Cybersecurity threats continue to evolve, and organizations worldwide must remain vigilant. Recent reports from security researchers at Recorded Future highlight a resurgence of activity by Salt Typhoon, a state-sponsored threat actor based in China. This group has become notorious for targeting telecommunications providers and educational institutions across various countries, including the United States, the United Kingdom, South Africa, and others. The implications of these attacks underscore the critical need for enhanced cybersecurity measures within vulnerable sectors.
Table of Contents
- Salt Typhoon Activity Overview
- Sectors Under Attack
- Exploited Vulnerabilities in Cisco Devices
- Ongoing Threats and Mitigation Measures
Salt Typhoon Activity Overview
The recent activities of the Chinese state-sponsored group Salt Typhoon indicate a deliberate strategy aimed at breaching the defenses of key infrastructure providers. Evidence suggests that they have successfully infiltrated multiple networks, exploiting known vulnerabilities and launching sophisticated cyber-attacks. Their most recent operations were registered between December 2024 and January 2025, demonstrating a sustained level of activity and commitment to their campaign of cyber espionage.
Sectors Under Attack
Salt Typhoon’s focus remains on a select group of organizations, primarily comprising:
- **Telecommunications**: Including US internet service providers and a UK telecom affiliate.
- **Educational Institutions**: Various universities across several countries such as Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherlands, Thailand, Vietnam, and the United States.
- **International Providers**: Telecom firms in South Africa, Thailand, and an ISP in Italy are also on their radar.
This targeted approach not only amplifies the risks faced by these sectors but also raises red flags concerning the safety of sensitive data and national security.
Exploited Vulnerabilities in Cisco Devices
Recent investigations revealed that Salt Typhoon is capitalizing on vulnerabilities in Cisco’s IOS software, which powers a vast number of routers and switches globally. Cybersecurity experts identified more than 12,000 internet-connected Cisco devices that are exposed to these risks. The specific vulnerabilities being exploited include:
- **Web Interface Flaws**: Targeting internet-exposed web interfaces that facilitate unauthorized access.
- **Root Privileges Exploitation**: Allowing the attackers to gain complete control over the devices.
- **Unpatched N-day Vulnerabilities**: Utilizing weaknesses for which exploits and proofs of concept are already available.
These factors make it easier for cybercriminals to breach defenses and execute their malicious goals.
Ongoing Threats and Mitigation Measures
The consistent attacks orchestrated by Salt Typhoon serve as a clear reminder that organizations must prioritize their security postures. Levi Gundert, head of Recorded Future’s Insikt Group, emphasizes the gravity of the situation, stating, “They’re super active, and they continue to be super active.” This assertion underlines the aggressive tactics employed by the group and the urgent requirement for effective countermeasures.
Cisco has publicly stated that all known vulnerabilities exploited by Salt Typhoon have been patched. Users are urged to apply these patches promptly to mitigate their risk exposure. Organizations can take several steps to bolster their defenses, including:
- **Regular Patch Management**: Ensuring that all devices are updated with the latest security patches.
- **Vulnerability Assessments**: Conducting routine assessments to identify and remediate potential vulnerabilities.
- **Enhanced Monitoring**: Implementing advanced monitoring solutions to detect suspicious activities in real-time.
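The internet-exposed web interface named above is also the easiest exposure to close. The following Cisco IOS configuration fragment is an added illustration, not guidance from Cisco or from the researchers quoted here; it contrasts the weak setting with a hardened one and assumes 10.10.0.0/24 as a management subnet and the `ip http access-class ipv4` syntax of recent IOS/IOS-XE releases (older releases use a numbered standard ACL with `ip http access-class <1-99>`).

```cisco
! --- Weak: HTTP and HTTPS management reachable on every interface,
! --- including the internet-facing one, with no source restriction.
ip http server
ip http secure-server

! --- Hardened: plaintext HTTP off, HTTPS only from the management subnet,
! --- local (or AAA) authentication required, denied attempts logged.
! --- 10.10.0.0/24 is an assumed management subnet, not a value from the article.
no ip http server
ip http secure-server
ip http authentication local
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny   any log
ip http access-class ipv4 MGMT-ONLY

! --- If the web UI is not needed, remove the exposure entirely:
! no ip http server
! no ip http secure-server
```

The `deny any log` entry turns blocked web-interface connection attempts into syslog events, which gives the monitoring step above something concrete to alert on.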
The ongoing threat posed by groups like Salt Typhoon highlights the necessity for resilient cybersecurity practices. With cybercriminals continuously probing for vulnerabilities, proactive measures are essential to safeguard sensitive information and protect vital infrastructure.
For more insights into the Salt Typhoon attacks and their broader impact, you can explore additional readings on the [Salt Typhoon attacks](https://www.techradar.com/pro/security/salt-typhoon-attacks-may-have-hit-more-us-firms-than-previously-thought) and learn about the best practices for enhancing your security measures by checking out our guide to the [best password managers](https://www.techradar.com/best/password-manager) and [best authenticator apps](https://www.techradar.com/best/best-authenticator-apps).