China's Salt Typhoon Hackers Still Active | US Sanctions Ineffective

February 13, 2025
Salt Typhoon Continues Attacks on Telecoms Despite Sanctions

Recent reports indicate that the Chinese government-affiliated hacking group, known as Salt Typhoon, persists in compromising telecommunications companies. This activity continues even after the imposition of sanctions by the U.S. government against the group.

Recent Breaches Observed

Threat intelligence firm Recorded Future, which monitors the group under the alias “RedMike,” has documented breaches at five telecommunications firms between December 2024 and January 2025. This information was shared with TechCrunch.

Previous High-Profile Infiltration

Salt Typhoon gained notoriety last September following revelations of successful infiltrations into major U.S. phone and internet service providers. AT&T and Verizon were among the companies targeted.

The group’s objective was to access private communications belonging to high-ranking U.S. government officials and prominent political figures.

Compromised Law Enforcement Systems

Furthermore, Salt Typhoon compromised systems utilized by law enforcement for legally authorized data collection. This potentially exposed sensitive information, including the identities of individuals of Chinese origin under U.S. surveillance.

Latest Victims and Reconnaissance Activities

While Recorded Future has not publicly identified the latest victims, they include a U.S. subsidiary of a leading U.K. telecommunications company. Other affected entities are a U.S. internet service provider, and telecommunications firms located in Italy, South Africa, and Thailand.

The hackers also conducted reconnaissance on infrastructure assets belonging to Mytel, a telecommunications provider based in Myanmar. This involved the covert gathering of information about the system.

Exploited Vulnerabilities

Salt Typhoon leveraged two specific vulnerabilities – CVE-2023-0198 and CVE-2023-20273 – to compromise Cisco devices. These devices were running the Cisco IOS XE software and lacked necessary security patches.

Recorded Future reports that the group has attempted to compromise over 1,000 Cisco devices globally. Their efforts have been particularly focused on devices connected to telecommunications networks.

Targeting of Academic Institutions

The group has also targeted devices associated with universities, including the University of California and Utah Tech. Researchers believe this targeting may be aimed at obtaining research related to telecommunications, engineering, and technology.

U.S. Government Response

The U.S. government has responded with sanctions against companies linked to Salt Typhoon. In January, the U.S. Treasury Department, itself a recent target of Chinese hackers, sanctioned Sichuan Juxinhe Network Technology. This China-based cybersecurity firm is believed to be directly connected to the hacking group.

Continued Threat Expected

Despite these sanctions, Recorded Future’s researchers anticipate that Salt Typhoon will continue its targeting of telecommunications providers both within the U.S. and internationally.

The group’s persistence highlights the ongoing challenge of countering state-sponsored cyberattacks.