Alarm bells for South African networks as China targets telcos

Cyberattacks by the Chinese hacking group Salt Typhoon on American telecommunications firms and global satellite provider Viasat have raised questions about whether South African telcos may also have been targeted.
Salt Typhoon, an advanced persistent threat actor believed to be operated by China’s Ministry of State Security, this year breached an as-yet unnamed Canadian telco and Viasat.
This was after the FBI and U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed a Wall Street Journal report last year that Salt Typhoon had breached network operator systems.
U.S. officials later confirmed that Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream were victims of the attack.
The FBI and CISA said they identified malicious activity targeting the sector, immediately notified affected companies, rendered technical assistance, and rapidly shared information to help other potential victims.
The attack primarily targeted core network components, including Cisco routers, which are responsible for routing large portions of the Internet.
Following the initial reports in October 2024, U.S. officials confirmed that Salt Typhoon had compromised Internet service provider systems used to fulfil lawful wiretapping requests authorised by court order.
These are similar to systems employed in South Africa for operators to comply with RICA — the Regulation of Interception of Communications and Provision of Communication-Related Information Act.
In June 2025, the Canadian Centre for Cyber Security and the FBI confirmed that Salt Typhoon was targeting Canadian telcos and had breached an unnamed telecommunications provider in February.
Similar to the U.S. attacks, the state-sponsored hacking group exploited a critical security flaw in Cisco’s internetworking operating system, IOS XE.
According to the bug’s description in the Common Vulnerabilities and Exposures (CVE) database, it allowed remote, unauthenticated attackers to create arbitrary accounts and gain administrator-level privileges.
Cisco first disclosed the security flaw in October 2023, when it also revealed that it was a zero-day vulnerability which attackers had already exploited to hack over 10,000 devices.
Around the same time Canada announced that it had been targeted, Viasat revealed that Salt Typhoon had also breached its systems.

South African operators respond

MyBroadband contacted South Africa’s major mobile network operators to ask whether they had detected or been the victim of an attack similar to what their American counterparts were describing.
Telkom and MTN provided feedback, Vodacom declined to comment, and Cell C and Rain had not responded by the time of publication.
“Telkom has conducted an internal review, and at this stage, there is no indication of compromise within our environment, including our core network infrastructure,” a Telkom spokesperson told MyBroadband.
“Our security monitoring and controls have not detected any suspicious activity linked to the Cisco IOS XE vulnerability or the referenced threat actor.”
When asked whether they had detected any attacks targeting the South African telecommunications industry, Telkom said it does not comment on incidents affecting other organisations.
However, without naming the company, it broadly noted the ransomware attack Cell C suffered. “We have not observed any evidence suggesting a connection to the Cisco IOS XE exploit or the Salt Typhoon group,” it said.
“We remain highly vigilant and continue to proactively monitor our systems for any indicators of compromise or emerging threats, in line with our commitment to ensuring the safety and integrity of our network and customer data.”
MTN told MyBroadband that it had not detected any cyberattack by the Salt Typhoon hacking group.
Vodacom said it closely monitors and takes any threat to telecommunications providers seriously, but does not comment on specific enquiries like the Salt Typhoon matter.
“As you will fully appreciate, cyber security is one of our top priorities, and if we identify any specific threats, we always investigate and take immediate action.”