International intelligence agencies, spearheaded by the FBI, have officially classified the “Salt Typhoon” cyber campaign as a national defense crisis. This urgent declaration follows the discovery of widespread infiltration into global telecommunications networks by what are identified as Chinese state-backed hackers. The revelations expose one of the most extensive espionage operations ever uncovered, impacting critical infrastructure across more than 80 countries.
The Salt Typhoon actors systematically compromised core routers and management systems that underpin the world’s internet traffic. This sophisticated breach enabled the theft of sensitive data from millions, the surveillance of communications, and a silent undermining of global network integrity over an extended period.
“This isn’t merely a cyber intrusion; it’s the weaponization of our essential communications infrastructure,” stated a senior intelligence official deeply involved in the ongoing investigation.
On August 27, 2025, a joint advisory was issued by key U.S. agencies—the FBI, Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Department of Defense Cyber Crime Center—in collaboration with a broad coalition of international partners from Europe, North America, Japan, and Australia. This advisory, far from a routine bulletin, provided extensive technical guidance for network defenders to detect and eliminate the threat. Its release underscored a critical shift: telecommunications networks are now recognized as battlegrounds in a broader struggle for national security.
The Anatomy of the Salt Typhoon Campaign
The methods employed by Salt Typhoon reveal a disturbing level of patience and sophistication, hallmarks of state-backed Chinese hacking groups known for their long-game strategies. This was a methodical espionage operation, not a quick opportunistic strike.
1. Initial Infiltration Points
- Attackers gained entry by exploiting widely known vulnerabilities in networking equipment, including Ivanti Connect Secure (CVE-2024-21887), Palo Alto PAN-OS (CVE-2024-3400), and Cisco IOS XE (CVE-2023-20198 chained with CVE-2023-20273).
- Investigators found no evidence of zero-day exploits, indicating that the success of the attacks stemmed from organizations failing to apply critical security patches. Negligence, rather than novel attack methods, provided the entry points.
- This highlights a persistent challenge: while adversaries display patience, a relaxed approach to cybersecurity among some Western IT managers remains a significant vulnerability.
2. Persistent Access at the Core
- Once inside, Salt Typhoon operators skillfully altered access control lists, established new privileged accounts, and enabled remote management on unusual high-numbered ports.
- They activated hidden services, such as the IOS XR SSH listener on port 57722, ensuring discreet, long-term access.
- These actions allowed them to maintain persistence and remain undetected for months, and in some cases, even years.
3. Data Collection and Lateral Movement
- The attackers mirrored network traffic using SPAN, RSPAN, and ERSPAN to covertly monitor communications.
- Administrator credentials were harvested from TACACS+ packets.
- They then moved laterally across provider-to-provider links into downstream networks, exfiltrating data through GRE and IPsec tunnels designed to mimic legitimate traffic.
4. Strategic Objectives
The campaign’s focus was not financial gain. Instead, Salt Typhoon targeted critical sectors: telecom carriers, government systems, transportation hubs, lodging networks, and even military infrastructure. The clear objective was continuous surveillance of individuals, communications, and movements worldwide.
The FBI has already alerted hundreds of U.S. organizations impacted by the campaign, which spans over 80 countries, making Salt Typhoon one of the most significant espionage operations publicly disclosed.
Coordinated Response: FBI and Allies Counter Salt Typhoon
The August 27 joint advisory serves as a comprehensive battle plan for cybersecurity defenders, offering highly specific indicators of compromise, hunting techniques, and mitigation strategies to detect and evict Salt Typhoon operators.
Detection and Hunting Tactics
- Organizations are urged to monitor for suspicious patterns like high-port SSH services ending in “22”, double-encoded requests targeting Cisco IOS XE, and packet captures with unusual names such as “tac.pcap”.
- Administrators must also look for unexplained network tunnels, redirections of TACACS+ traffic, or the sudden, unauthorized creation of privileged accounts.
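The hunting guidance above, together with the persistence and collection tradecraft described earlier (new privileged accounts, SSH listeners on high ports such as 57722, SPAN/RSPAN/ERSPAN mirror sessions, redirected TACACS+ traffic, GRE and IPsec tunnels, and packet captures like tac.pcap), can be turned into a repeatable check over exported device configurations. The following Python script is an added example written for this page, not code from the advisory or the agencies behind it. The config excerpt, the flash directory listing, and the baseline sets of expected administrators and TACACS+ servers are all constructed sample data, and the stanza parser assumes Cisco IOS-style indentation.

```python
"""Hunt for the router-side indicators described in the advisory: SSH on a
high port ending in 22, privileged accounts outside the known inventory,
TACACS+ servers that were never provisioned, SPAN/RSPAN/ERSPAN mirror
sessions, tunnel interfaces, and packet-capture files such as tac.pcap
left on device storage.

Added example for this page, not code from the advisory. All sample input
below is constructed; the baseline sets are an assumed defender inventory.
"""
import re

# Constructed sample: Cisco IOS-style running-config excerpt with planted hits.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$abc
username svc_mgmt privilege 15 secret 9 $9$def
tacacs server tac-primary
 address ipv4 10.10.0.5
tacacs server tac-shadow
 address ipv4 203.0.113.77
ip ssh port 57722 rotary 1
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1
 destination
  erspan-id 10
  ip address 203.0.113.77
interface Tunnel9
 tunnel mode gre ip
 tunnel destination 203.0.113.77
line vty 0 4
 rotary 1
 transport input ssh
"""

# Constructed sample: "dir bootflash:" output.
SAMPLE_DIR = """\
Directory of bootflash:/
   12  -rw-   16384  Jan 12 2025 09:11:02 +00:00  tac.pcap
   13  -rw-    2048  Jan 12 2025 09:15:44 +00:00  tmp.txt
"""

# Assumed baseline inventory (what the defender expects to exist).
BASELINE_ADMINS = {"netops"}
BASELINE_TACACS = {"10.10.0.5"}


def stanzas(config):
    """Yield (header, [child lines]) for each top-level config stanza.
    Indented lines belong to the most recent unindented line."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def hunt_config(config, baseline_admins=BASELINE_ADMINS,
                baseline_tacacs=BASELINE_TACACS):
    """Return one finding string per indicator hit, in config order."""
    findings = []
    for header, children in stanzas(config):
        # Advisory pattern: SSH moved to a high, non-standard port ending in 22.
        m = re.match(r"ip ssh port (\d+)", header)
        if m and int(m.group(1)) > 1024 and m.group(1).endswith("22"):
            findings.append(f"ssh-high-port:{m.group(1)}")
        # Privileged local accounts that are not in the inventory.
        m = re.match(r"username (\S+) privilege 15\b", header)
        if m and m.group(1) not in baseline_admins:
            findings.append(f"unexpected-priv15-account:{m.group(1)}")
        # Any SPAN/RSPAN/ERSPAN session is worth explaining.
        if header.startswith("monitor session"):
            findings.append(f"mirror-session:{header}")
        # TACACS+ servers pointing somewhere the defender never configured.
        m = re.match(r"tacacs server (\S+)", header)
        if m:
            for child in children:
                a = re.match(r"address ipv4 (\S+)", child)
                if a and a.group(1) not in baseline_tacacs:
                    findings.append(
                        f"unexpected-tacacs-server:{m.group(1)}:{a.group(1)}")
        # GRE/IPsec tunnel interfaces that could carry exfiltrated traffic.
        if header.startswith("interface Tunnel"):
            mode = next((c for c in children if c.startswith("tunnel mode")),
                        "tunnel mode unknown")
            findings.append(f"tunnel-interface:{header.split()[1]}:{mode}")
    return findings


def hunt_files(listing):
    """Flag packet captures sitting on device storage; a router normally
    has no reason to hold .pcap files."""
    return [f"pcap-on-flash:{n}" for n in re.findall(r"(\S+\.pcap)\b", listing)]


if __name__ == "__main__":
    for finding in hunt_config(SAMPLE_CONFIG) + hunt_files(SAMPLE_DIR):
        print("FINDING", finding)
```

Every hit is a lead, not a verdict: a mirror session or a tunnel may be legitimate, which is why the check compares against a maintained inventory rather than flagging the commands outright. Diffing each exported config against a known-good copy catches the altered access lists the advisory also describes, which a pattern scan alone cannot.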
Indicators and Rules for Defense
The advisory provides a robust set of indicators of compromise, including IP addresses traced back to 2021, YARA rules for Salt Typhoon’s custom tools, and Snort rules specifically targeting malicious privilege escalation attempts. This unprecedented level of public technical detail underscores the severe nature of the campaign.
Comprehensive Mitigation Guidance
Defenders are advised to implement a holistic response. Key recommendations include isolating management planes on dedicated networks, enforcing strong authentication protocols, mandating public-key login for administrators, and conducting coordinated eviction operations. Partial remediation is strongly discouraged, as it risks alerting intruders without fully removing them, potentially driving them deeper into the network.
A United Global Coalition Against Cyber Espionage
The significance of this announcement is amplified by the broad coalition behind it. Beyond the FBI, NSA, and CISA, the advisory was co-signed by intelligence and cybersecurity agencies from Canada, Japan, the United Kingdom, Germany, and other allied nations. This represents one of the most extensive international responses to a cyber campaign in history.
As one senior European intelligence official articulated, “This was not just an attack on the United States. This was an attack on global trust in our communications systems.”
Salt Typhoon: A National Defense Imperative and the Role of Standards
Telecommunications networks are more than commercial assets; they are the lifelines of modern economies and the nervous system of national defense. They are also among the 16 critical infrastructure sectors slated for enhanced cybersecurity standardization by U.S. regulators.
The Department of Defense is leading this charge, with new defense solicitations requiring Cybersecurity Maturity Model Certification (CMMC) compliance starting in October. Other critical sectors are expected to follow swiftly. The rationale is clear: if adversaries can invisibly monitor traffic, steal administrator credentials, and reroute data flows, they are not just stealing information—they are actively reshaping the battlespace.
The advisory unequivocally links Salt Typhoon to Chinese intelligence services and technology firms that directly support the People’s Liberation Army and the Ministry of State Security. This is not cybercrime for financial gain; it is state-directed espionage designed to alter the balance of global power.
For the United States, the implications necessitate immediate action. The Department of Defense’s elevated requirements across its supply base, particularly the CMMC framework, are vital for survival. The same techniques used to compromise telecom networks could be—and likely will be—deployed against defense contractors and their subcontractors if robust standards are not enforced and verified.
Urgent Call to Action for Leaders
The Salt Typhoon campaign delivers a stark lesson: hesitation is perilous. Executives, CISOs, and network operators must treat this as an urgent call to arms.
- Patch Exploited Vulnerabilities: Immediately address Ivanti Connect Secure CVE-2024-21887, Palo Alto PAN-OS CVE-2024-3400, and Cisco IOS XE CVE-2023-20198 and CVE-2023-20273. Disable Smart Install and upgrade to supported releases.
- Isolate Management Planes: Restrict protocols like SSH, HTTPS, SNMP, TACACS+, and RADIUS to hardened management networks with explicit access controls.
- Eliminate Weak Credentials: Enforce SNMPv3, mandate multifactor authentication (MFA), require public-key login for administrators, and remove all default credentials.
- Actively Hunt for Anomalies: Thoroughly investigate high-port SSH services, unexplained mirroring sessions, or any evidence of suspicious packet captures, such as “tac.pcap.” Treat these as critical security incidents.
- Plan Coordinated Evictions: Assume the presence of multiple backdoors. Collect comprehensive evidence, coordinate all actions, and eradicate the threat simultaneously across all affected systems. Anything less risks merely signaling awareness without achieving true security.
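To make the management-plane and credential items above checkable rather than aspirational, here is an added Python audit that flags the weak settings in a constructed Cisco IOS-style running-config and confirms that a hardened counterpart passes. It is an example written for this page, not code from the advisory. The commands it looks for (snmp-server community, ip ssh pubkey-chain, no vstack for Smart Install, access-class on vty lines, ip http access-class) are standard IOS syntax, but exact forms vary by platform and release; MFA enforcement lives on the TACACS+/RADIUS side and is outside what a device-config check can see.

```python
"""Audit a router running-config against the management-plane and credential
items above: SNMPv3 instead of community strings, public-key login for
administrators, Smart Install disabled, and SSH/HTTPS management reachable
only from an explicit access list.

Added example for this page, not code from the advisory. Both configs are
constructed Cisco IOS-style samples; command forms vary by platform and
release, so treat the patterns as a starting point, not a complete policy.
"""
import re

# Constructed sample: the kind of configuration the advisory warns about.
WEAK_CONFIG = """\
hostname edge-rtr-02
username admin password 0 admin
snmp-server community public RO
ip http server
ip http secure-server
ip ssh version 1
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same device after applying the recommendations.
HARDENED_CONFIG = """\
hostname edge-rtr-02
no vstack
username netops privilege 15 secret 9 $9$xyz
ip ssh version 2
ip ssh pubkey-chain
 username netops
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
snmp-server group MGMT v3 priv
ip access-list standard MGMT-ACL
 permit 10.10.0.0 0.0.0.255
 deny any
ip http secure-server
ip http access-class ipv4 MGMT-ACL
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
"""


def has(config, pattern):
    """True if any whole line of the config matches the anchored regex."""
    return re.search(pattern, config, re.M) is not None


def vty_body(config):
    """Return the indented body of the first 'line vty' stanza, or ''."""
    m = re.search(r"^line vty[^\n]*\n((?:[ \t][^\n]*\n?)*)", config, re.M)
    return m.group(1) if m else ""


def audit(config):
    """Return a list of hardening gaps, empty when the config passes."""
    issues = []
    if has(config, r"^snmp-server community "):
        issues.append("SNMPv1/v2c community string configured; move to SNMPv3 priv")
    if has(config, r"^snmp-server group \S+ v3 (noauth|auth)\b"):
        issues.append("SNMPv3 group configured without privacy (encryption)")
    if has(config, r"^username \S+ .*\bpassword\b"):
        issues.append("local account uses 'password' (reversible) instead of 'secret'")
    if has(config, r"^ip http server$"):
        issues.append("plaintext HTTP management interface enabled")
    if has(config, r"^ip http secure-server$") and not has(config, r"^ip http access-class "):
        issues.append("HTTPS management interface not restricted by an access-class")
    if not has(config, r"^ip ssh version 2$"):
        issues.append("SSH version 2 not enforced")
    if not has(config, r"^ip ssh pubkey-chain$"):
        issues.append("no public-key login configured for administrators")
    if not has(config, r"^no vstack$"):
        issues.append("Smart Install (vstack) not explicitly disabled")
    vty = vty_body(config)
    if "access-class" not in vty:
        issues.append("vty lines accept management sessions from any source")
    m = re.search(r"transport input (.*)", vty)
    if m and re.search(r"\b(telnet|all)\b", m.group(1)):
        issues.append("telnet permitted on vty lines")
    return issues


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        gaps = audit(cfg)
        print(f"{name}: {len(gaps)} gap(s)")
        for gap in gaps:
            print("  -", gap)
```

Run it against exported configs before and after a remediation window; a device whose audit still reports gaps after the coordinated eviction is exactly the partial-remediation case the advisory warns against.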
Recommendations for Individuals
While individuals cannot secure national backbone routers, they can significantly reduce their personal risk surface:
- Set account PINs and port-out locks with mobile carriers.
- Enable multifactor authentication across all online accounts, avoiding sole reliance on SMS for MFA.
- Activate SIM-swap protections where available.
- Proactively monitor for any suspicious activity on your accounts or devices.
For those employed in the defense sector, the personal responsibility is even greater: push your organization to confirm CMMC readiness immediately. Waiting for an audit or, worse, a breach, is no longer an option.
The Time for Action is Now
Salt Typhoon represents a clear declaration from Beijing: the battle for cyberspace is global, relentless, and intricately linked to national defense. This is not about a single intrusion but the insidious weaponization of the internet itself.
The FBI and its partners have illuminated this profound threat and provided the necessary tools to combat it. The onus now falls on leaders across all sectors to act decisively. Those who delay risk finding their networks transformed into someone else’s surveillance system. Those who act swiftly will play a crucial role in safeguarding not only their enterprises but the security of their nations.