The Salt Typhoon hacker group continues to attack global telecommunications networks despite international sanctions and extensive media coverage. From December 2024 to January 2025, the attackers exploited vulnerabilities in Cisco network equipment, targeting universities, Internet service providers, and telecom companies in the United States, Italy, Thailand, South Africa, and several other countries. This cyber espionage operation has already become one of the largest cyber attacks on American telecommunications in history.
Attempts by the US authorities to stop Salt Typhoon have not yielded any tangible results. On the contrary, the group, which is believed to be supported by Chinese state structures, not only continues its attacks but is also widening the geographic reach of its intrusions, compromising organizations in different countries. The analytical company Recorded Future emphasizes that the attackers are adapting to cyber defense measures, using proven methods and finding new vulnerabilities in the network infrastructure.
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) announced back in 2024 that Salt Typhoon was conducting a long-term campaign of hacking US telecommunications providers. The hackers actively exploit known vulnerabilities, including “specific features” of Cisco equipment, which is widely used in the communications industry. The main goal of the attacks, according to experts, is to obtain compromising information about high-ranking US officials.
In December 2024, the largest US telecom operators, AT&T and Verizon, said they had not detected Salt Typhoon activity on their networks. However, a Recorded Future study conducted in December 2024 – January 2025 showed that attackers were continuing attacks by exploiting vulnerabilities in unprotected Cisco devices. The report notes that hackers are deliberately compromising telecom infrastructure, targeting the most vulnerable network nodes.
The organizations attacked included Internet service providers in the United States and Italy, telecommunications companies in Thailand and South Africa, and the American branch of a British telecommunications corporation. The scale of the attacks indicates a systematic and targeted strategy. Analysts at Insikt Group, a division of Recorded Future, recorded more than 12,000 Cisco network devices whose web interfaces were accessible from the Internet. According to the report, the Salt Typhoon hackers attempted to hack more than 1,000 of them, choosing targets based on their connections to telecommunications networks.
In addition to telecommunications companies, the hacker attacks affected universities in the United States, Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand and Vietnam. Experts believe that the attacks were aimed at gaining access to research in the fields of telecommunications, engineering and high technology. The group’s key targets include the University of California, Los Angeles (UCLA) and the Delft University of Technology (TU Delft).
Compromising the network infrastructure of telecom companies and universities gives attackers the ability to intercept voice calls, text messages, and Internet traffic. Recorded Future characterizes these attacks as a “strategic intelligence threat” because they allow not only the interception of confidential information, but also interference in data transmission, manipulation of information flows, and even destabilization of communications systems.
Telecom companies must immediately patch vulnerabilities in their network devices, experts warn. The Recorded Future report highlights that the failure to update Cisco equipment in a timely manner creates a critical security gap, turning these devices into vulnerable entry points for hackers. CISA and the FBI strongly recommend switching to end-to-end encryption to protect sensitive information and minimize the risk of unauthorized interception of data.