
Exploitation of Cisco Flaw in Salt Typhoon's Cyberattack on Canadian Telecom Firms
A significant cybersecurity incident unfolded when Salt Typhoon, a notorious threat actor group, exploited a critical vulnerability in Cisco’s IOS XE software, identified as CVE-2023-20198. This flaw allowed attackers to create unauthorized accounts with admin-level privileges, posing a substantial risk to global network security. Disclosed in October 2023, the vulnerability has been a focal point for cyber espionage, particularly impacting Canadian telecommunications firms. Salt Typhoon’s sophisticated methods, including zero-day exploits (attacks on vulnerabilities not yet known to the vendor) and living-off-the-land techniques (abusing legitimate tools already present on the network for malicious purposes), have enabled them to infiltrate networks and conduct extensive surveillance. This highlights the urgent need for robust cybersecurity measures (Cyber Centre).
Overview of the Cisco Vulnerability
The CVE-2023-20198 vulnerability in Cisco IOS XE is a critical security flaw that allows remote, unauthenticated attackers to create arbitrary accounts and gain admin-level privileges. This vulnerability was first disclosed in October 2023 and has since been exploited by threat actors, including the Salt Typhoon group, to compromise over 10,000 devices globally. The flaw is particularly dangerous as it enables attackers to infiltrate networks without needing legitimate credentials, making it a prime target for state-sponsored cyber espionage activities.
Methods of Exploitation
Salt Typhoon has employed various methods to exploit the CVE-2023-20198 vulnerability. The group has been known to use a combination of zero-day exploits and stolen credentials to gain access to vulnerable Cisco devices. In some instances, they have leveraged the flaw to retrieve running configuration files from compromised devices and modify them to establish GRE tunnels. These tunnels facilitate the collection of network traffic, allowing the attackers to conduct extensive surveillance and data exfiltration.
Additionally, Salt Typhoon has been observed using living-off-the-land (LOTL) techniques, which involve utilizing legitimate network tools and processes to carry out their attacks. This approach helps them evade detection by blending their activities with normal network operations. By exploiting the CVE-2023-20198 vulnerability, Salt Typhoon can create backdoors and maintain persistent access to compromised networks.
Impact on Canadian Telecommunications
The exploitation of the Cisco vulnerability by Salt Typhoon has had significant repercussions for Canadian telecommunications firms. In February 2025, the group successfully breached a Canadian telecom provider, exploiting the CVE-2023-20198 flaw to gain unauthorized access to critical network infrastructure. This breach allowed the attackers to intercept and manipulate network traffic, posing a severe threat to the confidentiality and integrity of communications within the affected networks.
The Canadian Centre for Cyber Security and the FBI have confirmed that Salt Typhoon’s activities are part of a broader cyber espionage campaign targeting telecommunications providers globally. The group’s focus on Canadian firms highlights the strategic importance of these targets in the context of international cyber warfare. The compromised networks not only jeopardize the security of Canadian communications but also have the potential to disrupt critical services and infrastructure.
Defensive Measures and Mitigation Strategies
In response to the threat posed by Salt Typhoon, cybersecurity experts have recommended several mitigation strategies to protect against the exploitation of the CVE-2023-20198 vulnerability. These measures include:
- Patching and Updates: Organizations are advised to promptly apply security patches and updates released by Cisco to address the vulnerability. Keeping systems up-to-date is crucial in preventing exploitation by threat actors.
- Network Segmentation: Implementing network segmentation can limit the lateral movement of attackers within a compromised network. By isolating critical systems and data, organizations can reduce the impact of a potential breach.
- Access Controls: Strengthening access controls by enforcing strong authentication mechanisms and limiting administrative privileges can help prevent unauthorized access to network devices.
- Monitoring and Detection: Continuous monitoring of network traffic and device logs can aid in the early detection of suspicious activities. Implementing intrusion detection and prevention systems (IDPS) can provide an additional layer of security.
- Employee Training: Educating employees about cybersecurity best practices and the risks associated with phishing and social engineering attacks can reduce the likelihood of credential theft and unauthorized access.
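As an added example (not code from the article, from Cisco, or from any government tool), the following Python script ties the "Methods of Exploitation" section to the "Monitoring and Detection" measure above: it audits a saved Cisco IOS XE running-config for the two artifacts that section describes, local accounts created at privilege 15 and GRE tunnel interfaces that nobody approved. It also reports whether the IOS XE web UI (`ip http server` / `ip http secure-server`) is enabled, because Cisco's advisory places CVE-2023-20198 in that component. The allowlists, the hostname, the usernames, the addresses and the tunnel names in the sample config are all constructed for this example.

```python
"""Audit a Cisco IOS XE running-config for the artifacts described above.

Added example: not code from the article or from Cisco. It assumes the
running-config has already been collected (for example the output of
'show running-config' saved to a file) and is passed in as a string.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Allowlists are assumptions: in practice they come from the network
# team's change records, not from this script.
EXPECTED_ADMINS = {"netops"}
EXPECTED_TUNNELS = {"Tunnel100"}


@dataclass
class Finding:
    severity: str
    category: str
    detail: str


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each 'interface X' stanza to its indented sub-lines."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(maxsplit=1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any top-level command ends the stanza
    return interfaces


def audit_config(config: str,
                 expected_admins: set[str] = EXPECTED_ADMINS,
                 expected_tunnels: set[str] = EXPECTED_TUNNELS) -> list[Finding]:
    findings: list[Finding] = []

    # 1. Privilege-15 local users: CVE-2023-20198 lets an attacker add one.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings.append(Finding("high", "unexpected-admin",
                                    f"privilege 15 user '{m.group(1)}' not in allowlist"))

    # 2. GRE tunnels outside the allowlist: the actor adds these to copy traffic out.
    for name, body in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        # IOS omits the mode line when it is the default, which is GRE over IP.
        mode = next((ln for ln in body if ln.startswith("tunnel mode ")), "tunnel mode gre ip")
        dest = next((ln.split()[-1] for ln in body if ln.startswith("tunnel destination ")), "unknown")
        if "gre" in mode and name not in expected_tunnels:
            findings.append(Finding("high", "unexpected-gre-tunnel", f"{name} -> {dest} ({mode})"))

    # 3. Web UI enabled: the IOS XE component Cisco's advisory ties to CVE-2023-20198.
    for m in re.finditer(r"^ip http (?:secure-)?server$", config, re.M):
        findings.append(Finding("medium", "web-ui-enabled", m.group(0)))

    return findings


# Constructed sample config: hostname, users, addresses and tunnels are invented.
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
username netops privilege 15 secret 9 $9$REDACTED
username svc_backup privilege 15 secret 9 $9$REDACTED
username readonly privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
interface Tunnel100
 description approved site-to-site link
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel9
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit_config(text):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

Run it as `python audit_config.py running-config.txt` against the saved output of `show running-config`. An `unexpected-admin` or `unexpected-gre-tunnel` finding should be handled as an incident trigger rather than a hygiene item: diff the config against a known-good baseline captured before the October 2023 disclosure, and check the device's logs for the change that introduced the entry. The script treats a Tunnel interface with no `tunnel mode` line as GRE, because that is the IOS default and the line is omitted from the running-config.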
Broader Implications for Global Cybersecurity
The exploitation of the Cisco vulnerability by Salt Typhoon underscores the broader implications for global cybersecurity. The incident highlights the vulnerabilities inherent in widely used network infrastructure and the potential for state-sponsored actors to exploit these weaknesses for geopolitical gain. As telecommunications networks form the backbone of modern communication, their security is paramount to national security and economic stability.
The Salt Typhoon campaign serves as a reminder of the evolving threat landscape and the need for continuous vigilance and adaptation in cybersecurity strategies. Organizations must prioritize the security of their network infrastructure and collaborate with industry partners and government agencies to share threat intelligence and develop effective countermeasures.
In conclusion, the exploitation of the CVE-2023-20198 vulnerability by Salt Typhoon represents a significant challenge for Canadian telecommunications firms and the broader cybersecurity community. By understanding the methods and impact of these attacks, organizations can better prepare and defend against future threats.
Final Thoughts
The Salt Typhoon cyberattack on Canadian telecom firms via the Cisco vulnerability underscores the critical importance of cybersecurity vigilance. This incident not only highlights the vulnerabilities in widely used network infrastructure but also the strategic targeting by state-sponsored actors for geopolitical gain. The broader implications for global cybersecurity are profound, as telecommunications networks are integral to national security and economic stability. Organizations must prioritize securing their network infrastructure and collaborate with industry partners and government agencies to share threat intelligence and develop effective countermeasures (Nextgov).
References
- Bleeping Computer. (2023). Canada says Salt Typhoon hacked telecom firm via Cisco flaw. https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hacked-telecom-firm-via-cisco-flaw/
- Cyber Centre. (2023). Cyber threat bulletin: PRC cyber actors target telecommunications companies in global cyberespionage campaign. https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-prc-cyber-actors-target-telecommunications-companies-global-cyberespionage-campaign
- Nextgov. (2025). Salt Typhoon hackers exploited stolen credentials and 7-year-old software flaw in Cisco systems. https://www.nextgov.com/cybersecurity/2025/02/salt-typhoon-hackers-exploited-stolen-credentials-and-7-year-old-software-flaw-cisco-systems/403146/