Salt Typhoon Strikes Again: Chinese APT Exploits Cisco Flaws to Target Telcos and Universities

The Chinese advanced persistent threat (APT) group Salt Typhoon—also known as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286—has escalated its cyberespionage efforts, compromising over a thousand Cisco devices used by telecommunications providers, internet service providers (ISPs), and universities worldwide.

First gaining notoriety in 2023 for breaching major U.S. telecom companies like T-Mobile, AT&T, and Verizon, the group even managed to eavesdrop on law enforcement wiretaps and the Democratic and Republican presidential campaigns. Despite heightened awareness, Salt Typhoon remains highly active, executing multiple attacks between December and January, according to cybersecurity researchers at Recorded Future's Insikt Group.


How Salt Typhoon Exploited Cisco Vulnerabilities

Salt Typhoon leveraged previously disclosed vulnerabilities in Cisco’s IOS XE operating system, specifically:

  • CVE-2023-20198 (CVSS Score: 10/10) – Allowed attackers to create unauthorized admin accounts via the web UI.
  • CVE-2023-20273 (CVSS Score: 7.2/10) – Enabled remote command execution with root privileges on affected devices.

Cisco initially warned its customers in October 2023 to disconnect vulnerable devices from the internet and apply security patches. However, many organizations failed to take action, allowing Salt Typhoon to exploit these flaws and infiltrate global telecom networks.

Once inside, the attackers established persistence by configuring Generic Routing Encapsulation (GRE) tunnels, a legitimate networking feature. This method enabled data exfiltration while evading detection from security monitoring tools and firewalls.


Global Impact: Who Was Targeted?

Salt Typhoon’s latest cyber campaign has impacted major organizations across six continents, including:

  • Telecom Providers & ISPs:

    • A U.S. affiliate of a UK telecom company
    • A U.S.-based telecommunications and internet service provider
    • ISPs in Italy, South Africa, Thailand, and Myanmar (Mytel)
  • Universities & Research Institutions:

    • University of California, Los Angeles (UCLA)
    • Three additional U.S. universities
    • Institutions in Argentina, Indonesia, the Netherlands, and more

Many of these universities are key players in telecommunications, engineering, and emerging technologies, making them valuable targets for cyber espionage.

While more than 100 countries have been affected, the highest concentration of compromised devices was found in South America, India, and the United States.


Cyber Espionage and Geopolitical Strategy

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued defensive guidance for telecom providers in December 2024, suggesting that Cisco devices had been actively exploited by Chinese APT groups—though specific details were not disclosed.

According to Jon Condra, senior director of strategic intelligence at Recorded Future, Salt Typhoon’s operations extend far beyond the U.S., reflecting China’s strategic intelligence objectives:

  • Espionage: Gaining access to sensitive networks for intelligence gathering
  • Data Manipulation: Disrupting or altering critical communications
  • Pre-positioning for Conflict: Establishing cyber footholds in case of geopolitical tensions or military escalation

Zach Edwards, senior threat researcher at Silent Push, highlights that telecom infrastructures are highly complex and often rely on outdated legacy systems—making them especially vulnerable to sophisticated cyberattacks.


Mitigation: How Organizations Can Defend Themselves

To protect against Salt Typhoon and similar APT threats, cybersecurity experts recommend:

  • Patching Cisco devices immediately to mitigate vulnerabilities (CVE-2023-20198 & CVE-2023-20273)
  • Removing outdated infrastructure that cannot be secured
  • Implementing advanced monitoring for anomalous network activity, especially GRE tunneling
  • Enforcing zero-trust security models to restrict unauthorized access
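The two tradecraft points above, unauthorized admin accounts created through the web UI (CVE-2023-20198) and GRE tunnels configured for persistence and exfiltration, both leave traces a defender can check for. The script below is an added example, not code from the article, Recorded Future or Cisco. It audits a running-config excerpt for privilege-15 users and GRE tunnel peers that are not in a known-good baseline, notes whether the IOS XE HTTP server feature (the web UI that CVE-2023-20198 abuses) is enabled, and aggregates GRE traffic (IP protocol 47) to non-baseline destinations from NetFlow-style records. The config, flow records, usernames, addresses and baselines are all constructed for the example.

```python
"""
Defender-side checks for the Salt Typhoon tradecraft described in the article:
unexpected privilege-15 accounts, unexpected GRE tunnels, and GRE traffic to
peers outside the baseline. Added example; the config and flow records are
constructed and do not come from any real device.
"""
import re
from dataclasses import dataclass

# Constructed IOS XE running-config excerpt (not a real device's config).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username svc_maint privilege 15 secret 9 $9$placeholder
username helpdesk privilege 1 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel7
 ip address 10.255.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.2 255.255.255.0
!
"""

# Constructed NetFlow-like records: src, dst, IP protocol number, bytes.
SAMPLE_FLOWS = [
    {"src": "192.0.2.2", "dst": "203.0.113.10", "proto": 47, "bytes": 48_000},
    {"src": "192.0.2.2", "dst": "198.51.100.77", "proto": 47, "bytes": 7_340_032},
    {"src": "192.0.2.2", "dst": "198.51.100.77", "proto": 47, "bytes": 2_097_152},
    {"src": "192.0.2.2", "dst": "198.51.100.50", "proto": 6, "bytes": 512},
]

# Hypothetical baselines an operator would maintain from change records.
ALLOWED_ADMINS = {"netops"}
ALLOWED_TUNNEL_PEERS = {"203.0.113.10"}

USER_RE = re.compile(r"^username (\S+) privilege (\d+)")


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


def parse_admins(config: str) -> set:
    """Return usernames configured with privilege 15 (full admin)."""
    matches = (USER_RE.match(line) for line in config.splitlines())
    return {m.group(1) for m in matches if m and int(m.group(2)) == 15}


def parse_tunnels(config: str) -> dict:
    """Map each Tunnel interface to its destination and tunnel mode."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            current = name if name.startswith("Tunnel") else None
            if current:
                tunnels[current] = {"destination": None, "mode": None}
        elif line.startswith(" ") and current:
            parts = line.split()
            if parts[:2] == ["tunnel", "destination"]:
                tunnels[current]["destination"] = parts[2]
            elif parts[:2] == ["tunnel", "mode"]:
                tunnels[current]["mode"] = " ".join(parts[2:])
        else:
            current = None  # '!' or a top-level command ends the interface block
    return tunnels


def audit_config(config: str, allowed_admins: set, allowed_peers: set) -> list:
    """Compare the config against the baselines and return findings."""
    findings = []
    for user in sorted(parse_admins(config) - allowed_admins):
        findings.append(Finding("high", "unexpected-admin",
                                f"privilege 15 user '{user}' is not in the baseline"))
    for name, tun in parse_tunnels(config).items():
        # A Tunnel interface with no explicit mode defaults to GRE over IP on IOS.
        is_gre = tun["mode"] is None or tun["mode"].startswith("gre")
        if is_gre and tun["destination"] not in allowed_peers:
            findings.append(Finding("high", "unexpected-gre-tunnel",
                                    f"{name} -> {tun['destination']} is not in the baseline"))
    web_ui = [l.strip() for l in config.splitlines()
              if l.strip() in ("ip http server", "ip http secure-server")]
    if web_ui:
        findings.append(Finding("medium", "web-ui-enabled",
                                "HTTP server feature enabled: " + ", ".join(web_ui)))
    return findings


def flag_gre_flows(flows: list, allowed_peers: set) -> dict:
    """Total GRE (protocol 47) bytes sent to each destination outside the baseline."""
    totals = {}
    for f in flows:
        if f["proto"] == 47 and f["dst"] not in allowed_peers:
            totals[f["dst"]] = totals.get(f["dst"], 0) + f["bytes"]
    return totals


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, ALLOWED_ADMINS, ALLOWED_TUNNEL_PEERS):
        print(f"[{finding.severity}] {finding.check}: {finding.detail}")
    for dst, total in flag_gre_flows(SAMPLE_FLOWS, ALLOWED_TUNNEL_PEERS).items():
        print(f"[high] gre-to-unknown-peer: {total} bytes to {dst}")
```

Run against the constructed sample, the audit reports the extra privilege-15 user, the Tunnel7 GRE tunnel to an unknown peer, and the enabled HTTP server, and the flow check totals roughly 9 MB of GRE traffic to that same peer. The point of keeping a tunnel-peer and admin baseline is that a GRE tunnel is legitimate configuration, so only a diff against what operators intended separates persistence from normal engineering.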

As Salt Typhoon continues its global attacks, organizations must prioritize cybersecurity to defend against state-sponsored cyber threats before they escalate further.