The vulnerability, initially disclosed in October 2023, was already exploited as a zero-day by threat actors, impacting more than 10,000 devices.

The Canadian Centre for Cyber Security (Cyber Centre) and the US Federal Bureau of Investigation have confirmed that the Chinese state-sponsored hacking group, Salt Typhoon, is targeting Canadian telecommunication companies. In February 2025, Salt Typhoon breached a Canadian telecom provider by exploiting a vulnerability identified as CVE-2023-20198. This flaw in Cisco IOS XE allows remote attackers to create arbitrary accounts and gain administrative privileges.
Initially disclosed in October 2023, the vulnerability had already been used by threat actors as a zero-day exploit, affecting over 10,000 devices. Despite the time elapsed since its disclosure, a major Canadian telecom provider had not yet patched the flaw, providing Salt Typhoon with an opportunity to compromise their devices.
“Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025,” said Canada’s cybersecurity agency in its bulletin. “The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE tunnel, enabling traffic collection from the network.”
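A defender's check for the two changes described above, a new administrative account and an added GRE tunnel, shown as an added example (not code from the Cyber Centre bulletin or this article): it compares a device's running configuration against a known-good baseline. The sample configurations, hostname, account names and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample configs (not from the bulletin); addresses are RFC 5737 documentation ranges.
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructed
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel10
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
"""
CURRENT = BASELINE + """\
username support01 privilege 15 secret 9 $9$constructed
interface Tunnel77
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.50
"""

def parse_config(text):
    """Return (local users -> privilege level, tunnel interfaces -> settings)."""
    users, tunnels, current = {}, {}, None
    for line in text.splitlines():
        if not line.startswith(" "):          # a top-level line ends any interface block
            current = None
            m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
            if m:
                users[m.group(1)] = int(m.group(2) or 1)   # IOS default privilege is 1
            m = re.match(r"interface (Tunnel\d+)", line)
            if m:                              # tunnel interfaces default to GRE over IP
                current = tunnels.setdefault(m.group(1), {"mode": "gre ip"})
        elif current is not None:
            m = re.match(r"\s+tunnel (source|destination|mode) (.+)", line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return users, tunnels

def audit(baseline, current):
    """List privilege-15 users and GRE tunnels that are new or changed versus the baseline."""
    base_users, base_tunnels = parse_config(baseline)
    users, tunnels = parse_config(current)
    findings = []
    for name, priv in users.items():
        if priv == 15 and base_users.get(name) != 15:
            findings.append(("new-admin-user", name))
    for name, cfg in tunnels.items():
        if cfg["mode"].startswith("gre") and base_tunnels.get(name) != cfg:
            findings.append(("new-or-changed-gre-tunnel", name, cfg.get("destination")))
    return findings
```

Running `audit(BASELINE, CURRENT)` on the constructed data flags the added account and the added tunnel; an unchanged configuration yields an empty list.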
In October 2024, following breaches of several American broadband providers by Salt Typhoon, Canadian authorities detected reconnaissance activities targeting numerous key organisations in the country. Although no breaches were confirmed at that time, the authorities urged critical service providers to enhance their security measures. However, some providers failed to act on these warnings. The Cyber Centre has indicated that Salt Typhoon’s activities extend beyond the telecommunications sector, affecting multiple industries. While much of this activity remains at the reconnaissance stage, data obtained from internal networks could facilitate lateral movement or supply chain attacks.
Cyber Centre warns of ongoing threats to Canadian organisations
The Cyber Centre has warned that attacks on Canadian organisations by Salt Typhoon “will almost certainly continue” over the next two years. It has urged critical organisations to implement protective measures for their networks. Despite the ongoing threat, some critical service providers have yet to take the necessary actions to secure their networks.
Beyond telecommunications, the Cyber Centre notes that Salt Typhoon’s activities are likely affecting multiple other industries. Separate investigations and crowd-sourced intelligence suggest that the group’s activities are not confined to a single sector. While much of their current activity is limited to reconnaissance, the potential for more damaging attacks remains. The data stolen from internal networks can be used for lateral movement within organisations or could be leveraged in supply chain attacks.