In a concerning development for global cybersecurity, recent reports have revealed that the China-backed hacker group Salt Typhoon, also known as RedMike, carried out a series of cyberattacks targeting telecommunications companies and universities. Between December 2024 and January 2025, this sophisticated group managed to compromise five additional telecom providers worldwide, including two based in the United States. The attacks exploited unpatched vulnerabilities in Cisco edge devices, specifically leveraging CVE-2023-20198 and CVE-2023-20273, which allowed the hackers to escalate privileges and gain root access. As a result, over 1,000 devices across the globe, including several in the U.S., were infiltrated, highlighting the pervasive threat posed by state-sponsored cyber espionage.
Exploiting Vulnerabilities in Telecom Providers
Salt Typhoon’s campaign meticulously targeted network devices that had not received essential security patches. The vulnerabilities in the Cisco devices, known as zero-day flaws, were disclosed in October 2023, but many organizations had not yet patched their systems. The hackers took advantage of this lapse to infiltrate these critical devices, gaining a foothold in the target networks. The Insikt Group from Recorded Future, which closely monitors such threat activities, identified more than 12,000 Cisco devices worldwide with exposed web interfaces. This shift underscores the evolving tactics of Chinese threat groups that now focus on compromising public-facing network devices to establish long-term espionage capabilities.
Despite robust cybersecurity measures, the affected telecom providers did not detect the breaches until significant damage had been done. The Insikt Group confirmed that half of the compromised devices were located in the United States, South America, and India. The remaining devices were spread across various countries, marking a coordinated and extensive campaign. The senior director of strategic intelligence at Recorded Future, Jon Condra, highlighted the inherent challenges large enterprises face in maintaining effective patch management. Testing patches, planning downtime for updates, and ensuring that workflows remain unaffected are formidable tasks, contributing to such vulnerabilities being left unaddressed.
Targeting Academic Institutions
In addition to telecom companies, Salt Typhoon extended their cyberattacks to several American universities, including UCLA and Loyola Marymount University. The focus on academic institutions is presumed to be driven by the universities’ robust research programs in telecommunications and technology. By infiltrating these universities, the hackers aimed to gain access to cutting-edge research and potentially classified or sensitive information that could benefit Chinese state interests. The persistence and audacity of these attacks highlight the broad scope of targets vulnerable to state-sponsored espionage and reinforce the need for enhanced cybersecurity measures across all sectors.
Recorded Future has called on organizations to prioritize patching vulnerabilities and closely monitor configuration changes. Additionally, the cybersecurity firm advised against exposing administration interfaces and nonessential services to the internet. The recent campaign is reminiscent of previous breaches involving major U.S. telecommunications giants such as AT&T and Verizon. These incidents, which resulted in unauthorized access to the private communications of political figures and government officials, have prompted heightened concern within the U.S. government and the broader tech sector.
Implications and Future Considerations
In a troubling development for global cybersecurity, recent reports have unveiled that a China-backed hacker group known as Salt Typhoon, or RedMike, executed a series of cyberattacks on telecommunications companies and universities. Between December 2024 and January 2025, this highly skilled group successfully breached five more telecom providers worldwide, including two in the United States. The hackers exploited unpatched vulnerabilities in Cisco edge devices, specifically CVE-2023-20198 and CVE-2023-20273, to escalate privileges and gain root access. As a result, over 1,000 devices globally, including several in the U.S., were compromised. This underscores the significant threat posed by state-sponsored cyber espionage. The breaches serve as a stark reminder of the critical importance of maintaining robust cybersecurity measures and regularly updating software to patch vulnerabilities. The affected entities are now grappling with the fallout, assessing the extent of the breaches, and implementing measures to prevent future incidents.