they are included here as associated threat context.)*
* **Infrastructure:** Utilized compromised network devices to establish **GRE tunnels** for communication and data staging/exfiltration.
## Implications
* Salt Typhoon focuses on sectors critical for national infrastructure and global communication (telecoms).
* The use of GRE tunnels signifies an intent for sustained access and potential high-value data theft (cyber espionage).
* Compromising devices in one network (e.g., Canadian telecom) may be used as pivot points or leverage to breach *additional* downstream devices or entities connected to that provider.
## Mitigations
* Prioritize patching critical edge network devices, specifically Cisco IOS XE software (addressing CVE-2023-20198 and CVE-2023-20273 if applicable).
* Monitor network configurations for unauthorized changes, particularly the installation of new **GRE tunnels** or unauthorized routing protocols.
* Harden edge network devices used by service providers against exploits targeting administrative interfaces.
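One way to implement the configuration-monitoring mitigation above, as an added example that is not part of the advisory: a Python check that parses a Cisco IOS XE running-config stanza by stanza and flags Tunnel interfaces carrying GRE whose name and destination are not in an operator-approved baseline. The sample config excerpt and baseline are constructed for illustration.

```python
"""Flag GRE tunnel interfaces in a Cisco IOS XE running-config that are
absent from an approved baseline. Added example; all input is constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample running-config excerpt, not from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel10
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
 tunnel mode gre ip
!
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
"""

# Constructed baseline: tunnel name -> destination the operator has approved.
APPROVED_TUNNELS = {"Tunnel10": "198.51.100.10"}


def parse_tunnels(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Collect each Tunnel interface's 'tunnel destination' and 'tunnel mode'."""
    tunnels: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[Dict[str, Optional[str]]] = None
    for line in config.splitlines():
        if (m := re.match(r"^interface (Tunnel\d+)$", line)):
            current = tunnels.setdefault(m.group(1), {"destination": None, "mode": None})
        elif not line.startswith(" "):  # a non-indented line ('!', next interface) ends the stanza
            current = None
        elif current is not None:
            if (m := re.match(r"^ tunnel destination (\S+)", line)):
                current["destination"] = m.group(1)
            elif (m := re.match(r"^ tunnel mode (.+)$", line)):
                current["mode"] = m.group(1).strip()
    return tunnels


def unauthorized_gre_tunnels(config: str, approved: Dict[str, str]) -> List[str]:
    """Return tunnels carrying GRE (explicit 'gre' mode, or no mode line, since
    GRE/IP is the IOS XE default) whose name/destination pair is not approved."""
    findings = []
    for name, t in sorted(parse_tunnels(config).items()):
        is_gre = t["mode"] is None or t["mode"].startswith("gre")
        if is_gre and approved.get(name) != t["destination"]:
            findings.append(name)
    return findings
```

Run the check against a fresh `show running-config` capture on a schedule and alert on any non-empty result; a tunnel that appears with no `tunnel mode` line still counts as GRE because that is the platform default.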