Pierluigi Paganini June 24, 2025

Canada and FBI warn of China-linked APT Salt Typhoon targeting Canadian telecom firms in ongoing cyber espionage operations.

The Canadian Centre for Cyber Security and the FBI warn that China-linked APT cyber espionage group Salt Typhoon, is targeting Canadian telecom firms in espionage attacks.

The Salt Typhoon hacking campaign, active for 1–2 years, has targeted telecommunications providers in several dozen countries, according to a U.S. official.

In February 2025, Recorded Future’s Insikt Group reported that China-linked APT group Salt Typhoon was still targeting telecommunications providers worldwide, and the threat actors had breached more U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.

Insikt Group researchers reported that the Chinese hacked have exploited two Cisco flaws, tracked as CVE-2023-20198 and CVE-2023-20273.

Canada’s Cyber Centre reports that PRC-linked group Salt Typhoon likely hacked three telecom devices in February 2025, exploiting CVE-2023-20198 to steal configs and set up a GRE tunnel for data collection.

“The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.” reads the guidance published by the Canadian Centre for Cyber Security. “Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025. The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE tunnel, enabling traffic collection from the network.”

The Cyber Centre found that the China-nexus group is targeting more than telecoms, conducting network reconnaissance and possibly using compromised devices to reach more victims. This espionage activity is expected to continue over the next two years, with a focus on telecoms and their clients.

The government experts believe the nation-state actor is also targeting organizations that are in other sectors.

State-sponsored hackers, especially from China, are heavily targeting telecom providers for espionage. These networks hold valuable data like call logs, locations, and private communications. In 2024,

In early December 2024, President Biden’s deputy national security adviser Anne Neuberger said that China-linked APT group Salt Typhoon had breached telecommunications companies in dozens of countries.

The Wall Street Journal reported that the senior White House official revealed that at least eight U.S. telecommunications firms were compromised in the attack. The deputy national security adviser said China accessed extensive metadata from targeted Americans while seeking specific communications, focusing regionally on government and political figures.

China-linked APT Salt Typhoon has also reportedly targeted satellite firm Viasat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, China)