A Chinese state-backed cyber group known as “Salt Typhoon” has been linked to a February 2025 breach involving a Canadian telecommunications provider, according to a joint bulletin issued by the Canadian Centre for Cyber Security and the U.S. FBI.
The attackers reportedly gained access by exploiting a known flaw in the web UI of Cisco's IOS XE software (CVE-2023-20198). The vulnerability, disclosed in October 2023, let an unauthenticated remote attacker reach the device's management interface over HTTP or HTTPS and create a local account with privilege level 15, the highest administrative level on the device. At the time of its disclosure it was already being exploited to take over tens of thousands of devices worldwide.
Despite public warnings and available security patches, at least one Canadian telecom firm had not applied the fix. That oversight enabled the attackers to compromise three of the company's network devices. Investigators say the intruders retrieved the devices' running configuration files and modified at least one to create a GRE tunnel, enabling the collection of traffic passing through the device. Configuration files are valuable on their own: they typically hold local credential hashes, SNMP community strings, routing peers and interface addressing, all of which help an intruder plan the next step.
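The two artifacts the bulletin describes (an unexpected privilege-15 local user created through the web UI, and a GRE tunnel interface that was not there before) are both visible in a plain text dump of the running configuration. The script below is an added example, not part of the bulletin or any Cisco tooling: it parses two constructed IOS XE configs (a pre-incident baseline and a current capture, both hypothetical), flags an exposed web UI, privilege-15 users missing from the baseline or an approved list, and GRE tunnels that are new or whose endpoints changed. The account name, addresses and hostnames are invented.

```python
"""Audit an IOS XE running-config against a known-good baseline for the
artifacts a Salt Typhoon-style intrusion leaves behind: an exposed web UI
(the CVE-2023-20198 attack surface), unexpected privilege-15 local users,
and GRE tunnel interfaces that were not in the baseline.

Both configs below are constructed for this example, not from a real device.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed baseline captured before the incident window (hypothetical).
BASELINE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
!
interface Tunnel10
 description mgmt backhaul to NOC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
end
"""

# Constructed current capture with the kind of changes the bulletin describes.
CURRENT_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder2
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
!
interface Tunnel10
 description mgmt backhaul to NOC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel99
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.77
 tunnel mode gre ip
!
end
"""


@dataclass
class Tunnel:
    name: str
    source: Optional[str] = None
    destination: Optional[str] = None
    # IOS XE defaults a Tunnel interface to GRE over IPv4 when no 'tunnel mode'
    # line is present, so a missing line must still be treated as GRE.
    mode: str = "gre ip"


def parse_tunnels(config: str) -> Dict[str, Tunnel]:
    """Collect Tunnel interface blocks; indented lines belong to the last
    top-level 'interface TunnelN' line, any other top-level line ends the block."""
    tunnels: Dict[str, Tunnel] = {}
    current: Optional[Tunnel] = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            m = re.match(r"interface (Tunnel\d+)$", raw.rstrip())
            current = Tunnel(m.group(1)) if m else None
            if current is not None:
                tunnels[current.name] = current
            continue
        if current is None:
            continue
        body = raw.strip()
        if body.startswith("tunnel source "):
            current.source = body.split(None, 2)[2]
        elif body.startswith("tunnel destination "):
            current.destination = body.split(None, 2)[2]
        elif body.startswith("tunnel mode "):
            current.mode = body[len("tunnel mode "):]
    return tunnels


def privilege15_users(config: str) -> Set[str]:
    """Local usernames configured with privilege 15 (full administrative access)."""
    return set(re.findall(r"^username (\S+) .*\bprivilege 15\b", config, re.M))


def web_ui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server behind the IOS XE web UI is on."""
    return bool(re.search(r"^ip http (secure-)?server$", config, re.M))


def audit(baseline: str, current: str, approved_users: Set[str]) -> List[str]:
    findings: List[str] = []
    if web_ui_enabled(current):
        findings.append("web UI enabled (ip http server / ip http secure-server): "
                        "CVE-2023-20198 attack surface; disable or restrict to management hosts")
    new_users = privilege15_users(current) - privilege15_users(baseline) - approved_users
    for user in sorted(new_users):
        findings.append(f"privilege-15 local user not in baseline or approved list: {user}")
    base_t, cur_t = parse_tunnels(baseline), parse_tunnels(current)
    for name, tun in sorted(cur_t.items()):
        if not tun.mode.startswith("gre"):
            continue  # e.g. 'tunnel mode ipsec ipv4' is out of scope here
        prior = base_t.get(name)
        if prior is None:
            findings.append(f"{name}: GRE tunnel absent from baseline, destination {tun.destination}")
        elif (prior.source, prior.destination) != (tun.source, tun.destination):
            findings.append(f"{name}: GRE tunnel endpoint changed "
                            f"{prior.destination} -> {tun.destination}")
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE_CONFIG, CURRENT_CONFIG, {"netadmin"}):
        print(finding)
```

Run against the constructed pair, the audit reports three findings: the enabled web UI, the new privilege-15 user svc_backup, and Tunnel99 pointing at an endpoint the baseline never had. The same functions work on real `show running-config` output saved to disk; the important operational detail is that the baseline must come from a trusted capture taken before the exposure window, otherwise an attacker's tunnel is simply inherited as "known good".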
This isn’t the first time Salt Typhoon has drawn attention. Back in October 2024, after a string of confirmed breaches at U.S. broadband providers, Canadian authorities noticed scanning activity aimed at domestic networks. While no Canadian systems were confirmed compromised at the time, the warning signs were clear. Still, not all critical service operators followed up with stronger protections.
Investigations suggest the group's operations stretch beyond telecom. Based on shared intelligence, Salt Typhoon has shown interest in multiple industries, and its intrusions are typically geared toward collection rather than disruption. In many cases the initial foothold is used to gather internal data, which can later support deeper movement into the network or attacks on the victim's suppliers and customers.
The Cyber Centre now warns that attacks like these are unlikely to stop anytime soon. It expects the targeting of Canadian infrastructure to continue into the foreseeable future and is urging organizations responsible for essential services to tighten network security.
Telecom providers are particularly exposed, as they store and manage sensitive information such as SMS content, subscriber location data, call records, and even government communications. The attackers typically go after internet-facing edge devices such as firewalls, routers, and VPN gateways. Indirect routes are also a risk, with cloud providers and IT service firms becoming entry points into the larger networks they serve.
To help mitigate future breaches, officials have released technical guidance focused on strengthening device-level defenses for critical operators.
Salt Typhoon’s campaigns have already hit telecom providers across the globe. Companies such as AT&T, Verizon, Lumen, Charter, Consolidated Communications, and Windstream have reported related incidents. Just last week, Viasat acknowledged a breach linked to the group but said no customer data was affected.