China's Salt Typhoon Is Back To Hacking Telecom Companies And Universities
By TechDogs Bureau

Updated on Fri, Feb 14, 2025
The reason?
In September 2024, it was found that this advanced persistent threat actor had breached at least eight U.S. phone and internet giants, including AT&T and Verizon, in a bid to gain access to the private data and communications of U.S. government officials, law enforcement agencies, and prominent political figures.
The group is believed to be backed by China's Ministry of State Security (MSS).
The hackers obtained private information such as call logs, timestamps, phone numbers, and even location data, and more than a million people, mostly in the Washington, D.C., area, are believed to have been affected. As per reports, the activity likely hit telecom firms across the globe and compromised at least 80 organizations.
An FBI investigation revealed that the compromised political figures included then-presidential candidates Kamala Harris and Donald Trump, who is the current President of the U.S.
At the same time, telecom companies drew massive criticism for not informing customers about the incident and opting to only notify high-value targets.
Either way, the FBI told the press that the Chinese state-sponsored hackers are yet to be fully evicted from the telecom networks, and according to a report by threat intelligence firm Recorded Future, the bad actor’s bad actions persist.
Recorded Future tracks the group under the name RedMike, instead of Salt Typhoon—which is a name given to the group by Microsoft.
Salt Typhoon continues to compromise telecom providers in the U.S. despite sanctions imposed on the group, breaching at least five telecom companies between December 2024 and January 2025.
“They’re super active, and they continue to be super active,” said Levi Gundert, who leads Recorded Future's research team known as Insikt Group. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”
While the researchers didn’t name any telecommunication providers, they did observe seven compromised Cisco network devices communicating with Salt Typhoon (RedMike) infrastructure. The devices were associated with a US-based affiliate of a UK telecommunications provider, a US internet service provider (ISP) and telecommunications company, a South African telecommunications provider, an Italian ISP, and a large Thailand telecommunications provider.
Other potentially affected parties include U.S. universities, where the plan was to access research areas related to telecom and allied technology. Universities in other countries, including Argentina, Bangladesh, and Thailand, were also targeted.
Recorded Future mentioned the following universities:
- University of California, Los Angeles (UCLA) — US
- California State University, Office of the Chancellor (CENIC) — US
- Loyola Marymount University — US
- Utah Tech University — US
- Universidad de La Punta — Argentina
- Islamic University of Technology (IUT) — Bangladesh
- Universitas Sebelas Maret — Indonesia
- Universitas Negeri Malang — Indonesia
- University of Malaya — Malaysia
- Universidad Nacional Autonoma — Mexico
- Technische Universiteit Delft — The Netherlands
- Sripatum University — Thailand
- University of Medicine and Pharmacy at Ho Chi Minh City — Vietnam
The group tried to exploit vulnerabilities in at least 1,000 Cisco devices (out of more than 12,000 whose web interfaces were exposed online) to gain higher-level privileges, which would let them alter configuration settings and establish persistent access to connected networks.
Out of these devices, more than half were located in the U.S., South America, and India. The remaining devices were spread across over 100 countries.
While most U.S. universities didn’t respond with comments, a CSU spokesperson said, “The protection of the personal information and proprietary data of California State University’s students, faculty, and staff is among our highest priorities. The CSU has security measures in place to reduce the likelihood of cyber incidents, but should one occur, immediate action is taken to reduce further exposure.”
“Any time you're embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you're able to access and observe and exfiltrate,” added Gundert.
Do you think telecom providers should be held accountable for such major lapses in cyber security? Do you think telecom companies should be held to higher standards to ensure their networks are secure?
First published on Fri, Feb 14, 2025