China’s Salt Typhoon Targets Canadian Telecoms by Exploiting Critical Cisco Vulnerability


Cybersecurity Alert: Chinese Hackers Targeting Global Telecoms

As cyber threats continue to evolve, a recent advisory from the Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) highlights a significant vulnerability in global telecommunications networks. The advisory warns of cyber attacks conducted by a China-linked group known as Salt Typhoon, which has sought to breach key telecommunications providers as part of a broader cyber espionage initiative.

Exploiting Vulnerabilities in Cisco Systems

In mid-February 2025, the Salt Typhoon actors exploited a critical vulnerability in Cisco IOS XE software (CVE-2023-20198), which carries a maximum CVSS score of 10.0. This vulnerability enabled the attackers to access configuration files from three distinct network devices belonging to an undisclosed Canadian telecommunications company.

One of the more alarming aspects of this breach is that the attackers modified at least one of these configuration files to set up a Generic Routing Encapsulation (GRE) tunnel. This modification facilitated the collection of network traffic, raising concerns about the potential for long-term data interception and manipulation.
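
Because the change described above lives in the device configuration, it can be caught by auditing tunnel interfaces against an approved list. The following is an added example, not code from the advisory or the original article: it parses a Cisco IOS-style configuration and flags GRE tunnels whose destination is not approved. The sample configuration, addresses and allowlist are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the advisory); documentation-range IPs.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel10
 description approved backhaul
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
interface Tunnel20
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.9
end
"""

# Assumption: allowlist of approved tunnel endpoints kept by the network team.
APPROVED_DESTINATIONS = {"198.51.100.7"}


def parse_tunnels(config):
    """Map each Tunnel interface to its mode, source and destination."""
    tunnels, current = {}, None
    for line in config.splitlines():
        head = re.match(r"interface (Tunnel\d+)\s*$", line)
        if head:
            # IOS omits the default mode: no "tunnel mode" line means GRE over IP.
            current = tunnels.setdefault(
                head.group(1), {"mode": "gre ip", "source": None, "destination": None})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the interface block
        elif current is not None:
            opt = re.match(r"\s+tunnel (mode|source|destination) (.+?)\s*$", line)
            if opt:
                current[opt.group(1)] = opt.group(2)
    return tunnels


def unapproved_gre_tunnels(config, approved):
    """Return (interface, source, destination) for GRE tunnels with an unapproved endpoint."""
    return [(name, t["source"], t["destination"])
            for name, t in parse_tunnels(config).items()
            if t["mode"].startswith("gre") and t["destination"] not in approved]


if __name__ == "__main__":
    for finding in unapproved_gre_tunnels(SAMPLE_CONFIG, APPROVED_DESTINATIONS):
        print("unapproved GRE tunnel:", finding)
```

Running the same check against configuration backups taken at different times also shows when a tunnel interface first appeared.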

Broader Implications for the Telecommunications Sector

According to the agencies involved, the implications of these attacks extend well beyond the targeted telecommunications company. The compromised Canadian devices may serve as gateways for the Salt Typhoon actors to gather sensitive information not only from the initial targets but also from a wider range of devices within the network. This positioning could significantly enhance the threat actors’ ability to launch further attacks.

The advisory notes, "In some cases, we assess that the threat actors’ activities were very likely limited to network reconnaissance." This statement indicates that the attackers may have been gathering intelligence rather than immediately executing further malicious actions, suggesting a methodical approach to cyber espionage.

Ongoing Threats to Network Devices

Historically, network devices have been attractive targets for state-sponsored actors, particularly those backed by the Chinese government. The ongoing interest in telecommunications service providers underscores the importance of maintaining robust cybersecurity measures. The FBI and the Canadian Centre for Cyber Security emphasized in their advisory that edge network devices are especially vulnerable, calling for heightened awareness and protective measures within the telecommunications sector.

These findings align with insights from previous reports by Recorded Future, which documented how vulnerabilities such as CVE-2023-20198 and CVE-2023-20273 were exploited to infiltrate telecommunications and internet service providers across several countries, including the United States, South Africa, and Italy. The attackers employed similar GRE tunneling techniques to establish long-term access for data exfiltration.

New Malware Threats: SHOE RACK and UMBRELLA STAND

Adding to these cybersecurity concerns, the U.K. National Cyber Security Centre (NCSC) recently reported on two malware families named SHOE RACK and UMBRELLA STAND. These have been identified targeting FortiGate 100D series firewalls manufactured by Fortinet.

The SHOE RACK malware functions as a post-exploitation tool, granting attackers remote shell access and facilitating TCP tunneling through compromised devices. In contrast, UMBRELLA STAND is designed to execute shell commands sourced from an attacker-controlled server, indicating a sophisticated level of control for potential malicious actors.

Interestingly, SHOE RACK draws some capabilities from a publicly available tool called reverse_shell, which has also been utilized by a separate China-linked threat cluster known as PurpleHaze to develop a Windows implant named GoReShell. Although the connections between these groups have not been confirmed, the similarities raise important questions about the interlinked nature of cyber threats.

The NCSC has also noted resemblances between UMBRELLA STAND and another backdoor called COATHANGER, which was previously employed by state-sponsored hackers in a cyber attack targeting Dutch military networks. This series of malware developments underscores the complexity and sophistication of the current cyber threat landscape.

Final Thoughts

With the increasing severity and frequency of cyber attacks, particularly from state-sponsored actors, it is imperative that organizations prioritize cybersecurity measures. The ongoing developments involving Salt Typhoon, alongside new malware like SHOE RACK and UMBRELLA STAND, serve as stark reminders of the persistent threats facing global telecommunications networks and the need for robust defense mechanisms.
