Security researchers say the Chinese government-linked hacking group, Salt Typhoon, is continuing to compromise telecommunications providers, despite the recent sanctions imposed by the U.S. government on the group.
In a report shared with TechCrunch, threat intelligence firm Recorded Future said it had observed Salt Typhoon — which the company tracks as “RedMike” — breaching five telecommunications firms between December 2024 and January 2025.
Salt Typhoon made headlines last September after it was revealed that the group had infiltrated several U.S. phone and internet giants, including AT&T and Verizon, to gain access to the private communications of senior U.S. government officials and political figures.
Salt Typhoon also hacked into the systems that law enforcement agencies use for court-authorized collection of customer data, potentially accessing sensitive data such as the identities of Chinese targets of U.S. surveillance.
Recorded Future declined to name Salt Typhoon’s latest victims, but said they include a U.S.-based affiliate of a prominent U.K. telecommunications provider; a U.S. internet service provider, and telecommunications companies in Italy, South Africa and Thailand.
The hackers also performed reconnaissance — the practice of covertly discovering and collecting information about a system — on multiple infrastructure assets operated by Myanmar-based telecommunications provider, Mytel, according to Recorded Future.
To carry out these attacks, Salt Typhoon exploited two vulnerabilities (tracked as CVE-20232-0198 and CVE-2023-20273) to compromise unpatched Cisco devices running Cisco IOS XE software. The hacking group has attempted to compromise more than 1,000 Cisco devices globally, focusing particularly on devices associated with telecommunications providers’ networks, Recorded Future said.
Recorded Future said it had also observed Salt Typhoon targeting devices associated with universities, including the University of California and Utah Tech. The researchers said the hacking group “possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology.”
The U.S. government has sanctioned companies linked to the group. In January, the U.S. Treasury Department — itself targeted by Chinese government hackers recently — said it had sanctioned a China-based cybersecurity company known as Sichuan Juxinhe Network Technology, which it says is directly linked to Salt Typhoon.
Recorded Future’s researchers say despite this action, it expects Salt Typhoon to continue targeting telecommunications providers in the U.S. and elsewhere.
