Chinese state-sponsored hackers systematically infiltrated dozens of telecommunications networks across the United States and internationally by exploiting vulnerabilities in Cisco networking equipment, according to cybersecurity researchers tracking the campaign. The Salt Typhoon group, linked to Chinese intelligence operations, compromised critical infrastructure by targeting unpatched devices, including switches and routers that serve as gateways to broader telecommunications environments.
The attackers primarily gained unauthorized access through stolen credentials, while also exploiting both zero-day vulnerabilities and previously disclosed security flaws. In one documented case, the hackers used a seven-year-old software vulnerability in Cisco router firmware that remained unpatched because of inadequate security maintenance.
Vulnerable features such as Smart Install in Cisco IOS and IOS XE systems facilitated arbitrary code execution and device manipulation, allowing attackers to reload systems and cause denial of service conditions across affected networks.
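The Smart Install client described above is the kind of feature a defender wants to find and switch off before an attacker reaches it. As an added example (not code from the article, from Cisco, or from the researchers it cites), the following Python script audits exported running-config text and flags devices whose Smart Install client is still on. The hostnames and config excerpts are constructed; the Cisco IOS commands it relies on are `vstack` / `no vstack` (enable / disable the client) and Smart Install's TCP port 4786, which are real, while treating a config that has no `vstack` line at all as enabled-by-default is an assumption that matches Cisco's documented default on many Catalyst switch platforms.

```python
import re

# Constructed sample running-config excerpts; not taken from any real device.
SAMPLE_CONFIGS = {
    "edge-sw-01": """
hostname edge-sw-01
!
vstack
!
interface GigabitEthernet0/1
""",
    "edge-sw-02": """
hostname edge-sw-02
!
no vstack
!
interface GigabitEthernet0/1
""",
    "edge-sw-03": """
hostname edge-sw-03
!
interface GigabitEthernet0/1
""",
}

# Matches a whole-line "vstack" or "no vstack" statement in IOS / IOS XE config syntax.
VSTACK_RE = re.compile(r"^[ \t]*(no[ \t]+)?vstack[ \t]*$", re.MULTILINE)


def smart_install_state(config: str) -> str:
    """Classify a device's Smart Install client state from its running-config text.

    Returns one of:
      'disabled'        - an explicit 'no vstack' line is present
      'enabled'         - an explicit 'vstack' line is present
      'default-enabled' - no vstack statement at all (assumption: the client is on by default)
    The last vstack statement in the config wins, mirroring how IOS applies config lines in order.
    """
    state = "default-enabled"  # assumption, see docstring
    for match in VSTACK_RE.finditer(config):
        state = "disabled" if match.group(1) else "enabled"
    return state


def audit(configs: dict) -> dict:
    """Return {hostname: remediation note} for every device that still has Smart Install on."""
    findings = {}
    for host, cfg in configs.items():
        state = smart_install_state(cfg)
        if state != "disabled":
            findings[host] = (
                f"Smart Install client is {state}: apply 'no vstack' on the device "
                "and block TCP/4786 from untrusted networks at the edge"
            )
    return findings


if __name__ == "__main__":
    for host, note in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host}: {note}")
```

In practice the config excerpts would come from a config-management export or a `show running-config` capture per device; the classification logic is the same, and the resulting list gives a defender the concrete set of switches to harden first.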
Telecommunications providers in the United States, South Africa, and other countries experienced a significant escalation in attack frequency and severity. The intrusions bypassed traditional perimeter security measures by directly compromising network hardware, giving the attackers persistent access to monitor telecommunications traffic across multiple countries.
The hackers deployed sophisticated tools, including KV Botnet malware on compromised small office/home office routers, effectively masking their activities and avoiding detection by security monitoring systems.
A critical factor enabling these widespread breaches was poor patch management across the telecommunications sector. Cisco vulnerabilities disclosed in 2018 remained unpatched in many providers’ equipment, creating persistent security gaps that threat actors systematically exploited. Major telecommunications companies including AT&T, Verizon, and T-Mobile were among the providers affected by these intrusions.
Legacy hardware and outdated firmware presented recurring vulnerabilities, with attackers requiring no new software flaws to execute successful campaigns against major telecommunications infrastructure.
The cyberattacks allowed sustained espionage operations within telecom networks, potentially compromising national security through interception and manipulation of massive communications volumes. The attackers gained access to lawful intercept systems used by law enforcement for surveillance purposes, creating significant security concerns for intelligence operations. Malicious payloads injected into compromised devices facilitated command execution, traffic redirection, and exfiltration of sensitive network data.
Attribution to Chinese state-sponsored actors was established through malware signatures, infrastructure overlaps, and consistent targeting patterns that aligned with previous campaigns by known government-affiliated cyber units, demonstrating sophisticated knowledge of telecommunications protocols and Cisco device architectures.