Salt Typhoon
A Chinese Ministry of State Security-linked APT that compromised nine U.S. telecommunications carriers, breached the CALEA lawful intercept infrastructure used by federal law enforcement, and collected call records spanning millions of Americans — including real-time audio of senior government officials. Senate Intelligence Committee chairman Mark Warner called it "the worst telecom hack in our nation's history — by far." FCC Chair Brendan Carr described it as "the worst cyber intrusion in our nation's history."
Overview
Salt Typhoon is one of the most operationally significant Chinese state-sponsored threat actors ever documented. While the U.S. Treasury's January 2025 sanctions named Sichuan Juxinhe Network Technology Co. as directly involved, full public attribution to a specific MSS bureau or unit has not been declassified. The group's targeting profile, tooling, and operational patience align precisely with Chinese intelligence collection priorities — signals intelligence against U.S. government officials, law enforcement targets, and policy makers. The name "Salt Typhoon" was assigned by Microsoft; the U.S. government adopted the same designation in its official advisories. Other well-documented MSS-linked clusters operating in parallel include APT41 (Silver Dragon), which combines state espionage with financially motivated cybercrime, APT10 (Stone Panda), known for managed service provider supply chain intrusions, and Earth Lusca, which overlaps with Salt Typhoon's Southeast Asian targeting geography.
The group is distinguished by its focus on telecommunications infrastructure rather than end-user devices. By gaining persistent access to backbone networks that carry voice and data traffic, Salt Typhoon positioned itself to intercept communications at scale without ever touching the phones or computers of individual targets. The CALEA breach was particularly alarming: it gave the group access to the same systems U.S. law enforcement uses to conduct court-ordered wiretaps — meaning Salt Typhoon could read the list of who the FBI and DOJ were legally surveilling. Senator Maria Cantwell described it plainly: "These systems became an open door for Chinese intelligence."
Senator Mark Warner, chairman of the Senate Intelligence Committee, put the scale in perspective: "This is massive, and we have a particularly vulnerable system. Unlike some European countries where you might have a single telco, our networks are a hodgepodge of old networks." He warned that purging the hackers could require replacing "literally thousands and thousands and thousands of pieces of equipment across the country."
Cisco Talos confirmed in February 2025 that Salt Typhoon maintained access to at least one victim network for over three years before discovery. As of early 2026, the FBI has confirmed the group hacked at least 200 companies across 80+ countries, with 600+ organizations formally notified of potential compromise. The Cyber Safety Review Board, which was actively investigating the breach, was disbanded by the Trump administration in January 2025 before completing its work. CISA has since taken over the investigation. Salt Typhoon operates within a broader cluster of Chinese state-sponsored groups — including Volt Typhoon, which focuses on pre-positioning inside U.S. critical infrastructure for potential wartime disruption, and Storm-0558, which breached Microsoft Exchange to steal U.S. government emails. Understanding all three is essential to the full picture of China's cyber posture.
The Cyber Safety Review Board was actively investigating Salt Typhoon when the Trump administration disbanded all DHS advisory committees on January 20, 2025 — before the investigation could be completed. CISA has taken over the inquiry. As of December 2025, the FCC moved to reverse cybersecurity rules adopted specifically in response to the Salt Typhoon breach. In February 2026, Senator Cantwell disclosed that AT&T and Verizon each hired Mandiant for security assessments but that Mandiant had not provided the resulting reports to the committee. In March 2026, reporting emerged that China-linked actors breached the FBI's Digital Collection System Network — the same platform used to manage FISA warrants and active wiretap surveillance — with CISA and NSA engaged in the investigation. Full eviction of Salt Typhoon from all affected networks has not been publicly confirmed.
Target Profile
Salt Typhoon focuses primarily on telecommunications infrastructure rather than end-user systems. The strategic value is access to communications at scale — intercepting traffic in transit rather than compromising individual endpoints. The August 2025 CISA advisory confirmed the group targets networks globally across sectors including "telecommunications, government, transportation, lodging and military infrastructure networks." Salt Typhoon is not the only threat actor with a fixation on telecoms: Scattered Spider has separately targeted carriers using social engineering and SIM-swapping, representing a completely different entry vector into the same high-value sector.
- Telecommunications carriers: Nine U.S. carriers confirmed, plus Canadian providers (confirmed February 2025), all four Singapore telecoms (breached by UNC3886, a related China-aligned APT cluster, confirmed February 2026), and providers in Norway, the United Kingdom, Italy, the Netherlands, Brazil, South Africa, Myanmar, and across Asia, Africa, and Europe. New Zealand confirmed Salt Typhoon activity spanning government, transportation, lodging, and military networks, not just telecoms. Cisco routers at universities in Argentina, Mexico, Bangladesh, Indonesia, Malaysia, and Thailand were targeted. The group targets network backbone infrastructure, routing equipment, and CALEA-compliant intercept systems. Early reporting also documented supply chain intrusion techniques including malicious payloads embedded in firmware updates and telecom equipment.
- Government and political targets: Communications of senior U.S. government officials accessed in real time. Confirmed targets included Donald Trump, JD Vance, and staff from the Kamala Harris 2024 presidential campaign. State Department officials were also targeted. U.S. House of Representatives committee systems were compromised in December 2025.
- Military and defense: A U.S. state Army National Guard network was compromised for nine months (March–December 2024). The CISA advisory explicitly names military infrastructure networks as targets, with analysts noting Salt Typhoon is pre-positioning to slow U.S. military mobilization in the event of conflict over Taiwan — a mission it shares with Volt Typhoon, whose destructive pre-positioning operations target a different layer of the same critical infrastructure.
- Satellite communications: Viasat breach confirmed in June 2025, extending reach beyond terrestrial networks through abuse of remote management links tied to ground infrastructure.
- Transportation and lodging: Confirmed in the August 2025 multi-agency advisory. ESET has documented prior Salt Typhoon intrusions at hotels and government agencies worldwide, providing intelligence on the movements of targets.
- Global scope: 200+ companies hacked across 80+ countries, with 600+ organizations formally notified by the FBI. Countries with confirmed or disclosed activity include Canada, the United Kingdom, Norway, the Netherlands, Italy, Brazil, South Africa, Myanmar, Bangladesh, Indonesia, Malaysia, Thailand, Argentina, Mexico, India, Taiwan, Philippines, Afghanistan, Eswatini, New Zealand, Japan, Australia, and others. Czech cybersecurity officials reported related incidents in Finland and Poland. Dutch authorities noted targeted smaller internet providers and web hosts via routers, though core internal networks were not compromised.
Tactics, Techniques & Procedures
Salt Typhoon's TTPs were formally documented in the August 2025 multi-agency advisory (CISA AA25-239A), co-signed by 25 agencies across allied nations. The group's operational signature is its patience: it prioritizes long-term undetected access over rapid exploitation, routinely maintaining footholds for years before detection. All technique IDs below link to NoHacky's MITRE ATT&CK reference library where available.
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Primary initial access via Cisco IOS XE CVE-2023-20198 (CVSS 10.0), Ivanti Connect Secure VPN (CVE-2023-46805, CVE-2024-21887), Fortinet FortiClient EMS, Sophos Firewall, and Microsoft Exchange. Some exploited vulnerabilities had patches available for seven years or more at the time of compromise. |
| T1078 | Valid Accounts | Leverages compromised credentials after initial access. Investigators found credential reuse across network appliances and failure to adopt multi-factor authentication for privileged network administrator accounts at multiple carriers. |
| T1036 | Masquerading | Implants and traffic designed to blend into legitimate network management activity. GhostSpider communicates via instructions concealed in HTTP headers and cookies. SNAPPYBEE and other tools are shared with other Chinese APT groups to complicate attribution. |
| T1557 | Adversary-in-the-Middle | Positions within carrier backbone to intercept voice calls, SMS, and data in transit — including CALEA lawful intercept traffic. Confirmed real-time audio interception of senior officials. |
| T1083 | File and Directory Discovery | Systematic enumeration of CALEA intercept target lists to identify who law enforcement was monitoring — effectively reading the FBI's active wiretap warrant list. |
| T1071 | Application Layer Protocol | Uses GRE tunnels on compromised routers to pull data through network infrastructure. C2 traffic concealed in legitimate HTTP headers and cookies to evade detection within high-traffic carrier environments. |
| T1133 | External Remote Services | Maintains persistence via legitimate remote access pathways. Also exposes SSH, RDP, and FTP services on both standard and non-standard ports to facilitate remote access or data exfiltration. |
| T1098 | Account Manipulation | Modifies access-control lists (ACLs) to add attacker-controlled IP addresses, ensuring persistent network-layer access that survives device reboots and configuration changes. |
| T1014 | Rootkit | Deploys Demodex, a Windows kernel-mode rootkit identified by Kaspersky Lab, to gain remote control over targeted servers while evading standard forensic analysis and anti-virus detection. |
| T1027 | Obfuscated Files or Information | GhostSpider resides solely in memory to avoid disk-based detection. Extensive use of living-off-the-land binaries (WMIC.exe, PsExec, PowerShell) for lateral movement to minimize custom malware artifacts on disk. |
Known Campaigns
Multi-year infiltration of nine U.S. telecommunications carriers culminating in confirmed access to CALEA lawful intercept systems. The FBI confirmed real-time audio interception of senior U.S. officials and access to law enforcement surveillance target lists. Call records spanning millions of Americans were collected. Fewer than 150 direct victims were individually notified, but Warner warned "that number could go up dramatically." AT&T and Verizon announced containment in December 2024, though neither confirmed data was not stolen.
Disclosed in a DHS memo declassified in July 2025: Salt Typhoon lurked inside a U.S. state Army National Guard network for nine months, exfiltrating sensitive military and law enforcement data undetected. Between January and March 2024, the group also exfiltrated configuration files from at least two U.S. state government agencies.
Following exposure of U.S. operations, confirmed expansion to Canadian telecommunications providers, Norwegian networks, the United Kingdom (senior officials' call records and messages reportedly exposed), the Netherlands (smaller ISPs and web hosts targeted via routers), Italy, Brazil, South Africa, Myanmar, and carriers across 80+ countries. New Zealand confirmed Salt Typhoon activity spanning not just telecom but also government, transportation, lodging, and military networks. Japan, Australia, and the Czech Republic issued warnings. Czech officials disclosed related incidents in Finland and Poland. Recorded Future identified over 1,000 compromised Cisco devices across six continents and tracked targeting of Cisco routers at universities in Argentina, Mexico, Bangladesh, Indonesia, Malaysia, and Thailand. The FBI has formally notified 600+ organizations. Canada confirmed multiple top telecom firms hacked and warned that targeting extended beyond the telecom sector. The Canadian government also confirmed several Cisco routers at one major carrier were hacked to extract data.
Documented by Trend Micro as "Campaign Beta": long-term espionage against Southeast Asian telecommunications and government networks using GhostSpider and Demodex. Separately, "Campaign Alpha" targeted the Taiwanese government and chemical producers using Demodex and SNAPPYBEE. Over 20 confirmed compromised organizations across telecoms, consulting, chemical, transportation, government, and NGO sectors. Trend Micro assessed the group operates with a clear division of labor, with different teams handling different regional targets and C2 infrastructure.
Confirmed breach of Viasat, a U.S. satellite communications provider, by abusing remote management links tied to ground infrastructure. Represents a strategic escalation beyond terrestrial telecom infrastructure and demonstrates the group's intent to achieve comprehensive communications intercept capability across terrestrial and orbital systems.
Intrusions detected in several U.S. House of Representatives committee systems in December 2025. The Financial Times reported in January 2026 that Salt Typhoon hacked email systems of U.S. Congressional Committee staff, marking a direct pivot from telecommunications infrastructure to legislative branch targets.
Tools & Malware
Salt Typhoon operates with an unusually broad malware arsenal — a mix of proprietary tools and payloads shared across Chinese APT groups via what Trend Micro assesses may be malware-as-a-service (MaaS) platforms. The group assigns different tools to different campaigns and regional targets, and its C2 infrastructure appears to be managed by separate teams, reflecting a high degree of organizational sophistication.
- GhostSpider: A highly modular, memory-resident backdoor first identified by Trend Micro in November 2024, used primarily in Southeast Asian telecom intrusions. Loaded via DLL hijacking and registered as a service using the legitimate regsvr32.exe. Communicates with C2 servers by hiding instructions inside HTTP headers and cookies. Each functional module is deployed independently, meaning analysts observing one instance may see a completely different capability set from another. Designed for long-term espionage operations where stealth takes precedence over speed. Source: Trend Micro, November 2024.
- Demodex: A Windows kernel-mode rootkit named by Kaspersky Lab. Provides persistent, low-level access and uses advanced anti-forensic and anti-analysis techniques to remain undetected. Confirmed across multiple Salt Typhoon campaigns. Shared C2 infrastructure with SparrowDoor and CrowDoor has been observed, enabling Trend Micro to link campaigns attributed to Earth Estries/GhostEmperor/FamousSparrow with high confidence.
- SNAPPYBEE (Deed RAT): A modular backdoor shared across multiple Chinese APT groups — a hallmark of MaaS distribution, also used by Bronze Starlight and other clusters within the China-nexus ecosystem. Supports data exfiltration, system monitoring, credential theft via TrillClient stealer integration, and remote command execution. Deployed primarily in campaigns targeting Taiwanese government and chemical sector targets. Source: Trend Micro, November 2024.
- Masol RAT: A cross-platform backdoor first observed targeting Southeast Asian government Linux servers in 2020. Evolved over time to target multiple operating systems. Initially unattributed; Trend Micro confirmed Earth Estries deployment in 2024. Source: Trend Micro, November 2024.
- SparrowDoor: A modular backdoor providing remote access and C2 communication, used for lateral movement. Shared C2 infrastructure with Demodex and CrowDoor confirms it as part of the same cluster. Associated with early FamousSparrow intrusions at hotels and government networks.
- CrowDoor: A data exfiltration-focused malware identified in Trend Micro's Earth Estries research. Shares C2 infrastructure with SparrowDoor and Demodex.
- Custom IOS XE implants: Post-exploitation backdoors deployed following CVE-2023-20198 exploitation. Configured GRE tunnels to pull data through compromised routers. Designed to persist across reboots and evade standard network monitoring. Recorded Future documented 1,000+ compromised Cisco devices across six continents. For the latest Cisco-specific threat context, see Interlock's exploitation of the Cisco FMC zero-day — a different threat actor using the same device category as an attack surface.
- Living-off-the-land tooling: Extensive use of native binaries — WMIC.exe, PsExec, PowerShell — for lateral movement. NeoReGeorg tunneling tool, Cobalt Strike, and open-source reverse proxy frpc also confirmed. The preference for legitimate tools over custom malware significantly complicates detection within high-traffic carrier environments. Source: CISA AA25-239A, August 2025; SC Media, November 2024.
Analysts hunting for Salt Typhoon malware samples can use REMnux v8 with AI-assisted malware analysis to triage GhostSpider and Demodex artifacts — particularly useful given both tools' heavy use of obfuscation and anti-analysis techniques.
Mitigation & Defense
The August 2025 CISA Advisory AA25-239A — co-signed by 25 agencies across allied nations including Canada, the UK, Germany, and Japan — is the most comprehensive public guidance available. It covers indicators of compromise from August 2021 through June 2025, custom software documentation, and actionable threat hunting guidance. Notably, the FCC moved in November 2025 to reverse cybersecurity rules adopted specifically after Salt Typhoon was disclosed, making voluntary hardening measures more important than ever.
- Patch edge devices immediately: Cisco IOS XE, Ivanti Connect Secure, Fortinet, Sophos Firewall, and other network edge devices must be patched within 24–48 hours of disclosure. Investigators found carriers running equipment with patches available for seven years or more that had never been applied. Salt Typhoon exploits these gaps faster than defenders typically patch.
- Audit CALEA and lawful intercept systems: Organizations subject to CALEA compliance should conduct immediate audits of who has accessed intercept infrastructure and review access logs for anomalies dating back to 2019. Investigators found credential reuse across network appliances and absent multi-factor authentication on highly privileged accounts — basic failures that enabled the breach.
- Network segmentation: Enforce strict segmentation between management plane, data plane, and lawful intercept systems. CISA AA25-239A specifically warns that Salt Typhoon exploits flat network architectures and leverages trusted connections between carrier networks to pivot into additional victims.
- Encrypted communications: The FBI and CISA explicitly recommended end-to-end encrypted messaging apps — Signal, iMessage — for sensitive communications following the Salt Typhoon disclosure. This recommendation reflects the reality that carrier-level interception cannot be prevented at the device level without end-to-end encryption.
- Monitor for GRE tunnels and ACL modifications: Deploy behavioral monitoring on network infrastructure devices, not just endpoints. Look for GRE tunnel configurations not in your baseline, unexpected ACL modifications adding unknown IP addresses, unusual CLI activity, and anomalous outbound connections on non-standard ports. CISA AA25-239A contains specific threat hunting queries for Salt Typhoon indicators.
- Credential hygiene on network devices: Rotate all privileged credentials on network infrastructure. Eliminate credential reuse across appliances. Require MFA for all privileged network administrator accounts. Salt Typhoon maintains persistence through stolen admin credentials after initial exploitation.
- Memory-based implant detection: Standard disk-based antivirus will not detect GhostSpider, which resides solely in memory. Deploy EDR solutions capable of detecting in-memory implants and obfuscated payloads, DLL sideloading, and suspicious use of regsvr32.exe for service registration.
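The GRE tunnel (T1071) and ACL manipulation (T1098) rows in the TTP table and the "Monitor for GRE tunnels and ACL modifications" bullet above both come down to the same check: compare what is on the router now against a reviewed baseline. The following is an added example, not code from NoHacky or from CISA AA25-239A; it diffs a Cisco IOS-style running config against a baseline and flags new GRE tunnel interfaces and newly permitted hosts outside a sanctioned management range. The config text, the addresses and the `ALLOWED_MGMT` range are constructed for illustration.

```python
"""Diff a Cisco IOS-style running config against a trusted baseline and flag
two persistence patterns CISA AA25-239A attributes to Salt Typhoon: new GRE
tunnel interfaces and ACL entries permitting hosts outside a sanctioned range.
The configs and allowlist below are constructed for illustration."""
import ipaddress
import re

# Constructed baseline: one sanctioned GRE tunnel, two sanctioned admin hosts.
BASELINE = """\
interface Tunnel0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
ip access-list extended MGMT-IN
 permit tcp host 192.0.2.10 any eq 22
 permit tcp host 192.0.2.11 any eq 22
 deny ip any any
!
"""
# Constructed "after" config: the baseline plus an added tunnel and permit entry.
CURRENT = BASELINE.replace(
    "!\nip access-list",
    "!\ninterface Tunnel99\n tunnel destination 203.0.113.45\n tunnel mode gre ip\n!\nip access-list",
).replace(" deny ip any any", " permit tcp host 203.0.113.45 any eq 22\n deny ip any any")
# Operator-sanctioned management range (constructed).
ALLOWED_MGMT = [ipaddress.ip_network("192.0.2.0/28")]

def parse(config):
    """One pass over the config. Returns (tunnels, acls):
    tunnels: name -> (mode, destination); acls: name -> permitted source hosts."""
    tunnels, acls, section, kind = {}, {}, None, None
    for line in config.splitlines():
        if line.startswith("!"):                      # end of the current block
            section = None
        elif m := re.match(r"^interface (Tunnel\d+)", line):
            section, kind = m.group(1), "tun"
            tunnels[section] = ["", ""]
        elif m := re.match(r"^ip access-list \S+ (\S+)", line):
            section, kind = m.group(1), "acl"
            acls[section] = []
        elif section and kind == "tun":
            if m := re.match(r"^\s*tunnel mode (.+)", line):
                tunnels[section][0] = m.group(1).strip()
            elif m := re.match(r"^\s*tunnel destination (\S+)", line):
                tunnels[section][1] = m.group(1)
        elif section and kind == "acl":
            if m := re.match(r"^\s*permit \S+ host (\S+)", line):
                acls[section].append(m.group(1))
    return {k: tuple(v) for k, v in tunnels.items()}, acls

def find_deviations(baseline, current):
    """Report GRE tunnels absent from the baseline and ACL hosts that are new
    since the baseline and fall outside ALLOWED_MGMT."""
    (base_t, base_a), (cur_t, cur_a) = parse(baseline), parse(current)
    findings = []
    for name, (mode, dst) in cur_t.items():
        if name not in base_t and mode.startswith("gre"):
            findings.append(f"new GRE tunnel {name} -> {dst}")
    for acl, hosts in cur_a.items():
        for host in hosts:
            if host in base_a.get(acl, []):
                continue  # already present in the reviewed baseline
            if not any(ipaddress.ip_address(host) in n for n in ALLOWED_MGMT):
                findings.append(f"ACL {acl} now permits unlisted host {host}")
    return findings

if __name__ == "__main__":
    for finding in find_deviations(BASELINE, CURRENT):
        print("ALERT:", finding)
```

In practice the baseline would be the last change-controlled config export and the current config a fresh `show running-config` capture, with findings fed to the same alerting pipeline that watches CLI activity on the device.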
The U.S. Treasury's January 2025 sanctions against Sichuan Juxinhe Network Technology Co. are the clearest public attribution linking Salt Typhoon to a specific MSS-connected entity. Full declassified attribution to a specific MSS bureau or PLA unit has not been published. The Cyber Safety Review Board, which was actively investigating the breach and developing lessons-learned guidance, was disbanded by the Trump administration on January 20, 2025 before completing its work. CISA has taken over the investigation. Senator Ron Wyden described the disbandment as "a massive gift to the Chinese spies who targeted Trump, JD Vance and other top political figures."
Sources & Further Reading
- NoHacky — Salt Typhoon: Inside the Worst Telecom Hack in U.S. History
- U.S. Department of the Treasury — Treasury Sanctions Company Associated with Salt Typhoon (January 17, 2025)
- CISA Advisory AA25-239A — Countering Chinese State-Sponsored Actors (August 27, 2025)
- CISA/FBI — People's Republic of China-Linked Actors Compromise Routers and IoT Devices (2024)
- Cisco Talos — Weathering the Storm: In the Midst of a Typhoon (February 20, 2025)
- Trend Micro — Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions (November 25, 2024)
- MITRE ATT&CK — Salt Typhoon, Group G1045
- U.S. Senate Commerce Committee — Experts Agree U.S. Communications Networks Remain Vulnerable (December 3, 2025)
- Nextgov/FCW — Salt Typhoon Hackers Targeted Over 80 Countries, FBI Says (August 27, 2025)
- Help Net Security — China-Linked Salt Typhoon Hackers Attempt to Infiltrate European Telco (October 20, 2025)
- TechCrunch — Salt Typhoon Is Hacking the World's Phone and Internet Giants (March 9, 2026)
- NJCCIC — Salt Typhoon Threat Analysis (New Jersey Cybersecurity and Communications Integration Cell)
- The Register — Singapore spent 11 months evicting suspected telco spies (UNC3886 / Operation Cyber Guardian) (February 10, 2026)
- TechCrunch — Singapore: China-backed hackers targeted country's largest phone companies (February 10, 2026)
- Cybersecurity Dive — Federal agencies abruptly pull out of RSAC after organizer hires Easterly (January 26, 2026)
- The Register — Private sector wants feds' help to tackle China's Typhoons (RSA 2026 panel recap) (March 23, 2026)