A joint cybersecurity advisory from 13 countries has revealed that the China-linked hacking group known as Salt Typhoon launched a sweeping campaign targeting global telecommunications providers and critical infrastructure.
The group uses router exploitation, credential theft, and long-term persistence techniques, compromising hundreds of organizations across more than 80 countries, raising concerns about global espionage and surveillance.
Salt Typhoon is an advanced persistent threat (APT) actor active since at least 2019. The group focuses on infiltrating telecommunications, government, transportation, lodging, and military infrastructure. According to the advisory, the attackers gained access by exploiting known vulnerabilities in network edge devices, modifying routers, and maintaining persistence by altering configurations.
The operation has been traced back to three Chinese technology companies, known as Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd., that provide cyber-related services to Chinese intelligence agencies.
The joint alert was co-signed by cybersecurity authorities from Australia, Canada, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, New Zealand, Poland, Spain, the U.K., and the U.S. Together, they warn that the campaign allows Beijing to track global communications and movements at an unprecedented scale.
While ransomware groups focus on financial extortion, Salt Typhoon’s primary motive appears to be espionage and surveillance.
Previous advisories have linked Chinese APT groups to theft of trade secrets, intellectual property, and sensitive defense data. Salt Typhoon overlaps with activity tracked under different names, including GhostEmperor, Operator Panda, RedMike, and UNC5807.
Their emphasis on intelligence collection also aligns with a recent New York Times report suggesting that China-linked hackers may have "stolen information from nearly every American." While details of the breach remain undisclosed, the report shows Salt Typhoon’s aggressive expansion and massive data-gathering efforts.
Salt Typhoon has demonstrated technical sophistication in multiple areas, including:
The attackers’ tactics indicate an intimate familiarity with telecom-grade infrastructure. Additionally, their ability to blend persistence mechanisms into legitimate router functions makes detection difficult and remediation costly.
“These APT actors are exploiting vulnerabilities in the large backbone routers of telecommunications providers—specifically provider edge and customer edge routers that often lack visibility and are difficult to monitor—to gain and maintain persistent access, particularly in telecommunications, government, transportation, lodging, and defense networks. They often modify router firmware and configurations to evade detection and establish long-term footholds,” the joint advisory stated.
“Active since at least 2019, these actors conducted a significant cyber-espionage campaign, breaching global telecommunications privacy and security norms,” said Brett Leatherman, head of the FBI’s Cyber Division.
“An ecosystem of contractors, academics, and other facilitators is at the heart of Chinese cyber espionage,” John Hultquist, Chief Analyst at Google Threat Intelligence Group, told The Hacker News.
The Dutch intelligence services (MIVD and AIVD) also noted that while Salt Typhoon’s activity in the Netherlands was not as severe as in the U.S., smaller ISPs and hosting providers were targeted.
Telecommunications networks are highly attractive espionage targets since compromising backbone routers and ISP infrastructure allows attackers to monitor voice and data communications, collect geolocation and movement patterns, capture authentication credentials from privileged accounts, and ultimately pivot into sensitive environments like government, healthcare, and defense networks.
Salt Typhoon’s targeting of hospitality and transportation sectors also raises concerns about individual surveillance. Data from hotel networks and airline systems can reveal where people are, who they are meeting, and how they move globally.
According to the New York Times report, the strategic intent behind such operations is to create a comprehensive intelligence map of individuals, organizations, and governments.
Organizations across industries, including healthcare, must treat edge devices, ISPs, and third-party providers as potential entry points.
As international advisories make clear, organizations must implement coordinated action and proactive patching. Staying compliant with HIPAA and other security frameworks helps organizations protect their internal systems and scrutinize every layer of connectivity that sensitive data passes through.
HIPAA applies when telecommunications data contains protected health information (PHI), like when calls are related to healthcare services.
No, they must have specific measures to handle PHI securely, including entering into business associate agreements with covered entities. To better protect sensitive data, HIPAA compliant email solutions, like Paubox, offer encrypted, secure communication that prevents data exposure and upholds federal regulations.