China’s Salt Typhoon Still Hacking US Telecoms Despite Sanctions: Report

By: Eva Fu

The Chinese hacking group Salt Typhoon is still infiltrating U.S. telecom networks, despite being sanctioned by U.S. authorities.

The group, whose hacking activities have affected the highest levels of the U.S. government, attempted to exploit more than 1,000 network devices of tech giant Cisco, according to a Feb. 13 report from cybersecurity firm Recorded Future.

Between December 2024 and January, Salt Typhoon breached five telecom networks, including two in the United States, and targeted more than a dozen universities that could provide Beijing with valuable research and intellectual property, the researchers said.

These victims include a U.S.-based affiliate of a UK telecom provider and a U.S. internet service provider, as well as victims in South Africa, Italy, and Thailand. Recorded Future’s Insikt Group observed that seven Cisco devices associated with these firms were communicating with the hackers.

The Chinese state actors, which the researchers identified by the moniker “RedMike,” exploited two code vulnerabilities in Cisco network devices’ website interface. The first gave them initial access, and the latter provided “root privileges,” granting the hackers full control of the victim’s network. The hackers then reconfigured the device to retain persistent access.

Recorded Future found more than 12,000 insecure Cisco network devices. The cyber actors appeared to target about 1,000 of them, which were linked to telecommunications providers, the researchers said.

Among them were 13 universities, including U.S. institutions such as Loyola Marymount University, Utah Tech University, and the University of California–Los Angeles, according to the report.

Salt Typhoon is one of several Chinese state-linked hacking groups that have drawn U.S. concerns.

The group was responsible for breaching and stealing documents from the Treasury Department’s Office of Foreign Assets Control, which enforces U.S. economic and trade sanctions. It also previously compromised at least nine major U.S. telecom networks, including Verizon, AT&T, and CenturyLink. The operation had aimed at the phone communications of senior political figures, targeting President Donald Trump and Vice President JD Vance, as well as then-Vice President Kamala Harris’s campaign ahead of the 2024 presidential election.

The malicious activities rattled the U.S. Intelligence Community, triggering a warning from the Cybersecurity and Infrastructure Security Agency to individuals in senior government officials to ditch regular communication methods and encrypt their communications.

U.S. agencies, in the weeks after discovering the Salt Typhoon intrusion, announced countermeasures to safeguard U.S. data.

In December 2024, the Department of Justice labeled China as a country of concern for its penchant to exploit sensitive U.S. personal and government-related data en masse and blocked entities deemed to be threat actors from transacting certain data that it identifies as important to national security.

Three weeks later, authorities sanctioned a Chinese cyber actor and a Chinese cybersecurity firm for aiding the Salt Typhoon attacks.

Reached over the latest report on Salt Typhoon activities, Cisco stated that it’s aware of the vulnerabilities raised in the report.

“To date, we have not been able to validate these claims but continue to review available data,” a company spokesperson told The Epoch Times.

The company noted that it had issued a security advisory in 2023 on the vulnerabilities to customers, telling them to “urgently apply the available software fix.”

“We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols,” the spokesperson said.

          (TheEpochTimes.com)