Full Report
The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation issued a new warning about... The post Chinese state linked Salt Typhoon suspected in cyberattacks on Canadian telecom networks appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Attributed to Chinese state-sponsored operations (People's Republic of China - PRC).
## Activity Summary
Salt Typhoon is currently suspected in ongoing cyberattacks targeting Canadian telecommunications companies, as confirmed by a joint warning from the Canadian Centre for Cyber Security and the U.S. FBI. In mid-February 2025, at least three network devices belonging to one telecom provider were compromised. Investigations suggest the campaign targeting may be broader than just the telecommunications sector. The activity appears to be focused on espionage, including collecting information from internal victim networks or using compromised devices to pivot to further victims, though some activity was limited to network reconnaissance.
## Tactics, Techniques & Procedures
- Exploiting known vulnerabilities: Specifically leveraging **CVE-2023-20198** to gain access.
- Data exfiltration/reconnaissance: Used the exploitation to **extract running configuration files** from target devices.
- Establishing persistent access/tunneling: Altered configuration files to **establish a GRE tunnel** to siphon network traffic.
- Objective: Network reconnaissance and potential information gathering.
## Targeting
- Sectors: Telecommunications service providers and their clients. The warning suggests targeting extends beyond this sector (implied critical infrastructure, given the source publication context).
- Geography: Canada (confirmed ongoing targeting).
- Victims: At least one Canadian telecom provider (at least three network devices compromised).
## Tools & Infrastructure
- Malware families used: not detailed in the summary provided.
- Infrastructure (C2, domains, IPs): no indicators, defanged or otherwise, are provided in the summary.
## Implications
PRC cyber actors will "almost certainly continue to target Canadian organizations" as part of this ongoing espionage campaign. The compromise of telecom infrastructure poses a significant risk, allowing actors to conduct deeper network reconnaissance or potentially pivot to downstream clients.
## Mitigations
- Organizations operating in the targeted sectors (especially telecommunications) should be on high alert for activity associated with Salt Typhoon.
- Patch and mitigate CVE-2023-20198 immediately; that is the entry point the warning describes.
- Increase monitoring of network devices for unexpected GRE tunnel establishment and for unauthorized changes to configuration files.
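As an added illustration of the last mitigation (example code written for this summary, not part of the advisory or the original post): a small Python check that compares IOS-style running-config snapshots, the relevant format since CVE-2023-20198 affects the Cisco IOS XE web UI, and flags GRE tunnel interfaces that are new or changed relative to an approved baseline. The hostnames, interface names and addresses are constructed samples, and the baseline-versus-current approach is an assumption about how a team snapshots device configs.

```python
# Constructed IOS-style sample configs (not from the advisory): a baseline with one
# approved GRE tunnel, and a current config in which a second tunnel has appeared.
BASELINE_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
"""
CURRENT_CONFIG = BASELINE_CONFIG + """\
interface Tunnel999
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.44
!
"""

def parse_interfaces(config):
    """Map each 'interface <name>' stanza to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:  # '!' separators and other top-level commands end the stanza
            current = None
    return blocks

def gre_tunnels(config):
    """{name: (destination, sub-commands)} for every GRE Tunnel interface. IOS omits the
    default 'tunnel mode gre ip' from running-config, so no explicit mode means GRE."""
    found = {}
    for name, lines in parse_interfaces(config).items():
        modes = [l for l in lines if l.startswith("tunnel mode ")]
        if not name.startswith("Tunnel") or (modes and not modes[-1].startswith("tunnel mode gre")):
            continue  # not a tunnel interface, or explicitly non-GRE (e.g. ipsec ipv4)
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        found[name] = (dest, lines)
    return found

def unexpected_gre_tunnels(baseline, current):
    """GRE tunnels that are new, or whose sub-commands changed, relative to the baseline."""
    known = gre_tunnels(baseline)
    return {name: dest for name, (dest, lines) in gre_tunnels(current).items()
            if known.get(name, (None, None))[1] != lines}
```

Run it against periodic `show running-config` captures; any non-empty result is worth an alert, and a changed destination on an already-approved tunnel is flagged just like a brand-new one.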