Despite recent sanctions imposed by the US government, the Chinese government-linked hacking group Salt Typhoon continues to compromise telecommunications providers, according to a report by threat intelligence firm Recorded Future. The group, also tracked as "RedMike," breached five telecom firms between December 2024 and January 2025, exploiting vulnerabilities in Cisco devices to gain unauthorized access.

The hacking group made headlines last September after it was revealed that Salt Typhoon had infiltrated several US phone and internet giants, including AT&T and Verizon, to gain access to the private communications of senior US government officials and political figures. The group also hacked into systems used by law enforcement agencies for court-authorized collection of customer data, potentially accessing sensitive information such as the identities of Chinese targets of US surveillance.

Recorded Future declined to name the latest victims of Salt Typhoon's attacks, but revealed that they include a US-based affiliate of a prominent UK telecommunications provider, a US internet service provider, and telecom companies in Italy, South Africa, and Thailand. The hackers also performed reconnaissance on multiple infrastructure assets operated by Myanmar-based telecommunications provider Mytel.

To carry out these attacks, Salt Typhoon exploited two vulnerabilities (tracked as CVE-20232-0198 and CVE-2023-20273) to compromise unpatched Cisco devices running Cisco IOS XE software. The hacking group has attempted to compromise more than 1,000 Cisco devices globally, focusing particularly on devices associated with telecommunications providers' networks, according to Recorded Future.

Recorded Future also observed Salt Typhoon targeting devices associated with universities, including the University of California and Utah Tech. The researchers believe the hacking group "possibly targeted these universities to access research in areas related to telecommunications, engineering, and technology."

In January, the US Treasury Department sanctioned a China-based cybersecurity company known as Sichuan Juxinhe Network Technology, which it says is directly linked to Salt Typhoon. However, Recorded Future's researchers expect Salt Typhoon to continue targeting telecommunications providers in the US and elsewhere, despite this action.

The continued activity of Salt Typhoon raises concerns about the effectiveness of sanctions in deterring state-sponsored hacking groups. It also highlights the need for telecommunications providers to prioritize cybersecurity and patch vulnerabilities in their systems to prevent such attacks.

The ongoing targeting of telecom providers by Salt Typhoon also has broader implications for national security and global cybersecurity. As the group continues to exploit vulnerabilities and gain unauthorized access to sensitive information, it poses a significant threat to the integrity of communication networks and the privacy of individuals.

In conclusion, the report by Recorded Future serves as a stark reminder of the persistent threat posed by state-sponsored hacking groups like Salt Typhoon. Despite sanctions and international pressure, these groups continue to operate with impunity, highlighting the need for a concerted global effort to combat cyber threats and protect critical infrastructure.