A Canadian telecommunications provider has fallen victim to a state-sponsored cyberattack linked to a Chinese threat group, months after a critical Cisco vulnerability was publicly patched—a stark reminder of the ongoing risks posed by delayed security patching.
According to coordinated advisories released Monday by Canada’s Cyber Centre and the FBI, the group behind the intrusion is known as Salt Typhoon, a state-backed actor believed to operate on behalf of the People's Republic of China. Their target: internet-facing Cisco devices left vulnerable by CVE-2023-20198, a maximum-severity vulnerability disclosed and patched in October 2023.
A Patch Ignored
Despite the availability of a fix, Salt Typhoon successfully compromised at least three devices within a major Canadian telecom network in February 2025—16 months later. The attackers retrieved sensitive configuration files and manipulated at least one to establish a GRE tunnel, a classic tactic for siphoning network traffic without detection.
Cisco’s IOS XE devices were particularly at risk—specifically those with HTTP/HTTPS server features exposed to the internet. The breach raises serious concerns over patch management practices in critical infrastructure sectors.
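As an added illustration, not taken from the advisories or from Cisco, the following Python audit flags the two conditions the section above describes in an IOS XE running-config: the HTTP/HTTPS server feature enabled, and GRE tunnel interfaces that are not on an operator-maintained allow-list. The sample config, its hostnames and addresses, and the KNOWN_TUNNELS set are constructed for the example.

```python
# Constructed IOS XE running-config excerpt (not from any real device).
# It shows both conditions worth reviewing: web UI enabled, and a GRE
# tunnel the network team did not provision.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
interface Tunnel7
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.25
 tunnel mode gre ip
"""

# Tunnels the operator knows about (assumption: maintained out of band).
KNOWN_TUNNELS = {"Tunnel0"}


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [indented sub-command lines]} from a config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None  # any unindented line ends the interface block
    return interfaces


def audit_config(config: str, known_tunnels=KNOWN_TUNNELS) -> list:
    """Flag findings a defender would review on an internet-facing IOS XE box."""
    findings = []
    top_level = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    # Web UI exposure: the feature that needs to be reachable for the web UI bug.
    for feature in ("ip http server", "ip http secure-server"):
        if feature in top_level:
            findings.append(f"web-ui-enabled: {feature}")
    # Unexpected GRE tunnels. On IOS/IOS XE a Tunnel interface with no explicit
    # "tunnel mode" line defaults to GRE over IP, so absence counts as GRE too.
    for name, lines in parse_interfaces(config).items():
        modes = [l for l in lines if l.startswith("tunnel mode")]
        is_gre = not modes or any(m.startswith("tunnel mode gre") for m in modes)
        if name.startswith("Tunnel") and is_gre and name not in known_tunnels:
            dest = next((l.split()[-1] for l in lines
                         if l.startswith("tunnel destination")), "?")
            findings.append(f"unexpected-gre-tunnel: {name} -> {dest}")
    return findings
```

Run it against a config pulled from the device over an out-of-band channel, and compare the tunnel list with change records rather than trusting the box's own view of what is authorised.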
Salt Typhoon’s Expanding Reach
Salt Typhoon is no stranger to high-level espionage. The group has previously been linked to breaches of multiple U.S. telecom companies, including Verizon and AT&T, reportedly using their footholds to surveil lawful interception systems and access other forms of sensitive internet traffic, as detailed in a Wall Street Journal report.
The Canadian government warned that this attack is likely not an isolated incident. Investigators uncovered threat indicators consistent with broader Salt Typhoon operations, potentially extending beyond telecom into other strategic sectors.
“This activity may enable further compromises by using infected infrastructure as a staging point,” the Cyber Centre noted, adding that in some cases, the group’s actions appeared limited to reconnaissance—likely a precursor to more damaging operations.
A Preventable Breach
Both the Canadian and U.S. governments confirmed that CVE-2023-20198 was the initial vector, but notably, neither directly addressed why the vulnerability remained unpatched for so long. The oversight—especially for infrastructure that underpins national communication—reflects a serious breakdown in basic cybersecurity hygiene.
Cisco previously noted that Salt Typhoon also leveraged CVE-2023-20273, CVE-2018-0171, and a more recent vulnerability, CVE-2024-20399, to maintain access and escalate control across targeted networks.
The Road Ahead
Authorities warn that these operations are ongoing and likely to continue, stating, “PRC state-sponsored actors will almost certainly continue to target Canadian telecom providers and their customers as part of a broader espionage campaign over the coming years.”
For security professionals, this incident underscores a critical truth: timely patching of known vulnerabilities—especially those actively exploited in the wild—is not just best practice, it’s essential defense.