Protect Telecom Networks from Chinese State Actors Now
August 27, 2025 • César Daniel Barreto

Security teams need to know: CISA has released an advisory with the FBI and some international partners about Salt Typhoon, a group of Chinese state actors hitting telecom networks globally, including Canadian ones. They’re exploiting CVE-2023-20198 in Cisco IOS XE, a bug that lets them bypass authentication and nab running configs, and then chaining it with other vulnerabilities for deeper access. Pretty sneaky, right? They’re even modifying device configs to create GRE tunnels that siphon traffic quietly.
The scope is massive. Telecoms are the main target, but the actors are also aiming at the government, transportation, and hospitality sectors. Compromised devices become pivot points into other networks, and the actors are pros at evading detection: tampering with ACLs, creating SSH backdoors, and covering their tracks (for example, by clearing logs). The advisory’s timeline for active compromise is mid-2025, so buckle up: this campaign is ongoing and evolving.
What’s especially worrying? Access to core telecom infrastructure gives China a close-up position to intercept and tamper with global communications traffic. Enterprise, consumer, and government traffic all pass through these compromised routers. Essentially, they’re setting up a surveillance network by compromising data-carrying infrastructure globally.
Bottom line: if you run Cisco devices, patch CVE-2023-20198 immediately and watch for config changes or new tunnel interfaces. The agencies released IOCs and detection guidance, but these actors are persistent and stealthy. Adopt an assume-breach mindset and start hunting for signs that they are already in your environment, especially if you’re in telecom or critical infrastructure.
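One way to watch for those config changes is to diff each device's current running config against a known-good baseline and flag only the change types named above: new tunnel interfaces, ACL edits, SSH settings, and new local accounts. The script below is an added example, not code from the advisory; the sample configs, addresses, account names, and match patterns are constructed for illustration.

```python
import re

# Constructed sample configs: documentation-range addresses, made-up names.
BASELINE = """\
username netops privilege 15 secret 9 <hash>
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any log
"""
CURRENT = """\
username netops privilege 15 secret 9 <hash>
username support privilege 15 secret 9 <hash>
interface Tunnel7
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.77
ip access-list extended MGMT-IN
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit ip host 198.51.100.77 any
 deny ip any any log
ip ssh port 2222 rotary 1
"""
# Change categories the article says to watch (patterns are this example's own).
WATCH = [
    ("tunnel", re.compile(r"^interface Tunnel\d+|^\s+tunnel ", re.I)),
    ("acl", re.compile(r"^(ip )?access-list |^\s+(permit|deny) ", re.I)),
    ("ssh", re.compile(r"^ip ssh ", re.I)),
    ("account", re.compile(r"^username ", re.I)),
]

def stanza_lines(config):
    """Return {(parent, line)} so child lines are compared within their stanza."""
    parent, out = "", set()
    for line in map(str.rstrip, config.splitlines()):
        if not line or line.lstrip().startswith("!"):
            continue  # skip blanks and IOS "!" separator lines
        if not line.startswith(" "):
            parent = line  # an unindented line opens a new stanza
        out.add((parent, line))
    return out

def audit(baseline, current):
    """List (category, stanza, line) for watched lines absent from the baseline."""
    added = sorted(stanza_lines(current) - stanza_lines(baseline))
    return [(cat, parent, line.strip()) for parent, line in added
            for cat, pat in WATCH if pat.search(line)]

if __name__ == "__main__":
    for category, parent, line in audit(BASELINE, CURRENT):
        print(f"[{category}] {parent}: {line}")
```

The comparison is set-based, so it reports added lines but not reordered ACL entries or removed lines; both matter on a real device and need a separate check.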
