Security researchers have found that Salt Typhoon, a Chinese government-linked hacking group, continues to infiltrate global telecommunications companies despite recent US-imposed sanctions. Threat intelligence firm Recorded Future has observed Salt Typhoon, also known as RedMike, compromising at least five telecom firms between December 2024 and January 2025. The group has remained highly active even after being exposed for breaching major US telecom providers, including AT&T and Verizon, last year.
Salt Typhoon initially made headlines in September 2024 when reports surfaced that the group had gained access to private communications of senior US government officials and political figures. The hackers also breached systems used by law enforcement agencies for court-authorized data collection, raising concerns that sensitive intelligence, such as the identities of Chinese individuals under US surveillance, may have been accessed.
While Recorded Future declined to disclose the names of the latest victims, the firm revealed that Salt Typhoon’s recent attacks include a US-based affiliate of a major UK telecom provider, a US internet service provider, and telecom companies in Italy, South Africa, and Thailand. Additionally, Salt Typhoon conducted reconnaissance activities on Mytel, a Myanmar-based telecom company, likely assessing its infrastructure for vulnerabilities.
To execute these cyber intrusions, Salt Typhoon exploited two known Cisco vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to infiltrate unpatched Cisco IOS XE devices. According to Recorded Future, the group has attempted to compromise over 1,000 Cisco devices globally, primarily targeting infrastructure tied to telecom networks.
Beyond telecom firms, Salt Typhoon has also set its sights on universities, including the University of California and Utah Tech. Researchers suggest that these academic institutions may have been targeted due to their work in fields related to telecommunications, engineering, and emerging technologies.
In response to Salt Typhoon’s escalating cyber activities, the US government imposed sanctions on entities linked to the group. In January 2025, the US Treasury Department, which itself was recently targeted by Chinese government hackers, sanctioned Sichuan Juxinhe Network Technology, a cybersecurity firm based in China believed to have direct ties to Salt Typhoon.
Despite these sanctions, security experts believe that Salt Typhoon will continue to target telecom networks, particularly in the US and allied countries. As global tensions in cybersecurity and espionage grow, telecom companies and infrastructure providers remain at the center of this ongoing battle between nation-state hackers and defensive cybersecurity efforts.
Salt Typhoon’s persistence highlights the increasing sophistication of state-sponsored cyber threats and the urgent need for proactive security measures to safeguard global communications networks from continued attacks.