Salt Typhoon exploits router flaws to target telecoms
A China-linked cyber espionage group known as Salt Typhoon has been actively exploiting vulnerabilities in edge network devices to infiltrate telecom companies. Canadian and U.S. telecom providers are among the confirmed targets. This campaign highlights an ongoing trend where threat actors abuse router flaws as an entry point into high-value infrastructure.
From edge devices to espionage
According to a joint advisory from the FBI, CISA, and the Canadian Centre for Cyber Security, Salt Typhoon, also referred to as BRONZE STARLIGHT or APT41, has been using known vulnerabilities in Cisco routers to gain unauthorized access. Once inside, the group reportedly deploys custom malware and establishes persistent access. This allows them to harvest sensitive data and monitor internal communications.
Unlike financially motivated groups, Salt Typhoon operates with discretion. They avoid ransomware and focus instead on intelligence gathering. Their tactics indicate a clear objective: to maintain long-term, undetected access to critical networks.
Cisco routers under attack
One of the exploited vulnerabilities is CVE-2023-20082, a high-severity flaw affecting older Cisco routers running the IOS XE operating system. Although Cisco released a patch in 2023, many devices remain outdated or unpatched. This creates an opportunity for attackers to compromise these devices with little resistance.
Researchers have observed that Salt Typhoon uses these exposed routers as an initial foothold. From there, they move deeper into the internal network. Because edge devices often fall outside the coverage of endpoint detection tools, they represent an ideal target for sophisticated attackers.
Telecom providers are valuable targets
Telecommunications companies are a prime target for espionage groups. These firms hold access to large volumes of metadata, user communications, and network infrastructure. Such access can be exploited for surveillance and long-term strategic advantage.
The Canadian Centre for Cyber Security confirmed that at least one national telecom provider was successfully breached. The name of the company has not been disclosed. This incident reflects a growing pattern of state-aligned cyber operations targeting Western telecoms through increasingly advanced techniques.
Security recommendations
Authorities are urging organizations to take immediate steps to protect their networks. These include:
- Applying available security patches to all internet-facing devices
- Segmenting internal networks to reduce the impact of a potential breach
- Monitoring router and firewall activity through network logs
- Disabling unused services and auditing configurations regularly
Organizations should also ensure they maintain a complete and accurate inventory of their edge devices. Regular vulnerability scanning can help identify and address overlooked risks.
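One way to act on the log-monitoring recommendation above, as an added example that is not part of the original article or the advisory: the script flags successful logins and configuration changes on routers that come from outside the management network. The management subnet, hostnames and log lines are constructed assumptions; the message formats follow Cisco's `%SEC_LOGIN-5-LOGIN_SUCCESS` and `%SYS-5-CONFIG_I` syslog messages.

```python
import ipaddress
import re

# Assumption: management stations live in this range (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample syslog lines in Cisco IOS / IOS XE message format.
SAMPLE_LOGS = """\
Jun 23 10:15:01 edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15] [localport: 22] at 10:15:01 UTC Mon Jun 23 2025
Jun 23 10:16:40 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)
Jun 24 02:41:09 edge-rtr-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22] at 02:41:09 UTC Tue Jun 24 2025
Jun 24 02:43:55 edge-rtr-02 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)
Jun 24 03:00:00 edge-rtr-02 %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
"""

# Events that indicate administrative access; each captures user and source.
PATTERNS = {
    "login": re.compile(
        r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"),
    "config_change": re.compile(
        r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)"),
}

def is_managed_source(src):
    """True only if src parses as an IP inside a management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in MGMT_NETS)

def find_unexpected_admin_activity(log_text):
    """Return admin events whose source lies outside the management networks."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        host = parts[3] if len(parts) > 3 else "unknown"  # 4th syslog field
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m and not is_managed_source(m["src"]):
                findings.append({"host": host, "event": kind,
                                 "user": m["user"], "source": m["src"]})
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_admin_activity(SAMPLE_LOGS):
        print(finding)
```

Successful-login messages only appear when the device is configured with `login on-success log`, and the logs need to be forwarded to a collector the router itself cannot alter.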
The new face of cyber espionage
Salt Typhoon represents a shift in how cyber espionage is conducted. State-sponsored actors are becoming more patient, strategic, and technically refined. By focusing on devices that are often neglected in traditional cybersecurity strategies, they are finding new ways to bypass defenses.
This campaign serves as a reminder that critical infrastructure begins at the edge. Organizations must adopt a broader view of cybersecurity that includes all network components, not just traditional endpoints.
In recent years, state-backed cyber operations have become increasingly common and diverse in their objectives. From North Korea’s Lazarus Group stealing $1.4 billion from the crypto platform Bybit to the global surveillance abuses involving Pegasus spyware developed by the Israeli firm NSO Group, these campaigns illustrate the global reach and political complexity of modern cyber threats.

Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.