China tapped Canada’s telecom backbone. Two years of unfiltered access. Cisco warned them. They ignored it. Beijing didn’t.

The breach wasn’t sudden. It was slow, silent, and entirely preventable. In February 2025, Chinese state-backed hackers gained full access to Canada’s telecommunications infrastructure. Not a single firewall tripped. Not one alert sounded. The door had been left wide open since October 2023.

Cisco had flagged the issue early. The vulnerability, tracked as CVE-2023-20198, carried a maximum severity score of 10.0. It allowed remote access to core routers and switches running Cisco’s IOS XE software. Cisco issued a patch. They sent out alerts. They followed up. The Canadian telecom provider never installed the update.

Three backbone devices were compromised. These weren’t edge routers or consumer-grade boxes. These were the central arteries of Canada’s digital nervous system. The attackers used the flaw to extract configuration files and install GRE tunnels. That gave them a direct pipeline into the network. Every call, every text, every packet of data flowing through those systems could be mirrored and siphoned.

The group behind the breach is known as Salt Typhoon. It’s a Chinese state-sponsored operation with a long track record of targeting telecom infrastructure. The FBI and Canada’s Centre for Cyber Security confirmed the group’s involvement in a joint bulletin. They said the attackers “almost certainly” belong to the People’s Republic of China’s intelligence apparatus.

The breach wasn’t limited to passive surveillance. At least one of the compromised devices had its configuration altered to allow persistent access. That means the attackers didn’t just peek. They stayed. They watched. They collected. And they likely used the access to pivot into other systems.

The data exfiltration wasn’t theoretical. Investigators confirmed that traffic from the three backbone devices was being funneled directly to servers controlled by Chinese operators. The volume of data moved remains classified, but sources familiar with the investigation say it includes call metadata, SMS content, and internal routing information.

The Canadian company responsible for the compromised devices has not been named publicly. What is known is that the patch had been available for 16 months before the breach. The devices were still running outdated firmware in February 2025. That’s not oversight. That’s negligence.

The FBI has warned that similar vulnerabilities are being exploited globally. Salt Typhoon has already hit telecom firms in the United States, South Africa, and Italy. The group’s tactics are consistent. They exploit known flaws in edge devices, install GRE tunnels, and quietly siphon data for months or years.
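One defensive check that follows from the tactic described above, added here as an example and not taken from the article or any of its sources: parse a router's running configuration, list every `interface Tunnel` block, and flag GRE tunnels whose destination is not on an operator-maintained allowlist. The config excerpt, hostnames, addresses and allowlist below are all constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed IOS XE-style running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname core-rtr-01
!
interface Tunnel10
 description backup path to peer POP
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.20.30.40
 tunnel mode gre ip
!
interface Tunnel555
 ip address 172.31.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
"""

# Assumption: the operator keeps a list of prefixes that legitimate tunnel peers live in.
KNOWN_TUNNEL_PEERS = (ipaddress.ip_network("10.20.30.0/24"),)


def parse_tunnels(config: str) -> List[Dict[str, str]]:
    """Return one dict per 'interface TunnelN' block with its tunnel statements."""
    tunnels: List[Dict[str, str]] = []
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):          # any top-level statement ends the current block
            m = re.match(r"interface (Tunnel\d+)$", line)
            current = {"name": m.group(1)} if m else None
            if current:
                tunnels.append(current)
            continue
        if current is None:
            continue
        stmt = line.strip()
        for key in ("tunnel source", "tunnel destination", "tunnel mode"):
            if stmt.startswith(key + " "):
                current[key.split()[1]] = stmt[len(key) + 1:]
    return tunnels


def suspicious_tunnels(config: str, allowlist=KNOWN_TUNNEL_PEERS) -> List[Dict[str, str]]:
    """GRE tunnels whose destination falls outside every allowlisted peer prefix."""
    flagged = []
    for t in parse_tunnels(config):
        dest = t.get("destination")
        if not dest or not t.get("mode", "").startswith("gre"):
            continue
        if not any(ipaddress.ip_address(dest) in net for net in allowlist):
            flagged.append(t)
    return flagged
```

Run the same check on every configuration backup, not just live devices, since a tunnel removed before an audit still leaves its trace in earlier archives.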

The Canadian breach is now being used as a case study in what happens when warnings are ignored. The attackers didn’t need to break in. They were handed the keys. And for two years, they had unrestricted access to one of the most sensitive communication networks in the Western Hemisphere.

Sources

https://arstechnica.com/security/2025/06/suspected-china-state-hackers-exploited-patched-flaw-to-breach-canadian-telecom/

https://thehackernews.com/2025/06/china-linked-salt-typhoon-exploits.html

https://www.securityweek.com/chinas-salt-typhoon-hackers-target-canadian-telecom-firms/

https://www.bleepingcomputer.com/news/security/canada-says-salt-typhoon-hacked-telecom-firm-via-cisco-flaw/

https://eclypsium.com/blog/cve-2023-20198-cisco-salt-typhoon-viasat-canadian-telcos/
