Canadian telecom hacked by suspected China state group

https://arstechnica.com/security/2025/06/suspected-china-state-hackers-exploited-patched-flaw-to-breach-canadian-telecom/

Dan Goodin Jun 23, 2025 · 3 mins read

Hackers suspected of working on behalf of the Chinese government exploited a maximum-severity vulnerability, which had received a patch 16 months earlier, to compromise a telecommunications provider in Canada, officials from that country and the US said Monday.

“The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies,” officials for the center, the Canadian government’s primary cybersecurity agency, said in a statement. “The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.” The FBI issued its own nearly identical statement.

A major security lapse

Salt Typhoon is the name researchers and government officials use to track one of several discrete groups known to hack nations all over the world on behalf of the People's Republic of China. In October 2023, researchers disclosed that hackers had backdoored more than 10,000 Cisco devices by exploiting CVE-2023-20198, a vulnerability with a maximum severity rating of 10.

Any switch, router, or wireless LAN controller running Cisco's IOS XE that had the HTTP or HTTPS server feature enabled and exposed to the Internet was vulnerable. Cisco released a security patch about a week after security firm VulnCheck published its report.

Salt Typhoon has been linked to hacks last year that compromised multiple US-based telecom companies, including Verizon and AT&T. The Wall Street Journal, citing unnamed officials, said the hackers likely used their monthslong covert access to monitor wiretap systems the companies employ on behalf of governmental agencies. Salt Typhoon members also had access to other types of Internet traffic, the WSJ reported.

In February of this year, Cisco said that attackers in the same 2024 campaign exploited not just CVE-2023-20198, but also several other previously patched vulnerabilities, including those tracked as CVE-2018-0171 and CVE-2023-20273. Cisco said Salt Typhoon also exploited CVE-2024-20399, a newer vulnerability that was patched in November.

On Monday, Canada's Cyber Centre said that three network devices operated by an unnamed Canadian telecom company “were compromised by likely Salt Typhoon actors in mid-February 2025.” The hackers exploited CVE-2023-20198 to retrieve running configuration files from the devices and modified at least one of the files to create a GRE tunnel allowing traffic collection from the network the devices were connected to.
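As an added example, not code from the article or from the Cyber Centre advisory, here is a small Python audit that checks a saved IOS XE running-config for the two conditions described above: the HTTP/HTTPS server feature being enabled (the exposure behind CVE-2023-20198) and a GRE tunnel interface whose destination is not on an operator-maintained allowlist. The sample config, hostname, interface names and addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config (not from the article). The Tunnel0
# stanza mimics the kind of GRE tunnel the advisory says was added.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
"""

@dataclass
class Finding:
    kind: str    # "web-ui-enabled" or "unexpected-gre-tunnel"
    detail: str  # the offending config line or tunnel summary

def parse_interfaces(config: str) -> dict:
    """Group the indented lines under each 'interface X' stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return blocks

def audit_config(config: str, approved_tunnel_dests: set) -> list:
    findings = []
    # The web UI is only reachable if one of these global commands is present.
    for feature in ("ip http server", "ip http secure-server"):
        if re.search(rf"^{re.escape(feature)}\s*$", config, re.M):
            findings.append(Finding("web-ui-enabled", feature))
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        # IOS tunnel interfaces default to GRE/IP when no mode line is set.
        mode = next((ln for ln in lines if ln.startswith("tunnel mode")), "tunnel mode gre ip")
        dest = next((ln.split()[-1] for ln in lines if ln.startswith("tunnel destination")), None)
        if "gre" in mode and dest not in approved_tunnel_dests:
            findings.append(Finding("unexpected-gre-tunnel", f"{name} -> {dest}"))
    return findings
```

Run it against a config pulled from each device (for example via `show running-config` over an out-of-band path) and diff the findings against a known-good baseline; the allowlist argument holds the tunnel endpoints the operator has actually provisioned.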

“In separate investigations, the Cyber Centre has found overlaps with malicious indicators associated with Salt Typhoon, reported by our partners and through industry reporting, which suggests that this targeting is broader than just the telecommunications sector,” Monday's advisories stated. “Targeting of Canadian devices may allow the threat actors to collect information from the victim’s internal network, or use the victim’s device to enable the compromise of further victims.” Cyber Centre officials went on to say that some of the hacking activities “may have been limited to network reconnaissance.”

Both the Cyber Centre and the FBI said that the hackers exploited CVE-2023-20198, but neither addressed the fact that a patch has been available since October 2023. Given the severity of the vulnerability and its known status as actively exploited, the telecom's failure to patch is a major security lapse that had the potential to harm people downstream. Canadian officials said China state hackers “will almost certainly continue to target Canadian organizations as part of this espionage campaign, including telecommunications service providers and their clients, over the next two years.”