RedMike Hackers Breached 1000+ Cisco Devices and Gained Admin Access

Recent cybersecurity research has revealed that the Chinese state-backed hacker group "Salt Typhoon" (also tracked as "RedMike") compromised more than 1,000 vulnerable Cisco devices worldwide between December 2024 and January 2025 and used them as footholds for its operations.

This cyber-espionage campaign primarily targeted telecommunications companies and universities, underscoring the global threat posed by state-sponsored cyber actors.

How Did the Attack Happen?

Researchers discovered that Salt Typhoon exploited two major vulnerabilities in Cisco IOS XE software:

🔹 CVE-2023-20198 – A privilege-escalation flaw in the IOS XE web UI that lets an unauthenticated remote attacker create a local account with privilege level 15 (full administrative rights). This was the initial-access step, and it only works when the HTTP or HTTPS server feature is exposed to the attacker.

🔹 CVE-2023-20273 – A command-injection flaw in the same web UI. Using the account created in the first step, the attackers injected commands that ran as root on the underlying system, giving them full control of the device.

Once a device was under their control, the attackers configured GRE (Generic Routing Encapsulation) tunnels between it and their own infrastructure to keep persistent, covert access to the victim network.

Because a GRE tunnel originates from a trusted router, the attackers were able to:

Pass through perimeter firewalls and intrusion detection systems that do not inspect the inner traffic of the tunnel
Move data out of the network unobtrusively (data exfiltration)
Maintain long-term control over the compromised devices, independent of the web UI that gave them initial access

Which Organizations Were Targeted?

According to researchers, telecommunication providers were the primary targets, but universities also suffered significant exposure.

🛜 Telecommunications Providers:

  • A U.S.-based subsidiary of a British telecom provider
  • A South African telecommunications company
  • Internet service providers (ISPs) in Italy and Thailand

🏫 Universities:

  • United States: University of California, Los Angeles (UCLA)
  • Netherlands: Delft University of Technology (TU Delft)
  • Leading universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Thailand, and Vietnam

These targets were strategically chosen due to their involvement in cutting-edge research in telecommunications, engineering, and advanced technologies.

Strategic Objectives of “Salt Typhoon”

🔍 Intercept confidential communications – Stealing government or corporate secrets in real time.
⚡ Disrupt essential services – Sabotaging communications during geopolitical crises.
🛠 Manipulate data flows – Using information for propaganda or intelligence purposes.

Reports also indicate that Salt Typhoon hackers have shown interest in U.S. political figures and key information systems.

How to Defend Against Such Attacks?

To mitigate cyber threats, organizations must adopt strict security measures, including:

🔄 Updating Cisco devices immediately – Apply the Cisco fixed releases for CVE-2023-20198 and CVE-2023-20273; both flaws were patched in 2023, so every device hit in this campaign was running software that had been vulnerable for over a year.

🚫 Restricting access to web interfaces – Disable `ip http server` and `ip http secure-server` on IOS XE unless the web UI is genuinely needed, and where it is needed, bind it to a management ACL with `ip http access-class` so it is never reachable from the internet.

🛡 Monitoring for unauthorized GRE tunnels – Audit running configurations for Tunnel interfaces and privilege-15 accounts that nobody created, and alert on GRE traffic (IP protocol 47) leaving the network toward unknown peers.

🔐 Enforcing end-to-end encryption – Secure sensitive communications with strong encryption protocols, so that traffic captured on a compromised router cannot simply be read.
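The following script is an added example, not code from the original article or from any vendor, showing how the configuration checks from the "Restricting access to web interfaces" and "Monitoring for unauthorized GRE tunnels" points above (and the GRE persistence technique described earlier) can be automated over a saved `show running-config` output. The IOS XE config excerpt, the hostnames, the addresses and the two allowlists are all constructed for the demonstration. It flags an exposed web UI with no access-class, privilege-15 local users that are not on the approved list, and any GRE tunnel whose destination is not an approved peer. One caveat it handles: IOS XE does not print `tunnel mode gre ip` for a tunnel in the default mode, so a Tunnel interface with no `tunnel mode` line is treated as GRE.

```python
import re
from dataclasses import dataclass

# Constructed sample of an IOS XE running-config excerpt (not from any real device).
# It mixes legitimate lines with three things the audit should flag: the web UI
# enabled without an access-class, an unexpected privilege-15 user, and a GRE
# tunnel to a destination that is not on the operator's approved-peer list.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
username svc_backup privilege 15 secret 9 $9$def
!
ip http server
ip http secure-server
!
interface Tunnel100
 description backup-to-DC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel777
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel mode gre ip
 tunnel destination 203.0.113.45
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""


@dataclass
class Finding:
    severity: str
    message: str


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented sub-lines]} for every interface stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or any top-level line ends the stanza
    return blocks


def audit_config(config: str, allowed_tunnel_peers: set, allowed_admins: set) -> list:
    """Audit a running-config for the exposure and persistence patterns discussed above."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]

    # 1. Web UI exposure: the entry point for CVE-2023-20198.
    http_enabled = any(l in ("ip http server", "ip http secure-server") for l in lines)
    http_restricted = any(l.startswith("ip http access-class") for l in lines)
    if http_enabled and not http_restricted:
        findings.append(Finding("high", "HTTP(S) server enabled with no 'ip http access-class' restriction"))

    # 2. Privilege-15 local accounts that are not on the approved list.
    for l in lines:
        m = re.match(r"username (\S+) privilege 15\b", l)
        if m and m.group(1) not in allowed_admins:
            findings.append(Finding("high", f"unexpected privilege-15 account '{m.group(1)}'"))

    # 3. GRE tunnels to peers nobody approved. A Tunnel interface with no
    #    explicit 'tunnel mode' line is GRE, because that is the IOS XE default.
    for name, body in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((b.split("tunnel mode ", 1)[1] for b in body if b.startswith("tunnel mode ")), "gre ip")
        dest = next((b.split()[-1] for b in body if b.startswith("tunnel destination ")), None)
        if mode.startswith("gre") and dest not in allowed_tunnel_peers:
            findings.append(Finding("high", f"{name}: GRE tunnel to unapproved destination {dest}"))

    return findings


if __name__ == "__main__":
    # Allowlists are assumptions for the demo; in practice they come from your CMDB / IPAM.
    for f in audit_config(SAMPLE_CONFIG, {"198.51.100.10"}, {"netops"}):
        print(f"[{f.severity}] {f.message}")
```

Run against real devices by feeding it the output of `show running-config` collected over SSH; the allowlists should be generated from your source of truth, not maintained by hand, or a tunnel an attacker adds will simply be added to the list the next time someone "cleans up" the diff.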

U.S. agencies such as the FBI and CISA emphasize the importance of using encrypted messaging applications to prevent data interception by attackers.

International Response and Global Cooperation

The U.S. Treasury Department recently sanctioned Sichuan Juxinhe Network Technology Co., Ltd., a Chinese firm linked to Salt Typhoon. This highlights a firm stance against state-backed cyber espionage.

However, experts stress that national measures alone are not enough: strengthening international cybersecurity cooperation is crucial to combating persistent cyber threats.

Conclusion

🔴 The Salt Typhoon hacking campaign against Cisco devices reflects a growing trend of state-backed actors targeting unpatched infrastructure.

🔴 Their methods show that state-sponsored actors use unpatched, internet-exposed network devices as entry points into critical systems.

🔴 Organizations must remain vigilant and proactive against evolving cyber threats.

Cybersecurity is an ongoing process. Regular system updates, continuous monitoring for unknown threats, and adherence to international security standards are essential for protecting against such sophisticated attacks. 🛡