In a critical escalation of global cyber-espionage, Canadian authorities have confirmed that the Chinese state-sponsored hacking group Salt Typhoon successfully breached a major Canadian telecommunications provider by exploiting a known Cisco vulnerability. The incident underscores a persistent threat to North American critical infrastructure and signals a broader campaign targeting telecom networks worldwide.
Sequence of Events
- Initial Discovery: In February 2025, Salt Typhoon compromised three network devices belonging to a Canadian telecom company. The attackers leveraged CVE-2023-20198, a critical Cisco IOS XE vulnerability, which allows remote, unauthenticated attackers to create privileged accounts and seize control of affected devices.
- Technical Exploitation: The flaw, first disclosed in October 2023, had already enabled hackers to infiltrate over 10,000 devices globally. Despite widespread warnings and available patches, the targeted Canadian provider had not secured its infrastructure, exposing it.
- Espionage Actions: Attackers extracted configuration files from all three devices and reconfigured at least one to establish a GRE tunnel, enabling the interception and collection of sensitive network traffic.
- Scope of Attack: Forensic investigations reveal that Salt Typhoon’s campaign extends beyond telecom, with reconnaissance and infiltration attempts detected across multiple Canadian sectors.
National and International Ramifications
- Persistent Threat: The Canadian Centre for Cyber Security and the FBI jointly warn that Salt Typhoon, almost certainly acting under the direction of the People’s Republic of China, will “almost certainly” continue targeting Canadian organizations—especially telecoms—over the next two years.
- Global Context: The same group has breached at least eight U.S. telecom firms, including major carriers, with the campaign reportedly spanning dozens of countries. U.S. officials admit that Chinese actors remain embedded in some networks, complicating full remediation.
- Espionage Objectives: Salt Typhoon’s operations prioritize intercepting communications of high-value targets, such as government officials and political figures, and exfiltrating call records and metadata.
Geopolitical Fallout
- Official Responses: Canada and the U.S. have issued urgent advisories, calling for immediate network hardening and patching of vulnerable systems. Beijing denies involvement, but international sanctions have already been levied against implicated Chinese entities.
- Broader Cyber Tensions: The campaign’s reach is not limited to North America; recent intelligence suggests Chinese APTs are also probing Russian defense systems, signaling shifting allegiances and a widening cyber battlefield.
What’s Next?
- Ongoing Risk: Authorities warn that the Salt Typhoon campaign is far from over. The group’s ability to exploit known vulnerabilities and slow patch adoption leaves critical infrastructure at continued risk.
- Defensive Measures: Organizations are urged to audit and secure all edge devices, prioritize patching, and monitor for suspicious activity linked to Salt Typhoon’s known tactics.
> “The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon,” stated the Canadian Centre for Cyber Security, emphasizing the urgent need for vigilance.