Tuesday, February 3, 2026

Canadian Telecom Breach Linked to Chinese State-Sponsored Hacking Group

A Canadian telecommunications provider has been compromised by a cyberattack linked to Salt Typhoon, a hacking group believed to operate on behalf of the Chinese government. The breach exploited a critical Cisco vulnerability that had been patched more than a year earlier, raising concerns over unaddressed security gaps. The incident was confirmed by both Canadian and U.S. cybersecurity agencies in separate statements issued on Monday.

Exploited Vulnerability Was Known and Patched

The attackers used CVE-2023-20198, a vulnerability affecting Cisco networking equipment, as the entry point for the breach. The flaw, which carries a maximum severity rating of 10, allows attackers to take full control of affected devices. Cisco released a patch for the vulnerability in October 2023, shortly after security firm VulnCheck published details about its potential for widespread exploitation.

Despite the availability of the patch, the affected Canadian telecom failed to secure its systems, leaving three network devices vulnerable to attack. According to Canada’s Cyber Centre, the devices were breached in mid-February 2025. The attackers retrieved configuration files from the compromised hardware and altered at least one of them to establish a GRE (Generic Routing Encapsulation) tunnel, a tunneling protocol that wraps packets so they can be routed to a remote endpoint, enabling remote traffic collection.

Salt Typhoon has previously been linked to similar cyberattacks targeting U.S.-based telecom giants such as Verizon and AT&T. In those cases, hackers allegedly accessed systems used for government wiretaps, as well as other internal network traffic. The Wall Street Journal, citing unnamed officials, reported that these intrusions remained undetected for several months, allowing extended surveillance capabilities.

Canadian and U.S. Agencies Confirm Espionage Activity

The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation both released advisories identifying Salt Typhoon as the likely actor behind the recent breach. The Cyber Centre’s statement said that the threat actors are “almost certainly PRC [People’s Republic of China] state-sponsored,” based on forensic evidence and overlaps with indicators found in earlier investigations.

Officials noted that the breach may not be isolated to the telecom sector. The Cyber Centre stated that indicators of compromise found in this case have also appeared in broader industry reports and other investigations. This suggests that the campaign may be targeting a wider array of Canadian infrastructure, potentially enabling further intrusions or surveillance activities through compromised network devices.

In its statement, the Cyber Centre emphasized that some of the hacking may have been limited to reconnaissance—gathering information about the victim’s network without immediately launching deeper attacks. Still, the agency warned that the breach could have facilitated unauthorized data collection or been used as a staging point for additional compromises. No specific company name was disclosed in the report.

Broader Security Concerns and Future Threats

The breach highlights ongoing issues with patch management in critical infrastructure. While the exploited Cisco vulnerability had been known and patched since October 2023, the compromised telecom provider had not applied the update by the time of the intrusion in February 2025. Both Canadian and U.S. officials have noted the serious risk posed by delayed patching of known vulnerabilities, especially those actively exploited by state-linked actors.

Cisco has previously confirmed that Salt Typhoon has used a range of vulnerabilities beyond CVE-2023-20198, including older flaws such as CVE-2018-0171 and newer ones like CVE-2024-20399. In a report released earlier this year, Cisco said the group had launched multiple campaigns exploiting unpatched devices in both public and private sector networks.

Canadian authorities have warned that espionage efforts by Chinese-linked groups are likely to continue. “China state hackers will almost certainly continue to target Canadian organizations as part of this espionage campaign,” the Cyber Centre stated, specifying that telecom companies and their clients remain high-priority targets. The advisory recommends that organizations review their patching procedures and implement stronger monitoring of network devices to guard against further attacks.
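As an added example (not part of the advisory or the original article), here is one form the recommended device monitoring can take for the configuration change described above: list GRE tunnel interfaces in an IOS-style configuration whose destination is not on an approved list. The sample config, the allowlist and the function names are constructed for illustration. The check relies on Cisco IOS treating GRE over IP as the default tunnel mode, which the running configuration does not print, so a plain text search for "tunnel mode gre" would miss such a tunnel.

```python
import re

# Constructed sample in IOS running-config style; not taken from the incident.
SAMPLE_CONFIG = """\
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
!
interface Tunnel77
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.45
!
interface Tunnel20
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
 tunnel mode ipsec ipv4
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Assumed allowlist of tunnel endpoints recorded in change management.
APPROVED_DESTINATIONS = {"192.0.2.10"}


def parse_tunnels(config):
    """Return {name: {"destination", "source", "mode"}} for each Tunnel stanza."""
    tunnels, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if header:
            current = header.group(1)
            # No 'tunnel mode' line means the IOS default, GRE over IP,
            # so start from that and let an explicit line override it.
            tunnels[current] = {"destination": None, "source": None, "mode": "gre ip"}
        elif not line.startswith(" "):
            current = None  # any unindented line closes the stanza
        elif current:
            m = re.match(r"^\s+tunnel (destination|source|mode) (.+?)\s*$", line)
            if m:
                tunnels[current][m.group(1)] = m.group(2)
    return tunnels


def unapproved_gre_tunnels(config, approved):
    """List (interface, destination) for GRE tunnels not on the allowlist."""
    found = parse_tunnels(config)
    return sorted((n, t["destination"]) for n, t in found.items()
                  if t["mode"].startswith("gre") and t["destination"] not in approved)
```

Run against each retrieved device configuration and compare the result with the previous run; a tunnel that appears without a matching change record is the signal to investigate.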