When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies, breaching no fewer than nine phone carriers and gaining access to Americans’ texts and calls in real time, the hacking campaign was treated as a four-alarm fire by the US government. But even after that high-profile exposure, the hackers have continued to break into telecommunications networks worldwide, including more in the US.
Researchers at the cybersecurity firm Recorded Future revealed in a report on Wednesday night that Salt Typhoon breached five telecommunications and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecommunications firm and the US subsidiary of a British telecommunications company, according to the firm’s analysts, although they declined to name the victims to WIRED.
“They are super active, and they still remain super active,” says Levi Gundert, who leads Recorded Future’s research team, known as Insikt Group. “I think there’s just a general underappreciation of how aggressive they are in turning telecommunications networks into Swiss cheese.”
To carry out this latest campaign of intrusions, Salt Typhoon, which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft, has targeted the internet-exposed web interfaces of Cisco’s IOS software, which runs on the networking giant’s routers and switches. The hackers exploited two different vulnerabilities in the code of those devices, one of which provides initial access and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim’s network.
“Any time you are embedded in communication networks on infrastructure such as routers, you have the keys to the kingdom in what you are able to access and observe and exfiltrate,” says Gundert.
Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, the attackers appear to have focused on a smaller subset of telecommunications and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the compromised Cisco devices to connect to the hackers’ own command-and-control servers via generic routing encapsulation, or GRE, tunnels (a protocol used to set up private communication channels), then used those connections to maintain their access and exfiltrate data.
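As an added illustration of what a defender can check for on their own routers (example code written for this page, not code from the article, Cisco or Recorded Future): a small Python audit of a Cisco IOS-style running-config that flags the two conditions described above, an enabled device web interface (`ip http server` / `ip http secure-server`) and GRE tunnel interfaces whose destination is not on an allow-list of known peers. The config text, addresses, allow-list and function names are all constructed for the example.

```python
"""Audit an IOS-style running-config for an enabled web UI and for GRE
tunnels to unexpected destinations. Added example, not vendor or
Recorded Future code; the sample config below is constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    severity: str
    detail: str


@dataclass
class AuditResult:
    http_server: bool = False   # 'ip http server' present (plaintext web UI)
    https_server: bool = False  # 'ip http secure-server' present (HTTPS web UI)
    gre_tunnels: dict = field(default_factory=dict)  # interface -> tunnel destination
    findings: list = field(default_factory=list)


def audit_config(config: str, approved_peers: set) -> AuditResult:
    """Walk the config line by line. Unindented lines are global commands or
    section headers such as 'interface Tunnel0'; indented lines belong to the
    preceding section until a '!' separator or the next unindented line."""
    result = AuditResult()
    current_iface = None
    tunnel_mode = {}  # interface -> mode, only when explicitly configured
    tunnel_dest = {}  # interface -> destination address

    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current_iface = None
            continue
        if not line.startswith(" "):
            current_iface = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current_iface = m.group(1)
            elif line == "ip http server":
                result.http_server = True
            elif line == "ip http secure-server":
                result.https_server = True
            continue
        if current_iface is None:
            continue
        stripped = line.strip()
        m = re.match(r"tunnel mode (\S+)", stripped)
        if m:
            tunnel_mode[current_iface] = m.group(1)
        m = re.match(r"tunnel destination (\S+)", stripped)
        if m:
            tunnel_dest[current_iface] = m.group(1)

    # On IOS a Tunnel interface with no explicit 'tunnel mode' defaults to
    # GRE over IP, so a missing line is treated as GRE here.
    for iface, dest in tunnel_dest.items():
        if tunnel_mode.get(iface, "gre") == "gre":
            result.gre_tunnels[iface] = dest
            if dest not in approved_peers:
                result.findings.append(Finding(
                    "critical", f"{iface}: GRE tunnel to unapproved destination {dest}"))

    if result.http_server:
        result.findings.append(Finding(
            "high", "ip http server enabled: web UI reachable over plaintext HTTP"))
    if result.https_server:
        result.findings.append(Finding(
            "high", "ip http secure-server enabled: web UI reachable; restrict to "
                    "management addresses or disable if unused"))
    return result


# Constructed sample config; addresses are documentation ranges, not real indicators.
SAMPLE_CONFIG = """\
!
hostname edge-router-1
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
interface Tunnel0
 description site-to-site link to branch office
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
!
interface Tunnel99
 ip address 10.99.99.1 255.255.255.252
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.250
!
end
"""

# Hypothetical allow-list of tunnel peers this router is expected to talk to.
APPROVED_PEERS = {"198.51.100.7"}

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG, APPROVED_PEERS).findings:
        print(f"[{f.severity}] {f.detail}")
```

Run against the sample, the audit reports the second tunnel (whose destination is not an approved peer) as critical and both web-server lines as high. In practice the allow-list would come from the organisation's inventory of legitimate tunnel endpoints, and the check would be run over configs pulled from every router and switch, since a tunnel that appears without a matching change record is exactly the kind of persistence the report describes.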
When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published in 2023 about vulnerabilities in the web interface of its IOS software. “We urge customers to follow the recommendations in the advisory and upgrade to the available fixed software release,” a spokesperson wrote in a statement.
Hacking network devices as entry points to target victims, often by exploiting well-known vulnerabilities that device owners have failed to patch, has become a standard operating procedure for Salt Typhoon and other Chinese hacking groups. That is partly because these network appliances lack many of the security controls and monitoring software that have been extended to more traditional computing devices such as servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted such vulnerable network devices as a primary intrusion technique for at least five years.