Denmark warns of increased state-sponsored campaigns targeting the European telcos

Pierluigi Paganini March 16, 2025

Denmark's cybersecurity agency warns of increased state-sponsored campaigns targeting European telecom companies

Denmark raised the cyber espionage threat level for its telecom sector from medium to high due to rising threats across Europe.

The Danish Social Security Agency published a new assessment of the cyber threat to the telecommunications sector, highlighting the risks for telecom companies in Europe.

“In this threat assessment, the Danish Agency for Social Security raises the threat level for cyber espionage against the Danish telecommunications sector to HIGH. This is because the extent of cyber espionage against the telecommunications sector in Europe has likely increased.” reads the threat assessment. “Danish telecommunications and internet providers must therefore also be aware of attempted cyber attacks by state hackers.”

The Danish telecom sector faces multiple cyber threats: espionage, destructive attacks (MEDIUM), cyber activism (HIGH), and criminal hackers (VERY HIGH), including ransomware.

Nation-state actors target telecom providers for cyber espionage to access user data, monitor communications, and potentially launch cyber or physical attacks.

The assessment warns that some nation-state hackers have demonstrated an extensive technical understanding of the telecommunications sector’s infrastructure and protocols in cyberattacks against the industry abroad.

“For example, cybersecurity firm CrowdStrike has described how state-sponsored hackers have compromised telecom providers and used telecom-specific malware and protocols, such as GTP, to control and communicate with the compromised systems. As a result, the use of Windows systems was kept to a minimum.” continues the assessment. “These examples highlight that some cyber actors possess advanced technical capabilities, which they can deploy if they deem it advantageous in a given situation.”

Denmark issued the first public European warning on a Chinese spying campaign, Salt Typhoon, though the Danish Social Security Agency didn’t explicitly name China. The U.S. previously reported European targets were compromised.

In February 2025, Cisco Talos researchers reported that China-linked APT group Salt Typhoon uses a custom-built utility, dubbed JumbledPath, to spy on network traffic of U.S. telecommunication providers. Salt Typhoon (also known as FamousSparrow and GhostEmperor) has been active since at least 2019 and has targeted government entities and telecom companies.

The China-linked APT group is still targeting telecommunications providers worldwide, and according to a report recently published by Recorded Future’s Insikt Group, the threat actors have breached more U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.

Insikt Group researchers reported that the Chinese hackers have exploited two Cisco flaws, tracked as CVE-2023-20198 and CVE-2023-20273.

Insikt researchers reported that ongoing attacks have breached multiple telecom networks, including ISPs in the U.S. and Italy, a U.K.-affiliated U.S. telecom, and providers in South Africa and Thailand.

The threat actor used generic routing encapsulation (GRE) tunnels on compromised Cisco devices to maintain persistence, evade detection, and stealthily exfiltrate data by encapsulating it within GRE packets.

Cisco Talos researchers added that Salt Typhoon breached major U.S. telecom firms for over three years, mainly using stolen credentials, with limited vulnerability exploitation.

In mid-December 2024, the researchers also spotted the Salt Typhoon group performing reconnaissance against multiple infrastructure assets operated by a Myanmar-based telecommunications provider, Mytel.

In January, The Wall Street Journal reported that the China-linked cyberespionage group Salt Typhoon targeted more US telecoms than previously known.

According to WSJ, which cited people familiar with the matter, the Chinese cyberspies also compromised Charter Communications and Windstream. The threat actors exploited vulnerabilities in network devices from major security vendors, including Cisco and Fortinet.

At the end of December 2024, a White House official confirmed that China-linked APT group Salt Typhoon has breached a ninth U.S. telecoms company as part of a cyberespionage campaign aimed at telco firms worldwide.

In early December 2024, President Biden’s deputy national security adviser Anne Neuberger said that China-linked APT group Salt Typhoon had breached telecommunications companies in dozens of countries.

The Wall Street Journal reported that the senior White House official revealed that at least eight U.S. telecommunications firms were compromised in the attack.

The Salt Typhoon hacking campaign, active for 1–2 years, has targeted telecommunications providers in several dozen countries, according to a U.S. official.

In December, Lumen announced that the Salt Typhoon APT group was locked out of its network, TechCrunch reported. The company added that it is not aware of a data breach.

In December, US carriers AT&T and Verizon also reported they had secured their networks after cyberespionage attempts by the China-linked Salt Typhoon group.

In March 2024, the security researcher HaxRob discovered a previously undetected Linux backdoor dubbed GTPDOOR, which is specifically crafted to carry out stealth cyber operations within mobile carrier networks. HaxRob attributes the GTPDOOR backdoor to the China-linked LightBasin threat group (aka UNC1945).

LightBasin targeted and compromised mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.

The cyberespionage group has been active since at least 2016 and, according to the CrowdStrike researchers, it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by the group since 2019.

In October 2021, CrowdStrike uncovered a campaign after the investigation of a series of security incidents in multiple countries. The cybersecurity firm added that the threat actors show an in-depth knowledge of telecommunication network architectures.

The CrowdStrike article described the threat actor using the GPRS Tunnelling Protocol (GTP) to encapsulate tinyshell traffic in a valid PDP context session. The APT group employed an SGSN emulator to tunnel traffic to an external GGSN in another operator’s network.

HaxRob reported that the GTPDOOR backdoor uses the GPRS Tunnelling Protocol (GTP) for C2 communications.

Here, GTPDOOR is leveraging not a PDP context (GTP-U, user plane) but specific GTP-C signalling messages with its own extended message structure.
