Chinese state-sponsored threat group RedMike (aka Salt Typhoon) exploits critical vulnerabilities in over 1,000 unpatched Cisco network devices, primarily associated with global telecommunications providers, including in the United States, South Africa, Italy, Thailand, India, and about 100 other countries.
Researchers identified over 12,000 such devices exposed to the internet, yet RedMike targeted only around 1,000 of them. This shows that the attackers were after intelligence rather than disruption.
Throughout the campaign, RedMike also targeted academic institutions, which are seen as valuable targets for intelligence gathering. Here is the list of colleges and universities that were targeted:
- University of California, Los Angeles (UCLA) – United States
- California State University, Office of the Chancellor – United States
- Loyola Marymount University – United States
- Utah Tech University – United States
- Universidad de La Punta – Argentina
- Islamic University of Technology – Bangladesh
- Universitas Sebelas Maret – Indonesia
- University of Negeri Malang – Indonesia
- University of Malaya – Malaysia
- Universidad Nacional Autonoma – Mexico
- Technische Universiteit Delft – The Netherlands
- Sripatum University – Thailand
- University of Medicine and Pharmacy at Ho Chi Minh City – Vietnam

Research conducted at institutions like the University of California Los Angeles (UCLA) and Technische Universiteit Delft (TU Delft) in the Netherlands may have been of particular interest, as it pertains to advanced telecommunications and engineering fields, areas central to China’s broader strategic objectives.
“Unpatched public-facing appliances serve as direct entry points into an organization’s infrastructure. Sophisticated Chinese threat activity groups have shifted heavily toward exploiting these devices for initial access over the past five years,” the researchers noted.
RedMike, tracked by Microsoft as Salt Typhoon, has been linked to several high-profile intrusions in recent years, and this latest campaign further underlines the group’s persistent focus on the telecommunications sector.
The attacks exploit two key privilege escalation vulnerabilities in Cisco’s IOS XE software, CVE-2023-20198 and CVE-2023-20273. Together, these flaws allow attackers to gain initial access to a vulnerable device through Cisco’s web-based user interface and then elevate their privileges to root.
After successfully compromising a device, RedMike reconfigures the router to add a generic routing encapsulation (GRE) tunnel. This tunnel serves as a covert communication channel, giving the group persistent access to the device and a path for data exfiltration.

Using GRE tunnels allows the threat actors to bypass traditional network security measures such as firewalls and intrusion detection systems.
Researchers noted that RedMike targeted critical infrastructure not just for disruption but for long-term intelligence gathering. The group’s access to telecommunications networks allows it to monitor communications, manipulate data flows, and disrupt services in politically sensitive situations.
In addition to exploiting Cisco devices, RedMike carried out reconnaissance against multiple assets belonging to a Myanmar-based telecommunications provider in mid-December 2024, suggesting that its focus extends beyond high-profile targets to strategically valuable infrastructure worldwide. Myanmar has also been in the news for Chinese-sponsored cyber scam operations and infrastructure.
Experts have urged network administrators to prioritise patching these vulnerabilities and to implement rigorous security measures, including monitoring for unauthorised configuration changes and disabling unnecessary web UI exposure. Organisations should also consider restricting administrative access to these devices so that only authorised personnel can interact with them.
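As an added defender-side example (not code from the article or from the researchers it cites), the following Python checks an IOS XE running-config excerpt for the two things the recommendations above and the GRE-tunnel persistence described earlier call out: an enabled web UI and GRE tunnel interfaces whose peers the operator has not documented. The sample config and the approved-peer list are constructed assumptions, not data from any real device.

```python
"""Audit an IOS XE running-config excerpt for unapproved GRE tunnels and an enabled web UI."""
import re
# Constructed sample config (not from a real device): web UI on, one approved GRE tunnel, one not.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
interface Tunnel99
 ip address 192.0.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 198.51.100.7
!
"""
APPROVED_TUNNEL_PEERS = {"203.0.113.10"}  # tunnel peers the operator has documented (assumed)

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit_config(config, approved_peers=APPROVED_TUNNEL_PEERS):
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    if re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append("web UI enabled (ip http server / secure-server)")
    for name, lines in parse_interfaces(config).items():
        # IOS XE defaults a Tunnel interface to GRE/IP when no 'tunnel mode' is set.
        mode = next((l for l in lines if l.startswith("tunnel mode")), "tunnel mode gre ip")
        if not name.startswith("Tunnel") or "gre" not in mode:
            continue
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), "unset")
        if dest not in approved_peers:
            findings.append(f"unapproved GRE tunnel {name} -> {dest}")
    return findings
```

Run it against `show running-config` output collected on a schedule and diff the findings between runs; a tunnel that appears without a change ticket is exactly the unauthorised configuration change the researchers recommend watching for.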
Salt Typhoon is known to target anti-China countries, primarily the US. In December 2024, reports showed that Salt Typhoon hackers were trying to break into US telcos. Following this, US authorities issued an urgent set of guidelines for officials and politicians.