Chinese state-sponsored hacking group Salt Typhoon has launched a new wave of cyberattacks targeting U.S. telecommunications providers by exploiting vulnerabilities in unpatched Cisco IOS XE network devices. These breaches, affecting major firms such as AT&T, Verizon, and T-Mobile, have raised serious national security concerns as hackers gain unauthorized access to sensitive data, including call logs and text messages.
Massive Cyber Breach Targets Critical Infrastructure
According to cybersecurity researchers from Recorded Future’s Insikt Group, Salt Typhoon (also tracked as RedMike) has been actively targeting telecom networks worldwide. Between December 2024 and January 2025, the group targeted over 1,000 Cisco network devices, with more than half located in the U.S., South America, and India. The hackers exploited two critical vulnerabilities—CVE-2023-20198 (privilege escalation) and CVE-2023-20273 (Web UI command injection)—allowing them to bypass security controls and establish persistent access to compromised networks.
By leveraging these vulnerabilities, Salt Typhoon has reconfigured Cisco devices to communicate with its own command-and-control servers using encrypted tunnels. This method enables long-term infiltration and the potential to intercept sensitive communications without detection. Researchers have identified at least 12,000 exposed Cisco devices globally, making this a widespread and ongoing threat.
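For defenders reviewing their own devices, the audit below checks a saved IOS XE running-config for the three conditions this section describes: an enabled Web UI with no access restriction, privilege-15 local accounts that are not on an allowlist, and tunnel interfaces pointing at unapproved destinations. It is an added example, not code from the article, Recorded Future, or Cisco; the function name, the allowlists, and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample running-config (not from a real device); usernames are
# invented and addresses come from RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 $9$constructed
username unlisted_user privilege 15 secret 9 $9$constructed
ip http server
ip http secure-server
interface Tunnel0
 tunnel destination 192.0.2.10
interface Tunnel7
 tunnel destination 203.0.113.77
"""

def audit_config(config, known_admins, approved_tunnel_nets):
    """Return sorted (category, detail) findings for one running-config."""
    findings = set()
    nets = [ipaddress.ip_network(n) for n in approved_tunnel_nets]
    lines = [ln.rstrip() for ln in config.splitlines()]
    # Both CVEs are reached through the Web UI; flag it unless an ACL limits it.
    web_ui = [ln for ln in lines if re.fullmatch(r"ip http (secure-)?server", ln)]
    restricted = any(ln.startswith("ip http access-class") for ln in lines)
    if web_ui and not restricted:
        findings.add(("web-ui-exposed", ", ".join(web_ui)))
    current_if = None
    for ln in lines:
        m = re.match(r"username (\S+) privilege 15\b", ln)
        if m and m.group(1) not in known_admins:
            findings.add(("unknown-priv15-user", m.group(1)))
        if ln and not ln.startswith(" "):  # top-level line: track interface scope
            m = re.match(r"interface (\S+)", ln)
            current_if = m.group(1) if m else None
            continue
        m = re.match(r"\s+tunnel destination (\S+)", ln)
        if m and current_if:
            dest = m.group(1)
            try:
                ok = any(ipaddress.ip_address(dest) in n for n in nets)
            except ValueError:
                ok = False  # hostname destination: needs manual review
            if not ok:
                findings.add(("unapproved-tunnel", f"{current_if} -> {dest}"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG, {"netadmin"}, ["192.0.2.0/24"]))
```

A clean result only means the saved configuration matches the allowlists; it does not show whether the device is patched.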
Government and Security Experts Sound the Alarm
These breaches are part of a broader cyber-espionage campaign confirmed by the FBI and CISA in October 2024. The attacks have compromised the private communications of a limited number of U.S. government officials and reportedly granted access to the U.S. law enforcement wiretapping platform. In addition to U.S. telecom providers, Salt Typhoon has also infiltrated a U.S.-based affiliate of a U.K. telecom company, a South African telecom firm, an Italian ISP, and a major telecommunications provider in Thailand.
Salt Typhoon, also known as FamousSparrow and Ghost Emperor, has been conducting cyber-espionage campaigns against telecommunications companies and government entities since at least 2019. The group’s tactics have evolved, shifting focus from individual networks to broader infrastructure vulnerabilities that impact thousands of devices at once.
Urgent Call for Cybersecurity Measures
Security experts are urging telecom providers to apply the latest security patches immediately to prevent further breaches. Cisco has issued multiple advisories warning companies to update their software and close known vulnerabilities. However, a significant number of devices remain unpatched, leaving them open to exploitation.
“The scale and persistence of these attacks highlight the urgent need for improved cybersecurity defenses in the telecommunications sector,” said a Cisco spokesperson. “Organizations must prioritize patching known vulnerabilities and follow best practices for securing network management interfaces.”
The ongoing cyberattacks by Salt Typhoon reinforce concerns about the growing threat posed by state-sponsored hacking groups. With telecommunications infrastructure increasingly under siege, experts warn that failure to act swiftly could result in more widespread disruptions and deeper security breaches.