
If you thought China’s Salt Typhoon was booted off critical networks, think again

China’s Salt Typhoon cyberspies continue their years-long hacking campaign targeting critical industries around the world, according to a joint security alert from cyber and law enforcement agencies across 13 countries.

The USA’s FBI and CISA first alerted the public about Salt Typhoon’s “significant cyber espionage campaign” late last year, and later warned the Chinese snoops’ telco intrusions allowed them to geo-locate millions of subscribers, monitor their internet traffic, and “record their phone calls” – with victims reportedly including President Donald Trump and Vice President JD Vance.

It now appears that the hacking activities extended far beyond American telecommunications and federal networks.

“Active since at least 2019, these actors conducted a significant cyber-espionage campaign, breaching global telecommunications privacy and security norms,” FBI cyber division boss Brett Leatherman said on Wednesday in a video message announcing the joint advisory.

Earlier in the day, Leatherman told media outlets that Salt Typhoon targeted more than 600 organizations across 80 countries.

The 37-page advisory includes indicators of compromise associated with Chinese government spies seen as recently as June, and says targeted sectors include, but are not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks.

“While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” the US and its allies warned. “These actors often modify routers to maintain persistent, long-term access to networks.”

The international coalition also called out three China-based entities affiliated with Salt Typhoon – Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology – that it accused of providing cyber products and services to China’s Ministry of State Security and People’s Liberation Army.

In January, the US issued sanctions on one of the three, Sichuan Juxinhe Network Technology, which it said was affiliated with Salt Typhoon.

The advisory lists CVEs that Salt Typhoon commonly exploits to gain initial access. These include:

* CVE-2024-21887 – Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained with an authentication bypass bug tracked as CVE-2023-46805.
* CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection. The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations.
* CVE-2023-20273 – Cisco Internetworking Operating System (IOS) XE software web management user interface post-authentication command injection/privilege escalation (commonly chained with CVE-2023-20198 for initial access to achieve code execution as root).
* CVE-2023-20198 – Cisco IOS XE web user interface authentication bypass vulnerability.
* CVE-2018-0171 – Cisco IOS and IOS XE Smart Install remote code execution vulnerability.

Network defenders should prioritize patching these, if they haven’t already done so.

The advisory also describes tools and techniques that Salt Typhoon uses to maintain network persistence, move laterally across devices, capture traffic containing credentials, and abuse peering connections to steal sensitive information.
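Patching is the fix, but defenders triaging a large router estate also want to know which devices still expose the features behind the Cisco CVEs above. The script below is an added example, not the advisory's or The Register's own tooling: it parses an IOS/IOS XE running-config and flags an enabled web UI (the surface for CVE-2023-20198 / CVE-2023-20273) and a Smart Install client that has not been explicitly disabled (CVE-2018-0171). The hostname and config text are constructed.

```python
"""Audit an IOS / IOS XE running-config for features tied to the advisory's
Cisco CVEs. Added example with a constructed config; not advisory tooling."""

# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname pe-router-01
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0
 description uplink
!
end
"""


def audit_ios_config(config: str) -> dict:
    """Return which exposed features a running-config still carries.

    Comment lines ('!') are skipped and commands are matched on whole lines,
    so 'no ip http server' is never mistaken for 'ip http server'.
    """
    lines = [ln.strip() for ln in config.splitlines()
             if not ln.lstrip().startswith("!")]

    def has(cmd: str) -> bool:
        return any(ln == cmd for ln in lines)

    # Web UI (HTTP server feature) is the attack surface for CVE-2023-20198/20273.
    web_ui = has("ip http server") or has("ip http secure-server")
    # The Smart Install client is on by default on many Catalyst platforms and
    # leaves no config line when enabled; only an explicit 'no vstack' proves it off.
    smart_install_possible = not has("no vstack")

    findings = []
    if web_ui:
        findings.append("web UI enabled: CVE-2023-20198 / CVE-2023-20273 exposure on "
                        "unpatched IOS XE; patch, and restrict or disable the HTTP server")
    if smart_install_possible:
        findings.append("no 'no vstack' present: Smart Install client may be active "
                        "(CVE-2018-0171); confirm with 'show vstack config' and disable")
    return {"web_ui_enabled": web_ui,
            "smart_install_possible": smart_install_possible,
            "findings": findings}


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```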

In addition to the four US agencies (FBI, CISA, National Security Agency, and Department of Defense Cyber Crime Center), the UK’s National Cyber Security Centre plus government agencies in Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain also co-issued the security alert.

“Wow, that is a lot of seals on the alert,” Annie Fixler, director of the Center on Cyber and Technology Innovation at the national security think tank Foundation for Defense of Democracies, told The Register.

“This type of joint alert from so many partners speaks to the importance of the information and the level of confidence in the attribution,” she continued. “It is an important signal that the United States and its partners are united in their concerns about malicious Chinese state-sponsored cyber operations.”

It also indicates that any claims of successfully booting the snoops off of networks “should always be viewed with at least some skepticism,” Fixler added. “In the case of Salt Typhoon, given the longevity and sophistication of the penetration, a healthy dose of skepticism is necessary to any claims of quick fixes. Salt Typhoon is a persistent actor. Even if one method of access is thwarted, they are going to keep trying to get in.”

Google’s Mandiant incident response team was part of the clean-up crew called in to help telco companies globally rid their networks of Salt Typhoon.

“Though there are many Chinese cyber espionage actors regularly targeting the sector, this actor’s familiarity with telecommunications systems gives them a unique advantage, especially when it comes to evading detection,” Google Threat Intelligence Group chief analyst John Hultquist told The Register.

“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals,” he said. “Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”

In addition to the international governments’ joint alert, CrowdStrike researchers late last week warned that Salt Typhoon (it tracks this crew as Murky Panda) has escalated its cyberespionage across government, tech, academic, legal and professional services in North America over the first half of 2025.

A CrowdStrike spokesperson told The Register that the security shop has documented over a dozen cases of hacking activity attributed to this group since late spring. ®
