(Credit: GREG BAKER/AFP via Getty Images)
One of the most extensive Chinese telecom hacks in US history is still ongoing, despite government efforts to stall it.
Undeterred by "significant media coverage and US sanctions," the group known as Salt Typhoon "continues to compromise telecommunications providers globally, including in the US," says a new report from cybersecurity firm Recorded Future.
The US revealed last fall that Salt Typhoon had breached at least eight US telecommunications companies in a long-running campaign that saw hackers looking for dirt on high-profile officials. Last year, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said the group used existing flaws, including “Cisco-specific features” used in the communications sector.
In December, AT&T and Verizon said they were no longer detecting Salt Typhoon activity on their networks. However, Recorded Future says it identified a campaign conducted between December 2024 and January 2025 that was "exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers."
Victim organizations included a US and Italian ISP, South African and Thai telecom providers, and a US-based affiliate of a UK-based telecom provider.
“They’re super active, and they continue to be super active,” Levi Gundert, who leads Recorded Future's Insikt Group research team, tells Wired. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”
Cisco has "not been able to validate these claims but continue to review available data," a company spokesperson tells PCMag. The company issued a security advisory in 2023 disclosing these vulnerabilities along with "guidance for customers to urgently apply the available software fix." Cisco strongly encourages customers to address these known issues.
Yet the Insikt Group says it identified more than 12,000 Cisco network devices with their web UIs exposed to the internet. Of those, Salt Typhoon tried to exploit more than 1,000, likely compiling a list of target devices based on their association with telecom providers' networks, Recorded Future says.
Hackers also went after devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the US, and Vietnam, possibly "to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft."
Gaining access to these devices allows Chinese state actors to eavesdrop on conversations, including calls and texts. The activities represent "a strategic intelligence threat," Recorded Future says. This could enable state-backed threat actors to "monitor confidential conversations, manipulate data flows, and disrupt services during geopolitical conflicts"
Recorded Future calls on telecom companies to prioritize patching exposed network devices, which are currently an open door for Chinese state-sponsored threat actors. Individuals should use end-to-end encrypted communication for sensitive conversations, something CISA and the FBI also recommended, to avoid "eavesdropping risks."
Editors' Note: This story has been updated with comment from Cisco.