Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, by a threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention.

Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access.

Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.

​More U.S. companies have been added to the list of telecommunications firms hacked in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon.

The White House said Friday the Salt Typhoon breach occurred in large part due to failures at telecom companies to protect their systems. 

Senators briefed on the wide-ranging breaches by Chinese hackers called for action on Wednesday to protect the country's telecommunications networks.

Leaders of the big telecommunications companies were summoned to the White House to discuss strategies for overhauling the security of the nation’s telecommunications networks amid growing alarm at the scope of a Chinese hack.

T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests.

China-linked threat actors compromised some U.S. internet service providers as part of a cyber espionage campaign code-named Salt Typhoon.

The state-sponsored hackers aimed at gathering intelligence from the targets or carrying out disruptive cyberattacks.

The Wall Street Journal reported that experts are investigating into the security breached to determine if the attackers gained access to Cisco Systems routers, which are core network components of the ISP infrastructures.