Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks


The Chinese state-sponsored APT actor known as Salt Typhoon has been observed exploiting two known vulnerabilities in Cisco devices in recent attacks against telecommunications providers, Recorded Future reports.

Believed to be operated by China’s Ministry of State Security (MSS) and tracked as Salt Typhoon, RedMike, Earth Estries, FamousSparrow, and Ghost Emperor, the APT was blamed for last year’s hacking of nine US telecommunications companies, and its members were sanctioned by the US.

According to Recorded Future, despite public disclosure and sanctions, Salt Typhoon has continued to target telecom providers, as well as universities in multiple countries, exploiting vulnerable internet-facing devices for initial access.

Specifically, the group targeted Cisco switches and routers vulnerable to CVE-2023-20198 and CVE-2023-20273, two critical issues in the IOS XE platform that were disclosed in October 2023, after they had been exploited as zero-days.

Since early December 2024, “RedMike has attempted to exploit over 1,000 internet-facing Cisco network devices worldwide,” likely using a list of devices associated with telecom providers’ networks, Recorded Future notes in a fresh report (PDF).

“More than half of the Cisco devices targeted by RedMike were in the US, South America, and India. The remaining devices spanned over 100 other countries,” the cybersecurity firm says.

Recorded Future identified targeted devices in the networks of telecom organizations in the US, South Africa, and Myanmar, as well as universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the US, and Vietnam.

Known victims include the US-based affiliate of a UK telecoms provider, a US ISP and telecoms provider, South African and Thailand telecoms providers, an Italian ISP, UCLA, Utah Tech, Loyola Marymount University, California State University, Sebelas Maret and Negeri Malang universities, University of Malaya, and Technische Universiteit Delft.


The APT exploited the flaws to create a privileged account on the vulnerable devices, which was then used to add a generic routing encapsulation (GRE) tunnel to obtain persistent access, bypass firewalls, and avoid detection when exfiltrating data.

According to Recorded Future, there are over 12,000 Cisco network devices that have web UIs accessible from the internet, which suggests that Salt Typhoon’s activity was likely targeted, especially considering the APT’s focus on telecoms organizations.

“Organizations, particularly those in the telecommunications industry, must prioritize remediating exposed network devices, as unpatched systems remain a key initial access vector for Chinese state-sponsored threat activity groups. Network administrators should implement strict access controls, disable unnecessary web UI exposure, and monitor for unauthorized configuration changes,” Recorded Future notes.
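The three indicators the article ties to this activity (an unexpected privilege-15 account, a GRE tunnel added for persistence, and an exposed web UI) can be checked for in a device's running-config. The script below is an added example, not code from Recorded Future or Cisco; the sample config, the hostnames and addresses in it, and the `KNOWN_ADMINS` allowlist are constructed placeholders.

```python
import re

# Constructed sample IOS XE running-config excerpt; the hostnames, users and
# addresses are placeholders, not indicators from the report.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
ip http server
ip http secure-server
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
"""

# Assumed allowlist of sanctioned privilege-15 accounts for this device.
KNOWN_ADMINS = {"netops"}


def audit_config(config: str, known_admins: set) -> dict:
    """Flag privilege-15 users outside the allowlist, GRE tunnel
    interfaces, and an enabled HTTP/HTTPS web UI."""
    findings = {"unknown_priv15_users": [], "gre_tunnels": [], "web_ui": []}
    for user in re.findall(r"^username (\S+) privilege 15\b", config, re.M):
        if user not in known_admins:
            findings["unknown_priv15_users"].append(user)
    # Walk interface blocks. A Tunnel interface with no explicit
    # 'tunnel mode' line is GRE over IPv4 by default on IOS XE.
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"mode": "gre ip", "dest": None}
        elif current and line.startswith(" tunnel mode "):
            tunnels[current]["mode"] = line.split(None, 2)[2]
        elif current and line.startswith(" tunnel destination "):
            tunnels[current]["dest"] = line.split()[-1]
        elif not line.startswith(" "):
            current = None  # left the interface block
    for name, info in tunnels.items():
        if info["mode"].startswith("gre"):
            findings["gre_tunnels"].append((name, info["dest"]))
    findings["web_ui"] = [l for l in config.splitlines()
                          if l in ("ip http server", "ip http secure-server")]
    return findings
```

Run it against a config pulled from the device on a schedule and diff the findings against the last known-good run to catch the configuration changes the report recommends monitoring for.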
