China’s Salt Typhoon Hackers Defy US Sanctions in New Attacks – Ankor Tech

Salt Typhoon Continues Global Telecom Breach Campaign

Despite rigorous U.S. government sanctions, the Chinese state-linked hacking collective known as Salt Typhoon remains active and continues to compromise telecommunications infrastructure worldwide. New intelligence reveals that the group—tracked by security analysts as “RedMike”—successfully infiltrated five major telecommunications providers between December 2024 and January 2025.

Global Scope of the Cyber Infiltration

The latest campaign marks a persistent threat to international data security. According to threat intelligence firm Recorded Future, the group’s recent targets include a U.S.-based affiliate of a major U.K. telecom provider, a U.S. internet service provider, and additional telecommunications firms operating in Italy, South Africa, and Thailand.

Furthermore, the hackers conducted extensive reconnaissance on infrastructure assets managed by Mytel, a telecommunications provider based in Myanmar. This follows the group’s high-profile infiltration last September, in which they breached U.S. giants such as AT&T and Verizon to intercept private communications of senior government officials and political figures.

Exploiting Critical Vulnerabilities

Salt Typhoon’s methodology relies on exploiting unpatched network devices. The group has focused its efforts on Cisco devices running IOS XE software, specifically targeting two known vulnerabilities: CVE-2023-20198 and CVE-2023-20273. Recorded Future reports that the hackers have attempted to compromise over 1,000 Cisco devices globally, prioritizing networks integral to telecommunications.

Broader Targets: From Telecom to Academia

The scope of the operation extends beyond traditional telecom operators. Researchers identified that Salt Typhoon has also targeted academic institutions, specifically the University of California and Utah Tech. Analysts suggest these breaches were likely aimed at harvesting sensitive research in engineering, telecommunications, and advanced technology sectors.

Sanctions Fail to Deter Operations

In January, the U.S. Treasury Department imposed sanctions on Sichuan Juxinhe Network Technology, a China-based cybersecurity firm identified as a direct proxy for Salt Typhoon. Despite these punitive measures and the Treasury’s own recent experience as a target of Chinese state-sponsored cyberattacks, intelligence experts warn that the threat remains undiminished.

Recorded Future maintains that Salt Typhoon shows no signs of slowing its operations and expects the group to continue aggressively targeting telecommunications providers both within the United States and internationally.