The FBI has confirmed that a Chinese state-sponsored hacking group, dubbed “Salt Typhoon,” has infiltrated over 200 US companies, marking one of the most significant cyber espionage campaigns in history. This sophisticated operation, linked to China’s Ministry of State Security (MSS), has targeted telecommunications giants, government officials, and critical infrastructure, raising alarms about the vulnerability of US data networks.
The Scale of the Salt Typhoon Campaign
Salt Typhoon’s campaign, ongoing since at least 2020, has compromised major US telecom providers, including AT&T, Verizon, Lumen, Charter Communications, and Windstream. The hackers accessed call records, metadata, and even real-time communications of high-profile individuals, including political figures like President-elect Donald Trump and Vice President-elect JD Vance. The breach extended globally, affecting companies in 80 countries and targeting critical infrastructure across 13 nations, predominantly in Asia.
The FBI’s cyber chief, Brett Leatherman, described the operation as “broad and significant,” noting that the hackers siphoned sensitive network traffic through compromised routers and switches. This allowed Chinese operatives to map communication patterns, access court-ordered wiretap systems, and potentially identify US surveillance targets, posing a severe counterintelligence threat.
Tactics and Techniques
Salt Typhoon employs advanced techniques, including the use of a Windows kernel-mode rootkit called Demodex, which grants remote control over targeted servers. The group’s operations are highly organized, with distinct teams focusing on different regions and industries, showcasing a clear division of labor. Their ability to maintain persistent access—sometimes for years—highlights their stealth and sophistication.
The hackers exploited vulnerabilities in outdated routers and internet-connected devices, creating botnets to conceal their activities. This mirrors tactics used by other Chinese hacking groups like Flax Typhoon and Volt Typhoon, which targeted similar infrastructure for espionage and potential disruption.
Impact on US Infrastructure
The breach’s impact is staggering. Salt Typhoon accessed private portals used by law enforcement for court-ordered surveillance, potentially compromising ongoing investigations. The hackers also infiltrated the US National Guard network in at least one state for nearly a year, raising concerns about military data security. The sheer volume of stolen metadata could provide China with unprecedented insights into US communication networks, though classified communications reportedly remained secure.
Senator Mark Warner called this “the worst telecommunications hack in our nation’s history,” emphasizing the need to replace thousands of compromised devices to fully expel the hackers. The scale of the operation dwarfs previous cyberattacks like SolarWinds or Colonial Pipeline, underscoring the growing threat of state-sponsored cyber espionage.
Government and Industry Response
In response, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) issued a joint advisory in December 2024, offering technical guidance to secure telecom systems. Recommendations include patching vulnerabilities, hardening network devices, and using end-to-end encrypted messaging apps like Signal to protect communications. Despite these efforts, fully removing Salt Typhoon from compromised systems remains a challenge, with some estimates suggesting mitigation could take until mid-2025.
The White House has held briefings with telecom leaders to coordinate defenses, while the House Committee on Homeland Security requested documents from the Department of Homeland Security (DHS) to assess the federal response. In April 2025, the FBI announced a $10 million bounty for information on Salt Typhoon operatives, signaling a hardline stance against the group.
Implications for Cybersecurity
The Salt Typhoon campaign exposes critical vulnerabilities in US telecommunications infrastructure. Experts warn that reliance on outdated equipment and weak security practices, such as default credentials and unpatched systems, enabled the hackers’ success. John Terrill, CSO at Phosphorus, noted that these issues plague not only telecoms but also the broader supply chain, amplifying the risk to critical infrastructure.
For the average American, the risk of personal data exposure is low, but the breach’s implications for national security are profound. The ability of foreign actors to access law enforcement wiretap systems could undermine counterintelligence efforts, while stolen intellectual property threatens corporate competitiveness.
Protecting Yourself and Your Organization
To mitigate risks from Salt Typhoon and similar threats, individuals and organizations should:
- Update Devices: Regularly apply firmware and security patches to smartphones, routers, and IoT devices.
- Use Encryption: Adopt end-to-end encrypted apps like Signal or FaceTime for sensitive communications.
- Enable Two-Factor Authentication: Strengthen account security with 2FA on critical platforms.
- Monitor Networks: Organizations should implement robust monitoring and patch management to detect intrusions early.
The Salt Typhoon hacking campaign is a wake-up call for the US, highlighting the urgent need for stronger cybersecurity measures across public and private sectors. As China’s cyber capabilities grow, the FBI and its partners face an uphill battle to secure the nation’s digital infrastructure. By prioritizing encryption, regular updates, and proactive monitoring, individuals and organizations can help safeguard against this evolving threat.