Recorded Future’s Insikt Group uncovered a Chinese state-sponsored threat group identified as RedMike, which corresponds to the group named Salt Typhoon by Microsoft, targeting unpatched, internet-facing Cisco network devices, predominantly affecting global telecommunications providers between December 2024 and January 2025. Among the victim organizations were a U.S.-based affiliate of a U.K. telecommunications provider and a telecommunications provider based in South Africa.
Using Recorded Future Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access.
Insikt Group researchers identified that RedMike has attempted to exploit more than 1,000 Cisco devices globally. The group likely compiled a list of target devices based on their association with telecommunications providers’ networks.
The researchers detailed that in mid-December 2024, RedMike, from the same infrastructure that exploited the Cisco network devices, performed reconnaissance against multiple infrastructure assets operated by a Myanmar-based telecommunications provider, Mytel, likely including their corporate mail server.
They also observed RedMike targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States (US), and Vietnam. RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft.
Often involved in cutting-edge research, universities are prime targets for Chinese state-sponsored threat activity groups to acquire valuable research data and intellectual property. Previous examples include APT40, which has targeted universities for biomedical, robotics, and maritime research; RedGolf (APT41) for medical research; and RedBravo (APT31), which has directly targeted academics. China’s cyber strategy aligns with its broader economic and military goals, making universities high-value targets for long-term intelligence-gathering and technology acquisition.
“Unpatched public-facing appliances serve as direct entry points into an organization’s infrastructure. Sophisticated Chinese threat activity groups have shifted heavily toward exploiting these devices for initial access over the past five years,” according to the research data. “RedMike’s exploitation of telecommunications infrastructure goes beyond technical vulnerabilities and represents a strategic intelligence threat. Persistent access to critical communications networks enables state-backed threat actors to monitor confidential conversations, manipulate data flows, and disrupt services during geopolitical conflicts.”
RedMike’s targeting of lawful intercept programs and US political figures highlights the strategic intelligence objectives behind these operations and the national security threat they pose.
Organizations, particularly those in the telecommunications industry, must prioritize remediating exposed network devices, as unpatched systems remain a key initial access vector for Chinese state-sponsored threat activity groups.
Furthermore, network administrators should implement strict access controls, disable unnecessary web UI exposure, and monitor for unauthorized configuration changes. Individuals should use end-to-end encrypted communication methods for sensitive information, as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have recommended, to mitigate the risk of eavesdropping.
Additionally, governments and cybersecurity entities should improve threat intelligence sharing and impose stricter regulatory compliance for network security. While the US sanctions on RedMike-affiliated Sichuan Juxinhe Network Technology signal a more assertive and commendable stance against state-backed cyber espionage in critical infrastructure, robust international cooperation is crucial for effectively countering these persistent threats.
RedMike configured GRE tunnels between the compromised Cisco devices and their infrastructure. GRE is a tunneling protocol encapsulating various network layer protocols inside point-to-point connections. It is a standard feature that can be configured on Cisco network devices. It is commonly used to create virtual private networks (VPNs), enable interoperability between different network types, and transport multicast or non-IP traffic over IP networks.
Threat activity groups use GRE tunnels to maintain persistence by establishing covert communication channels that bypass firewalls and intrusion detection systems. These tunnels also facilitate stealthy data exfiltration by encapsulating stolen data within GRE packets, potentially bypassing network monitoring.
Insikt Group called on organizations to prioritize applying available security patches and updates to Internet-exposed network devices, and to avoid exposing administration interfaces or non-essential services on public-facing appliances directly to the Internet, particularly on end-of-life devices. Organizations should also monitor for network device configuration changes; monitor network traffic for protocols not implemented in their network, such as GRE; and use the advanced query feature in Recorded Future to monitor for actively exploited technology within their stack, with alerts set to notify of any at-risk assets.
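To illustrate the two checks recommended above, monitoring for unexpected GRE tunnel configuration and for web UI exposure, here is an added example (not code from Recorded Future or the report) that parses a constructed Cisco IOS XE running-config excerpt, flags any Tunnel interface whose GRE destination is not on a documented allowlist, and reports whether the HTTP server feature is enabled; the sample config, interface names and allowlist are assumptions made for the demonstration.

```python
import re
from typing import Dict, List, Set

# Constructed sample of an IOS XE running-config (not taken from the report).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 description documented backup link to DC2
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
!
interface Tunnel7
 ip address 172.16.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel destination 192.0.2.55
!
ip http server
ip http secure-server
!
end
"""

# Tunnel endpoints the operations team has documented (constructed allowlist).
KNOWN_TUNNEL_DESTINATIONS: Set[str] = {"198.51.100.7"}

def parse_tunnel_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Return {interface_name: {attribute: value}} for every Tunnel interface."""
    tunnels: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)$", line)
        if m:
            # IOS tunnel interfaces default to "tunnel mode gre ip" when unset.
            current = tunnels.setdefault(m.group(1), {"mode": "gre ip"})
            continue
        if not line.startswith(" "):   # left the interface block ("!", "end", ...)
            current = None
            continue
        if current is None:
            continue
        parts = line.strip().split(" ", 2)   # e.g. ["tunnel", "destination", "x.x.x.x"]
        if parts[0] == "tunnel" and len(parts) == 3:
            current[parts[1]] = parts[2]
    return tunnels

def find_unexpected_tunnels(config: str, allowlist: Set[str]) -> List[str]:
    """Names of GRE Tunnel interfaces whose destination is not documented."""
    return sorted(
        name for name, attrs in parse_tunnel_interfaces(config).items()
        if attrs["mode"].startswith("gre") and attrs.get("destination") not in allowlist
    )

def web_ui_exposed(config: str) -> bool:
    """True if the HTTP or HTTPS server feature (the web UI) is enabled."""
    return bool(re.search(r"^ip http (secure-)?server$", config, re.M))
```

Running the checks against a fresh `show running-config` after each change alert turns the "monitor for configuration changes" advice into a concrete diff of tunnel endpoints rather than a raw text comparison.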