An advisory issued by the FBI in conjunction with Canada’s Cyber Centre describes an ongoing cyber espionage campaign, attributed to a China-associated group, targeting telecom networks worldwide. Dated June 20, 2025, the report highlights the activities of “Salt Typhoon,” a well-known advanced persistent threat (APT) group that exploits known vulnerabilities in routers and other network perimeter devices to exfiltrate sensitive data.
Documented attacks since February have capitalized on weaknesses at the edge of network architectures, enabling unauthorized access, interception of communication data, and sustained control over compromised systems. One noted incident involved the infiltration of three devices within a Canadian telecommunications network, granting the attackers access to call records and user location information.
How the Attack Works
The group exploits vulnerabilities, including CVE-2023-20198, to extract configuration files from targeted devices. This flaw, affecting over 40,000 devices and first recognized in October 2023, highlights the ease with which attackers can leverage publicly known exploits. The FBI’s advisory underscores that while the focus has been on telecom providers, the techniques employed could extend to a broader array of organizations.
Devices such as routers, firewalls, and VPN appliances remain particularly susceptible, especially when running outdated firmware or weak configurations. Once inside a network, the attackers configure Generic Routing Encapsulation (GRE) tunnels on the compromised devices, enabling them to surreptitiously route traffic through systems they control. This method allows them to observe or manipulate communications while evading conventional security measures.
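Because the advisory points to GRE tunnels on compromised edge devices as the persistence and interception mechanism, a defender's first question is whether any tunnel exists that the operations team did not document. The following is an added example, not code from the advisory or from either agency: it parses an IOS-style running-config excerpt and a handful of flow records (both constructed here as samples) and reports GRE tunnel interfaces and GRE flows (IP protocol 47) whose peer is not on an assumed allowlist of known tunnel endpoints. The allowlist, interface names and addresses are all assumptions for illustration.

```python
import re

# Constructed sample: an IOS-style running-config excerpt with two GRE tunnels.
# Tunnel0 is a documented backup link; Tunnel99 is not on the allowlist below.
SAMPLE_CONFIG = """\
interface Tunnel0
 description MPLS backup to DC2
 tunnel source GigabitEthernet0/0
 tunnel destination 10.20.0.1
 tunnel mode gre ip
!
interface Tunnel99
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 10.10.0.1 255.255.255.0
!
"""

# Constructed sample flow records: (src, dst, ip_protocol, bytes).
SAMPLE_FLOWS = [
    ("10.10.0.1", "10.20.0.1", 47, 1_200_000),
    ("10.10.0.1", "203.0.113.77", 47, 45_000_000),
    ("10.10.0.5", "192.0.2.10", 6, 3_000),
]

# Assumed allowlist: tunnel endpoints the operations team has documented.
KNOWN_TUNNEL_PEERS = {"10.20.0.1"}

GRE_PROTOCOL = 47  # IP protocol number carried in flow records for GRE


def parse_tunnels(config):
    """Return {interface: {"destination": ip, "mode": str}} for Tunnel interfaces."""
    tunnels = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\S+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"destination": None, "mode": None}
            continue
        if line.startswith("!"):          # '!' closes the interface stanza
            current = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped.startswith("tunnel destination "):
            tunnels[current]["destination"] = stripped.split()[-1]
        elif stripped.startswith("tunnel mode "):
            tunnels[current]["mode"] = stripped[len("tunnel mode "):]
    return tunnels


def unexpected_gre_tunnels(config, known_peers):
    """GRE tunnel interfaces whose destination is not a documented peer."""
    findings = []
    for name, t in parse_tunnels(config).items():
        if t["mode"] and "gre" in t["mode"] and t["destination"] not in known_peers:
            findings.append((name, t["destination"]))
    return findings


def unexpected_gre_flows(flows, known_peers):
    """GRE flows (protocol 47) to peers that are not documented tunnel endpoints."""
    findings = []
    for src, dst, proto, nbytes in flows:
        if proto == GRE_PROTOCOL and dst not in known_peers:
            findings.append((src, dst, nbytes))
    return findings


if __name__ == "__main__":
    for name, dst in unexpected_gre_tunnels(SAMPLE_CONFIG, KNOWN_TUNNEL_PEERS):
        print(f"config: undocumented GRE tunnel {name} -> {dst}")
    for src, dst, nbytes in unexpected_gre_flows(SAMPLE_FLOWS, KNOWN_TUNNEL_PEERS):
        print(f"flows: GRE {src} -> {dst} ({nbytes} bytes) to undocumented peer")
```

Checking both the stored configuration and the observed flows matters: a tunnel that was removed from the running-config after use leaves no stanza, but protocol-47 traffic to an unknown peer still shows up in flow data, and a tunnel interface that exists but carries no traffic yet is only visible in the configuration.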
Long-Term Espionage, Not Quick Hits
Unlike typical cyberattacks focused on rapid data theft, Salt Typhoon’s methodology emphasizes prolonged surveillance. This strategy is consistent with other state-sponsored initiatives that prioritize the acquisition of strategic intelligence over immediate financial gain. The group’s reliance on publicly acknowledged vulnerabilities, rather than zero-day exploits, allows it to maintain access over time without triggering security alarms.
What’s at Risk
The advisory warns that telecom networks inherently handle sensitive personal and commercial data. By compromising devices associated with this traffic, attackers can obtain critical insights into user behaviors, physical locations, and private communications. The FBI and Cyber Centre anticipate that such campaigns will continue and may increase in scope over the next two years.
While the alert refrains from naming affected organizations beyond the already reported incident in Canada, it notes similar activities have been observed in various other countries. Consequently, organizations are strongly encouraged to enhance the security of edge devices, conduct thorough audits of network activity for signs of malicious behavior, and promptly apply available patches to mitigate risks.