Chinese State-Sponsored Hackers Target Canadian Telecommunications Firms

In a recent development, the Canadian Centre for Cyber Security, in collaboration with the Federal Bureau of Investigation (FBI), has issued a warning regarding cyberattacks orchestrated by Chinese state-sponsored hackers, known as Salt Typhoon, targeting Canadian telecommunications companies. This group has previously been implicated in extensive cyberespionage campaigns against major telecommunications firms in the United States and other countries.

Background on Salt Typhoon

Salt Typhoon, also referred to as RedMike by some cybersecurity firms, is an advanced persistent threat (APT) group believed to be operated by China’s Ministry of State Security (MSS). Since its emergence in 2020, the group has been involved in high-profile cyber espionage activities, primarily focusing on counterintelligence targets and the theft of critical corporate intellectual property. Its operations have spanned numerous countries and various sectors, including the telecommunications, technology, consulting, chemical, and transportation industries.

Recent Attacks in Canada

The Canadian Centre for Cyber Security has reported that in mid-February 2025, three network devices belonging to a Canadian telecommunications company were compromised by actors likely associated with Salt Typhoon. The attackers exploited a known vulnerability, CVE-2023-20198, in Cisco devices to retrieve configuration files and establish a Generic Routing Encapsulation (GRE) tunnel. This technique enables the collection of network traffic, potentially allowing the hackers to monitor and intercept communications.

The agency also noted that separate investigations have uncovered evidence of Salt Typhoon targeting entities outside the telecommunications sector within Canada. These activities may facilitate the collection of sensitive information from internal networks or serve as a foothold for compromising additional victims. In some instances, the threat actors’ activities were likely limited to network reconnaissance, gathering information about the network’s structure and vulnerabilities.

Global Implications and Previous Incidents

Salt Typhoon’s cyber activities are not confined to Canada. In late 2024, U.S. officials revealed that the group had infiltrated the computer systems of nine U.S. telecommunications companies, including major providers such as AT&T and Verizon. The hackers targeted core network components, including routers manufactured by Cisco, which are integral to internet infrastructure. By exploiting weaknesses in these devices, Salt Typhoon gained access to metadata of users’ calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers. In some cases, they were able to obtain audio recordings of telephone calls made by high-profile individuals.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have urged telecommunications companies to bolster their network security to prevent such intrusions. Recommendations include implementing encryption, centralizing network monitoring, and consistently updating systems to deter cyber intrusions. These measures aim to disrupt operations like those conducted by Salt Typhoon and make it more challenging for nation-state actors to execute similar attacks in the future.

Technical Details and Methodology

Salt Typhoon employs sophisticated techniques to infiltrate and maintain access to targeted networks. One of their primary methods involves exploiting vulnerabilities in unpatched network devices. For instance, they have been known to exploit CVE-2023-20198, a privilege escalation vulnerability in the web user interface of Cisco IOS XE software, to gain unauthorized access. Once inside, they may deploy advanced malware, such as the Demodex rootkit, to maintain persistence and evade detection.
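The two intrusion traces described above (the exposed Cisco IOS XE web UI and the GRE tunnel set up after configuration retrieval) can be checked for from the defender's side by auditing a device's running-config. The script below is an added example, not code from the advisory or the article: it parses a constructed IOS XE running-config (hostnames, interface names and addresses are all made up), reports whether the HTTP(S) server that hosts the web UI is enabled, and lists every GRE tunnel interface and its destination so they can be compared against an operator-maintained allow-list.

```python
import re

# Constructed IOS XE running-config excerpt for the demo (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel100
 description site-to-site backup
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
interface Tunnel999
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel destination 203.0.113.45
end
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' name to the stripped lines of its indented stanza."""
    stanzas = re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)
    return {name: [l.strip() for l in body.splitlines()] for name, body in stanzas}

def gre_tunnels(config: str) -> dict[str, str]:
    """Map each GRE tunnel interface to its destination. GRE over IP is the IOS XE
    default mode and is not shown in running-config, so no 'tunnel mode' means GRE."""
    found = {}
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((l for l in lines if l.startswith("tunnel mode ")), "tunnel mode gre ip")
        if "gre" in mode:
            dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), "unknown")
            found[name] = dest
    return found

def web_ui_enabled(config: str) -> bool:
    """True if the HTTP or HTTPS server, and with it the web UI, is enabled."""
    return re.search(r"^ip http (?:secure-)?server$", config, re.M) is not None

def audit(config: str, expected_tunnels: dict[str, str]) -> list[str]:
    """Flag web UI exposure and any GRE tunnel whose name/destination is not allow-listed."""
    findings = ["web UI enabled (ip http server / ip http secure-server)"] if web_ui_enabled(config) else []
    for name, dest in gre_tunnels(config).items():
        if expected_tunnels.get(name) != dest:
            findings.append(f"unexpected GRE tunnel {name} -> {dest}")
    return findings
```

Run `audit(SAMPLE_CONFIG, {"Tunnel100": "198.51.100.7"})` to see the two findings the sample produces; on real devices the allow-list comes from change records, and a tunnel missing from it warrants investigation rather than automatic removal.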

The group’s operations are characterized by a high level of organization and a clear division of labor. They utilize a modular approach, allowing them to deploy or update different components of their malware independently based on their objectives. This adaptability complicates detection and analysis, making it challenging for cybersecurity professionals to fully understand and mitigate the threat.

Response and Mitigation Efforts

In response to the escalating threat posed by Salt Typhoon, various governmental and cybersecurity agencies have taken proactive measures. The U.S. Federal Communications Commission (FCC) proposed new rules requiring carriers to secure their networks against unauthorized access or interception of communications. These regulations aim to establish a modern framework to help companies secure their networks and better prevent and respond to cyberattacks.

Additionally, the FBI has offered a $10 million bounty for information leading to individuals associated with Salt Typhoon. This initiative underscores the severity of the threat and the commitment to holding those responsible accountable.

Conclusion

The recent targeting of Canadian telecommunications firms by Salt Typhoon highlights the persistent and evolving nature of cyber threats posed by state-sponsored actors. Organizations, especially those in critical infrastructure sectors, must remain vigilant and implement robust cybersecurity measures to protect against such sophisticated attacks. Collaboration between international agencies and the private sector is essential to effectively combat and mitigate the risks associated with cyber espionage activities.