OTTAWA – Canadian telecommunications companies and their customers have become the latest targets in a suspected global cyberespionage campaign, with the Canadian Centre for Cyber Security (CCCS) and the U.S. Federal Bureau of Investigation (FBI) issuing a joint warning. They attribute the ongoing malicious activity to “Salt Typhoon,” an advanced persistent threat (APT) group widely believed to be linked to Chinese state-sponsored operations.
According to the warning issued Friday, three network devices belonging to an unnamed Canadian telecommunications company were compromised by Salt Typhoon hackers in mid-February. The attackers exploited a known Cisco device vulnerability (CVE-2023-20198) to access running configuration files and then modified at least one to establish a Generic Routing Encapsulation (GRE) tunnel. Retired senior telecommunications network engineer L. Rossi explained that a GRE tunnel acts like a “secret, private tunnel” that can siphon traffic from the telecom’s device to the hacker’s router, enabling the interception of communications or pilfering of sensitive information through methods like “traffic mirroring” or “man-in-the-middle” attacks.
Janny Bender Asselin of CCCS stated that the People’s Republic of China (PRC) presents “the most sophisticated and active cyber threat to Canada,” a sentiment echoed in their National Cyber Threat Assessment 2025-26. Telecommunication service providers are considered prime targets for state-sponsored cyber threat actors like Salt Typhoon due to the vast amounts of customer data they collect, including client information, locations, and device data. While current targeting extends beyond the telecom sector, other “targets of concern” for cyberespionage include all levels of Canadian government, organizations partnered with government entities, universities and labs engaged in sensitive research, and individuals or organizations perceived as threats by China, particularly those advocating for Taiwan and Hong Kong independence or Chinese democracy.
The information sought by these cyber threat actors includes data that can provide economic and diplomatic advantages, such as bulk customer data, information on high-value targets like government officials, geolocating and tracking individuals, monitoring phone calls, and intercepting SMS messages. Such infiltrations also expose critical infrastructures to potential network attacks, disruptions, or even destruction of IT systems, especially during periods of heightened geopolitical tensions. The CCCS assesses that these attacks against Canadian organizations, including telecom service providers and their clients, are likely to continue over the next two years, urging all critical infrastructure sectors to review their cybersecurity posture.
In response to the allegations, a spokesperson for the Embassy of the People’s Republic of China in Canada issued a statement to Metroland Media, denying China’s involvement in the Salt Typhoon cyberespionage campaign. The spokesperson labeled the claims “fabricated false information” designed to discredit China, asserting, “China firmly opposes this and will never accept it” and urging Canada to “immediately stop its unwarranted accusations… and cease politicizing and stigmatizing cybersecurity issues.”