Chinese Hackers Salt Typhoon Breach Canadian Government Networks

Chinese state-sponsored cyber actors known as Salt Typhoon have been identified targeting telecommunications companies across Canada as part of a sustained global espionage campaign.

The Canadian Centre for Cyber Security (Cyber Centre) issued a warning this week after collaborating with US authorities, including the FBI, to attribute the activity to the China-aligned group. Investigators found that Salt Typhoon successfully compromised multiple network devices belonging to a Canadian telecom operator earlier this year.

In February, security teams discovered that the attackers had not only gained access to three network appliances but had actively altered configuration files to create GRE tunnels. Those tunnels function as covert channels, allowing attackers to siphon traffic and maintain a hidden conduit through which to move data or access other systems.
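A defender can look for this kind of change by auditing device configurations for GRE tunnels whose peer is not on an approved list. The Python example below is added here for illustration and does not come from the Cyber Centre or the original article. The Cisco IOS-style syntax, the sample configuration and the `APPROVED_PEERS` allowlist are assumptions, since the article does not name the device vendor.

```python
import ipaddress
import re

# Constructed IOS-style running-config excerpt (documentation addresses, not a real device).
SAMPLE_CONFIG = """\
interface Tunnel10
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
!
interface Tunnel77
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
interface Tunnel20
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
!
"""

# Hypothetical allowlist of approved GRE peers, e.g. built from change records.
APPROVED_PEERS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_tunnels(config):
    """Map each Tunnel interface to its configured destination and mode."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = m.group(1)
            tunnels[current] = {"destination": None, "mode": "gre ip"}  # IOS default mode
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current:
            words = line.split()
            if len(words) >= 3 and words[0] == "tunnel" and words[1] in ("destination", "mode"):
                tunnels[current][words[1]] = " ".join(words[2:])
    return tunnels

def is_approved(dest, approved):
    try:
        return any(ipaddress.ip_address(dest) in net for net in approved)
    except ValueError:  # missing destination or a hostname: treat as unapproved
        return False

def unexpected_gre_tunnels(config, approved=APPROVED_PEERS):
    """Return (interface, destination) for GRE tunnels with no approved peer."""
    return [(name, t["destination"]) for name, t in parse_tunnels(config).items()
            if t["mode"].startswith("gre") and not is_approved(t["destination"], approved)]
```

Running `unexpected_gre_tunnels` against each night's configuration backup, and comparing the result with the previous run, surfaces a newly added tunnel even when no mode line is present, because GRE is the default.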

This is not an isolated breach. The intrusions form part of a broader intelligence-collection operation that has previously infiltrated major telecommunications providers around the world.

Canadian businesses caught in the crosshairs

The Cyber Centre’s investigation indicates Salt Typhoon’s activity extends beyond telecom operators and reaches across multiple Canadian industries. Their method is consistent: compromise one organization’s systems, then use that foothold to harvest sensitive information or pivot into connected networks.

In some incidents, attackers focused on mapping network architecture and cataloguing vulnerabilities—efforts that likely serve future targeting and exploitation. Analysts warn these incursions are likely to continue for at least the next two years, with both telecom providers and their customers remaining high-value targets.

For many smaller Canadian businesses, the risk is indirect: they may be targeted not for their own data but because they are customers or partners of larger, more attractive victims. A compromised supplier or service provider can create pathways into otherwise well-defended organizations.

The intelligence goldmine of telecoms

Telecommunications networks are particularly valuable to intelligence-focused adversaries. They carry voice and messaging traffic, location signals, and large volumes of personal and corporate data—information that can enable long-term surveillance and targeted operations.

Access to telecom infrastructure can allow attackers to track individuals’ movements, intercept communications, and collect metadata at scale, often without the target’s awareness. The technical tactics are frequently familiar—exploiting vulnerabilities in routers, switches, or network management systems—but the scale, persistence, and focus on intelligence collection have intensified.

Providers face a difficult task: protecting sprawling infrastructures with numerous potential entry points while defending against adversaries with considerable resources and patience.

Salt Typhoon: A global campaign unmasked

The recent Canadian findings follow prior investigations that linked the same actor to breaches at several major global telecoms firms, including incidents affecting US wireless carriers. Stolen information has reportedly included both customer records and private communications belonging to government and political figures.

Whereas earlier state-aligned intrusions often prioritized intellectual property or financial data, these operations demonstrate a clear shift toward targeted intelligence gathering on specific individuals and institutions of interest.

The Cyber Centre highlighted the cascading risk: when a telecom provider is breached, every organization or person relying on that provider can be exposed. This multiplier effect dramatically increases the scope and potential impact of a single compromise.

The vulnerability at the edge

Canada’s National Cyber Threat Assessment for 2025–2026 notes a growing emphasis by threat actors on edge devices—routers, firewalls, VPN gateways and similar infrastructure that form the perimeter between internal networks and the internet.

Edge devices are attractive targets because they control traffic flows and, if compromised, provide attackers the capacity to monitor, modify or exfiltrate data. In severe cases, an edge compromise can serve as a beachhead for deeper network intrusion. Salt Typhoon’s activity in Canada matches this pattern, exploiting known vulnerabilities in perimeter devices to establish persistent access.

Despite public reporting and guidance about these attack methods, breaches continue. That persistence suggests that some organizations struggle to apply timely patches and robust controls or that adversaries continually refine their tactics to evade detection.

Facing the threat of sophisticated hackers like Salt Typhoon

The Cyber Centre has urged Canadian organizations—especially telecom providers—to take immediate steps to harden networks and prioritize the security of edge devices that are sometimes overlooked. Key measures include promptly applying security patches, enforcing multi-factor authentication for administrative accounts, and establishing continuous monitoring for anomalous traffic that may indicate compromise.

Telecommunications firms are also advised to perform comprehensive security audits, strengthen network segmentation to restrict lateral movement, and adopt strict controls around privileged access. These practices reduce the blast radius if an initial compromise occurs and make it harder for attackers to exploit a single breach.

This campaign underscores that critical infrastructure is increasingly a focus of international espionage, with telecom networks among the most valuable targets. The incidents serve as a reminder that cybersecurity is a matter of national security and requires sustained attention from both public and private sectors.
