##### CYBER THREAT ANALYSIS
By Insikt Group®
**CHINA**
February 13, 2025

# RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers

**Despite significant media coverage and US sanctions, RedMike (Salt Typhoon) continues to target telecommunications providers globally, including in the US.**

**Insikt Group observed RedMike exploiting privilege escalation vulnerabilities CVE-2023-20198 and CVE-2023-20273 to compromise unpatched Cisco network devices.**

**RedMike compromised devices of a US-based affiliate of a UK telecommunications company and a South African telco, and it attempted to exploit over 1,000 Cisco devices between December 2024 and January 2025.**

## Executive Summary

Between December 2024 and January 2025, Recorded Future’s Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers. Victim organizations included a United States-based affiliate of a significant United Kingdom-based telecommunications provider and a South African telecommunications provider. Insikt Group attributes this activity to the Chinese state-sponsored threat activity group tracked by Insikt Group as RedMike, which aligns with the Microsoft-named group Salt Typhoon. Using Recorded Future® Network Intelligence, Insikt Group observed RedMike target and exploit unpatched Cisco network devices vulnerable to CVE-2023-20198, a privilege escalation vulnerability found in the web user interface (UI) feature in Cisco IOS XE software, for initial access before exploiting an associated privilege escalation vulnerability, CVE-2023-20273, to gain root privileges. RedMike reconfigures the device, adding a generic routing encapsulation (GRE) tunnel for persistent access. RedMike has attempted to exploit more than 1,000 Cisco devices globally. The group likely compiled a list of target devices based on their association with telecommunications providers' networks.
Insikt Group also observed RedMike targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States (US), and Vietnam. RedMike possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like UCLA and TU Delft. In addition to this activity, in mid-December 2024, RedMike also carried out a reconnaissance of multiple IP addresses owned by a Myanmar-based telecommunications provider, Mytel.

Unpatched public-facing appliances serve as direct entry points into an organization’s infrastructure. [Sophisticated Chinese threat activity groups have shifted](https://go.recordedfuture.com/hubfs/reports/cta-2023-1107.pdf) heavily toward exploiting these devices for initial access over the past five years. RedMike’s exploitation of telecommunications infrastructure goes beyond technical vulnerabilities and represents a strategic intelligence threat. Persistent access to critical communications networks enables state-backed threat actors to monitor confidential conversations, manipulate data flows, and disrupt services during geopolitical conflicts. RedMike’s targeting of lawful intercept programs and US political figures highlights the strategic intelligence objectives behind these operations and the national security threat they pose.

Organizations, particularly those in the telecommunications industry, must prioritize remediating exposed network devices, as unpatched systems remain a key initial access vector for Chinese state-sponsored threat activity groups. Network administrators should implement strict access controls, disable unnecessary web UI exposure, and monitor for unauthorized configuration changes.
Individuals should use end-to-end encrypted communication methods for sensitive information, as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have recommended; this is crucial to mitigating potential eavesdropping risks.

CTA-CN-2025-0213 | [Recorded Future® | www.recordedfuture.com](http://www.recordedfuture.com)

Additionally, governments and cybersecurity entities should improve threat intelligence sharing and impose stricter regulatory compliance for network security. While the US sanctions on RedMike-affiliated Sichuan Juxinhe Network Technology signal a more assertive and commendable stance against state-backed cyber espionage in critical infrastructure, robust international cooperation is crucial for effectively countering these persistent threats.

## Key Findings

- Despite significant media coverage and US sanctions, RedMike continues to compromise telecommunications providers globally, including in the US.
- RedMike compromised Cisco network devices of a US-based affiliate of a United Kingdom (UK) telecommunications provider and a primary South African telecommunications provider.
- RedMike exploited privilege escalation vulnerabilities CVE-2023-20198 and CVE-2023-20273 to compromise unpatched Cisco network devices running Cisco IOS XE software.
- Using Recorded Future Network Intelligence, Insikt Group identified RedMike attempting to exploit over 1,000 Cisco network devices between December 2024 and January 2025.

## Background

In late September 2024, media reporting ([1](https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835?st=cYA8J5&reflink=desktopwebshare_permalink), 2) stated that the Chinese state-sponsored group Salt Typhoon had compromised the networks of major US telecommunications companies, including [Verizon](https://www.verizon.com/about/news/verizon-provides-update-salt-typhoon-matter), AT&T, and Lumen Technologies. The activity likely affected telecommunications organizations globally, with some outlets [reporting](https://www.politico.com/newsletters/national-security-daily/2024/12/12/we-need-to-talk-about-salt-typhoon-00183727) that Salt Typhoon compromised at least 80 organizations. Salt Typhoon [used its access](https://www.darkreading.com/cyber-risk/salt-typhoon-apt-subverts-law-enforcement-wiretapping) to telecommunications providers to snoop on US lawful intercept targets and intercept the communications of significant US political figures.

The effect of Salt Typhoon’s intrusions has reached the highest levels of the US government: cybersecurity experts have [briefed](https://www.reuters.com/world/us/us-agencies-brief-senators-chinese-salt-typhoon-telecom-hacking-2024-12-04/) the US Senate, CISA recently [issued](https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure) guidance on hardening telecommunications infrastructure, and CISA and the FBI issued a joint [warning encouraging the use of encrypted end-to-end messaging](https://www.forbes.com/sites/zakdoffman/2024/12/06/fbi-warns-iphone-and-android-users-stop-sending-texts/) applications for sensitive communications.

Insikt Group tracks Salt Typhoon-aligned activity as RedMike. Salt Typhoon is a group name given by Microsoft Threat Intelligence; at this time, Microsoft has not published publicly available technical details of the group's activity.
The only public information Microsoft has shared confirms an [overlap](https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming) with two existing threat activity group names: [GhostEmperor](https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/) (Kaspersky) and FamousSparrow (ESET).

On January 17, 2025, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) [sanctioned](https://home.treasury.gov/news/press-releases/jy2792) Sichuan-based cybersecurity company Sichuan Juxinhe Network Technology Co., Ltd. for their direct involvement with RedMike activity. OFAC stated that Sichuan Juxinhe Network Technology Co., Ltd. had direct involvement in exploiting US telecommunications and internet service provider companies. According to OFAC, China’s Ministry of State Security (MSS) has maintained strong ties with multiple computer network exploitation companies, including Sichuan Juxinhe.

## Technical Analysis

#### Cisco IOS XE Web UI Exploitation

Using Recorded Future Network Intelligence, Insikt Group identified that since early December 2024, RedMike has attempted to exploit over 1,000 internet-facing Cisco network devices worldwide, primarily those associated with telecommunications providers, using a combination of two privilege escalation vulnerabilities: CVE-2023-20198 and CVE-2023-20273. When a device is successfully compromised, the group uses the new privileged user account to change the device's configuration and adds a GRE tunnel for persistent access and data exfiltration.

The privilege escalation vulnerability CVE-2023-20198 was found in the Cisco IOS XE software web UI feature, version sixteen and earlier, and [published](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) by Cisco in October 2023. Attackers exploit this vulnerability to gain initial access to the device and issue a privilege 15 command to create a local user and password. Following this, the attacker uses the new local account to access the device and exploits an associated privilege escalation vulnerability, CVE-2023-20273, to gain root user privileges.

**_Figure 1: RedMike Cisco network device exploitation infrastructure (Source: Recorded Future)_**

More than half of the Cisco devices targeted by RedMike were in the US, South America, and India. The remaining devices spanned over 100 other countries. Although the selected devices are primarily associated with telecommunications providers, thirteen were linked to universities across Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the US, and Vietnam.

Often involved in cutting-edge research, universities are prime targets for Chinese state-sponsored threat activity groups to acquire valuable research data and intellectual property. Previous examples include APT40, which has [targeted](https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a) universities for biomedical, robotics, and maritime research; RedGolf (APT41) [for](https://www.justice.gov/archives/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer) medical research; and RedBravo (APT31), which has [directly targeted](https://www.reuters.com/technology/cybersecurity/apt31-chinese-hacking-group-behind-global-cyberespionage-campaign-2024-03-26/) academics. China’s cyber strategy [aligns](https://go.recordedfuture.com/hubfs/reports/cta-2023-1107.pdf) with its broader economic and military goals, making universities high-value targets for long-term intelligence-gathering and technology acquisition. RedMike possibly targeted the following universities to access research in areas related to telecommunications, engineering, and technology, particularly at institutions like [UCLA](https://wireless.ee.ucla.edu/research/) and [TU Delft](https://www.tudelft.nl/onderwijs/opleidingen/masters/ee/msc-electrical-engineering/track-wireless-communication-and-sensing/related-research/):

- University of California, Los Angeles (UCLA) — US
- California State University, Office of the Chancellor (CENIC) — US
- Loyola Marymount University — US
- Utah Tech University — US
- Universidad de La Punta — Argentina
- Islamic University of Technology (IUT) — Bangladesh
- Universitas Sebelas Maret — Indonesia
- Universitas Negeri Malang — Indonesia
- University of Malaya — Malaysia
- Universidad Nacional Autonoma — Mexico
- Technische Universiteit Delft — The Netherlands
- Sripatum University — Thailand
- University of Medicine and Pharmacy at Ho Chi Minh City — Vietnam

**_Figure 2: Geographical spread of Cisco devices targeted by RedMike (Source: Recorded Future)_**

RedMike’s scanning and exploitation activity occurred on six different occasions from December 2024 to January 2025:

- 2024-12-04
- 2024-12-10
- 2024-12-17
- 2024-12-24
- 2025-01-13
- 2025-01-23

Network administrators operating a Cisco network device with IOS XE software web UI exposed to the internet can use the dates mentioned and the advice in the mitigations section to identify potential RedMike exploitation activity.
Using internet scanning data, Insikt Group identified more than 12,000 Cisco network devices with their web UIs exposed to the internet. Although over 1,000 Cisco devices were targeted, Insikt Group assesses that this activity was likely focused, given that this number represents only 8% of the exposed devices and that RedMike engaged in periodic reconnaissance activity, selecting devices linked to telecommunications providers.

#### Compromised Telecommunications Provider Devices

Using Recorded Future Network Intelligence, Insikt Group observed seven compromised Cisco network devices communicating with RedMike infrastructure. These include devices associated with:

- A US-based affiliate of a UK telecommunications provider
- A US internet service provider (ISP) and telecommunications company
- A South African telecommunications provider
- An Italian ISP
- A large Thailand telecommunications provider

RedMike configured GRE tunnels between the compromised Cisco devices and their infrastructure. GRE is a tunneling protocol used to encapsulate various network layer protocols inside point-to-point connections. It is a standard feature that can be configured on Cisco network devices. It is commonly used to create virtual private networks (VPNs), enable interoperability between different network types, and transport multicast or non-IP traffic over IP networks. Threat activity groups use GRE tunnels to maintain persistence by establishing covert communication channels that bypass firewalls and intrusion detection systems. These tunnels also facilitate stealthy data exfiltration by encapsulating stolen data within GRE packets, potentially bypassing network monitoring.
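As an added example (not Insikt Group code), the following Python script shows one way to monitor for the two configuration changes described above: it diffs a baseline IOS XE running-config against a current snapshot and flags any new privilege-15 local user and any new GRE tunnel interface whose destination is not an expected peer. The config text, usernames, addresses and the allowlists of known admins and tunnel peers are constructed for illustration.

```python
"""Diff two Cisco IOS XE running-config snapshots and flag the two changes the
report describes: a new privilege-15 local user and a new GRE tunnel to an
unexpected peer. Added example, not Insikt Group code; all config text,
addresses and allowlists below are constructed for illustration."""
import re

BASELINE = """\
username netops privilege 15 secret 9 $9$placeholderhash
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
ip http secure-server
"""

CURRENT = """\
username netops privilege 15 secret 9 $9$placeholderhash
username cisco_tac_admin privilege 15 secret 9 $9$placeholderhash2
interface GigabitEthernet0/0/0
 ip address 192.0.2.10 255.255.255.0
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
ip http secure-server
"""

KNOWN_ADMINS = {"netops"}              # local accounts the operator created
KNOWN_TUNNEL_PEERS = {"198.51.100.5"}  # GRE endpoints that are expected

def parse_config(text):
    """Return (users, tunnels): name -> privilege, and TunnelN -> sub-commands."""
    users, tunnels, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and current is not None:
            parts = line.split()  # sub-command inside a Tunnel block
            tunnels[current][" ".join(parts[:2])] = " ".join(parts[2:])
            continue
        current = None  # any top-level line ends the current block
        m = re.match(r"username (\S+) privilege (\d+)", line)
        if m:
            users[m.group(1)] = int(m.group(2))
        m = re.match(r"interface (Tunnel\d+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
    return users, tunnels

def find_suspicious_changes(baseline, current, known_admins, known_peers):
    """Return findings for users and tunnels present in current but not baseline."""
    b_users, b_tunnels = parse_config(baseline)
    c_users, c_tunnels = parse_config(current)
    findings = []
    for name, priv in c_users.items():
        if name not in b_users and priv == 15 and name not in known_admins:
            findings.append(f"new privilege-15 user: {name}")
    for ifname, cmds in c_tunnels.items():
        if ifname in b_tunnels:
            continue
        mode = cmds.get("tunnel mode", "gre ip")  # GRE over IP is the IOS default
        dest = cmds.get("tunnel destination", "<unset>")
        if mode.startswith("gre") and dest not in known_peers:
            findings.append(f"new GRE tunnel {ifname} to {dest}")
    return findings

if __name__ == "__main__":
    for f in find_suspicious_changes(BASELINE, CURRENT, KNOWN_ADMINS, KNOWN_TUNNEL_PEERS):
        print("ALERT:", f)
```

In practice the baseline would come from a config backup taken before the campaign dates listed above, and the current snapshot from `show running-config` on the device.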
#### Reconnaissance of Myanmar Telecommunications Provider

In mid-December 2024, RedMike, from the same infrastructure that exploited the Cisco network devices, performed reconnaissance against multiple infrastructure assets operated by a Myanmar-based telecommunications provider, Mytel, likely including their corporate mail server.

## Mitigations

- Prioritize applying available security patches and updates to network devices exposed to the internet.
- Avoid exposing administration interfaces or non-essential services on public-facing appliances directly to the internet, particularly for end-of-life devices.
- Monitor for network device configuration changes.
- Monitor network traffic for protocols not implemented in your network, such as GRE.
- Use the advanced query feature in Recorded Future to monitor for actively exploited technology within your stack and set alerts to notify you of any at-risk assets.

#### Cisco IOS XE Software Device-Specific Remediation

- [Check system logs](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z) for the presence of any of the following log messages, where the user could be cisco_tac_admin, cisco_support, or any configured local user that is unknown to the network administrator:

```
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line
%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: user] [Source: source_IP_address] at 03:42:13 UTC Wed Oct 11 2023
```

## Outlook

Despite significant media coverage and US sanctions, Insikt Group expects RedMike to continue targeting telecommunications providers in the US and globally due to the amount and high value of communications data that traverses these networks.
This is highlighted by RedMike’s previous targeting of US lawful intercept operations and the communications of significant US political figures via these intrusions. While espionage operations are not intended to disrupt their target networks, the discovery of such a wide-ranging infiltration of US critical infrastructure has further degraded US-China relations, evidenced, for example, by the Biden administration [banning China Telecom's remaining operations in the US](https://web.archive.org/web/20241227060307/https://www.nytimes.com/2024/12/16/us/politics/biden-administration-retaliation-china-hack.html). The US Congress has primarily focused on the security lapses at the telecommunications companies themselves, such as the presence of [outdated routers](https://www.washingtonpost.com/national-security/2024/11/21/salt-typhoon-china-hack-telecom/) and a [lack of monitoring capabilities](https://www.nextgov.com/cybersecurity/2024/11/white-house-convened-telecom-leaders-details-chinese-espionage-hack-unfold/401277/?oref=ng-homepage-river), as exemplified by the activity observed by Insikt Group.

US [sanctions](https://home.treasury.gov/news/press-releases/jy2792) on the entity behind RedMike’s activity — Sichuan Juxinhe Network Technology Co., Ltd. — followed in early 2025, most likely further straining US-China relations. In this case, the timeline of punitive action by the US government was almost certainly accelerated by the forthcoming change in administration compared with previous actions against Chinese state-sponsored threat activity groups, which often take longer to become public ([1](https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived), 2, 3). As the telecommunications industry and intelligence communities begin to grasp the scale of RedMike’s intrusions and tackle the root causes, Insikt Group expects to see further technical details published.

## Appendix A: MITRE ATT&CK Techniques
|Tactic: Technique|ATT&CK Code|Observable|
|---|---|---|
|Initial Access: Exploit Public-Facing Application|[T1190](https://attack.mitre.org/techniques/T1190/)|RedMike has exploited Cisco network devices using CVE-2023-20198 for initial access.|
|Privilege Escalation: Exploitation for Privilege Escalation|[T1068](https://attack.mitre.org/techniques/T1068/)|RedMike has exploited Cisco network devices using CVE-2023-20273 to gain root-level user privileges.|
|Command-and-Control: Protocol Tunneling|[T1572](https://attack.mitre.org/techniques/T1572/)|RedMike has configured GRE tunnels between compromised Cisco network devices and attacker infrastructure.|
|Reconnaissance: Gather Victim Network Information|[T1590](https://attack.mitre.org/techniques/T1590/)|RedMike undertook a reconnaissance of Myanmar-based telecommunications provider infrastructure.|
|Reconnaissance: Active Scanning|[T1595](https://attack.mitre.org/techniques/T1595/)|RedMike has actively scanned 1,000s of Cisco network devices, attempting to exploit them with a combination of CVE-2023-20198 and CVE-2023-20273.|

## Appendix B: RedMike Diamond Model

_Recorded Future reporting contains expressions of likelihood or probability consistent with US Intelligence Community Directive (ICD) 203: [Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015). Recorded Future reporting also uses confidence level standards [employed](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) by the US Intelligence Community to assess the quality and quantity of the source information supporting our analytic judgments._

_About Insikt Group®_

_Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption._

_About Recorded Future®_

_Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering customers to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence._

_Learn more at recordedfuture.com_