A newly released advisory from the FBI and Canada’s Cyber Centre warns of an ongoing cyber espionage campaign by a China-linked group that is targeting telecom networks worldwide. The report, issued June 20, 2025, points to “Salt Typhoon,” a notorious Chinese APT group using known vulnerabilities in routers and other edge network devices to steal sensitive data.
The activity, tracked since at least February, involves exploiting devices at the network perimeter to gain hidden access, siphon off communications data, and maintain long-term control. In one documented incident, three network devices at a Canadian telecom were compromised, allowing attackers to intercept call records and user locations.
How the Attack Works
The group is using vulnerabilities like CVE-2023-20198 to extract configuration files from targeted devices. This flaw in the web UI of Cisco IOS XE lets an unauthenticated attacker create a local account at the highest privilege level (level 15), which is enough to read and modify the running configuration. It was first disclosed in October 2023 and was widely exploited at the time, with over 40,000 devices reported compromised.
According to the FBI’s advisory (PDF), while the campaign centers on telecommunications providers, the tactics used could apply to a broader range of targets. Edge devices such as routers, firewalls, and VPN appliances are especially exposed, particularly when they run outdated firmware, leave management interfaces reachable from the internet, or carry weak configurations.
Once inside, they modify the device configuration to add GRE (Generic Routing Encapsulation) tunnels, which let them silently route network traffic through systems under their control. This technique lets them observe or manipulate communications while avoiding traditional security detection: GRE is a legitimate and widely used encapsulation, so a new tunnel blends in unless its peer address is checked against what the operator actually expects.
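The two indicators described above, an unexpected privilege-15 account and a GRE tunnel to an unknown peer, are both visible in a device's running configuration. The following is an added example (not code from the advisory or from the affected vendor) that audits a Cisco IOS-style running-config for those indicators and for an enabled HTTP server, the attack surface used by CVE-2023-20198. The sample config, the interface names, the addresses and the usernames are constructed; the allowlists passed to audit_config are assumptions an operator would replace with their own.

```python
"""Audit an IOS-style running-config for indicators consistent with the
activity described in the advisory:
  - local users at privilege 15 that are not on the expected-admin list
  - 'ip http server' / 'ip http secure-server' enabled (web UI exposed)
  - Tunnel interfaces in GRE mode whose destination is not an approved peer
Added example; the config below is constructed and the allowlists are assumptions."""
import ipaddress
import re

# Constructed sample running-config. Tunnel0 is an approved backup link;
# Tunnel99 and the second privilege-15 user are the planted indicators.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
!
ip http server
ip http secure-server
!
interface Tunnel0
 description legit-backup-link
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.22
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
end
"""

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)")


def parse_interfaces(config):
    """Return {interface_name: [sub-config lines]}. Sub-config lines are the
    indented lines after an 'interface' line, up to the next unindented line."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def parse_users(config):
    """Return [(username, privilege_level)] for every 'username ... privilege N' line."""
    return [(m.group(1), int(m.group(2)))
            for line in config.splitlines() if (m := USER_RE.match(line))]


def tunnel_details(lines):
    """Extract (destination, mode) from a Tunnel interface's sub-config.
    IOS defaults to 'tunnel mode gre ip' and omits that line from the running
    config, so a missing mode line is treated as GRE rather than as 'unknown'."""
    dest, mode = None, "gre ip"
    for line in lines:
        if line.startswith("tunnel destination "):
            dest = line.split()[2]
        elif line.startswith("tunnel mode "):
            mode = line[len("tunnel mode "):]
    return dest, mode


def audit_config(config, expected_admins, allowed_peers):
    """Return a list of findings ({'kind': ..., 'detail': ...}) for the config."""
    findings = []
    for name, priv in parse_users(config):
        if priv >= 15 and name not in expected_admins:
            findings.append({"kind": "unexpected_priv15_user", "detail": name})
    http_lines = [l for l in config.splitlines()
                  if l in ("ip http server", "ip http secure-server")]
    if http_lines:
        findings.append({"kind": "http_server_enabled", "detail": ", ".join(http_lines)})
    nets = [ipaddress.ip_network(p) for p in allowed_peers]
    for name, lines in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        dest, mode = tunnel_details(lines)
        if not mode.startswith("gre"):
            continue
        # A GRE tunnel with no destination, or one outside the allowlist, is reported.
        if dest is None or not any(ipaddress.ip_address(dest) in n for n in nets):
            findings.append({"kind": "unapproved_gre_tunnel",
                             "detail": f"{name} -> {dest} ({mode})"})
    return findings


if __name__ == "__main__":
    # Assumed allowlists: one expected admin, one approved tunnel peer range.
    for f in audit_config(SAMPLE_CONFIG, {"netadmin"}, ["203.0.113.0/24"]):
        print(f["kind"], ":", f["detail"])
```

Run against a config pulled from the device over an out-of-band path (or from a configuration backup system), not via the same web UI under suspicion, and compare findings against a known-good baseline from before the advisory's February timeframe.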
Long-Term Espionage, Not Quick Hits
Unlike smash-and-grab cyberattacks that aim for fast data theft, Salt Typhoon appears focused on quiet, long-term surveillance. This approach aligns with other known state-linked campaigns that prioritize strategic intelligence gathering over monetary gain.
The attackers are not using zero-day exploits. Instead, they rely on publicly known vulnerabilities, which on edge devices are often left unpatched for long periods. Exploiting old bugs is cheap, blends into the background noise of commodity scanning, and allows them to build access over time without raising alarms.
What’s at Risk
The FBI and Cyber Centre warn that telecom networks, by their nature, carry sensitive personal and commercial data. By compromising devices that handle this traffic, attackers can gain insight into user behaviour, physical locations, and private conversations.
The advisory suggests that these campaigns are likely to continue and may expand further over the next two years.
The joint alert did not name affected companies beyond the single Canadian incident but noted that similar activity has been observed globally. Organizations are therefore urged to secure edge devices, audit device configurations and network traffic for signs of compromise, and apply available patches without delay.
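Auditing traffic complements auditing configurations: a GRE tunnel that an attacker has since removed from the config still leaves IP protocol 47 flows in NetFlow or IPFIX records. The following is an added example (not from the advisory) that scans flow records for GRE between a monitored edge device and peers outside an allowlist. The records and their CSV layout are constructed, and the monitored-device and allowed-peer lists are assumptions.

```python
"""Find GRE (IP protocol 47) flows between monitored edge devices and peers
that are not approved tunnel endpoints. Added example; the flow export below
is constructed and its column layout (a simplified NetFlow/IPFIX CSV) is assumed."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow records: 203.0.113.7 is the approved backup-link peer,
# 198.51.100.22 is the unexpected peer, and the proto-6 row is ordinary TCP.
SAMPLE_FLOWS = """\
ts,src,dst,proto,bytes
2025-06-18T02:14:07Z,192.0.2.10,203.0.113.7,47,81234
2025-06-18T02:14:09Z,192.0.2.10,198.51.100.22,47,5521000
2025-06-18T02:15:30Z,192.0.2.10,198.51.100.22,47,6012400
2025-06-18T02:16:02Z,192.0.2.10,203.0.113.9,6,4400
2025-06-18T02:17:45Z,198.51.100.22,192.0.2.10,47,1840
"""


def gre_to_unknown_peers(flow_csv, monitored_devices, allowed_peers):
    """Return {(device, peer): total_bytes} for GRE flows in either direction
    where one endpoint is a monitored device and the other is not allowlisted."""
    monitored = {ipaddress.ip_address(d) for d in monitored_devices}
    allowed = [ipaddress.ip_network(p) for p in allowed_peers]
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["proto"]) != 47:          # only GRE-encapsulated traffic
            continue
        src, dst = ipaddress.ip_address(row["src"]), ipaddress.ip_address(row["dst"])
        if src in monitored:
            device, peer = src, dst
        elif dst in monitored:
            device, peer = dst, src
        else:
            continue
        if any(peer in net for net in allowed):
            continue
        totals[(str(device), str(peer))] += int(row["bytes"])
    return dict(totals)


if __name__ == "__main__":
    # Assumed: one monitored edge router and one approved peer range.
    for (device, peer), nbytes in gre_to_unknown_peers(
            SAMPLE_FLOWS, ["192.0.2.10"], ["203.0.113.0/24"]).items():
        print(f"GRE {device} <-> {peer}: {nbytes} bytes to unapproved peer")
```

Byte totals matter here: a tunnel mirroring subscriber traffic will move far more data than a stray probe, so sort the results by volume before triage and then pull the matching device configuration for the tunnel definition.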