The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation issued a new warning about ongoing cyber activity by Salt Typhoon, a group linked to Chinese state-sponsored operations. The Cyber Centre confirmed that Canadian telecommunications companies are currently being targeted. At least three network devices belonging to one telecom provider were compromised in mid-February 2025. The attackers, almost certainly linked to the People’s Republic of China (PRC), exploited CVE-2023-20198 to extract running configuration files from the devices. They altered at least one file to establish a GRE tunnel, allowing them to siphon network traffic.

Separate investigations by the Cyber Centre have found overlapping indicators tied to Salt Typhoon, suggesting the campaign may extend beyond the telecommunications sector.

“In separate investigations, the Cyber Centre has found overlaps with malicious indicators associated with Salt Typhoon, reported by our partners and through industry reporting, which suggests that this targeting is broader than just the telecommunications sector,” the cyber threat bulletin disclosed. “Targeting of Canadian devices may allow the threat actors to collect information from the victim’s internal network, or use the victim’s device to enable the compromise of further victims. In some cases, we assess that the threat actors’ activities were very likely limited to network reconnaissance.” 

It added that “While our understanding of this activity continues to evolve, we assess that PRC cyber actors will almost certainly continue to target Canadian organizations as part of this espionage campaign, including telecommunications service providers and their clients, over the next two years.” 

The agencies also expressed concern about the potential impact on the sensitive information of client organizations that work directly with telecommunications providers. PRC cyber threat actors frequently attempt to compromise trusted service providers, including telecommunications, managed service providers (MSPs) and cloud service providers, to access client information or networks indirectly.

The bulletin stated that telecommunications networks are almost certainly among the highest-priority espionage targets for state-sponsored cyber threat actors. Hostile state actors very likely rely on access to telecommunications service providers (TSPs) and telecommunications networks around the world as a key source of foreign intelligence collection. TSPs carry telecommunications traffic and collect and store large amounts of customer data that have intelligence value, including communication, location, and device data.

“State-sponsored cyber threat actors have persistently compromised TSPs globally, often as part of broad and long-running intelligence programs to exfiltrate bulk customer data and collect information on high-value targets of interest, such as government officials,” it added. “This includes geolocating and tracking individuals, monitoring phone calls, and intercepting SMS messages. State actors have gained access to telecommunications networks and data by exploiting vulnerabilities in network devices, such as routers, and by taking advantage of insecure design in the systems that route, bill, and manage communications.” 

In 2024, partner investigations discovered that PRC state-sponsored cyber threat actors had compromised the networks of major global TSPs, including U.S. wireless carriers, very likely as part of a targeted espionage operation. According to partners, the actors were able to steal customer call records data from the compromised TSPs. The threat actors also collected the private communications of a limited number of individuals primarily involved in government or political activity.

Citing the National Cyber Threat Assessment 2025-2026, the bulletin noted that “cyber threat actors are exploiting vulnerabilities in security and networking devices that sit at the perimeter of networks, including routers, firewalls, and virtual private network (VPN) solutions. By compromising these edge devices, a cyber threat actor can enter a network, monitor, modify, and exfiltrate network traffic flowing through the device, or possibly move deeper into the victim network.” 

As part of the campaign, PRC cyber actors are targeting these network devices, exploiting existing vulnerabilities to gain and maintain access to TSPs. Despite public reporting outlining their activities, it is very likely that the actors continue to operate.

To counter the threat, the agencies urged Canadian organizations to strengthen their networks and apply strict security measures to edge devices. They also advised consulting official online resources for further guidance and actionable recommendations.
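The incident described at the top of this article involved a configuration file altered to add a GRE tunnel. The following is an added example (not from the bulletin or the agencies) of a check that audits a saved running configuration for GRE tunnels whose endpoints are not on an approved list. It assumes Cisco IOS-style syntax; the sample configuration, its documentation-range addresses and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of an IOS-style running configuration (not from a real device).
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface Tunnel9
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
!
"""

# Hypothetical allowlist: tunnel endpoints the network team has approved.
APPROVED_DESTINATIONS = {"198.51.100.10"}


def parse_tunnels(config):
    """Return {interface name: {'destination', 'mode'}} for every Tunnel stanza."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented line starts a new top-level stanza
            m = re.match(r"interface (Tunnel\d+)\s*$", line)
            # IOS omits the tunnel mode from the config when it is the default, GRE over IP
            current = tunnels.setdefault(m.group(1), {"destination": None, "mode": "gre ip"}) if m else None
        elif current is not None:
            m = re.match(r"\s+tunnel (destination|mode) (.+?)\s*$", line)
            if m:
                current[m.group(1)] = m.group(2)
    return tunnels


def unapproved_gre_tunnels(config, approved):
    """List (interface, destination) for GRE tunnels whose endpoint is not approved."""
    return sorted((name, t["destination"]) for name, t in parse_tunnels(config).items()
                  if t["mode"].startswith("gre") and t["destination"] not in approved)


if __name__ == "__main__":
    for name, dest in unapproved_gre_tunnels(SAMPLE_CONFIG, APPROVED_DESTINATIONS):
        print(f"REVIEW: {name} is a GRE tunnel to unapproved endpoint {dest}")
```

Running the same check against each scheduled configuration backup and alerting on any new entry turns an unexpected tunnel into a reviewable change rather than a silent one.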

In April, the FBI requested public assistance in reporting information related to PRC-affiliated cyber activity publicly tracked as ‘Salt Typhoon,’ which involves the compromise of multiple U.S. telecommunications companies. Issued via the FBI’s Internet Crime Complaint Center (IC3), the announcement seeks details, especially regarding individuals linked to the campaign.
