DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Salt Typhoon cyber espionage campaign targeting Canadian telecom networks

15 February 2025 · Canada
Satellite Imagery © Esri

What happened

In mid-February 2025, three network devices belonging to a Canadian telecommunications company were compromised by actors assessed to be the People's Republic of China state-sponsored group tracked in industry reporting as Salt Typhoon. According to a joint cyber threat bulletin issued by the Canadian Centre for Cyber Security and the United States Federal Bureau of Investigation, the actors exploited CVE-2023-20198, a critical vulnerability in Cisco IOS XE software that allows a remote attacker to create privileged accounts and gain administrative control. The flaw had been publicly disclosed in October 2023, but the affected devices remained unpatched.

The Cyber Centre stated that the actors retrieved the running configuration files from all three devices and modified at least one of them to configure a Generic Routing Encapsulation (GRE) tunnel, enabling them to collect traffic from the network. The bulletin did not name the affected company. Separate Cyber Centre investigations identified overlapping indicators associated with Salt Typhoon, suggesting the targeting extends beyond the telecommunications sector to other Canadian organizations.

The activity fits a wider campaign. As reported by BleepingComputer and The Hacker News, partner investigations in 2024 found that Salt Typhoon had compromised major global telecommunications providers, including United States carriers, and in some cases accessed customer call records and the private communications of individuals involved in government or political activity. The Cyber Centre assessed that PRC actors will almost certainly continue to target Canadian telecom providers and their clients over the following two years.

Assessment

This is a state-linked cyber espionage operation rather than disruptive sabotage. Attribution to PRC actors is the official assessment of Canada's Cyber Centre and the FBI, characterized as almost certain rather than judicially proven. The intrusion exploited a known, unpatched vulnerability, underscoring that long-disclosed flaws remain a primary access vector. The use of a GRE tunnel for traffic collection is consistent with intelligence-gathering objectives seen across Salt Typhoon's broader campaign against Western telecom infrastructure, which collected call records and targeted communications of political and government figures.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.