China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom

The Hacker News by The Hacker News
June 24, 2025
Jun 24, 2025Ravie LakshmananCyber Espionage / Chinese Hackers

The Canadian Centre for Cyber Security and the U.S. Federal Bureau of Investigation (FBI) have issued an advisory warning of cyber attacks mounted by the China-linked Salt Typhoon actors to breach major global telecommunications providers as part of a cyber espionage campaign.

The attackers exploited a critical Cisco IOS XE software vulnerability (CVE-2023-20198, CVSS score: 10.0) to access configuration files from three network devices registered to a Canadian telecommunications company in mid-February 2025.

The threat actors are also said to have modified at least one of the files to configure a Generic Routing Encapsulation (GRE) tunnel, enabling traffic collection from the network. The name of the targeted company was not disclosed.


Stating that the targeting likely goes beyond the telecommunications sector, the agencies said the targeting of Canadian devices may permit the threat actors to collect information from the compromised networks and use them as leverage to breach additional devices.

“In some cases, we assess that the threat actors’ activities were very likely limited to network reconnaissance,” per the alert.

The agencies further pointed out that edge network devices continue to be an attractive target for Chinese state-sponsored threat actors looking to breach and maintain persistent access to telecom service providers.

The findings dovetail with an earlier report from Recorded Future that detailed the exploitation of CVE-2023-20198 and CVE-2023-20273 to infiltrate telecom and internet firms in the U.S., South Africa, and Italy, and the use of those footholds to set up GRE tunnels for long-term access and data exfiltration.
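
A defensive check for the GRE tunnel configuration changes described above, in both the advisory and the Recorded Future report, as an added example that is not part of the original article or either report: it parses an IOS-style configuration for tunnel interfaces and lists GRE tunnels whose destination falls outside an approved set. The sample configuration, the `APPROVED_PEERS` allowlist and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed IOS-style running-config excerpt (sample data, not from the advisory).
SAMPLE_CONFIG = """\
interface Tunnel10
 tunnel destination 192.0.2.10
!
interface Tunnel77
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
!
interface Tunnel20
 tunnel destination 192.0.2.20
 tunnel mode ipsec ipv4
"""
APPROVED_PEERS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed site allowlist

def parse_tunnels(config):
    """One dict per 'interface Tunnel<N>' stanza; IOS omits the default mode (GRE)."""
    tunnels, current = [], None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = {"name": m.group(1), "mode": "gre ip", "destination": None}
            tunnels.append(current)
        elif not line.startswith(" "):
            current = None  # any unindented line closes the stanza
        elif current is not None:
            words = line.split()
            if words[:2] == ["tunnel", "mode"]:
                current["mode"] = " ".join(words[2:])
            elif words[:2] == ["tunnel", "destination"] and len(words) > 2:
                current["destination"] = words[2]
    return tunnels

def unapproved_gre(config, approved=APPROVED_PEERS):
    """GRE tunnels whose destination is absent, not an IP, or off the allowlist."""
    findings = []
    for t in parse_tunnels(config):
        try:
            dest = ipaddress.ip_address(t["destination"] or "")
            ok = any(dest in net for net in approved)
        except ValueError:
            ok = False
        if t["mode"].startswith("gre") and not ok:
            findings.append((t["name"], t["destination"]))
    return findings

print(unapproved_gre(SAMPLE_CONFIG))
```

Run against configuration backups on a schedule, a check like this surfaces a tunnel that appears between two snapshots even when the rest of the file is unchanged.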

U.K. NCSC Warns of SHOE RACK and UMBRELLA STAND Malware Targeting Fortinet Devices

The development comes as the U.K. National Cyber Security Centre (NCSC) revealed two different malware families dubbed SHOE RACK and UMBRELLA STAND that have been found targeting FortiGate 100D series firewalls made by Fortinet.

While SHOE RACK is a post-exploitation tool for remote shell access and TCP tunneling through a compromised device, UMBRELLA STAND is designed to run shell commands issued from an attacker-controlled server.


Interestingly, SHOE RACK is partly based on a publicly available tool named reverse_shell, which, coincidentally, has also been repurposed by a China-nexus threat cluster called PurpleHaze to devise a Windows implant codenamed GoReShell. It’s currently not clear if these activities are related.

The NCSC said it identified some similarities between UMBRELLA STAND and COATHANGER, a backdoor that was previously put to use by Chinese state-backed hackers in a cyber attack aimed at a Dutch armed forces network.
