
Hurri(Can)e(ada): Salt Typhoon Breaches Canadian Telecom Network

  • Author: Javier Conejo del Cerro
  • 21 hours ago
  • 3 min read


Salt Typhoon, the Chinese state-sponsored cyber-espionage group also known as Bronze Silhouette or RedHotel, has added another strike to its growing campaign. In a disclosure made public in June 2025, the Canadian Centre for Cyber Security confirmed that one of the country’s telecommunications providers had been infiltrated months earlier, in February. The attackers compromised three network devices using a known Cisco vulnerability, CVE-2023-20198, which enables remote privilege escalation through the Cisco IOS XE Web UI.

This operation forms part of Salt Typhoon’s broader global offensive targeting telecom providers and critical communications infrastructure across multiple continents. Canada now joins the United States, Italy, South Africa, and Thailand among the countries directly affected. The campaign reveals a strategic aim to monitor, manipulate, and exfiltrate sensitive communications at the network level, with threat actors remaining undetected for extended periods.


Targeting the Network’s Nerve Center


Unlike indiscriminate attacks that target large user populations, this intrusion was surgical and strategic. The compromised systems belonged to a Canadian telecom provider with access to critical communications infrastructure, making the real targets those with the keys to the network.

The victims likely include:

  • Senior executives with insight into organizational operations and potential access to policy-sensitive discussions.

  • Network engineers and administrators, who manage infrastructure and routing—key assets for those seeking to intercept communications or reroute traffic.

  • Privileged users in charge of surveillance links or government-affiliated operations, whose credentials could allow adversaries to access protected data or maintain persistence undetected.

While the company itself remains unnamed, the implication is clear: Salt Typhoon is targeting not just systems, but the people who operate and secure them.


Anatomy of a Breach


The attackers gained access through a now-well-documented vulnerability in Cisco’s IOS XE Web UI: CVE-2023-20198. This flaw allows unauthenticated attackers to escalate privileges remotely. According to Canadian authorities, Salt Typhoon used this exploit to compromise three routers belonging to the unnamed telecom firm.


Once inside, they:


  • Extracted the active running configuration files from all affected devices—files that may include stored credentials, routing rules, VPN details, and firewall settings.

  • Altered at least one configuration file to establish a GRE (Generic Routing Encapsulation) tunnel, effectively setting up a covert communications channel.

  • Diverted and collected live traffic passing through the infrastructure, enabling the exfiltration of sensitive communications without disrupting service.


As with previous Salt Typhoon intrusions, the goal was not destruction but deep surveillance. Captured data likely included:


  • Call metadata

  • Private communications

  • Government surveillance-related records

These tactics mirror those used in earlier breaches affecting AT&T, Verizon, T-Mobile, Viasat, and Lumen Technologies, as well as global carriers in Europe and Africa.


National Alarm, Global Response


Salt Typhoon’s operations continue to evolve and expand, and national governments are beginning to recognize the scope and persistence of the threat. Canada’s cyber authority now warns that Salt Typhoon and affiliated China-based groups are likely to continue targeting telecommunications providers and their clients well into 2026.

To counter this expanding threat, the Canadian Centre for Cyber Security urges organizations to adopt stronger and more proactive defenses, particularly in sectors critical to national infrastructure.


Recommended Strategic Measures:


  • Harden edge devices: Prioritize patching and configuration integrity for routers, firewalls, and VPN appliances.

  • Treat telecom nodes as crown jewels: Recognize infrastructure and backbone services as strategic assets vulnerable to long-term compromise.

  • Replace passive security with active detection: Implement behavioral monitoring, anomaly detection, and real-time alerting.

  • Monitor configuration changes: Use audit logging and version control to detect unauthorized alterations to network devices.

  • Segment the network and limit privilege: Reduce lateral movement opportunities by isolating sensitive assets and applying the principle of least privilege.

  • Establish intelligence sharing pipelines: Join sector-specific threat intelligence exchanges to track IOCs (Indicators of Compromise) and evolving TTPs (Tactics, Techniques, and Procedures).
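The "Monitor configuration changes" recommendation above and the GRE tunnel described in "Anatomy of a Breach" share one practical control: diffing each device's running configuration against a trusted baseline. The following is an added example, not code from the original post, from the Canadian Centre for Cyber Security or from Cisco. It compares two IOS-style configs and flags a newly added GRE tunnel interface or a new privilege-15 local account; the sample configs, account names and addresses are constructed placeholders.

```python
# Constructed sample configs (not real device output): a trusted baseline and a
# later snapshot of the same router; account names and addresses are placeholders.
BASELINE = """\
username netops privilege 15 secret 9 $9$placeholder
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
"""
SNAPSHOT = """\
username netops privilege 15 secret 9 $9$placeholder
username tmpadmin privilege 15 secret 9 $9$placeholder2
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
"""


def parse_blocks(config: str) -> dict:
    """Map each top-level IOS config line to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current:
            blocks[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def find_suspicious_changes(baseline: str, snapshot: str) -> list:
    """Report blocks added or altered since the baseline, naming the two
    patterns from this intrusion: a new GRE tunnel and a new privilege-15 user."""
    old, new = parse_blocks(baseline), parse_blocks(snapshot)
    findings = []
    for header, children in new.items():
        if old.get(header) == children:
            continue  # block identical to the baseline
        if header.startswith("interface Tunnel") and any(
                c.startswith("tunnel mode gre") for c in children):
            dest = next((c.split()[-1] for c in children
                         if c.startswith("tunnel destination")), "unknown")
            findings.append(f"NEW_GRE_TUNNEL {header} -> {dest}")
        elif header.startswith("username ") and " privilege 15 " in header:
            findings.append(f"NEW_PRIV15_USER {header.split()[1]}")
        else:
            findings.append(f"CHANGED {header}")
    return findings
```

In practice the baseline would be the last reviewed config held in version control and the snapshot a scheduled `show running-config` pull; any finding should raise an alert for review rather than being auto-reverted.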

Salt Typhoon’s success lies not in overwhelming force, but in precise, long-term infiltration. Defending against it requires the same: focused vigilance, informed by strategy—not just patches.
