
State-sponsored hackers linked to the People’s Republic of China (PRC) have successfully compromised systems within a Canadian telecom company, expanding a global cyber espionage campaign that has already targeted critical infrastructure across the United States.
The Canadian Centre for Cyber Security (Cyber Centre) and the U.S. Federal Bureau of Investigation (FBI) issued a joint warning following fresh intrusions attributed to the threat actor “Salt Typhoon,” a name used in industry reporting to describe PRC-backed espionage groups known for targeting telecoms. The advisory confirms that three network devices belonging to a Canadian telecom provider were breached in February 2025, marking the latest chapter in a years-long, state-directed effort to surveil sensitive communications.
According to the Cyber Centre, the attackers exploited CVE-2023-20198, a critical (CVSS 10.0) privilege-escalation vulnerability in the web UI of Cisco IOS XE devices, to retrieve running configuration files from the compromised routers. At least one of these files was altered to enable a GRE (Generic Routing Encapsulation) tunnel. GRE is an ordinary encapsulation feature on these devices, but an attacker-added tunnel gives a covert path for copying network traffic out to an endpoint under their control. This tactic suggests a calculated attempt to gather communications data from inside the provider's infrastructure while remaining undetected.
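The two things that paragraph describes, an exposed IOS XE web UI and a tunnel interface an attacker added to the running config, can both be checked offline from a saved copy of `show running-config`. The script below is an added example written for this page, not code from the Cyber Centre, the FBI or Cisco. The sample config, the hostname, the `TunnelN` names and all addresses are constructed for illustration, and the allowlist of known tunnel peers is an assumption about what an operator would maintain per site.

```python
"""Audit a saved Cisco IOS XE running-config for the conditions in the bulletin:
an enabled web UI (the exposure path for CVE-2023-20198) and GRE tunnels whose
destination is not a peer the operator knows about."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample running-config (not from any real device or the advisory).
# Tunnel0 is a legitimate site tunnel; Tunnel99 is the kind of addition to look for.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface Tunnel0
 description backup to DC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.10
!
interface Tunnel99
 ip address 10.199.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre ip
 tunnel destination 203.0.113.77
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
end
"""

# Assumption: the operator keeps a per-site list of legitimate tunnel endpoints.
KNOWN_TUNNEL_PEERS: Set[str] = {"192.0.2.10"}


@dataclass
class Tunnel:
    name: str
    mode: str
    destination: Optional[str]
    source: Optional[str]


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split IOS-style config into (top-level command, [indented sub-commands])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and comment separators
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def find_tunnels(config: str) -> List[Tunnel]:
    """Collect every Tunnel interface with its mode, source and destination."""
    tunnels = []
    for head, body in parse_blocks(config):
        m = re.match(r"interface (Tunnel\d+)$", head)
        if not m:
            continue
        mode = "gre ip"  # IOS default when no 'tunnel mode' line is present
        dest = src = None
        for line in body:
            if line.startswith("tunnel mode "):
                mode = line[len("tunnel mode "):]
            elif line.startswith("tunnel destination "):
                dest = line.split()[-1]
            elif line.startswith("tunnel source "):
                src = line.split()[-1]
        tunnels.append(Tunnel(m.group(1), mode, dest, src))
    return tunnels


def audit(config: str, known_peers: Set[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    for head, _ in parse_blocks(config):
        if head in ("ip http server", "ip http secure-server"):
            findings.append(
                f"web UI enabled ({head}): exposure path for CVE-2023-20198; "
                "disable it or restrict it to the management network"
            )
    for t in find_tunnels(config):
        if t.mode.startswith("gre") and t.destination not in known_peers:
            findings.append(
                f"{t.name}: GRE tunnel to unlisted peer {t.destination} "
                f"(source {t.source}); possible traffic exfiltration path"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print(finding)
```

Run it against configs pulled from devices over a trusted management path, not against copies served by the device's own web UI. A tunnel that is absent from the config but present in `show interfaces` output is a separate check this script does not make; compare both sources when investigating.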
Salt Typhoon's presence has been observed in both Canada and the U.S., where previous investigations revealed PRC-affiliated actors stealing call metadata and private communications, particularly those involving political and governmental targets. The latest advisory warns that the targeting is broader than initially believed, affecting not only telecom providers but also client organizations and potentially other sectors. Evidence collected from multiple incidents indicates that the hackers are performing network reconnaissance and data exfiltration activities, possibly using compromised systems as launch points for further intrusions.
Telecommunications service providers (TSPs) are especially attractive targets for state-backed actors because of their central role in carrying and storing communications data, including location, device, and identity metadata. These networks also run billing and call-routing systems, which are rich sources of intelligence when compromised. The campaign's scope includes exploiting vulnerabilities in edge infrastructure (routers, firewalls, and VPN gateways) that sits on the perimeter of organizational networks.
The Canadian bulletin reinforces earlier alerts from the U.S. government detailing similar intrusions into American wireless carriers, where hackers were found siphoning call detail records and intercepting private messages of high-value individuals. While attribution of such operations can be difficult, the evidence consistently points to PRC-affiliated groups conducting long-term espionage for strategic intelligence gains.
The Cyber Centre warns that such threats will “almost certainly” persist through at least the next two years, urging telecoms and their customers to bolster their defenses. Organizations are encouraged to harden network infrastructure, apply patches to edge devices promptly, and implement enhanced monitoring and detection controls.