Chinese Hackers Target Cisco Devices in Global Cyber Campaign

A China-linked hacking group known as Salt Typhoon has intensified its attacks on Cisco network devices used by telecommunications companies and universities worldwide, researchers revealed on Thursday.

 

Cybersecurity analysts at Recorded Future’s Insikt Group identified the latest wave of attacks between December 2023 and January 2024, affecting over 1,000 Cisco devices globally. Many targeted devices were associated with telecom providers, including a South African firm and a U.S. affiliate of a UK telecom company.

 

The researchers found seven compromised devices communicating with Salt Typhoon infrastructure, linked to telecom companies in the U.S., South Africa, Italy, and Thailand. Additionally, reconnaissance activity was observed in Myanmar, suggesting further potential targets.

 

More than half of the affected Cisco devices were located in the U.S., South America, and India, with the rest spread across over 100 countries. The hackers also targeted universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the U.S., and Vietnam, likely seeking access to telecommunications and technology research.

 

U.S. officials have raised alarm over Salt Typhoon’s operations, noting its breaches of at least nine major U.S. telecom firms, including Verizon, T-Mobile, AT&T, and Lumen. Intelligence sources claim the group accessed call records of high-profile political figures, including Donald Trump, JD Vance, and senior Democratic leaders.

 

The hackers exploited two Cisco vulnerabilities, CVE-2023-20198 and CVE-2023-20273, allowing them to gain initial access and escalate privileges. They conducted six scans for vulnerable devices in December and January, reinforcing concerns about their persistence.

 

In response, the U.S. Treasury Department imposed sanctions on a Chinese contractor allegedly linked to the group, labelling the latest attacks as a significant escalation in China’s cyber operations against U.S. critical infrastructure.

 

Security experts urge Cisco administrators to patch devices immediately and monitor networks for potential breaches.