In a recent cybersecurity development, the Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have jointly issued an advisory concerning cyber attacks orchestrated by the China-linked group known as Salt Typhoon. These attacks have specifically targeted major global telecommunications providers as part of an extensive cyber espionage campaign.
The attackers exploited a critical vulnerability in Cisco’s IOS XE software, identified as CVE-2023-20198 with a CVSS score of 10.0, the highest severity rating. This exploitation occurred in mid-February 2025, affecting three network devices registered to a Canadian telecommunications company. The specific identity of the targeted company has not been disclosed.
By leveraging this vulnerability, Salt Typhoon was able to access configuration files from the compromised devices. In at least one instance, the attackers modified these files to establish a Generic Routing Encapsulation (GRE) tunnel. This technique allows for the encapsulation of a wide variety of network layer protocols, effectively enabling the attackers to collect and redirect network traffic from the compromised network.
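As an added example (not code from the advisory), a small Python check of the kind a defender can run over a saved IOS XE running-config: it parses each Tunnel interface stanza and flags GRE tunnels that are undocumented or point outside an allowlist. The config excerpt and the allowlist are constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed IOS XE running-config excerpt (not from the advisory). Tunnel0 is a
# documented link; Tunnel9 models an attacker-added tunnel: undocumented,
# unapproved destination, and no explicit mode line (GRE is the IOS default).
SAMPLE_CONFIG = """\
interface Tunnel0
 description Approved site-to-site link
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
interface Tunnel9
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.200
!
"""

APPROVED_DESTINATIONS = [ip_network("198.51.100.0/24")]  # assumed allowlist

def parse_tunnels(config):
    """Return {interface: {attr: value}} for every Tunnel stanza in config."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # any non-indented line ("!", next stanza) ends it
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            if key == "tunnel":  # "tunnel destination 192.0.2.200" -> {"destination": ...}
                sub, _, rest = value.partition(" ")
                current[sub] = rest
            elif key == "description":
                current["description"] = value
    return tunnels

def find_suspicious_gre_tunnels(config, approved=APPROVED_DESTINATIONS):
    """Flag GRE tunnels lacking a description or pointing outside the allowlist."""
    findings = []
    for name, attrs in parse_tunnels(config).items():
        if not attrs.get("mode", "gre ip").startswith("gre"):  # no mode line = GRE default
            continue
        dst = attrs.get("destination")
        dst_ok = dst is not None and any(ip_address(dst) in net for net in approved)
        if not dst_ok or "description" not in attrs:
            findings.append((name, dst))
    return findings
```

Run it against a configuration baseline exported before and after a change window; a newly appearing Tunnel interface that fails either check is worth an immediate look.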
The advisory suggests that the scope of Salt Typhoon’s targeting likely extends beyond the telecommunications sector. The compromise of Canadian devices may facilitate the collection of sensitive information from these networks, which could be used to breach additional devices and networks. In some cases, the threat actors’ activities were assessed to be limited to network reconnaissance, indicating a strategic approach to understanding and mapping the network infrastructure.
This incident aligns with previous reports highlighting Salt Typhoon’s exploitation of vulnerabilities in Cisco devices. Earlier findings from Recorded Future detailed the group’s use of CVE-2023-20198 and another vulnerability, CVE-2023-20273, to infiltrate telecommunications and internet firms in the U.S., South Africa, and Italy. The attackers utilized these footholds to set up GRE tunnels, facilitating long-term access and data exfiltration.
The persistent targeting of edge network devices underscores their attractiveness to state-sponsored threat actors like Salt Typhoon. These devices serve as critical gateways between internal networks and the internet, making them prime targets for establishing and maintaining persistent access to telecom service providers.
In a related development, the U.K. National Cyber Security Centre (NCSC) has identified two malware families, SHOE RACK and UMBRELLA STAND, targeting FortiGate 100D series firewalls manufactured by Fortinet. SHOE RACK functions as a post-exploitation tool, providing remote shell access and TCP tunneling capabilities through a compromised device. UMBRELLA STAND is designed to execute shell commands issued from an attacker-controlled server.
Notably, SHOE RACK is partially based on a publicly available tool named reverse_shell, which has also been repurposed by a China-nexus threat cluster called PurpleHaze to develop a Windows implant known as GoReShell. While the exact relationship between these activities remains unclear, the similarities suggest a potential connection.
The NCSC has also observed resemblances between UMBRELLA STAND and COATHANGER, a backdoor previously employed by Chinese state-backed hackers in an attack on a Dutch armed forces network. These findings highlight the evolving tactics and tools utilized by state-sponsored actors to compromise critical infrastructure.
The ongoing activities of groups like Salt Typhoon and the emergence of sophisticated malware targeting network devices emphasize the critical need for robust cybersecurity measures. Organizations, particularly those in the telecommunications sector, are urged to implement comprehensive security protocols, regularly update and patch systems, and conduct thorough network monitoring to detect and mitigate potential threats.
As cyber threats continue to evolve, collaboration between international cybersecurity agencies and the private sector remains essential in identifying, understanding, and countering these sophisticated attacks.