The CISO Brief
Salt Typhoon Targets Canada: Cisco Vulnerability Under Attack

By Staff Writer | June 24, 2025

Essential Insights

  1. Cyber Espionage Warning: Canadian and U.S. security agencies have warned of cyber attacks by the China-linked Salt Typhoon actors against major telecommunications providers, which exploit a critical vulnerability (CVE-2023-20198, CVSS 10.0) in Cisco software.

  2. Data Theft Techniques: The attackers accessed and modified configuration files of a Canadian telecom network, establishing a Generic Routing Encapsulation (GRE) tunnel to collect network traffic, indicating plans for broader data exfiltration.

  3. Broader Threat Assessment: The targeting may extend beyond telecoms, allowing threat actors to leverage compromised networks for reconnaissance and potential access to further devices, emphasizing ongoing vulnerabilities in edge network devices.

  4. Emerging Malware Threats: Concurrently, the U.K. NCSC identified two new malware families (SHOE RACK and UMBRELLA STAND) targeting Fortinet devices, signaling an adaptation of publicly available tools by Chinese-linked threat actors for sophisticated network compromise.

The Issue

On June 24, 2025, the Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) issued a critical advisory regarding a cyber espionage initiative orchestrated by the China-linked group known as Salt Typhoon. This nefarious campaign involved the exploitation of a severe vulnerability in Cisco’s IOS XE software (CVE-2023-20198), resulting in a breach of several network devices affiliated with an unnamed Canadian telecommunications company around mid-February 2025. The attackers not only accessed sensitive configuration files but also modified at least one to establish a Generic Routing Encapsulation (GRE) tunnel, facilitating ongoing data collection and reconnaissance efforts potentially spanning beyond the telecommunications sector.
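
A defender can audit exported device configurations for the kind of change described above. The following is an added example, not code from the advisory or from this article: it parses an IOS-style running-config and lists GRE tunnel interfaces whose destination is missing or not on an approved list. The sample configuration, the function names and the approved-destination set are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config for illustration (not from the advisory).
# Tunnel destinations come from documentation ranges (RFC 5737).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface Tunnel10
 description DC interconnect
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.20
!
interface Tunnel77
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
!
interface Tunnel20
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.30
!
end
"""

def parse_tunnels(config):
    """Return one dict per 'interface TunnelN' stanza."""
    tunnels, cur = [], None
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level line closes the stanza
            m = re.match(r"interface (Tunnel\d+)\s*$", line)
            # IOS omits the default mode (GRE over IP) from the running-config.
            cur = {"name": m.group(1), "mode": "gre ip", "destination": None} if m else None
            if cur:
                tunnels.append(cur)
            continue
        words = line.split()
        if cur and words[:2] == ["tunnel", "mode"]:
            cur["mode"] = " ".join(words[2:])
        elif cur and words[:2] == ["tunnel", "destination"] and len(words) > 2:
            cur["destination"] = words[2]
    return tunnels

def unexpected_gre(config, approved_destinations):
    """GRE tunnels whose destination is missing or not on the approved list."""
    return [t for t in parse_tunnels(config)
            if t["mode"].startswith("gre")
            and t["destination"] not in approved_destinations]

if __name__ == "__main__":
    for t in unexpected_gre(SAMPLE_CONFIG, {"198.51.100.20"}):
        print(f"review {t['name']}: GRE tunnel to {t['destination']}")
```

Running the same check against a known-good baseline configuration and the current one shows whether a tunnel stanza appeared between the two.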

The implications of these findings suggest a deeper, more systemic threat posed by state-sponsored Chinese actors, drawing parallels with previously documented infiltrations of telecom and internet providers in the U.S., South Africa, and Italy. This expansive campaign highlights a concerted effort to infiltrate critical infrastructure and underscores the enduring vulnerabilities within edge network devices, which serve as prime targets for long-term exploitation and information gathering. In parallel, the U.K. National Cyber Security Centre reported on emerging malware aimed at Fortinet devices, further indicating a troubling trend of sophisticated cyber threats linked to state-sponsored entities.

Potential Risks

The recent advisory from the Canadian Centre for Cyber Security and the FBI regarding cyber attacks linked to the China-based Salt Typhoon actors signals a profound risk not only to telecommunications but also to a myriad of interconnected businesses, users, and organizations. As these threat actors exploit vulnerabilities such as the critical Cisco IOS XE software flaw (CVE-2023-20198) to infiltrate networks, the potential for widespread data breaches accumulates, translating into cascading vulnerabilities across various sectors. When one entity is compromised, the attackers often leverage that access to initiate a domino effect, breaching additional enterprises and siphoning sensitive data, which in turn compromises customer trust and operational integrity. Companies reliant on these telecommunications services could experience service disruptions, financial losses, and reputational damage, ultimately undermining market stability and elevating the collective exposure of businesses to further cyber threats. The multifaceted nature of these attacks underscores the urgent necessity for robust cybersecurity measures and collaborative defense strategies, as the interconnectedness of today’s digital infrastructure amplifies the ramifications of each breach.

Possible Action Plan

Timely remediation is critical in cybersecurity, particularly in the context of exploitative tactics utilized by state-sponsored actors like those associated with ‘Salt Typhoon.’ Swift actions not only protect sensitive infrastructure but also bolster national security against increasingly sophisticated threats.

Mitigation Steps

  1. Patch Vulnerabilities: Immediately update affected Cisco devices with the latest security patches.
  2. Access Controls: Implement strict access controls and user authentication protocols.
  3. Network Segmentation: Isolate critical assets from less secure parts of the network.
  4. Intrusion Detection: Deploy advanced IDS/IPS systems to monitor and thwart unauthorized access.
  5. Incident Response Planning: Formulate and rehearse an incident response plan tailored to this threat.
  6. Threat Intelligence Sharing: Collaborate with industry peers and governmental agencies for shared intelligence on emerging threats.
  7. Employee Training: Conduct cybersecurity awareness training to recognize social engineering tactics.

NIST CSF Guidance

The NIST Cybersecurity Framework underscores the necessity for ongoing risk assessments and the implementation of robust incident response protocols. Specifically, the NIST Special Publication (SP) 800-53 provides comprehensive controls applicable to vulnerability management and incident handling. Organizations are urged to reference this document for actionable measures aligned with best practices in cybersecurity resilience.


Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary reference purposes only.


John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
