Salt Typhoon Exploits Cisco Zero-Day to Breach Canadian Telecom

The Canadian Centre for Cyber Security (Cyber Centre) and the FBI have confirmed that the Chinese state-sponsored hacking group known as Salt Typhoon is actively targeting Canadian telecommunications firms. The campaign, which mirrors recent attacks on U.S. broadband providers, has already led to the compromise of at least one major Canadian telecom operator.
February Breach Exploited Unpatched Cisco Flaw
According to a joint advisory, Salt Typhoon breached a Canadian telecommunications provider in mid-February 2025 by exploiting CVE-2023-20198 — a critical vulnerability in Cisco IOS XE. This flaw, first disclosed in October 2023, allows unauthenticated remote attackers to create arbitrary administrative accounts and take full control of network devices.
Despite widespread warnings and the availability of patches, the affected telecom provider had not remediated the issue. This oversight provided Salt Typhoon with a straightforward path to compromise.
“Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025,” the advisory reads.
“The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE tunnel, enabling traffic collection from the network.”
Escalating Threat After Prior Warnings
The breach follows a wave of reconnaissance activity observed in October 2024, after Salt Typhoon successfully infiltrated multiple U.S. broadband providers. At that time, Canadian authorities issued warnings and urged critical infrastructure operators to strengthen their defenses. However, this latest incident suggests that not all organizations took necessary precautions.
The Cyber Centre warns that Salt Typhoon’s targeting of Canadian entities is likely to continue over the next two years, with threat activity extending beyond telecommunications to multiple other sectors, including supply chain vendors and managed service providers (MSPs).
Espionage Motives and Attack Tactics
Telecommunications companies are prime targets for state-sponsored actors due to the high-value data they manage — including call metadata, subscriber location information, SMS content, and government or political communications.
Salt Typhoon’s operations typically focus on:
- Edge devices at the network perimeter (e.g., routers, firewalls, VPN appliances)
- Service providers (e.g., MSPs, cloud vendors) for indirect access to customer networks
Their intrusions frequently begin with reconnaissance, but stolen configuration data can then enable lateral movement, traffic interception, and supply chain compromise.
Global Impact
Salt Typhoon’s activities have already impacted telecom giants in dozens of countries, including:
- AT&T
- Verizon
- Lumen
- Charter Communications
- Consolidated Communications
- Windstream
- Viasat (which confirmed a breach last week, though no customer data was exposed)
Call to Action: Patch and Harden Now
The Cyber Centre is urging all critical infrastructure operators — especially telecommunications and network service providers — to:
- Patch all known vulnerabilities on edge devices without delay
- Review and harden device configurations using vendor and government guidance
- Monitor for unusual activity, including unauthorized administrative accounts and GRE tunnel configurations
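As an added example, not code from the advisory or the article, the following Python check implements the last bullet: it parses a Cisco IOS XE running-config and flags privilege-15 local accounts and GRE tunnel interfaces that are not in an approved baseline. The sample config, usernames, hashes and addresses are constructed for illustration.

```python
import re
# Constructed sample running-config, not from any real device. The second
# privilege-15 account and the Tunnel interface mirror the advisory's findings.
SAMPLE_CONFIG = """\
username netops privilege 15 secret 9 $9$EXAMPLEHASHONLY
username svc_backup privilege 15 secret 9 $9$EXAMPLEHASHTWO
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.5
!
"""

def parse_blocks(config):
    """Group each top-level config line with its indented child lines."""
    blocks, current = [], None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            current[1].append(line.strip())
        elif not line.startswith(" "):
            current = (line.strip(), [])
            blocks.append(current)
    return blocks

def find_admin_accounts(config):
    """Return local usernames configured with privilege 15."""
    pat = re.compile(r"^username (\S+) .*privilege 15\b")
    return [m.group(1) for m in (pat.match(h) for h, _ in parse_blocks(config)) if m]

def find_gre_tunnels(config):
    """Return (interface, destination) for Tunnel interfaces carrying GRE; no 'tunnel mode' line means GRE (the IOS XE default)."""
    found = []
    for header, children in parse_blocks(config):
        if not header.startswith("interface Tunnel"):
            continue
        mode = next((c.split(None, 2)[2] for c in children if c.startswith("tunnel mode ")), "gre ip")
        dest = next((c.split()[-1] for c in children if c.startswith("tunnel destination ")), None)
        if mode.startswith("gre"):
            found.append((header.split()[1], dest))
    return found

def review(config, approved_admins, approved_tunnel_dests):
    """Compare a running-config against an approved baseline; return findings."""
    findings = [f"unexpected privilege-15 account: {u}"
                for u in find_admin_accounts(config) if u not in approved_admins]
    findings += [f"GRE tunnel {name} to unapproved destination {dest}"
                 for name, dest in find_gre_tunnels(config) if dest not in approved_tunnel_dests]
    return findings
```

Run `review()` against a config pulled on a schedule and alert on any non-empty result; the approved sets are the device's documented baseline.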
A list of hardening resources has been included in the Cyber Centre’s bulletin to assist operators in protecting their environments.
Source: bleepingcomputer.com