China’s Salt Typhoon Still Hacking US Telecoms Despite Sanctions: Report

Chinese state hackers targeted more than 1,000 Cisco routers globally in their latest operation.

The Chinese hacking group Salt Typhoon is still infiltrating U.S. telecom networks, despite being sanctioned by U.S. authorities.

The group, whose hacking activities have impacted the highest levels of the U.S. government, attempted to exploit more than 1,000 network devices of tech giant Cisco, according to a Feb. 13 report from cybersecurity firm Recorded Future.

Between December and January, Salt Typhoon breached five telecom networks, including two in the United States, and targeted more than a dozen universities that could give Beijing valuable research and intellectual property, the researchers said.

These victims include a U.S.-based affiliate of a UK telecom provider and a U.S. internet service provider, as well as three from South Africa, Italy, and Thailand. Recorded Future’s Insikt Group observed that seven Cisco devices associated with these firms were communicating with the hackers.

The Chinese state actors, which the researchers identified by the moniker “RedMike,” exploited two code vulnerabilities in Cisco network devices’ website interface. The first gave them initial access, and the second provided “root privileges,” granting the hackers full control of the victim’s network. The hackers then reconfigured the device to retain persistent access.

Recorded Future found more than 12,000 insecure Cisco network devices. The cyber actors appeared to target about 1,000 of them, which were linked to telecommunications providers, the researchers said.

Among them were 13 universities, including U.S. institutions such as Loyola Marymount University, Utah Tech University, and University of California, Los Angeles, the report noted.

Salt Typhoon is one of several Chinese state-linked hacking groups that have drawn U.S. concerns.

The group was responsible for breaching and stealing documents from the Treasury Department’s Office of Foreign Assets Control, which enforces U.S. economic and trade sanctions. It also previously compromised at least nine major U.S. telecom networks, including Verizon, AT&T, and CenturyLink. The operation had aimed at phone communications of senior political figures, targeting President Donald Trump, Vice President JD Vance, as well as then-Vice President Kamala Harris’s campaign ahead of the 2024 presidential election.

The malicious activities rattled the U.S. intelligence community, triggering a warning from the Cybersecurity and Infrastructure Security Agency to senior government officials to ditch regular communication methods and encrypt their communication.

The AT&T logo is displayed at a store in Washington, D.C., on Jan. 18, 2022. (Stefani Reynolds/AFP via Getty Images)

In the weeks after discovering the Salt Typhoon intrusion, U.S. agencies announced countermeasures to safeguard U.S. data.

In December 2024, the Justice Department labeled China a country of concern for its penchant for exploiting sensitive U.S. personal and government-related data en masse, and blocked entities deemed as threat actors from transacting certain data it considers important to national security.

Three weeks later, authorities sanctioned a Chinese cyber actor and a Chinese cybersecurity firm for aiding the Salt Typhoon attacks.

Reached for comment on the latest report on Salt Typhoon activities, Cisco said it’s aware of the vulnerabilities raised in the report.

“To date, we have not been able to validate these claims but continue to review available data,” a company spokesperson told The Epoch Times. The company noted it had issued a security advisory in 2023 on the vulnerabilities to customers, telling them to “urgently apply the available software fix.”

“We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols,” the spokesperson said.
