
Chinese State-Backed Hackers Breach US Telecoms Through Cisco Router Exploits


By WIRE TOR - Ethical Hacking Services. Published 11 months ago. 4 min read.

In an alarming development in cybersecurity, Chinese state-backed hackers, known as Salt Typhoon, continue to target global telecommunications providers, exploiting unpatched vulnerabilities in Cisco IOS XE network devices. These sophisticated cyberattacks have led to breaches in multiple telecommunications providers, including companies in the U.S., U.K., South Africa, Italy, and Thailand.

According to a recent report by Recorded Future’s Insikt Group, the Chinese hacking group, also tracked under the name RedMike, has been actively exploiting two critical vulnerabilities: CVE-2023-20198, a privilege escalation flaw, and CVE-2023-20273, a Web UI command injection vulnerability. The attackers have leveraged these weaknesses to gain unauthorized access to Cisco devices, compromising network infrastructure and maintaining persistent access through tunneling methods.

The Ongoing Attack Campaign

Between December 2024 and January 2025, Salt Typhoon targeted over 1,000 Cisco network devices, with a significant focus on the U.S., South America, and India. Threat researchers identified compromised Cisco devices that were reconfigured to communicate with Salt Typhoon-controlled servers via Generic Routing Encapsulation (GRE) tunnels. This method provides attackers with persistent access to the networks, allowing them to exfiltrate data and manipulate network traffic undetected.

Insikt Group’s research further revealed that more than 12,000 Cisco network devices were exposed to the internet, with their web UIs accessible to potential attackers. While only 8% of these devices were directly targeted, the hacking group appeared to selectively focus on network infrastructure linked to telecommunications providers, underscoring the strategic intent behind their attacks.

The recorded breaches include:

  • A U.S.-based internet service provider (ISP)
  • A U.S. affiliate of a U.K. telecommunications provider
  • A South African telecom provider
  • An Italian ISP
  • A large telecommunications provider in Thailand

The attackers’ reconnaissance tactics suggest a methodical approach, scanning internet-facing devices for vulnerabilities before launching their targeted incursions. The sophistication and scale of these operations indicate state-backed support, with intelligence gathering and persistent network infiltration as primary objectives.

Cisco Vulnerabilities: A Persistent Target

The two vulnerabilities exploited by Salt Typhoon were initially identified in 2023, when they were leveraged in zero-day attacks against more than 50,000 Cisco IOS XE devices. These attacks enabled adversaries to deploy backdoor malware using rogue privileged accounts, granting them long-term control over compromised networks.

A joint advisory issued by the Five Eyes intelligence alliance in November 2023 classified these vulnerabilities among the top four most exploited security flaws of the year. Despite urgent recommendations from cybersecurity agencies and Cisco itself, many organizations have failed to patch their devices, leaving their network infrastructure vulnerable to exploitation.

Recommendations for Network Administrators

Given the ongoing nature of these attacks, security experts at Insikt Group and Cisco strongly advise network administrators to take immediate action to mitigate risks. Key recommendations include:

Apply Security Patches: Network operators must ensure that all Cisco IOS XE devices are updated with the latest security patches. Cisco has issued fixes for CVE-2023-20198 and CVE-2023-20273, which should be implemented without delay.

Restrict Internet Exposure: Administrators should avoid exposing web UI management interfaces and other non-essential services to the public internet.

Monitor for Anomalous Activity: Organizations should conduct regular security audits and monitor network traffic for suspicious activity, including unauthorized GRE tunnels and unexpected configuration changes.

Implement Strong Access Controls: Enforcing multi-factor authentication (MFA) and restricting privileged account access can help prevent unauthorized changes to network infrastructure.

Deploy Intrusion Detection Systems (IDS): Advanced threat detection mechanisms can identify potential breaches in real-time, allowing for quicker response and mitigation.
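The recommendations above (close the web UI to the internet, watch for unauthorized GRE tunnels and unexpected configuration changes, restrict privileged accounts) can be turned into a repeatable configuration check. The script below is an added example written for this page, not code from the article, Insikt Group or Cisco. It parses a constructed IOS XE running-config (all addresses are from RFC 5737 documentation ranges, the hostname, usernames and the approved-peer and approved-account baselines are hypothetical) and flags three conditions: the HTTP/HTTPS web UI enabled without an `ip http access-class` restriction, a GRE tunnel whose destination is not in the operator's approved peer list, and a privilege 15 local account that is not in the operator's known-admin list.

```python
"""Audit a Cisco IOS XE running-config for the exposures the article describes:
an internet-reachable web UI, unapproved GRE tunnels and unexpected privileged
local accounts. Example code written for this page; not Cisco's or Insikt's."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample running-config (hypothetical device; RFC 5737 addresses).
SAMPLE_CONFIG = """\
version 17.3
hostname EDGE-RTR-1
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username svc-backup2 privilege 15 secret 9 $9$PLACEHOLDER
!
ip http server
ip http secure-server
!
interface Tunnel0
 description Approved site-to-site link to DC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Operator-maintained baseline (hypothetical values for this example).
APPROVED_TUNNEL_PEERS = {"203.0.113.10"}
APPROVED_PRIV15_USERS = {"netops"}


@dataclass
class Tunnel:
    name: str
    destination: str | None = None
    mode: str = "gre ip"  # IOS default when no 'tunnel mode' sub-command is present


@dataclass
class ParsedConfig:
    http_server: bool = False
    http_secure_server: bool = False
    http_access_class: bool = False
    tunnels: list[Tunnel] = field(default_factory=list)
    priv15_users: set[str] = field(default_factory=set)


def parse_config(text: str) -> ParsedConfig:
    """Pull out the settings the audit needs. IOS config is line-oriented:
    interface sub-commands are indented one space under 'interface ...', so
    we track which Tunnel block (if any) we are inside."""
    cfg = ParsedConfig()
    current: Tunnel | None = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None  # any top-level line ends the interface block
            if line == "ip http server":
                cfg.http_server = True
            elif line == "ip http secure-server":
                cfg.http_secure_server = True
            elif line.startswith("ip http access-class"):
                cfg.http_access_class = True
            elif m := re.match(r"interface (Tunnel\d+)$", line):
                current = Tunnel(name=m.group(1))
                cfg.tunnels.append(current)
            elif m := re.match(r"username (\S+) privilege 15\b", line):
                cfg.priv15_users.add(m.group(1))
            continue
        if current is not None:
            if m := re.match(r" tunnel destination (\S+)$", line):
                current.destination = m.group(1)
            elif m := re.match(r" tunnel mode (.+)$", line):
                current.mode = m.group(1)
    return cfg


def audit(cfg: ParsedConfig, approved_peers: set[str], approved_users: set[str]) -> list[str]:
    """Return one human-readable finding per deviation from the baseline."""
    findings: list[str] = []
    if (cfg.http_server or cfg.http_secure_server) and not cfg.http_access_class:
        findings.append("Web UI (ip http server/secure-server) enabled with no "
                        "ip http access-class restriction")
    for t in cfg.tunnels:
        if t.mode.startswith("gre") and t.destination not in approved_peers:
            findings.append(f"{t.name}: GRE tunnel to unapproved destination {t.destination}")
    for user in sorted(cfg.priv15_users - approved_users):
        findings.append(f"Unexpected privilege 15 local account: {user}")
    return findings


def audit_sample() -> list[str]:
    return audit(parse_config(SAMPLE_CONFIG), APPROVED_TUNNEL_PEERS, APPROVED_PRIV15_USERS)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```

Run against a `show running-config` export pulled on a schedule, the script gives a diff-friendly list of deviations; in the sample it reports the unrestricted web UI, the tunnel to 198.51.100.77 and the `svc-backup2` account while staying silent on the approved Tunnel0 peer. The baseline sets are the important part: a GRE tunnel or privilege 15 user is only suspicious relative to what the operator knows should be there.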

A Cisco spokesperson, in response to these findings, emphasized the importance of proactive security measures:

“To date, we have not been able to validate these claims but continue to review available data. In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols.”

Chinese Espionage: A Broader Campaign

The breaches attributed to Salt Typhoon are part of a broader cyber-espionage campaign confirmed by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in October 2024. These coordinated attacks targeted multiple U.S. telecommunications providers, including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream.

Beyond telecom infrastructure, the attackers infiltrated sensitive government networks. They gained access to private communications of a limited number of U.S. government officials and even compromised law enforcement’s wiretapping platform. Such incursions raise significant national security concerns, as they could enable Chinese intelligence agencies to intercept classified conversations, disrupt communications, and conduct surveillance operations.

Salt Typhoon: A Longstanding Threat

Salt Typhoon, also tracked under aliases such as FamousSparrow, Ghost Emperor, Earth Estries, and UNC2286, has been actively targeting telecom providers and government agencies since at least 2019. Their operations primarily focus on:

Reconnaissance and Surveillance: Mapping critical infrastructure and gathering intelligence on high-value targets.

Persistent Network Access: Deploying backdoors and tunneling mechanisms for long-term infiltration.

Data Exfiltration: Stealing sensitive communications and proprietary information.

Disruptive Capabilities: Gaining control over network infrastructure to potentially disrupt services if needed.

Conclusion

The ongoing breaches of U.S. telecom providers via unpatched Cisco routers demonstrate the persistent and evolving threat posed by Chinese state-sponsored hackers. Despite previous warnings and available patches, organizations continue to be compromised due to lax security practices and failure to implement necessary updates.

These cyberattacks not only jeopardize the security of telecommunications infrastructure but also pose a significant risk to national security. With threat actors actively targeting ISPs and government networks, there is an urgent need for robust cybersecurity measures, timely patching, and proactive threat intelligence sharing.

Organizations using Cisco IOS XE devices must prioritize security by patching known vulnerabilities, restricting internet exposure, and enhancing network monitoring capabilities. In an era of escalating cyber warfare, vigilance and resilience are paramount to defending against increasingly sophisticated adversaries.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.
