Salt Typhoon

Salt Typhoon is an advanced persistent threat actor believed to be operated by China's Ministry of State Security (MSS) which has conducted high-profile campaigns, particularly against the . The group's operations place an emphasis on counterintelligence targets in the United States and of key corporate intellectual property. The group has infiltrated over 200 targets in over 80 countries. Former NSA analyst Terry Dunlap has described the group as a "component of China's 100-Year Strategy."


Organization and attribution
Salt Typhoon is widely understood to be operated by China's Ministry of State Security (MSS), its foreign intelligence service and . The Chinese embassy in denied all allegations, saying it was "unfounded and irresponsible smears and slanders".

According to , the group is a "well-organized group with a clear division of labor" whereby attacks targeting different regions and industries are launched by distinct actors, suggesting the group consists of various teams, "further highlighting the complexity of the group's operations." The were reported to have commenced since at least 2023.


History

2023 to 2024: Telecommunication Hacks
In September 2024, reports first emerged that a severe cyberattack had compromised U.S. telecommunications systems. US officials stated that the campaign was likely underway for one to two years prior to its discovery, with several dozen countries compromised in the hack, including those in and the . The campaign was reportedly "intended as a Chinese espionage program focused on key government officials and key corporate intellectual."

In late 2024 U.S. officials announced that affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunications companies, later acknowledged to include , AT&T, , Spectrum, Lumen, Consolidated Communications, and Windstream. The attack targeted U.S. networks, particularly core network components, including routers manufactured by , which route large portions of the Internet. In October 2024, U.S. officials revealed that the group had compromised internet service provider (ISP) systems used to fulfill CALEA requests used by U.S. law enforcement and intelligence agencies to conduct court-authorized .

The hackers were able to access of users' calls and , including date and time stamps, source and destination , and phone numbers from over a million users, most of whom were located in the Washington D.C. metro area. In some cases, the hackers were able to obtain audio recordings of telephone calls made by high-profile individuals. Such individuals reportedly included staff of the Kamala Harris 2024 presidential campaign, as well as phones belonging to and . According to deputy national security advisor , a "large number" of the individuals whose data was directly accessed were "government targets of interest."

In March 2025, the United States House Committee on Homeland Security requested that the Department of Homeland Security (DHS) turn over documents on the federal government's response to the hacking.

The second Trump administration fired all members of the Cyber Safety Review Board before it could complete its investigation of the intrusion. In April 2025, the Federal Bureau of Investigation (FBI) announced a US$10 million bounty for information on individuals associated with Salt Typhoon.


2024 to 2025: National Guard Networks
On June 11, 2025, the DHS published a report entitled Salt Typhoon: Data Theft Likely Signals Expanded Targeting. In the report, the agency describes how the threat actor group compromised the network of an unnamed US state's Army National Guard.

In August 2025, the FBI stated that Salt Typhoon has hacked at least 200 companies across 80 countries.


Targets
According to The New York Times, Salt Typhoon is unique in focusing primarily on counterintelligence targets. In addition to U.S. Internet service providers, the cybersecurity firm says Salt Typhoon has previously broken into hotels and government agencies worldwide. An unnamed Canadian telecom company was breached in February 2025. In June 2025, Viasat (a US telecom) was named as a victim of Salt Typhoon.


Tactics, techniques, and procedures
Salt Typhoon reportedly employs a Windows kernel-mode , Demodex (name given by ), to gain remote control over their targeted servers. They demonstrate a high level of sophistication and use anti-forensic and anti-analysis techniques to evade detection.


Initial access
To gain initial access into their targets, the group has been observed exploiting known vulnerabilities in firewalls, routers, and VPN products:

  • Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability
  • Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection
  • Cisco Internetworking Operating System (IOS) XE software web management user interface post-authentication command injection/privilege escalation
  • Cisco IOS XE web user interface authentication bypass
  • Cisco IOS and IOS XE Smart Install remote code execution
  • Microsoft Exchange Server server-side request forgery vulnerability (ProxyLogon)
  • Sophos Firewall code injection vulnerability
  • FortiClient Enterprise Management Server (FortiClientEMS) SQL injection vulnerability
  • Ivanti Connect Secure and Ivanti Policy Secure authentication bypass vulnerability


Persistence
Salt Typhoon employs many techniques to maintain access to their targets and avoid detection.

  • Modifying access-control lists (ACLs) to add IP addresses.
  • Exposing services such as , RDP, or to facilitate remote access or data exfiltration. The services are run on both standard and non-standard ports to help evade detection. The group has also been observed adding keys to existing SSH services.
  • Creating tunnels over protocols, such as Generic Routing Encapsulation (GRE) or , on network devices.
  • Running commands inside Linux containers on Cisco networking devices via Guest Shell. This allows the threat actor to stage tools, process data, and move laterally through the network undetected, as activity inside the container is generally not monitored.
  • Using open source multi-hop pivoting tools to relay commands from command and control servers.
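Each of the persistence techniques listed above leaves a trace in the affected device's running configuration, so one practical defensive check is to diff a known-good configuration against the current one and flag any new lines that match those techniques (a permit entry added to an ACL, a GRE tunnel interface, SSH moved to a non-standard port, a public key added to an existing user, Guest Shell activation). The script below is an added example and is not code from the article or from any vendor; the hostname, IP addresses, key material and both configuration excerpts are constructed, and the Cisco IOS-XE command syntax is assumed to be representative rather than taken from the page.

```python
"""Flag running-config changes on a Cisco IOS/IOS-XE device that match the
persistence techniques described above. Added example; all sample data is
constructed and the IOS-XE syntax is assumed representative.
"""
import re
from dataclasses import dataclass

# Constructed known-good configuration for a hypothetical edge router.
BASELINE_CONFIG = """\
hostname edge-rtr-01
ip access-list extended MGMT-ACCESS
 permit tcp host 10.0.5.10 any eq 22
 permit tcp host 10.0.5.11 any eq 22
 deny ip any any
line vty 0 4
 transport input ssh
"""

# Constructed current configuration containing each persistence pattern.
CURRENT_CONFIG = """\
hostname edge-rtr-01
ip access-list extended MGMT-ACCESS
 permit tcp host 10.0.5.10 any eq 22
 permit tcp host 10.0.5.11 any eq 22
 permit tcp host 203.0.113.77 any eq 22
 deny ip any any
interface Tunnel100
 tunnel mode gre ip
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.9
ip ssh port 2222 rotary 1
ip ssh pubkey-chain
 username admin
  key-string
   AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeymaterial
  exit
 exit
iox
app-hosting appid guestshell
line vty 0 4
 transport input ssh
"""

# (technique label, pattern matched against a single config line)
RULES = [
    ("acl_permit_added", re.compile(r"^\s*permit\b")),
    ("gre_tunnel", re.compile(r"^\s*tunnel mode gre\b")),
    ("tunnel_destination", re.compile(r"^\s*tunnel destination\b")),
    ("ssh_nonstandard_port", re.compile(r"^\s*ip ssh port (?!22\b)\d+")),
    ("ssh_pubkey_added", re.compile(r"^\s*key-string\b")),
    ("guestshell_enabled", re.compile(r"^\s*(iox|app-hosting appid guestshell)\b")),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Finding:
    technique: str
    context: str   # enclosing config block, e.g. the ACL or interface name
    line: str


def config_lines(text):
    """Non-blank lines with trailing whitespace removed; indentation is kept
    because IOS uses it to express block nesting."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def analyze(baseline, current):
    """Return findings for lines present in `current` but not in `baseline`
    that match one of the persistence rules."""
    base = set(config_lines(baseline))
    stack = []          # (indent, line) of the blocks enclosing the current line
    findings = []
    for ln in config_lines(current):
        indent = len(ln) - len(ln.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        context = stack[-1][1].strip() if stack else "(global)"
        if ln not in base:
            for technique, pattern in RULES:
                if pattern.search(ln):
                    findings.append(Finding(technique, context, ln.strip()))
        stack.append((indent, ln))
    return findings


def indicator_ips(findings):
    """IPv4 addresses named in the flagged lines: the remote ends of new ACL
    permits and tunnels are the first things to hunt for in flow logs."""
    return {ip for f in findings for ip in IPV4.findall(f.line)}


if __name__ == "__main__":
    results = analyze(BASELINE_CONFIG, CURRENT_CONFIG)
    for f in results:
        print(f"{f.technique:22} [{f.context}] {f.line}")
    print("addresses to hunt:", sorted(indicator_ips(results)))
```

The diff-against-baseline approach deliberately ignores lines that were already in the golden configuration, so an ACL entry or tunnel that an operator provisioned legitimately does not generate noise; what it surfaces is exactly the set of changes the listed techniques would introduce, together with the remote addresses to look for in NetFlow or firewall logs.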


Affiliations
Salt Typhoon is aided by a number of companies that work closely with Chinese intelligence services to provide cyber services, including:

  • Sichuan Juxinhe Network Technology Co. Ltd.
  • Beijing Huanyu Tianqiong Information Technology Co., Ltd.
  • Sichuan Zhixin Ruijie Network Technology Co., Ltd.

On January 17, 2025, the U.S. Department of the Treasury announced sanctions against Sichuan Juxinhe Network Technology Co., Ltd. The statement accused Sichuan Juxinhe of having direct involvement with Salt Typhoon and that the group was responsible for breaching multiple U.S. telecommunication and internet service provider companies.


Name
Salt Typhoon is the name assigned by Microsoft and is the one most widely used to describe the group. The group has also variously been called:


See also
  • Cyberwarfare and China
  • Chinese information operations and information warfare
  • Chinese espionage in the United States
