
Chinese state-sponsored hackers are exploiting long-known flaws in network equipment to infiltrate telecom operators and critical infrastructure worldwide, according to a joint advisory from the Five Eyes alliance, European cyber agencies, and Japan.
The group, commonly tracked as Salt Typhoon, has targeted at least nine U.S. telecom firms and more than 200 American organizations across 80 countries. Beyond telecoms, the hackers also strike transport and lodging sectors to track communications and movement globally, the FBI told The Washington Post.
Salt Typhoon operatives, often private contractors working for China’s Ministry of State Security or the People’s Liberation Army, have been linked to companies such as Sichuan Juxinhe Network Technology and Huanyu Tianqiong Information Technology.
Investigators emphasize the attackers rarely need cutting-edge exploits. Instead, they rely on publicly documented vulnerabilities in widely deployed gear. A key vector remains CVE-2018-0171, a flaw in Smart Install, Cisco’s discontinued no-touch deployment feature. Despite repeated warnings since 2018, many organizations have failed to disable it.
The hackers also target Ivanti gateways and Palo Alto Networks’ operating systems. Techniques include adding their own IPs to access control lists, creating backdoor accounts with admin privileges, and re-routing services to nonstandard ports to evade detection.
Salt Typhoon also deploys embedded packet capture tools to steal credentials from authentication protocols such as RADIUS and TACACS+, and abuses outdated versions of SNMP to alter device configurations.
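For defenders, the changes described above leave traces in device configuration. The following is an added example, not taken from the advisory or from any vendor tool: a Python audit of a constructed Cisco IOS-style running-config that flags each of those traces. The sample config, the approved-admin and approved-ACL baselines, and the assumption that the device supports Smart Install (so a missing "no vstack" line means the feature is on) are all illustrative.

```python
import re

# Constructed sample of an IOS-style running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw-01
username netops privilege 15 secret 9 CONSTRUCTED-HASH
username svc_backup privilege 15 secret 9 CONSTRUCTED-HASH
snmp-server community public RO
snmp-server community private RW
snmp-server group ADMINS v3 priv
ip ssh port 57722 rotary 1
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
 permit 203.0.113.45
monitor capture CAP interface GigabitEthernet0/1 both
"""

# Assumed operator baseline: approved admin accounts and ACL source entries.
APPROVED_ADMINS = {"netops"}
APPROVED_ACL_SOURCES = {"10.0.0.0 0.0.0.255"}

def audit(config, admins=APPROVED_ADMINS, acl_sources=APPROVED_ACL_SOURCES):
    """Return a sorted list of (check, detail) findings for one config text."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    # Assumption: on a Smart Install capable switch the feature is on
    # unless the config contains an explicit "no vstack".
    if "no vstack" not in [l.strip() for l in lines]:
        findings.append(("smart-install", "vstack not disabled"))
    for l in lines:
        s = l.strip()
        if m := re.match(r"username (\S+) privilege 15\b", s):
            if m.group(1) not in admins:          # unexpected admin account
                findings.append(("admin-account", m.group(1)))
        elif m := re.match(r"snmp-server community \S+ (RO|RW)\b", s, re.I):
            # Community strings mean SNMP v1/v2c; the string itself is not echoed.
            findings.append(("snmp-v1v2c", f"community with {m.group(1).upper()} access"))
        elif m := re.match(r"ip ssh port (\d+)", s):
            findings.append(("nonstandard-port", f"ssh on {m.group(1)}"))
        elif m := re.match(r"permit (.+)", s):
            # Indented permit lines belong to a named ACL; compare to baseline.
            if l.startswith(" ") and m.group(1) not in acl_sources:
                findings.append(("acl-entry", m.group(1)))
        elif s.startswith("monitor capture "):    # embedded packet capture defined
            findings.append(("packet-capture", s.split()[2]))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check:18} {detail}")
```

Comparing findings against a previously saved known-good config, rather than running the audit once, is what surfaces an ACL entry or account added after the fact.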
Although U.S. telecoms say they have expelled intruders, officials remain skeptical, citing the hackers’ ability to mask activity as local traffic and erase logs.
The FBI warned that the campaign is ongoing and adaptive: “Just because it was secure six months ago does not mean it is now.”