Chinese state-sponsored hackers, known as the Salt Typhoon group, have successfully infiltrated Canadian telecommunications networks, raising serious concerns about cybersecurity in the nation. Since mid-February 2025, the group has targeted telecommunications companies, exploiting significant vulnerabilities in Cisco IOS XE devices, particularly CVE-2023-20198 and CVE-2023-20273. This infiltration has granted the attackers unauthorized access to internal configurations, facilitating espionage operations aimed at high-value targets, including government personnel and political figures.
The joint advisory from the Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation highlights the gravity of the situation. It indicates that these attacks are expected to continue over the next two years, suggesting a persistent threat rather than isolated incidents, and emphasizes the need for enhanced cybersecurity measures. Salt Typhoon’s modus operandi focuses on the strategic gathering of sensitive information, including call records and private communications, using sophisticated techniques to maintain stealth and operational longevity within compromised networks. The group is also mapping out network architectures to identify future vulnerabilities it can exploit.
Notably, at least three network devices in a Canadian telecom company have been confirmed compromised, allowing for covert monitoring of internal traffic. The attackers have employed tactics such as altering configurations to set up Generic Routing Encapsulation (GRE) tunnels, which facilitate covert data collection. The lack of significant service disruption indicates the group’s intent is primarily espionage rather than causing chaos or dysfunction within telecom services.
The attribution of these activities to a state-backed entity aligns with broader geopolitical objectives of Chinese intelligence, reflecting a systematic approach toward technology and information acquisition in foreign nations.
Salt Typhoon’s operations have proliferated globally, affecting telecom firms in multiple countries. Experts assert that the sophistication and persistence of the attacks denote organized, state-sponsored aggression rather than independent cybercriminal activities. As this situation develops, the implications for Canadian and international cybersecurity remain profound and concerning.