When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans’ texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers’ high-profile exposure, they’ve continued their spree of breaking into telecom networks worldwide, including more in the US.
Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they’ve seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company’s analysts, though they declined to name those victims to WIRED.
“They’re super active, and they continue to be super active,” says Levi Gundert, who leads Recorded Future’s research team known as Insikt Group. “I think there’s just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”
To carry out this latest campaign of intrusions, Salt Typhoon—which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft—has targeted the internet-exposed web interfaces of Cisco’s IOS software, which runs on the networking giant’s routers and switches. The hackers exploited two different vulnerabilities in those devices’ code, one of which grants initial access, and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim’s network.
“Any time you’re embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you’re able to access and observe and exfiltrate,” Gundert says.
Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers’ own command-and-control servers via generic routing encapsulation, or GRE tunnels—a protocol used to set up private communications channels—then used those connections to maintain their access and steal data.
When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published about vulnerabilities in the web interface of its IOS software in 2023. “We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release,” a spokesperson wrote in a statement.
Hacking network appliances as entry points to target victims—often by exploiting known vulnerabilities that device owners have failed to patch—has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. That’s in part because those network devices lack many of the security controls and monitoring software that’s been extended to more traditional computing devices like servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted those vulnerable network appliances as a primary intrusion technique for at least five years.