In June 2025, cybersecurity agencies from Canada and the United States issued a joint warning about a Chinese state-sponsored hacking group known as Salt Typhoon. The group exploited a known vulnerability in Cisco network software, which had been publicly disclosed and patched back in 2023. Despite the patch being available, the attackers used the flaw in early 2025 to breach the network of a Canadian telecommunications provider.

The attackers managed to compromise three Cisco devices. On one of them, they set up a GRE tunnel—a type of network pathway that allowed them to intercept and monitor internet traffic. Although the breach didn’t appear to involve destructive activity, it gave the group a powerful foothold for espionage.

Salt Typhoon, active since at least 2020, has a history of targeting telecom and satellite companies, especially in the United States. Past campaigns have included attempts to collect metadata from calls and text messages, potentially monitoring communications of high-profile individuals. Their operations are typically quiet, precise, and long-term, aiming to gather intelligence rather than disrupt systems.

The agencies emphasized that Salt Typhoon may continue targeting infrastructure in Canada and other countries over the next few years. Their method often involves exploiting network edge devices—those that connect directly to the internet—to quietly move deeper into networks and conduct surveillance.

Security experts stressed the importance of promptly applying software updates, especially for internet-facing equipment. Even widely known vulnerabilities can remain dangerous if organizations delay patching. The report also encouraged network defenders to look for unusual traffic patterns, unexpected tunnels, or changes to device configurations as signs of compromise.

‍

Source: https://thehackernews.com/2025/06/china-linked-salt-typhoon-exploits.html