Salt Typhoon Targets Telecoms via Router Flaws, Warn FBI and Canada

Salt Typhoon, a China-linked group, is exploiting router flaws to spy on global telecoms, warns a joint FBI and Canadian advisory issued in June 2025.

HackRead

A newly released advisory from the FBI and Canada’s Cyber Centre warns of an ongoing cyber espionage campaign by a China-linked group that is targeting telecom networks worldwide. The report, issued June 20, 2025, points to “Salt Typhoon,” a notorious Chinese APT group using known vulnerabilities in routers and other edge network devices to steal sensitive data.

The activity, tracked since at least February, involves exploiting devices at the network perimeter to gain hidden access, siphon off communications data, and maintain long-term control. In one documented incident, three network devices at a Canadian telecom were compromised, allowing attackers to intercept call records and user locations.

**How the Attack Works**

The group is using vulnerabilities like CVE-2023-20198 to extract configuration files from targeted devices. This Cisco Web UI flaw was first identified in October 2023 and was widely exploited, affecting over 40,000 devices.

According to the FBI’s advisory (PDF), while the campaign centers on telecommunications providers, the tactics used could apply to a broader range of targets. Edge devices such as routers, firewalls, and VPN appliances are especially exposed, particularly if they run outdated firmware or weak configurations.

Once inside, the attackers configure GRE (Generic Routing Encapsulation) tunnels on the compromised devices, allowing them to silently route network traffic through systems under their control. This technique lets them observe or manipulate communications while evading traditional security monitoring.
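Both indicators described above are visible in a device's running configuration: the Web UI that CVE-2023-20198 targets is enabled by the `ip http server` / `ip http secure-server` commands, and a GRE tunnel shows up as an `interface TunnelN` block (on IOS XE a tunnel interface defaults to GRE over IP when no `tunnel mode` is set). The following audit script is an added example written for this article; it is not code from HackRead, the FBI, or Cisco. The running-config text and the allowlist of expected tunnel peers are constructed sample data, and the assumption is that a defender maintains such an inventory of legitimate tunnel endpoints to compare against.

```python
"""Audit a Cisco IOS XE running-config for Web UI exposure and unexpected GRE tunnels.

Constructed example: the config below is sample data, not a real device's output.
"""
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample running-config. Tunnel100 has no 'tunnel mode' line, so it is
# GRE over IP by default; Tunnel5 is an expected, documented site-to-site link.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
interface Tunnel5
 description Known site-to-site link
 ip address 10.10.5.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.44
 tunnel mode gre ip
!
"""

# Assumed inventory of legitimate tunnel endpoints (constructed for this example).
KNOWN_TUNNEL_PEERS: Set[str] = {"192.0.2.44"}

WEB_UI_COMMANDS = ("ip http server", "ip http secure-server")


def _blocks(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level command, indented child lines) for each config block."""
    header, children = None, []  # type: ignore[var-annotated]
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS block separators
        if raw.startswith(" "):
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def parse_tunnels(config: str) -> Dict[str, Dict[str, str]]:
    """Return destination, mode and description for every Tunnel interface."""
    tunnels: Dict[str, Dict[str, str]] = {}
    for header, children in _blocks(config):
        match = re.match(r"interface (Tunnel\d+)$", header)
        if not match:
            continue
        info = {"destination": "", "mode": "gre ip (default)", "description": ""}
        for line in children:
            if line.startswith("tunnel destination "):
                info["destination"] = line.split()[-1]
            elif line.startswith("tunnel mode "):
                info["mode"] = line[len("tunnel mode "):]
            elif line.startswith("description "):
                info["description"] = line[len("description "):]
        tunnels[match.group(1)] = info
    return tunnels


def web_ui_enabled(config: str) -> List[str]:
    """Return the HTTP server commands present, i.e. whether the Web UI is reachable."""
    return [header for header, _ in _blocks(config) if header in WEB_UI_COMMANDS]


def audit_config(config: str, known_peers: Set[str]) -> List[str]:
    """Produce one finding per exposed Web UI command and per GRE tunnel to an unlisted peer."""
    findings: List[str] = []
    for cmd in web_ui_enabled(config):
        findings.append(f"web UI enabled: '{cmd}' (disable unless required, restrict to management network)")
    for name, info in parse_tunnels(config).items():
        if not info["mode"].startswith("gre"):
            continue  # only GRE tunnels are in scope here
        if info["destination"] not in known_peers:
            dest = info["destination"] or "<none>"
            findings.append(f"{name}: GRE tunnel to unlisted peer {dest} [{info['mode']}]")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print(finding)
```

Run against the sample, the script reports both Web UI commands and Tunnel100, whose destination is not in the allowlist, while the documented Tunnel5 is silent. In practice the config would come from a `show running-config` capture gathered out of band, and the peer allowlist from the network's change records, so that a tunnel nobody can account for stands out.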

**Long-Term Espionage, Not Quick Hits**

Unlike smash-and-grab cyberattacks that aim for fast data theft, Salt Typhoon appears focused on quiet, long-term surveillance. This approach aligns with other known state-linked campaigns that prioritize strategic intelligence gathering over monetary gain.

The attackers are not using zero-day exploits. Instead, they rely on publicly known vulnerabilities, which are often left unpatched for long periods. This allows them to build access over time without raising alarms.

**What’s at Risk**

The FBI and Cyber Centre warn that telecom networks, by their nature, carry sensitive personal and commercial data. By compromising devices that handle this traffic, attackers can gain insight into user behaviour, physical locations, and private conversations.

The advisory suggests that these campaigns are likely to continue and may expand further over the next two years.

The joint alert did not name affected companies beyond the single Canadian incident but noted that similar activity has been observed globally. Organizations are therefore urged to secure edge devices, audit network activity for signs of compromise, and apply available patches without delay.

Related news

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

Backdoor Implant on Hacked Cisco Devices Modified to Evade Detection

The backdoor implanted on Cisco devices by exploiting a pair of zero-day flaws in IOS XE software has been modified by the threat actor so as to escape visibility via previous fingerprinting methods. "Investigated network traffic to a compromised device has shown that the threat actor has upgraded the implant to do an extra header check," NCC Group's Fox-IT team said. "Thus, for a lot of devices

Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices

A seemingly sharp drop in the number of compromised Cisco IOS XE devices visible on the Internet led to a flurry of speculation over the weekend — but it turns out the malicious implants were just hiding.

Cisco Finds New Zero Day Bug, Pledges Patches in Days

A patch for the max severity zero-day bug tracked as CVE-2023-20198 is coming soon, but the bug has already led to the compromise of tens of thousands of Cisco devices. And now, there's a new unpatched threat.

More helpful resources for users of all skill levels to help you Take a Security Action

Taking a “Security Action” of any kind — whether it be simply enabling multi-factor authentication for your online banking login or marking that weird email as spam — can go a long way toward making you, and any organizations you’re a part of, more security resilient.

New Cisco Web UI Vulnerability Exploited by Attackers

By Waqas. Another day, another critical vulnerability hits Cisco!

Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

No patch or workaround is currently available for the maximum severity flaw, which allows attackers to gain complete administrator privilege on affected devices remotely and without authentication.

Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability

Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks.
