Introduction
In late 2024, American officials made a stunning disclosure: Chinese government-linked hackers had infiltrated at least nine major US telecommunications companies — including Verizon, AT&T, T-Mobile, Lumen, Spectrum, and others — and had maintained persistent access to their networks for months or years. The attackers, a group the cybersecurity community calls Salt Typhoon, had done something extraordinarily consequential: they had accessed the systems that US law enforcement and intelligence agencies use for court-authorized wiretaps.
By August 2025, the FBI reported that Salt Typhoon had targeted organizations in over 80 countries. At least 600 organizations worldwide had been notified that the group had active interest in their systems. The phone conversations of senior US officials — including President Trump and Vice President Vance — had been potentially accessible to Chinese intelligence. Experts called it one of the most consequential espionage campaigns in American history.
Salt Typhoon is not an anomaly. It is a case study in the shape of modern state-sponsored cyber operations — persistent, patient, precisely targeted, and extraordinarily difficult to detect.
Who Is Salt Typhoon?
Salt Typhoon is believed to be operated by or affiliated with China’s Ministry of State Security (MSS) — the Chinese intelligence agency responsible for foreign intelligence gathering. The group has been active since at least 2019 and has previously been tracked under alternative designations including Earth Estries, GhostEmperor, FamousSparrow, and UNC2286.
The group specializes in what intelligence professionals call APT (Advanced Persistent Threat) operations — campaigns characterized by:
Long dwell times: Salt Typhoon maintained access to some telecom networks for months, possibly years, before detection. This patience enables collection of enormous amounts of intelligence without triggering the automated detections that rapid, aggressive attacks generate.
Living off the land: Rather than deploying distinctive malware, Salt Typhoon primarily uses legitimate administrative tools, stolen credentials, and built-in operating system capabilities. This makes detection extremely difficult because malicious activity is technically indistinguishable from legitimate administrative work.
Precision targeting: The group’s interest in telecommunications infrastructure is specifically focused on Lawful Intercept systems — the technical capabilities that allow governments to monitor communications under court orders. Access to these systems provides intelligence about who is being monitored, what is being captured, and potentially the content of those communications.
How the Attack Worked
Detailed forensic analysis of the Salt Typhoon intrusions, published in 2025, revealed the attack methodology:
Initial access: In most cases, the group obtained legitimate login credentials — through phishing, credential stuffing from previously stolen credential databases, or insider access. In one documented case, attackers exploited a Cisco router vulnerability (CVE-2023-20198) that had been in the NIST vulnerability database for seven years without being patched at the victim organization.
Lateral movement: Once inside, attackers moved laterally through the network using legitimate administrative tools (PowerShell, WMI, remote desktop, legitimate management software) to reach the highest-value targets — the Lawful Intercept infrastructure.
Persistence: Multiple persistence mechanisms were established, using modified legitimate software, scheduled tasks, and registry keys that survived reboots and routine security scans.
Exfiltration: Communications data and call records were exfiltrated through encrypted channels to attacker-controlled infrastructure, designed to blend with normal network traffic.
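The chain above is hard to catch with signatures because every tool in it is legitimate, but its shape is detectable. The Python below is an added example, not code from the article or from any of the investigations it cites: it runs three behavioral rules over a few constructed, simplified logon and process-creation events (host names, account names and the Lawful Intercept segment membership are all hypothetical) and flags remote admin-tool use from outside the sanctioned jump host, rapid logon fan-out by a single account, and any access to the intercept segment that bypasses the jump host or uses an unapproved account.

```python
"""Behavioral detection of living-off-the-land lateral movement.

Added example, not from the article. It works on constructed, simplified
Windows-style events; a real deployment would read Security/Sysmon logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed environment baseline (hypothetical host and account names).
JUMP_HOSTS = {"jump01"}                    # the only sanctioned admin source
LI_HOSTS = {"li-gw01", "li-mediation01"}   # Lawful Intercept segment
LI_ADMINS = {"svc_li_ops"}                 # the only accounts allowed there

# Built-in tools that are legitimate individually but are the usual
# lateral-movement workhorses when invoked against a remote host.
ADMIN_TOOL_MARKERS = ("wmic", "/node:", "invoke-command", "enter-pssession",
                      "psexec", "winrs", "-encodedcommand", " -enc ")

# Constructed sample events, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-03-02T01:12:04Z","type":"logon","src":"ws-eng-17","dst":"srv-file02","user":"jdoe","logon_type":3}
{"ts":"2025-03-02T01:12:09Z","type":"process","host":"ws-eng-17","user":"jdoe","cmd":"wmic /node:srv-file02 process call create cmd.exe"}
{"ts":"2025-03-02T01:14:30Z","type":"logon","src":"ws-eng-17","dst":"srv-db01","user":"jdoe","logon_type":3}
{"ts":"2025-03-02T01:15:02Z","type":"logon","src":"ws-eng-17","dst":"srv-app03","user":"jdoe","logon_type":3}
{"ts":"2025-03-02T01:16:41Z","type":"logon","src":"ws-eng-17","dst":"li-gw01","user":"jdoe","logon_type":10}
{"ts":"2025-03-02T09:03:11Z","type":"logon","src":"jump01","dst":"srv-file02","user":"admin_ops","logon_type":3}
{"ts":"2025-03-02T09:03:15Z","type":"process","host":"jump01","user":"admin_ops","cmd":"powershell Invoke-Command -ComputerName srv-file02 -ScriptBlock {Get-Service}"}
{"ts":"2025-03-02T10:30:00Z","type":"logon","src":"jump01","dst":"li-mediation01","user":"svc_li_ops","logon_type":10}
"""

FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3   # distinct destination hosts per account within the window


def parse_events(text):
    """Parse newline-delimited JSON events and convert timestamps."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def detect(events):
    """Return a list of (rule, user, detail) alerts."""
    alerts = []
    logons_by_user = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            cmd = e["cmd"].lower()
            # Rule 1: remote admin tooling launched anywhere but the jump host.
            if any(m in cmd for m in ADMIN_TOOL_MARKERS) and e["host"] not in JUMP_HOSTS:
                alerts.append(("remote_admin_tool_off_jump_host", e["user"],
                               f'{e["host"]}: {e["cmd"]}'))
        elif e["type"] == "logon":
            logons_by_user[e["user"]].append(e)
            # Rule 2: intercept segment reached without the jump host or by
            # an account outside the approved set.
            if e["dst"] in LI_HOSTS and (e["src"] not in JUMP_HOSTS
                                         or e["user"] not in LI_ADMINS):
                alerts.append(("li_segment_access_violation", e["user"],
                               f'{e["src"]} -> {e["dst"]}'))
    # Rule 3: one account touching many hosts in a short window.
    for user, logons in logons_by_user.items():
        logons.sort(key=lambda x: x["ts"])
        for i, first in enumerate(logons):
            dsts = {x["dst"] for x in logons[i:]
                    if x["ts"] - first["ts"] <= FANOUT_WINDOW}
            if len(dsts) >= FANOUT_THRESHOLD:
                alerts.append(("logon_fanout", user,
                               f"{len(dsts)} hosts within {FANOUT_WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {user}: {detail}")
```

On the constructed log the sanctioned admin session from the jump host produces nothing, while the engineering workstation trips all three rules. The fan-out threshold and window are the tuning knobs; they should be set from a baseline of normal admin behaviour in the environment, not from this toy data.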
The sophistication of the operation reflects not just technical expertise but extensive institutional knowledge of how US telecommunications systems are architected, what their defensive gaps are, and what access provides the highest intelligence value.
Volt Typhoon: Infrastructure Positioning
Salt Typhoon’s espionage campaign exists alongside a parallel Chinese state-sponsored operation called Volt Typhoon — with a fundamentally different objective. While Salt Typhoon collects intelligence, Volt Typhoon appears to be pre-positioning access within US critical infrastructure — power grids, water systems, transportation networks — that could be activated during a future conflict.
CISA (the Cybersecurity and Infrastructure Security Agency) and the FBI issued a joint advisory in 2024 warning that Volt Typhoon had maintained access to some critical infrastructure networks for five or more years — not actively collecting data, but maintaining a foothold that could enable disruptive attacks during a Taiwan Strait contingency or other geopolitical crisis.
This distinction matters enormously for defensive strategy. Detecting and ejecting espionage actors (whose goal is to remain invisible) is challenging. Detecting actors who intend to remain invisible until they execute destructive attacks is even harder. The combination of Volt Typhoon’s infrastructure positioning and Salt Typhoon’s intelligence collection represents a comprehensive pre-conflict capability buildup that US security officials describe as unprecedented.
The Global Scale: 80 Countries, 600 Organizations
The FBI’s August 2025 assessment that Salt Typhoon had targeted organizations in over 80 countries put the campaign in global context. Telecom companies in Europe, Asia, and Latin America were targeted alongside US carriers. The group’s interest in Lawful Intercept systems is not limited to US surveillance capabilities — it extends to every country’s equivalent systems.
Notable targets outside the US included:
UK: BT Group reported investigating potential Salt Typhoon compromise of its network infrastructure in late 2024.
Canada: Canadian telecommunications security agencies issued warnings about Salt Typhoon activity targeting Canadian carriers.
Southeast Asia: Multiple carriers in Thailand, Vietnam, Indonesia, and Malaysia were targeted — reflecting the region’s strategic importance for monitoring Chinese overseas interests, Taiwanese business connections, and US military communications.
The breadth of targeting reflects a systematic effort to build a global telecommunications intelligence collection capability rather than an opportunistic attack against a single target.
The Policy Response: Too Little, Too Late?
US government response to the Salt Typhoon revelation has been extensive but criticized by many security experts as inadequate to the scale of the problem.
The FCC (Federal Communications Commission) proposed new cybersecurity rules for US telecommunications carriers in December 2024 — requiring carriers to certify that they have implemented security measures to protect against unauthorized access to wiretap systems. The rules would mandate annual security plan updates and create obligations to report breaches.
CISA issued updated guidance on telecommunications security hardening, with specific recommendations for protecting Lawful Intercept systems. The NSA published guidance on network device security that directly addresses the Cisco router vulnerabilities exploited by Salt Typhoon.
Congressional hearings revealed a troubling reality: the Lawful Intercept systems that Salt Typhoon accessed were designed in the 1990s, under the Communications Assistance for Law Enforcement Act (CALEA), at a time when the threat model did not include sophisticated state adversaries targeting the surveillance infrastructure itself. The security architecture of these systems was not designed for the 2025 threat environment.
Experts testified that US telecommunications networks remain vulnerable despite the disclosed intrusions — a statement that prompted intense political controversy but is consistent with the technical reality that remediating persistent, sophisticated adversary access takes time.
Attribution Challenges: The State-Sponsored Hacking Problem
The Salt Typhoon case illustrates a fundamental challenge in cybersecurity: attribution — the process of identifying who is behind an attack — is technically and politically complex.
Technical attribution relies on indicators including:
- Malware characteristics and code similarity to known threat actor tools
- Infrastructure reuse (IP addresses, domains used in previous campaigns)
- Operational patterns (working hours consistent with specific time zones, target selection matching known geopolitical interests)
- OPSEC mistakes that reveal attacker identities or locations
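Working-hours analysis is the cheapest indicator in that list, so it is worth seeing concretely. The Python below is an added example, not part of the article or of any published Salt Typhoon analysis: it scores each candidate UTC offset by the fraction of activity timestamps that land in weekday working hours under that offset. The timestamps are constructed. A top-scoring offset is a weak, corroborating signal that has to be weighed with the other indicators, never attribution by itself.

```python
"""Time-zone inference from activity timestamps.

Added example, not from the article. Scores candidate UTC offsets by how
well the observed activity fits a weekday 09:00-18:00 working pattern.
All timestamps below are constructed, not real campaign data.
"""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 18   # local working-hour window, [start, end)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2025-03-03T01:17:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def working_hours_score(timestamps_utc, offset_hours):
    """Fraction of events on a weekday inside working hours once the clocks
    are shifted to UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in timestamps_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(timestamps_utc)


def rank_offsets(timestamps_utc, offsets=range(-12, 15)):
    """Return (score, offset) pairs, best first; ties prefer the smaller offset."""
    scored = [(working_hours_score(timestamps_utc, o), o) for o in offsets]
    scored.sort(key=lambda x: (-x[0], abs(x[1])))
    return scored


def constructed_sample():
    """Constructed activity: Mon-Fri 2025-03-03..07, 01:17 to 09:17 UTC each
    day, plus two Saturday events that a working-hours model should not fit."""
    stamps = []
    for day in range(5):
        for hour in range(1, 10):
            stamps.append(parse_ts(f"2025-03-{3 + day:02d}T{hour:02d}:17:00Z"))
    stamps.append(parse_ts("2025-03-08T03:05:00Z"))
    stamps.append(parse_ts("2025-03-08T03:40:00Z"))
    return stamps


if __name__ == "__main__":
    for score, offset in rank_offsets(constructed_sample())[:5]:
        print(f"UTC{offset:+d}: {score:.2f}")
```

For the constructed data only UTC+8 places every weekday event inside the working window, so it ranks first; neighbouring offsets score slightly lower because one hour of activity falls outside the window. With real data, expect a broad plateau rather than a single spike, and treat the result as one input to the attribution judgement the section describes.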
Political attribution — officially naming a state as responsible — involves weighing the confidence of technical evidence against diplomatic, intelligence, and policy considerations. The US government formally attributed Salt Typhoon to China; China denied involvement.
The attribution challenge creates a fundamental asymmetry in state-sponsored cyber operations: attackers who are careful can maintain plausible deniability, preventing victims from taking the kind of political and diplomatic responses that would be triggered by a conventional military attack. This asymmetry has made state-sponsored cyber operations a preferred tool of statecraft — providing intelligence collection and infrastructure access at geopolitical costs far below those of equivalent conventional operations.
What Organizations Can Do: Lessons from Salt Typhoon
The Salt Typhoon campaign offers several concrete lessons for organizations managing network security:
Patch promptly: The Cisco vulnerability exploited in one Salt Typhoon intrusion had been publicly known for seven years. Patch management — particularly for internet-facing network devices — is the highest-impact basic defensive practice. The percentage of organizations that fall victim to attacks exploiting known vulnerabilities for which patches are already available remains embarrassingly high.
Audit authentication: Salt Typhoon gained access primarily through stolen credentials. Multi-factor authentication, privileged access management, and credential monitoring (alerting when credentials appear in breach databases) are essential controls.
Network segmentation: The ability to move laterally from initial access to high-value targets like Lawful Intercept systems reflects inadequate network segmentation. Critical systems should be isolated in network segments that require additional authentication to access — not reachable through standard administrative credentials.
Behavioral monitoring: Traditional signature-based security tools are ineffective against “living off the land” attacks that use legitimate tools. Behavioral analytics — detecting anomalous activity patterns even when individual tools are legitimate — is essential for identifying sophisticated persistent threats.
Assume compromise: The security posture of “assume breach” — planning on the assumption that sophisticated adversaries may already be present in the network — changes security priorities from perimeter defense to limiting damage, accelerating detection, and simplifying remediation.
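Of the five lessons, the patching one is the easiest to turn into a routine check. The Python below is an added example, not code from the article or from any vendor tool: it joins a constructed device inventory against a constructed advisory list, flags devices running a version below the fix version, and computes days of exposure against a remediation SLA that is stricter for internet-facing devices. CVE-2023-20198 is the identifier named in the article; its fix version and publication date here are constructed for the illustration, as is the second, placeholder advisory, and the version comparison ignores release trains, which a production check must not.

```python
"""Patch-exposure audit for network devices against a tiered SLA.

Added example, not from the article. Inventory, advisories, fix versions,
dates and SLA policy are all constructed; CVE-2023-20198 is the one
identifier taken from the article, the other is a placeholder.
"""
from datetime import date

# Remediation SLA in days by exposure tier (constructed policy).
SLA_DAYS = {"internet_facing": 14, "internal": 30}

# Constructed advisories. A device is affected when its version sorts
# below fixed_in; real advisories are per release train and must be
# matched that way.
ADVISORIES = [
    {"id": "CVE-2023-20198", "product": "ios-xe",
     "fixed_in": "17.9.4", "published": date(2023, 10, 16)},
    {"id": "CVE-XXXX-PLACEHOLDER", "product": "junos",
     "fixed_in": "21.4.3", "published": date(2025, 1, 10)},
]

# Constructed inventory (hypothetical device names).
INVENTORY = [
    {"name": "edge-rtr-01", "product": "ios-xe", "version": "17.9.2", "tier": "internet_facing"},
    {"name": "core-sw-03", "product": "ios-xe", "version": "17.9.4", "tier": "internal"},
    {"name": "li-gw-01", "product": "ios-xe", "version": "17.9.3", "tier": "internal"},
    {"name": "wan-rtr-02", "product": "junos", "version": "21.4.1", "tier": "internet_facing"},
]


def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. '17.9.4' -> (17, 9, 4)."""
    return tuple(int(p) for p in v.split("."))


def findings(inventory, advisories, today):
    """Return one finding per (device, advisory) pair that is unpatched,
    ordered with SLA breaches first and the longest exposure at the top."""
    out = []
    for dev in inventory:
        for adv in advisories:
            if adv["product"] != dev["product"]:
                continue
            if parse_version(dev["version"]) < parse_version(adv["fixed_in"]):
                exposed = (today - adv["published"]).days
                sla = SLA_DAYS[dev["tier"]]
                out.append({
                    "device": dev["name"],
                    "tier": dev["tier"],
                    "cve": adv["id"],
                    "days_exposed": exposed,
                    "sla_days": sla,
                    "sla_breached": exposed > sla,
                })
    out.sort(key=lambda f: (not f["sla_breached"], -f["days_exposed"]))
    return out


def summary(results):
    """Count SLA breaches per exposure tier."""
    counts = {tier: 0 for tier in SLA_DAYS}
    for f in results:
        if f["sla_breached"]:
            counts[f["tier"]] += 1
    return counts


if __name__ == "__main__":
    audit_date = date(2025, 6, 1)   # constructed "today"
    for f in findings(INVENTORY, ADVISORIES, audit_date):
        flag = "BREACH" if f["sla_breached"] else "ok"
        print(f'{f["device"]:<12} {f["cve"]:<22} {f["days_exposed"]:>4}d  {flag}')
    print(summary(findings(INVENTORY, ADVISORIES, audit_date)))
```

The ordering puts the internet-facing, longest-exposed device first, which is where the section's "most high-impact basic defensive practice" argument says remediation effort should go. Feeding this from a real inventory system and a vendor advisory feed turns it into the recurring audit the Decision Radar below calls for.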
The Bigger Picture: Cyber as a Domain of Great Power Competition
Salt Typhoon and Volt Typhoon are not isolated incidents — they are the visible tip of a comprehensive, multi-year effort to achieve cyber superiority as a component of great power competition.
The US, China, Russia, Iran, North Korea, and others all operate state-sponsored cyber programs with offensive capabilities. What distinguishes the current moment is scale, sophistication, and the integration of cyber operations into broader strategic competition — not as a supplement to conventional military force but as a primary instrument of statecraft.
The implications for every organization — government, military, commercial, critical infrastructure — are that state-sponsored threat actors represent a fundamentally different risk profile than criminal attackers. State actors have more resources, more patience, more sophisticated tradecraft, and more specific, often non-financial objectives. The defensive posture required to resist state-sponsored APT campaigns is significantly more demanding than what is required to resist opportunistic criminal attacks.
Conclusion
Salt Typhoon represents a watershed moment in the history of cyber conflict — not because state-sponsored hacking is new, but because the scale, precision, and strategic consequences of this particular campaign are unprecedented. The response from governments, telecommunications companies, and security teams will shape the security of global telecommunications infrastructure for years.
The lesson is not that better technology alone can solve this problem. The Salt Typhoon operation succeeded partly because a seven-year-old vulnerability went unpatched at a major telecommunications company. The most sophisticated cyber defense in the world cannot compensate for basic security hygiene failures. Fundamentals matter — at every level from the board to the network operations center.
Decision Radar (Algeria Lens)
| Dimension | Assessment |
|---|---|
| Relevance for Algeria | High — Algeria’s telecom operators (Algerie Telecom, Djezzy, Ooredoo, Mobilis) rely on the same network equipment vendors (Cisco, Huawei) and lawful intercept architectures targeted by Salt Typhoon. Algeria’s growing Chinese telecom infrastructure partnerships increase exposure to supply-chain risk. |
| Infrastructure Ready? | No — Algerian telecom networks lack mature network segmentation, behavioral monitoring, and centralized patch management capabilities. Legacy equipment with unpatched vulnerabilities is widespread across fixed and mobile networks. |
| Skills Available? | Partial — Algeria has cybersecurity talent through CERIST and university programs, but the country faces a severe shortage of specialized threat hunting, incident response, and APT detection expertise required to counter state-sponsored campaigns. |
| Action Timeline | Immediate — Telecom operators should begin security audits of network devices and lawful intercept infrastructure now. National cybersecurity framework development should accelerate within 6-12 months. |
| Key Stakeholders | MPTIC (Ministry of Post and Telecommunications), ANPT (telecom regulator), Algerie Telecom, Djezzy, Ooredoo, Mobilis security teams, CERIST, military cyber defense units |
| Decision Type | Strategic — Requires national-level coordination between telecom regulators, operators, and security agencies to assess exposure and harden critical telecommunications infrastructure against APT-grade threats. |
Quick Take: Algeria’s telecom sector uses the same vendor equipment and intercept architectures that Salt Typhoon exploited globally. With significant Chinese-supplied infrastructure and limited APT detection capabilities, Algerian operators should treat this campaign as a direct warning. Immediate priorities are network device patching audits, lawful intercept system isolation, and building national incident response capacity before similar campaigns reach North Africa.
Sources & Further Reading
- Top 10 Cyber-Attacks of 2025 — Infosecurity Magazine
- Salt Typhoon Hackers Targeted Over 80 Countries, FBI Says — Nextgov/FCW
- Salt Typhoon Exploits Flaws in Edge Network Devices to Breach 600 Organizations — The Hacker News
- Salt Typhoon Telecom Hacks One of the Most Consequential Campaigns Against US — Cybersecurity Dive
- Biggest Cyber Attacks of 2025 — CM Alliance
- US Communications Networks Remain Vulnerable Following Salt Typhoon Hack — US Senate Commerce Committee