Salt Typhoon has become one of the most important cyber espionage stories for IT and security leaders to understand. State-sponsored cyber espionage poses significant risks to national security and critical infrastructure. The U.S. government has confirmed an ongoing investigation into the Salt Typhoon hacks, and the campaign has raised urgent questions about the privacy of communications, the resilience of telecom systems, and the exposure of sensitive data across public and private networks. Salt Typhoon is considered one of the major incidents in cybersecurity history because of its unprecedented scale and its impact on both government and private sector entities. The campaign has also had significant implications for foreign affairs, since it targeted diplomatic communications and international strategic interests. This guide is intended for IT and security leaders who need to understand the risks, technical details, and organizational responses to Salt Typhoon, a critical threat to both public and private sector communications infrastructure.
Reports first emerged in September 2024 that a severe cyberattack had compromised U.S. telecommunications systems. In early October 2024, media outlets reported that PRC state-sponsored hackers had infiltrated United States telecommunications companies. By late 2024, U.S. officials said the scope was broader than first understood and announced that hackers affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunications companies.
The People’s Republic of China (PRC) is assessed as the most active and persistent cyber threat to U.S. institutions. Salt Typhoon is attributed to China’s Ministry of State Security, which is assessed to operate the group behind these sophisticated attacks. Its operators, acting as state-sponsored actors, focus on espionage and data theft targeting foreign government institutions, critical infrastructure, and private sector organizations worldwide. The implications of state-sponsored cyber espionage extend beyond immediate data theft, affecting international relations and national security policies. Salt Typhoon has infiltrated over 200 targets in over 80 countries, focusing on counterintelligence and the theft of key corporate intellectual property. Salt Typhoon and Volt Typhoon are both Chinese state-backed cyber espionage groups known for targeting critical infrastructure and sensitive data. During the administration of President Donald Trump, concerns about Chinese hacking activities led to heightened U.S. government responses and public statements emphasizing the national security risks posed by these campaigns.
Salt Typhoon
Salt Typhoon is widely described as a PRC-linked espionage operation focused on intelligence collection and long-term, persistent access inside high-value communications infrastructure. State-sponsored cyber actors often employ sophisticated techniques to infiltrate networks and evade detection; Salt Typhoon used advanced malware with obfuscation techniques to remain undetected for extended periods.

The campaign is also part of a wider pattern. Salt Typhoon is part of a broader syndicate of state-backed groups tied to different military and intelligence arms of China’s central government. The Salt Typhoon attacks have been described as the most egregious national security breach in U.S. history by a nation-state hacking group. That language reflects the scale of the compromise, which impacted a large number of users and systems, and the fact that communications infrastructure sits at the center of government, business, and law enforcement operations. The full extent of the breach remains unclear, with an unknown number of compromised systems or victims potentially affected.
Introduction to the Threat
Salt Typhoon represents a new era of cyber risk for global telecommunications networks and critical infrastructure. As a state-backed hacking group linked to China, Salt Typhoon has orchestrated a multi-year espionage campaign targeting telecom operators and the backbone of communications infrastructure. Their operations have demonstrated a high degree of sophistication, leveraging advanced techniques to gain unauthorized access to sensitive data and maintain persistent access within targeted networks. Security agencies, including the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), have assessed that Salt Typhoon has likely compromised major companies such as Comcast and Digital Realty. This underscores the group’s ability to infiltrate and remain undetected within critical infrastructure, posing a direct threat to national security. For infrastructure security agencies and cybersecurity experts, Salt Typhoon’s campaign highlights the urgent need to strengthen defenses across telecommunications networks and ensure that both public and private sector companies are prepared to counter persistent, state-sponsored adversaries.
Characteristics of the Campaign
The Salt Typhoon campaign stands out for its relentless focus on counterintelligence and its use of highly sophisticated tactics, techniques, and procedures. The group has exploited vulnerabilities in communications sector hardware and software — such as MikroTik routers — to gain initial access to targeted systems. Once inside, Salt Typhoon deploys custom malware, including the Demodex rootkit, to achieve remote control over servers and evade detection by traditional security tools. Their ability to maintain access to compromised systems is further enhanced by partnerships with companies that provide cyber services to Chinese intelligence services, blurring the line between private enterprise and state-sponsored activity. According to Deputy National Security Advisor Anne Neuberger, Salt Typhoon’s attacks have resulted in the compromise of sensitive data, including phone calls and text messages, from high-value targets. This campaign demonstrates the urgent need for organizations to adopt advanced cybersecurity measures, as the attackers’ ability to evade detection and maintain persistent access poses a significant risk to national security and the integrity of critical communications infrastructure.
Telecommunications Networks
The core issue for defenders is how deeply Salt Typhoon reached into telecommunications networks. In October 2024, U.S. officials revealed that the group had compromised internet service provider systems used to fulfill CALEA requests. Reuters also reported that investigators believed the attackers accessed infrastructure used by telecom providers to cooperate with court-authorized U.S. requests for communications data. As part of their operation, the attackers were able to intercept and monitor sensitive telephone calls, raising concerns about the security of high-profile communications.
The Salt Typhoon attacks targeted U.S. broadband networks, particularly core network components, including routers manufactured by Cisco. Salt Typhoon attackers disrupted service by reconfiguring vital protocols, intercepting communications, and gaining unauthorized access to network management systems. This resulted in a significant data breach, impacting privacy and national security by exposing sensitive information to unauthorized parties.
Telecommunications Companies
For telecommunications companies, the campaign became a test of detection, containment, and public accountability. The U.S. government has confirmed the existence of an ongoing investigation into the hacks targeting telecommunications companies. Congress has expressed concerns over the breaches and has called on U.S. companies and federal agencies to provide information about the incident. In March 2025, the United States House Committee on Homeland Security requested that the Department of Homeland Security turn over documents on the federal government’s response to the hacking. The ranking member of the Senate Committee on Homeland Security and Governmental Affairs has also played a key role in overseeing the investigation, requesting briefings and participating in hearings on the Salt Typhoon campaign.
In December 2024, Verizon and AT&T announced that they had contained the incident and that the threat actor no longer had access to their networks. Reuters reported that AT&T said it detected no current nation-state activity in its networks, while Verizon said it had contained the activities associated with the incident.
Regulatory bodies, including the Federal Communications Commission (FCC), have heightened scrutiny of affected telecommunications operators following the cyber incidents. In January 2025, outgoing FCC Chair Jessica Rosenworcel called Salt Typhoon a clarion call and the FCC moved toward requiring telecom carriers to adopt cyber risk management plans. Other countries have also responded to or been affected by the Salt Typhoon campaign, highlighting the global scope of the threat.
Communications Networks
The broader lesson is that communications networks are now squarely in the path of geopolitical cyber operations. State-sponsored cyber espionage campaigns often target critical infrastructure to gain strategic advantages. Notably, state-sponsored cyberattacks like Salt Typhoon have also targeted transportation sectors, highlighting the vulnerability of airports, airlines, and transit systems to disruptions and data breaches. The U.S. government has expressed concerns over the privacy of communications and the security of critical infrastructure due to state-sponsored cyber activities.
The Cybersecurity and Infrastructure Security Agency (CISA) is responsible for coordinating risk management activities with the communications sector. CISA has been involved in notifying hundreds of organizations about potential compromises related to the cyberattacks. CISA has initiated outreach to potential victims when it believes their networks are compromised, according to its notification process.
The U.S. government has established Cyber Unified Coordination Groups (Cyber UCGs) to coordinate responses to significant cyber incidents. The Cyber Safety Review Board (CSRB) is charged with examining significant cyber incidents and agency responses to improve operations. Congress may choose to examine the operations and authorities of the Cyber Safety Review Board in response to the cyber incidents.
Salt Typhoon Hacks
The most troubling element of the Salt Typhoon hacks is the breadth of the espionage value they produced. The hackers were able to access metadata of users' calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers from over a million users. The FBI later said the operation involved theft of call data logs, a limited number of private communications involving identified victims, and select information subject to court-ordered U.S. law enforcement requests.
Those details explain why officials treated this as more than an ordinary telecom breach. Cyber espionage activities can lead to significant data breaches, impacting both governmental and private sector entities. In some cases, officials said the attackers targeted individuals involved in government or political activity, and Reuters reported that U.S. authorities believed very senior political figures were affected.
In January 2025, the U.S. government sanctioned a PRC-based individual and a cybersecurity company for their alleged role in enabling the Salt Typhoon hacks. Through the Office of Foreign Assets Control, Treasury identified Yin Kecheng and Sichuan Juxinhe Network Technology Co., LTD., and tied Juxinhe directly to the Salt Typhoon group.
In April 2025, the Federal Bureau of Investigation announced a US$10 million bounty for information on individuals associated with Salt Typhoon.
Significant Cyber Incidents
Salt Typhoon belongs in the category of significant cyber incidents because it combined espionage, infrastructure access, and long dwell time. In June 2025, the DHS published a report entitled Salt Typhoon: Data Theft Likely Signals Expanded Targeting. In August 2025, the FBI stated that Salt Typhoon has hacked at least 200 companies across 80 countries. In December 2025, intrusions were detected in several United States House of Representatives committees and later attributed to Salt Typhoon. (U.S. Senate Committee on Commerce)
The latest development came by late summer 2025, when CISA, the National Security Agency, the FBI, and international partners issued broader guidance describing PRC state-sponsored compromises of telecom and internet service provider networks worldwide. That guidance showed the campaign was no longer just a U.S. telecom story. It had become a global access and surveillance problem. (CISA)
U.S. Government
The U.S. government response has combined public attribution, sanctions, regulatory pressure, and defensive guidance. Deputy National Security Advisor Anne Neuberger briefed lawmakers and said officials had identified additional victims as the investigation expanded. Congress, regulators, intelligence agencies, and law enforcement all treated the campaign as a major national security event.
Federal agencies also pushed practical mitigations. Organizations should implement Zero Trust Architecture to minimize lateral movement and reduce attack surfaces. Identity and Access Management (IAM) should enforce least-privilege principles and multi-factor authentication (MFA) to reduce opportunities for unauthorized access, making a robust IAM framework central to defending communications infrastructure. Real-time threat intelligence tools provide continuous monitoring of network traffic for anomalous patterns, allowing immediate response to potential intrusions, and advanced anomaly detection helps surface subtle signals in large, complex environments. Advanced monitoring systems, such as machine learning-enhanced SIEM platforms, improve event detection and response efficacy.
For telecom operators, mandatory incident reporting ensures timely responses to emerging threats and enhances overall cybersecurity posture. Cross-border intelligence sharing allows operators to exchange best practices and real-time threat indicators to enhance security. Organizations should adopt industry frameworks, such as ISO/IEC 27001 and NIST SP 800-53, to bolster security and operational resilience, and pair them with disciplined user access management practices. Enhanced vulnerability management involves continuous assessments and accelerated patch deployment strategies to address exploitable weaknesses.
A modern access strategy matters here too. For example, EveryKey supports passwordless access through proximity and presence, helping organizations reduce reliance on static credentials and tighten identity verification around devices and applications. In a climate where telecom and government targets are dealing with sophisticated access abuse, approaches that continuously confirm identity fit naturally alongside Zero Trust architecture.
Attribution and Organization
Salt Typhoon is widely attributed to China’s Ministry of State Security (MSS), the agency responsible for foreign intelligence and internal security operations. Investigations have linked the group’s activities to Sichuan Juxinhe Network Technology Co., LTD, a company accused of facilitating breaches of multiple U.S. telecommunications and internet service provider companies. While the Chinese government has categorically denied any involvement, dismissing the allegations as “unfounded and irresponsible,” the U.S. government has taken decisive action by sanctioning Sichuan Juxinhe for its direct role in supporting Salt Typhoon’s operations. This attribution underscores the complex and evolving nature of state-sponsored cyber threats, where companies can serve as proxies for intelligence agencies, and where the lines between government and private sector involvement in cyber operations are increasingly blurred. The ongoing confrontation between the U.S. government and Chinese state security over Salt Typhoon highlights the geopolitical stakes of modern cyber espionage.
Salt Typhoon Attacks
The long-term significance of the Salt Typhoon attacks is that they exploited systemic weaknesses in communications infrastructure and compromised critical communications infrastructure worldwide. The demand for stronger telecom protections is likely to continue as officials and private-sector defenders assess how the attackers exploited telecom systems, evaded detection, and maintained access for over a year.

The campaign also shows why defenders need to think beyond human users. Telecom, cloud, and ISP environments are full of privileged accounts, service relationships, and hidden dependencies. When attackers gain access to those layers, they can move through government systems, private sector infrastructure, and connected service providers with far less friction than most organizations expect.
Data Exfiltration
At its core, this was a case of high-value data exfiltration and covert collection. The compromised data reportedly included call metadata, text message metadata, law-enforcement-related records, and a limited number of private communications. That kind of access is especially dangerous because it supports counterintelligence analysis, targeting, pattern-of-life mapping, and follow-on intrusion planning.
Investing in quantum-safe encryption methods ensures long-term confidentiality against future threats. Blockchain technology can enhance secure data exchange and integrity in cybersecurity frameworks. Those longer-term ideas will matter for some sectors, but the immediate priority for most organizations is still simpler: harden access, reduce privileged exposure, segment networks, log aggressively, and assume that communications infrastructure is an active espionage target.
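The mitigation guidance above (anomaly detection over aggressive logging, least-privilege access, and a close watch on privileged paths into systems such as the lawful-intercept infrastructure the campaign reached) is easiest to make concrete with a small detection routine. The following is an added example written for this guide; it is not code from the article's author, from EveryKey, or from any agency advisory. The log format, hostnames, account names, management subnets, and the allowlist and baseline policies are all constructed assumptions, chosen to resemble SSH logins to a telecom network-management host and a lawful-intercept gateway. It parses syslog-style "Accepted" lines and flags four conditions a SIEM rule set would typically encode: a login from outside the management network, access to a lawful-intercept host by an account that is not allowlisted for it, interactive (password) use of a service account, and an off-hours or new-source login by a human administrator.

```python
"""Added example (not from the original article): privileged-access anomaly
checks over constructed SSH login lines from telecom management hosts."""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timezone

# --- Policy (assumed for this example; a real deployment derives these from
# --- its own asset inventory, IAM data and a learned per-account baseline) ---
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]          # expected admin sources
LAWFUL_INTERCEPT_HOSTS = {"li-gateway-01"}                   # CALEA-style systems
LI_ALLOWED_USERS = {"li-ops-alice", "li-ops-bob"}            # allowlist for those hosts
SERVICE_ACCOUNTS = {"svc-backup", "svc-monitor"}             # must use key auth only
BASELINE_SOURCES = {                                         # known source subnets per admin
    "netadmin-carol": {ipaddress.ip_network("10.20.5.0/24")},
    "netadmin-dave": {ipaddress.ip_network("10.20.5.0/24")},
}
OFF_HOURS_END = 6  # 00:00-05:59 UTC is treated as off-hours for human admins

# Constructed sample log lines; every host, user and address here is made up.
SAMPLE_LOGS = """\
2025-03-03T09:12:41Z nms-core-01 sshd: Accepted publickey for netadmin-carol from 10.20.5.31 port 50100
2025-03-03T02:14:07Z nms-core-01 sshd: Accepted password for svc-backup from 10.20.5.14 port 51022
2025-03-03T03:41:55Z li-gateway-01 sshd: Accepted publickey for netadmin-carol from 198.51.100.23 port 44021
2025-03-03T10:05:12Z li-gateway-01 sshd: Accepted publickey for li-ops-alice from 10.20.7.8 port 40312
2025-03-03T11:30:00Z nms-core-02 sshd: Accepted publickey for svc-monitor from 10.20.9.2 port 39000
2025-03-03T11:31:09Z nms-core-02 sshd: Failed password for invalid user admin from 203.0.113.5 port 1234
2025-03-03T14:02:33Z nms-core-01 sshd: Accepted publickey for netadmin-dave from 10.20.5.40 port 50222
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) sshd: "
    r"Accepted (?P<method>\w+) for (?P<user>[\w.-]+) from (?P<ip>[\d.]+) port \d+$"
)


def parse_line(line: str) -> dict | None:
    """Parse one successful-login line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["ip"] = ipaddress.ip_address(ev["ip"])
    return ev


def check_event(ev: dict) -> list[str]:
    """Return the names of every policy rule the login event violates."""
    rules: list[str] = []
    user, ip, host = ev["user"], ev["ip"], ev["host"]
    if not any(ip in net for net in MGMT_NETS):
        rules.append("source_outside_mgmt_net")
    if host in LAWFUL_INTERCEPT_HOSTS and user not in LI_ALLOWED_USERS:
        rules.append("li_access_not_allowlisted")
    if user in SERVICE_ACCOUNTS:
        # Service accounts are expected to be non-interactive: password auth
        # means a person (or an intruder) is driving the account by hand.
        if ev["method"] != "publickey":
            rules.append("service_account_interactive_auth")
        return rules  # human-only rules below do not apply
    if ev["ts"].hour < OFF_HOURS_END:
        rules.append("off_hours_admin_login")
    baseline = BASELINE_SOURCES.get(user)
    if baseline is not None and not any(ip in net for net in baseline):
        rules.append("new_source_subnet")
    return rules


def analyze(log_text: str) -> dict:
    """Run the checks over a log blob; report counts and per-event findings."""
    findings, parsed, skipped = [], 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1  # failed logins and other formats are out of scope here
            continue
        parsed += 1
        for rule in check_event(ev):
            findings.append({"rule": rule, "user": ev["user"], "host": ev["host"],
                             "ip": str(ev["ip"]), "ts": ev["ts"].isoformat()})
    return {"parsed": parsed, "skipped": skipped, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOGS)
    print(f"parsed={report['parsed']} skipped={report['skipped']}")
    for f in report["findings"]:
        print(f"{f['ts']} {f['host']} {f['user']} from {f['ip']}: {f['rule']}")
```

On the constructed sample, the off-hours login to the lawful-intercept gateway by a non-allowlisted administrator from an external address triggers four rules at once, and the password login by a backup service account triggers one; the routine logins produce nothing. Stacking several weak signals on a single event is the point: none of the individual rules is conclusive, but together they are exactly the kind of subtle pattern the article's call for anomaly detection and privileged-path review is meant to surface.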
Timeline of the Campaign
The Salt Typhoon campaign has unfolded over several years, with initial signs of activity detected as early as 2023. By September 2024, reports surfaced of a major cyberattack compromising U.S. telecommunications systems, quickly attributed to Salt Typhoon. In October 2024, it became clear that the group had gained access to the computer systems of nine major U.S. telecommunications companies, including industry leaders like Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. The campaign has continued to evolve, with the latest developments in 2025 revealing that Salt Typhoon has expanded its reach to include data center operators and residential internet providers, further threatening critical infrastructure and telecommunications networks. The Federal Communications Commission (FCC) and other government agencies have responded with increased oversight and regulatory action, but the campaign’s ongoing nature highlights the need for continued vigilance and collaboration between government agencies, telecommunications companies, and the private sector to defend against future attacks and safeguard essential systems.
Conclusion
Salt Typhoon is a reminder that cyber espionage against telecom networks is no longer a niche issue. It is a national security issue, a critical infrastructure issue, and a board-level risk issue. The campaign affected telecommunications firms, internet service providers, government targets, and connected organizations well beyond the initial victim set.
For IT leaders, the takeaway is clear. Treat communications networks and identity systems as strategic assets. Reduce unnecessary access. Improve monitoring. Enforce MFA. Review privileged paths. Assume sophisticated threat actors will try to persist quietly. The organizations that respond well to Salt Typhoon will be the ones that make access harder to abuse and visibility easier to act on, with identity security strategies that keep users and devices under continuous verification.
FAQ
What is Salt Typhoon?
Salt Typhoon is a PRC-linked cyber espionage campaign attributed to China's Ministry of State Security and tied by U.S. officials to intrusions into U.S. telecommunications and internet service provider environments, with activity focused on surveillance, intelligence collection, and long-term access. The group is known for high-profile espionage campaigns targeting critical infrastructure, particularly in the United States; it employed advanced malware with obfuscation techniques to remain undetected for extended periods and is part of a broader syndicate of state-backed groups tied to different military and intelligence arms of China's central government.
Why is Salt Typhoon important to IT professionals?
It shows how threat actors can exploit telecom and ISP infrastructure to gain unauthorized access, collect sensitive data, and maintain persistent access in environments that support both enterprise and government communications.
What data did Salt Typhoon reportedly access?
Officials said the attackers stole call data logs, some private communications, and information tied to lawful U.S. law enforcement requests. Reporting also indicated the hackers accessed metadata tied to calls and text messages from over a million users.
Which agencies have led the response?
The FBI, CISA, ODNI, Treasury, DHS, and the FCC have all been involved in public attribution, sanctions, regulatory scrutiny, technical guidance, and congressional oversight connected to Salt Typhoon.
What should organizations do in response?
Organizations should implement Zero Trust Architecture, strengthen IAM and MFA, improve network visibility, accelerate vulnerability management, segment critical systems, and tighten incident reporting and response processes.