{
	"id": "532ef45b-02ce-40b8-83dd-846276e820ef",
	"created_at": "2026-04-06T00:15:24.180552Z",
	"updated_at": "2026-04-10T13:11:43.815154Z",
	"deleted_at": null,
	"sha1_hash": "b69741a65b6bc9bab409303b496edf7f6c3c1413",
	"title": "Canada says Salt Typhoon hacked telecom firm via Cisco flaw",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3264611,
	"plain_text": "Canada says Salt Typhoon hacked telecom firm via Cisco flaw\r\nBy Bill Toulas\r\nPublished: 2025-06-23 · Archived: 2026-04-05 23:21:21 UTC\r\nThe Canadian Centre for Cyber Security and the FBI confirm that the Chinese state-sponsored 'Salt Typhoon' hacking group\r\nis also targeting Canadian telecommunication firms, breaching a telecom provider in February.\r\nDuring the February 2025 incident, Salt Typhoon exploited the CVE-2023-20198 flaw, a critical Cisco IOS XE vulnerability\r\nallowing remote, unauthenticated attackers to create arbitrary accounts and gain admin-level privileges.\r\nThe flaw was first disclosed in October 2023, when it was reported that threat actors had exploited it as a zero-day to hack\r\nover 10,000 devices.\r\nDespite a significant period having passed, at least one major telecommunications provider in Canada still hadn't patched,\r\ngiving Salt Typhoon an easy way to compromise devices.\r\n\"Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon\r\nactors in mid-February 2025,\" reads the bulletin.\r\n\"The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at\r\nleast one of the files to configure a GRE tunnel, enabling traffic collection from the network.\"\r\nIn October 2024, following Salt Typhoon breaches on multiple American broadband providers, the Canadian authorities\r\nflagged reconnaissance activity that targeted dozens of key organizations in the country.\r\nNo actual breaches were confirmed at the time, and despite the calls to elevate security, some critical service providers didn't\r\ntake the 
required action.\r\nThe Cyber Centre notes that, based on separate investigations and crowd-sourced intelligence, activity likely tied to Salt\r\nTyphoon extends beyond the telecommunications sector, targeting multiple other industries.\r\nIn many cases, the activity is limited to reconnaissance, though the data stolen from internal networks can be used for lateral\r\nmovement or supply chain attacks.\r\nThe Cyber Centre warned that the attacks against Canadian organizations \"will almost certainly continue\" over the next two\r\nyears, urging critical organizations to protect their networks.\r\nTelecommunication service providers who handle valuable data, such as call metadata, subscriber location data, SMS\r\ncontents, and government/political communications, are prime targets for state-sponsored espionage groups.\r\nTheir attacks typically target edge devices at the network perimeter, routers, firewalls, and VPN appliances, while MSPs and\r\ncloud vendors are also targeted for indirect attacks on their customers.\r\nThe Cyber Centre's bulletin lists resources providing edge device hardening instructions for critical infrastructure operators.\r\nSalt Typhoon attacks have impacted multiple telecom companies in dozens of countries, including AT\u0026T, Verizon, Lumen,\r\nCharter Communications, Consolidated Communications, and Windstream.\r\nLast week, Viasat also confirmed that Salt Typhoon had breached them, but customer data was not impacted.\r\nSource: https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hacked-telecom-firm-via-cisco-flaw/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hacked-telecom-firm-via-cisco-flaw/"
	],
	"report_names": [
		"canada-says-salt-typhoon-hacked-telecom-firm-via-cisco-flaw"
	],
	"threat_actors": [
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b69741a65b6bc9bab409303b496edf7f6c3c1413.pdf",
		"text": "https://archive.orkl.eu/b69741a65b6bc9bab409303b496edf7f6c3c1413.txt",
		"img": "https://archive.orkl.eu/b69741a65b6bc9bab409303b496edf7f6c3c1413.jpg"
	}
}