Salt Typhoon strikes again - more US ISPs, universities and telecoms networks hit by Chinese hackers

(Image credit: Shutterstock)

Security researchers from Recorded Future observe new Salt Typhoon activity
The threat actor is still going after ISPs and universities in the west
The group is abusing flaws in Cisco gear to hit new targets

Salt Typhoon, a Chinese state-sponsored threat actor best known for recently breaching almost a dozen telecom providers in the US, has struck again, hitting not just American organizations, but also those from the UK, South Africa, and elsewhere around the world.

The latest intrusions were spotted by cybersecurity researchers from Recorded Future, which said the group is targeting internet-exposed web interfaces of Cisco’s IOS software that powers different routers and switches. These devices have known vulnerabilities that the threat actors are actively exploiting to gain initial access, root privileges, and more.

More than 12,000 Cisco devices were found connected to the wider internet, and exposed to risk, Recorded Future further explained. However, Salt Typhoon is focusing on a “smaller subset” of telecoms and university networks.

Recent activity

This “smaller subset” of targets includes US internet service providers and telecommunications firms, a US affiliate of a UK telecom, telecoms in South Africa and Thailand, an internet service provider in Italy, different universities around the world (Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US).

All of this activity was spotted between December 2024, and January 2025, meaning the group is currently quite active.

“They’re super active, and they continue to be super active,” Levi Gundert, who leads Recorded Future's research team known as Insikt Group, told Wired. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”

Cisco also chimed in, saying that the vulnerabilities Salt Typhoon is exploiting have all been fixed, and urged users to apply the available patches as soon as possible.

Unpatched n-day vulnerabilities are low-hanging fruit for cybercriminals, since they already have a working exploit and a proof-of-concept for malware infections, which makes their work relatively easy.

Via Wired

Salt Typhoon attacks may have hit more US firms than previously thought
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.