China-Linked Salt Typhoon Exploits Critical Cisco Vulnerability to Compromise Canadian Telecommunications Sector
The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory regarding cyber attacks conducted by the China-linked Salt Typhoon actors. These attacks target significant global telecommunications providers, forming part of a broader cyber espionage campaign.
In mid-February 2025, attackers exploited a critical vulnerability in Cisco IOS XE software (CVE-2023-20198, CVSS score: 10.0) to retrieve the running configuration files from three network devices registered to a Canadian telecommunications firm. The company has not been named.
The threat actors are reported to have altered at least one of the files associated with a Generic Routing Encapsulation (GRE) tunnel, which allowed them to collect traffic data from the affected network.
The targeting is believed to extend beyond the telecommunications sector: compromised Canadian devices give the actors network information that can be used as a foothold to reach additional networks.
According to the alert, “In some cases, we assess that the threat actors’ activities were very likely limited to network reconnaissance.” Edge network devices remain attractive targets for state-sponsored Chinese actors seeking to achieve persistent access to telecom service providers.
These findings align with a prior report from Recorded Future, which detailed the exploitation of CVE-2023-20198 and CVE-2023-20273 to infiltrate telecom and internet institutions across the U.S., South Africa, and Italy. Threat actors leveraged these vulnerabilities to establish GRE tunnels for sustained access and data exfiltration.
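The two GRE passages above describe the same defensive problem: a tunnel interface that appears in, or is modified within, an edge device's running configuration without an authorized change. The following is an added example, not code from the advisory or from Cisco, that parses IOS XE-style configuration text, extracts every `interface TunnelN` block, and flags tunnels that are absent from an approved baseline or whose `tunnel destination` differs from it. The configuration excerpt, hostnames, and baseline are constructed for illustration; on IOS XE, GRE over IPv4 is the default tunnel mode and is usually not printed in the running config, so a block with no `tunnel mode` line is treated as GRE.

```python
"""Audit an IOS XE-style running configuration for unexpected GRE tunnels.

Added example for this article (not Cisco's or the advisory's code).
Feed it the output of `show running-config` collected out of band and a
baseline of tunnels your change records say should exist.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config excerpt; hostnames and addresses are illustrative.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface Tunnel0
 description approved backbone link to dc-core
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
 tunnel mode gre ip
!
interface Tunnel77
 ip address 10.99.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.45
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Constructed baseline: tunnel interface name -> approved destination address.
APPROVED_TUNNELS: Dict[str, str] = {"Tunnel0": "198.51.100.10"}


@dataclass
class TunnelInterface:
    name: str
    destination: Optional[str] = None
    source: Optional[str] = None
    mode: Optional[str] = None  # None means the IOS XE default (gre ip)
    description: Optional[str] = None


def parse_tunnels(config: str) -> List[TunnelInterface]:
    """Return every `interface TunnelN` block with its key sub-commands."""
    tunnels: List[TunnelInterface] = []
    current: Optional[TunnelInterface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (Tunnel\d+)$", line)
        if m:
            current = TunnelInterface(name=m.group(1))
            tunnels.append(current)
            continue
        # Any other top-level command, '!' separator or 'end' closes the block.
        if not line.startswith(" "):
            current = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("tunnel destination "):
            current.destination = stripped.split()[2]
        elif stripped.startswith("tunnel source "):
            current.source = stripped.split()[2]
        elif stripped.startswith("tunnel mode "):
            current.mode = stripped[len("tunnel mode "):]
        elif stripped.startswith("description "):
            current.description = stripped[len("description "):]
    return tunnels


def is_gre(tunnel: TunnelInterface) -> bool:
    """GRE is the default mode when no `tunnel mode` line is present."""
    return tunnel.mode is None or tunnel.mode.startswith("gre")


def find_unapproved_tunnels(config: str, approved: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag GRE tunnels not in the baseline, or whose destination changed."""
    findings: List[Tuple[str, str]] = []
    for t in parse_tunnels(config):
        if not is_gre(t):
            continue
        if t.name not in approved:
            findings.append((t.name, f"unexpected GRE tunnel to {t.destination}"))
        elif approved[t.name] != t.destination:
            findings.append((t.name, f"destination changed {approved[t.name]} -> {t.destination}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_unapproved_tunnels(SAMPLE_CONFIG, APPROVED_TUNNELS):
        print(f"{name}: {reason}")
```

Run against a configuration pulled over a management path you trust rather than one reported by the possibly compromised device, and diff the baseline against your change-management records; the destination-changed branch is what catches the case in the advisory, where an existing tunnel definition is edited rather than a new one added.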
In a related development, the U.K. National Cyber Security Centre (NCSC) has reported two malware families named SHOE RACK and UMBRELLA STAND, which target FortiGate 100D series firewalls manufactured by Fortinet. SHOE RACK functions as a post-exploitation tool enabling remote shell access and TCP tunneling via compromised devices, whereas UMBRELLA STAND is programmed to execute shell commands from an attacker-controlled server.
Interestingly, SHOE RACK shares components with a publicly available tool known as reverse_shell, which has also been adapted by a China-related threat group named PurpleHaze to create a Windows implant referred to as GoReShell. The potential connections between these incidents remain unclear.
The NCSC has observed similarities between UMBRELLA STAND and COATHANGER, a backdoor previously utilized by Chinese state-sponsored hackers in an attack aimed at a Dutch armed forces network.