In a sophisticated cyber espionage campaign, the Chinese state-sponsored group “Salt Typhoon,” also known as “RedMike,” targeted unpatched Cisco network devices, exposing critical infrastructure vulnerabilities. The group compromised over 1,000 Cisco devices worldwide between December 2024 and January 2025, focusing on telecommunications providers and universities. This event brings to light the dire need for improved cybersecurity measures to protect vital systems from state-backed cyber actors.
Privilege Escalation Vulnerabilities
Exploitation of CVE-2023-20198 and CVE-2023-20273
Salt Typhoon chained two vulnerabilities in the web user interface of Cisco IOS XE software. CVE-2023-20198 lets an unauthenticated remote attacker reach the web UI and create a local account at privilege level 15, the highest IOS XE privilege level; CVE-2023-20273 is a command-injection flaw that such an account can use to run commands as root on the device's underlying operating system. Together they hand the attacker full control of the router or switch. Once in, Salt Typhoon reconfigured the devices to build GRE (Generic Routing Encapsulation) tunnels to attacker-controlled endpoints, giving them persistent access and a covert channel for data exfiltration. Traffic carried inside those tunnels leaves the network encapsulated rather than as the original flows, so it is not subject to the firewall and intrusion-detection inspection that would otherwise apply to it, which let the attackers keep a foothold in the targeted networks.
Both flaws were publicly disclosed and patched by Cisco in October 2023, so the campaign did not depend on zero-days; it depended on finding devices that had still not been updated more than a year later. That is the practical lesson for organizations running Cisco network hardware: internet-facing management interfaces on routers and switches need the same patch discipline as servers. The damage from a compromised device also extends beyond the immediate data breach, because a router under attacker control can serve as an entry point for further attacks or be used to redirect and manipulate traffic inside the network. By taking root on the devices, Salt Typhoon secured the comprehensive access needed for sustained espionage.
Establishing Persistent Access
The attackers' reconfiguration of compromised devices to set up GRE tunnels gave them persistent access to the affected networks. Because the tunnel definitions live in the device's running configuration, they survive a later patch of the web UI vulnerabilities unless someone reviews the configuration and removes them; patching alone does not evict the attacker. The tunnels also masked exfiltration, since encapsulated traffic between a router and a remote endpoint looks like routine infrastructure traffic rather than a suspicious flow from an internal host, which made the intrusion harder for defenders to detect and respond to. The approach reflected a thorough understanding of how network security controls work and where they do not look.
Persistence inside these networks not only enabled continuous data theft but also put the attackers in a position to manipulate traffic. Control of the devices that route a provider's traffic means they could insert false information, disrupt communications, or disable dependent systems, a capability useful for sabotage as well as espionage.
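The reconfiguration described above leaves artifacts in the device's running configuration, and that is where a defender should look. The following Python script, added here as an example and not part of the original report or of any Cisco tooling, audits an IOS XE-style running-config for three of them: privilege-15 local accounts outside a baseline, GRE tunnel interfaces outside a baseline (GRE is the default mode of an IOS tunnel interface, so a Tunnel block with no tunnel mode line counts as GRE), and a web UI left enabled without an access-class ACL, which is Cisco's interim mitigation for CVE-2023-20198. The two configurations, the allow-lists, the hostnames, addresses and account names are all constructed for the example.

```python
"""Audit a Cisco IOS XE running-config for the post-exploitation artifacts
described above: unexpected privilege-15 accounts, unexpected GRE tunnel
interfaces, and a web UI reachable without an access-class ACL.
Added example; the configs and allow-lists below are constructed."""
import re
from dataclasses import dataclass

# Hypothetical baseline; a real audit loads the organisation's own lists.
KNOWN_ADMINS = {"netops"}
KNOWN_TUNNELS = {"Tunnel100"}


@dataclass
class Finding:
    severity: str
    detail: str


def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return interfaces


def audit_config(config, known_admins=KNOWN_ADMINS, known_tunnels=KNOWN_TUNNELS):
    findings = []
    # 1. Privilege-15 local accounts outside the baseline: exploitation of
    #    CVE-2023-20198 creates exactly this kind of account via the web UI.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in known_admins:
            findings.append(Finding("high", f"unexpected privilege-15 account '{m.group(1)}'"))
    # 2. GRE tunnels outside the baseline. GRE is the default mode of an IOS
    #    tunnel interface, so a Tunnel block with no 'tunnel mode' line is GRE.
    for name, body in parse_interfaces(config).items():
        modes = [c for c in body if c.startswith("tunnel mode ")]
        if name.startswith("Tunnel") and all("gre" in c for c in modes) \
                and name not in known_tunnels:
            dest = next((c.split()[-1] for c in body
                         if c.startswith("tunnel destination ")), "unknown")
            findings.append(Finding("high", f"unexpected GRE tunnel {name} to {dest}"))
    # 3. Web UI exposure. Cisco's interim mitigation for CVE-2023-20198 is to
    #    disable the HTTP server feature or restrict it with an access-class ACL.
    #    Lines negated with 'no ' do not match the anchored pattern.
    web_ui_on = re.search(r"^ip http (secure-)?server$", config, re.M) is not None
    acl_applied = re.search(r"^ip http access-class ", config, re.M) is not None
    if web_ui_on and not acl_applied:
        findings.append(Finding("medium", "web UI enabled without 'ip http access-class'"))
    return findings


# Constructed config resembling a device after the reconfiguration described above.
SUSPECT_CONFIG = """\
username netops privilege 15 secret 9 REDACTED
username svc_backup privilege 15 secret 9 REDACTED
!
interface Tunnel100
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.20
!
interface Tunnel7
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
ip http server
ip http secure-server
"""

# Constructed config with the attacker artifacts removed and the web UI restricted.
HARDENED_CONFIG = """\
username netops privilege 15 secret 9 REDACTED
!
interface Tunnel100
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.20
!
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
"""

if __name__ == "__main__":
    for label, cfg in (("suspect", SUSPECT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, [f"[{f.severity}] {f.detail}" for f in audit_config(cfg)])
```

Run against the suspect configuration the audit reports the stray account, the Tunnel7 GRE tunnel to 198.51.100.77 and the unrestricted web UI; the hardened configuration produces no findings. The baseline sets are the important part: a tunnel or admin account is only suspicious relative to what the operator knows they created, so the script is meant to be fed the organisation's real inventory rather than the placeholder sets above.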
Targeted Institutions
Focus on Telecommunications Providers
Salt Typhoon’s campaign primarily targeted telecommunications providers, emphasizing the value of such networks in their espionage efforts. The group infiltrated a U.S. affiliate of a U.K. telecom provider, a South African telecom company, and ISPs in Italy and Thailand. These targets were likely chosen due to their central roles in facilitating communication and data transfer, making them rich sources of intelligence. By compromising these providers, Salt Typhoon could monitor, disrupt, and manipulate data flows, gaining insights into sensitive communications and potentially influencing them.
Telecommunications providers form the backbone of modern communication infrastructure, which is why they attract this kind of attention. With control of provider routers, Salt Typhoon could extract confidential data, eavesdrop on conversations and intercept sensitive information in transit. That level of access underscores the need for robust security within the telecommunications sector, starting with the edge and core devices that carry customer traffic.
Attacks on Universities
In addition to telecommunications providers, Salt Typhoon also targeted universities across multiple countries, including Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, Vietnam, and the U.S. Institutions such as UCLA and TU Delft were specifically targeted, likely due to their involvement in cutting-edge research in fields like telecommunications, engineering, and technology. These universities attracted attention because their research outputs could provide valuable insights and technological advancements that state-backed actors were keen to exploit.
By infiltrating these academic institutions, Salt Typhoon could reach proprietary research, development projects and intellectual property, endangering both the integrity of the research and the universities' competitive position. A persistent intruder inside a university network also undermines the open collaboration that academic research depends on. The attacks underscore the need for academic institutions to bolster their cybersecurity defenses and protect their research environments.
Broader Implications and Mitigation Strategies
Strategic Intelligence Threats
By maintaining persistent access to compromised telecommunications networks, Salt Typhoon put state-backed actors in a position to monitor communications, disrupt services and manipulate data flows for intelligence or propaganda purposes. The group's focus on lawful intercept systems and on high-profile U.S. political figures pointed to intelligence collection with direct national-security consequences. The campaign shows the lengths to which state-backed actors will go to infiltrate and exploit critical infrastructure, and it is a clear indication of the evolving nature of cyber-espionage, demanding constant vigilance and proactive measures to protect vital networks.
The potential for these infiltrations to cause widespread disruption and gather intelligence on sensitive communications raised significant concerns for national security. The attackers’ ability to manipulate data flows could support disinformation campaigns or interfere with critical services. Furthermore, the targeting of lawful intercept systems posed a direct threat to the integrity of law enforcement and intelligence-gathering operations. The implications of such breaches extended far beyond immediate data loss, highlighting the need for comprehensive cybersecurity strategies to defend against these advanced persistent threats.
Preventive Measures
The most direct mitigation is to patch: Cisco fixed CVE-2023-20198 and CVE-2023-20273 in October 2023, and the devices Salt Typhoon compromised in this campaign were running software without those fixes. Where a device cannot be updated immediately, Cisco's published guidance is to disable the HTTP server feature (ip http server and ip http secure-server) on internet-facing systems, or to restrict the web UI to trusted management addresses with an access-class ACL. Because exploitation leaves artifacts in the configuration, operators should also review running configs for privilege-15 local accounts that are not in their baseline and for tunnel interfaces they did not create, and treat either as an incident rather than a cleanup item.
The breach emphasizes the urgent need for stronger cybersecurity measures and constant vigilance to safeguard vital systems against state-backed threats. Given that telecommunications providers and universities are prime targets, the incident also highlights the value of international cooperation and information sharing among affected organizations and national authorities to detect and contain campaigns of this kind, ensuring the ongoing protection and resilience of critical infrastructure.