The Chinese hacking group Salt Typhoon is still infiltrating U.S. telecom networks, despite being sanctioned by U.S. authorities.
Between December 2024 and January, Salt Typhoon breached five telecom networks, including two in the United States, and targeted more than a dozen universities that could provide Beijing with valuable research and intellectual property, the researchers said.
These victims include a U.S.-based affiliate of a UK telecom provider and a U.S. internet service provider, as well as victims in South Africa, Italy, and Thailand. Recorded Future’s Insikt Group observed that seven Cisco devices associated with these firms were communicating with the hackers.
The Chinese state actors, which the researchers identified by the moniker “RedMike,” exploited two code vulnerabilities in Cisco network devices’ website interface. The first gave them initial access, and the latter provided “root privileges,” granting the hackers full control of the victim’s network. The hackers then reconfigured the device to retain persistent access.
Recorded Future found more than 12,000 insecure Cisco network devices. The cyber actors appeared to target about 1,000 of them, which were linked to telecommunications providers, the researchers said.
Among them were 13 universities, including U.S. institutions such as Loyola Marymount University, Utah Tech University, and the University of California–Los Angeles, according to the report.
U.S. agencies, in the weeks after discovering the Salt Typhoon intrusion, announced countermeasures to safeguard U.S. data.
Reached over the latest report on Salt Typhoon activities, Cisco stated that it’s aware of the vulnerabilities raised in the report.
“To date, we have not been able to validate these claims but continue to review available data,” a company spokesperson told The Epoch Times.
“We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols,” the spokesperson said.
