Chinese Hackers Target Canadian Telecom Companies

In a stark reminder of growing global cyber threats, Canadian and U.S. authorities have issued a joint warning about a state-sponsored cyber espionage campaign linked to China. The advisory highlights a coordinated effort by a group known as “Salt Typhoon” to infiltrate major telecommunications providers, including a confirmed breach involving a Canadian telecom company earlier this year.

According to the Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI), the hackers exploited a critical vulnerability in Cisco’s widely used IOS XE software (CVE-2023-20198), which has received the maximum severity rating of 10.0 on the CVSS scale. In mid-February 2025, Salt Typhoon actors accessed sensitive configuration files from three network devices belonging to the unnamed Canadian telecom firm.

Investigators found that at least one of the compromised files had been modified to establish a Generic Routing Encapsulation (GRE) tunnel—a tactic that enables attackers to reroute and monitor network traffic covertly.

Beyond Telecom: A Broader Threat

Though the affected company’s identity remains undisclosed, officials warn that the scope of the threat likely extends beyond the telecommunications sector. The compromised Canadian devices could serve as stepping stones for broader attacks on other infrastructure or enterprises.

“In some cases, we assess that the threat actors’ activities were very likely limited to network reconnaissance,” the advisory noted, signaling that the full extent of the breach may still be under assessment.

Edge network devices, such as those targeted in this attack, are particularly vulnerable due to their external-facing nature. The agencies underscored that Chinese state-sponsored groups have consistently shown interest in such systems to maintain long-term, undetected access to critical networks.

These findings echo a recent report by cyber intelligence firm Recorded Future, which revealed similar exploitation of vulnerabilities in the U.S., South Africa, and Italy. In those cases, attackers used the same Cisco vulnerabilities to infiltrate networks and deploy GRE tunnels, enabling persistent access and potential data exfiltration.
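Because both the joint advisory and the Recorded Future report describe the intrusion as a GRE tunnel added to a device's running configuration, one practical defensive check is to compare the tunnel interfaces in a running-config against an approved baseline. The following is an added Python example, not code from the advisory, the agencies or Cisco; the config excerpt and the approved-peer list are constructed assumptions.

```python
import re

# Constructed IOS XE running-config excerpt (sample data, not from the advisory):
# Tunnel10 is a known, approved GRE tunnel; Tunnel250 was not in the baseline.
SAMPLE_CONFIG = """\
interface Tunnel10
 description backup link to DC2
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.20
!
interface Tunnel250
 tunnel source GigabitEthernet1
 tunnel mode gre ip
 tunnel destination 203.0.113.77
!
"""

# Assumed baseline: tunnel endpoints the operator has documented.
APPROVED_TUNNEL_PEERS = {"198.51.100.20"}

def parse_tunnels(config: str) -> dict[str, dict[str, str]]:
    """Collect each 'interface TunnelN' block as {name: {mode, source, destination}}.
    On IOS XE a Tunnel interface without an explicit 'tunnel mode' defaults to GRE/IP."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if m:
            current = tunnels.setdefault(m.group(1), {"mode": "gre ip", "source": "", "destination": ""})
            continue
        if not line.startswith(" "):        # '!' or another top-level command ends the block
            current = None
            continue
        if current is not None:
            m = re.match(r"^\s*tunnel (mode|source|destination) (.+)$", line)
            if m:
                current[m.group(1)] = m.group(2).strip()
    return tunnels

def audit_tunnels(config: str, approved_peers: set[str]) -> list[str]:
    """One finding per GRE tunnel whose far end is not an approved peer."""
    findings = []
    for name, t in parse_tunnels(config).items():
        if t["mode"].startswith("gre") and t["destination"] not in approved_peers:
            findings.append(f"{name}: GRE tunnel to unapproved destination {t['destination'] or '<unset>'}")
    return findings

if __name__ == "__main__":
    for finding in audit_tunnels(SAMPLE_CONFIG, APPROVED_TUNNEL_PEERS):
        print(finding)
```

Run it against `show running-config` output captured from each edge device; any finding is a tunnel that nobody in the network team recorded and should be investigated before it is removed.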

New Malware Threats Target Fortinet Devices

Meanwhile, across the Atlantic, the U.K.’s National Cyber Security Centre (NCSC) has flagged two newly identified malware strains—SHOE RACK and UMBRELLA STAND—targeting Fortinet’s FortiGate 100D series firewalls. These tools are reportedly part of another cyber campaign attributed to Chinese state-linked actors.

SHOE RACK, a post-exploitation toolkit, is capable of establishing remote shell access and tunneling traffic through compromised devices. Its design is reportedly based on a publicly available reverse_shell script, which has also been weaponized by a China-affiliated hacking group known as PurpleHaze. That group recently adapted the tool into a Windows-based implant called GoReShell.

The second malware, UMBRELLA STAND, allows hackers to issue shell commands remotely from attacker-controlled servers. The NCSC said it shares similarities with COATHANGER, a backdoor previously used in a breach of a Dutch military network by Chinese actors.

A Growing Web of State-Sponsored Cyber Intrusions

These developments underscore the increasing sophistication and coordination of state-sponsored cyber operations—particularly those linked to China. From North America to Europe and Africa, a growing number of countries are grappling with advanced persistent threats that blur the lines between espionage, sabotage, and cyber warfare.

As the cyber landscape evolves, authorities urge organizations, especially those in critical infrastructure sectors, to patch known vulnerabilities and strengthen their defensive postures.

For now, experts warn that the activity attributed to Salt Typhoon and other state-backed actors is likely to persist—and possibly escalate—in the coming months.
