Salt Typhoon Breaches Canadian Telecom Firm via Cisco Exploit

Canada Breach

In February 2025, the Chinese state-backed threat group Salt Typhoon breached a Canadian telecommunications provider. The attackers exploited a critical Cisco IOS XE vulnerability, CVE-2023-20198, a flaw in the IOS XE web UI that lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrative access) on any device whose web UI is reachable.

Although the flaw was publicly disclosed, with fixed software available, in October 2023, some providers had still not applied the patch. As a result, Salt Typhoon gained access to multiple devices, modified their configurations, and extracted data.

Cisco Exploit Enables Network Tunneling and Data Collection

The attackers altered the configuration of at least one router to bring up a GRE tunnel, giving them a path to collect traffic from inside the provider's network and carry it out to infrastructure they controlled. The Canadian Centre for Cyber Security confirmed that three edge devices linked to the provider were compromised.
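The two artefacts the article describes, an unexplained privilege-15 local account (the kind CVE-2023-20198 lets an unauthenticated attacker create through the web UI) and a GRE tunnel interface used to carry traffic out of the network, are both visible in a device's running-config. The audit below is an added example, not code from the article, from Cisco, or from the Canadian Centre for Cyber Security. It parses a constructed IOS XE running-config (the hostname, the `cisco_tac_admin` account, the addresses and the `netops` allowlist are all invented for the example), flags both artefacts plus the exposed web UI, and emits the IOS commands that would remove them.

```python
"""Offline audit of a Cisco IOS XE running-config for post-exploitation artefacts.

Added example, not from the article or from Cisco/CCCS. The config text is
constructed for illustration; account names and addresses are invented.
"""
import re

# Constructed sample running-config. The "cisco_tac_admin" account and Tunnel0
# stand in for the kind of artefacts left by IOS XE web UI exploitation.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
interface Tunnel0
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
"""

USERNAME_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def find_privileged_users(config, allowlist):
    """Return privilege-15 local users that are not on the operator's allowlist.

    CVE-2023-20198 creates exactly this kind of account, so any priv-15 user
    the team cannot account for is a high-priority finding.
    """
    unexpected = []
    for line in config.splitlines():
        m = USERNAME_RE.match(line)
        if m and int(m.group(2)) == 15 and m.group(1) not in allowlist:
            unexpected.append(m.group(1))
    return unexpected


def parse_interfaces(config):
    """Split the config into {interface_name: [indented sub-commands]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the block
    return blocks


def find_gre_tunnels(config):
    """Return (name, destination) for every GRE Tunnel interface.

    Edge case: on IOS / IOS XE a Tunnel interface with no explicit
    'tunnel mode' line is GRE by default, so a missing line must be treated
    as GRE, not as "not GRE".
    """
    gre = []
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l.split(" ", 2)[2] for l in lines
                     if l.startswith("tunnel mode ")), "gre ip")
        dest = next((l.split()[2] for l in lines
                     if l.startswith("tunnel destination ")), None)
        if mode.startswith("gre"):
            gre.append((name, dest))
    return gre


def web_ui_enabled(config):
    """True if the HTTP or HTTPS server (the CVE-2023-20198 attack surface) is on."""
    lines = set(config.splitlines())
    return "ip http server" in lines or "ip http secure-server" in lines


def audit(config, allowlist):
    """Run every check; return (findings, IOS commands that would remediate them)."""
    findings, fixes = [], []
    for user in find_privileged_users(config, allowlist):
        findings.append(f"unexpected privilege-15 user: {user}")
        fixes.append(f"no username {user}")
    for name, dest in find_gre_tunnels(config):
        findings.append(f"GRE tunnel {name} to {dest}")
        fixes.append(f"no interface {name}")
    if web_ui_enabled(config):
        findings.append("web UI (ip http server / ip http secure-server) enabled")
        fixes += ["no ip http server", "no ip http secure-server"]
    return findings, fixes


if __name__ == "__main__":
    found, fix = audit(SAMPLE_CONFIG, allowlist={"netops"})
    for f in found:
        print("FINDING:", f)
    print("remediation:", "; ".join(fix))
```

Run it against `show running-config` output, not the saved startup-config: an account or tunnel an intruder added and never wrote to NVRAM exists only in the running state. In an incident, preserve the running-config, logs and any web UI artefacts before applying the remediation commands, since removing the tunnel and the account also removes the evidence.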

Salt Typhoon had previously been linked to intrusions at major U.S. telecom providers. After those incidents, Canadian authorities warned of reconnaissance activity against key domestic organizations. Despite the alerts, many firms did not move quickly to secure their systems.

Telecom and Beyond: Ongoing Threat Across Industries

Salt Typhoon's tactics extend beyond telecom. According to crowd-sourced intelligence and government analysis, the group now poses a threat to multiple industries. Its operations often begin with reconnaissance but can escalate to supply-chain compromise or lateral movement within the victim's network.

Canadian authorities expect these threats to continue over the next two years. Telecom firms remain especially attractive targets because of their access to sensitive metadata, subscriber location data, and government communications. Edge devices such as routers, firewalls, and VPN concentrators are the primary entry points.

Operators are urged to apply the hardened configurations detailed in government advisories. Past victims include major U.S. telecom operators such as AT&T, Verizon, and Lumen. Eye World advises all critical infrastructure providers to act now, before reconnaissance becomes intrusion.
