Salt Typhoon: China Hacked 80 Countries and No One Got Them Out
Quick summary
Salt Typhoon, a Chinese state APT group, has compromised at least 200 companies across 80 countries including US telecom giants. AT&T and Verizon cannot confirm the hackers are out.
Salt Typhoon, a hacking group tied to China's Ministry of State Security, has now compromised at least 200 companies across 80 countries. AT&T and Verizon have not been able to confirm the attackers have been fully removed from their networks.
What Is Salt Typhoon?
Salt Typhoon is an advanced persistent threat (APT) group attributed to China's Ministry of State Security. It specialises in long-term, silent access to telecommunications infrastructure — not for immediate data theft, but to pre-position inside systems that governments use for lawful interception of communications.
The FBI first publicly attributed Salt Typhoon to China in late 2024. By August 2025, the FBI confirmed the scope had expanded to over 80 countries and at least 200 companies. In April 2025, the FBI posted a $10 million bounty for information on individuals connected to the group.
How They Got In
Salt Typhoon exploited unpatched Cisco router vulnerabilities to gain initial access. From there they moved using living-off-the-land techniques — abusing legitimate system tools and administrator credentials rather than deploying custom malware that would trigger security alerts.
Living-off-the-land is particularly effective against telecom carriers because those carriers run complex, heterogeneous networks where unusual tool use is normal. An attacker using built-in network management commands looks identical to a network engineer doing routine maintenance.
Intrusions reportedly began as far back as 2019. Some of the compromised systems had been silently accessible for six or more years before detection.
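Because living-off-the-land activity on routers consists of commands a network engineer would also run, the usable signal is deviation from each administrator's own baseline rather than the command itself. The following is an added example, not code from the original article or any carrier: it runs a per-user baseline over constructed AAA command-accounting lines (a hypothetical syslog-style format) and flags later commands issued from a new source address, outside the user's usual hours, or not previously seen for that user.

```python
import re
from collections import defaultdict

# Constructed AAA command-accounting lines in a hypothetical syslog-style format
# (not real carrier logs): timestamp, admin user, session source, device, command.
LOG_LINES = """\
2025-03-01T09:12:04Z user=neteng1 src=10.20.0.15 dev=pe-router-07 cmd="show ip route"
2025-03-02T10:01:33Z user=neteng1 src=10.20.0.15 dev=pe-router-07 cmd="show running-config"
2025-03-02T10:05:41Z user=neteng2 src=10.20.0.22 dev=pe-router-09 cmd="show ip bgp summary"
2025-03-03T02:47:19Z user=neteng1 src=198.51.100.77 dev=pe-router-07 cmd="show running-config"
2025-03-03T02:48:02Z user=neteng1 src=198.51.100.77 dev=pe-router-07 cmd="copy running-config tftp:"
2025-03-03T10:09:50Z user=neteng2 src=10.20.0.22 dev=pe-router-09 cmd="show ip bgp summary"
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
                     r'dev=(?P<dev>\S+) cmd="(?P<cmd>[^"]*)"$')

def parse(lines):
    """Parse accounting lines; malformed lines are skipped rather than crashing."""
    events = []
    for m in filter(None, map(LINE_RE.match, lines.strip().splitlines())):
        e = m.groupdict()
        e["hour"] = int(e["ts"][11:13])  # hour of day from the ISO-8601 timestamp
        events.append(e)
    return events

def find_anomalies(lines, cutoff):
    """Learn each user's usual source addresses, commands and hours from events
    before `cutoff`, then flag later commands that deviate from that profile.
    Every command here is legitimate on its own; the deviation is the signal."""
    events = parse(lines)
    base = defaultdict(lambda: {"src": set(), "cmd": set(), "hour": set()})
    for e in events:
        if e["ts"] < cutoff:  # ISO-8601 strings compare chronologically
            for key in ("src", "cmd", "hour"):
                base[e["user"]][key].add(e[key])
    labels = {"src": "new source address", "cmd": "command not in baseline",
              "hour": "outside usual hours"}
    findings = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        profile = base.get(e["user"])
        if profile is None:
            reasons = ["unknown user"]
        else:
            reasons = [labels[k] for k in ("src", "cmd", "hour") if e[k] not in profile[k]]
        if reasons:
            findings.append((e["ts"], e["user"], e["dev"], e["cmd"], reasons))
    return findings
```

In the constructed data, the two 02:47 and 02:48 sessions from an unfamiliar address are flagged while the identical command run by neteng2 at its usual time from its usual address is not; in production the baseline would be learned over weeks, not two days.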
Who They Targeted and Why
Salt Typhoon specifically targeted systems that US telecommunications companies maintain for lawful interception — the wiretapping infrastructure that US law enforcement agencies use under court orders to intercept criminal suspects. By compromising these systems, China gained visibility into who US agencies were monitoring.
The December 2025 intrusions went further: US House of Representatives committee systems were compromised. Data center giant Digital Realty and Comcast were confirmed as victims in the latest expansion.
This is not a financial crime. Salt Typhoon is not selling stolen data or ransoming companies. It is building persistent access to communications infrastructure that, in a conflict scenario, could be used for sabotage or to blind US surveillance capabilities at a critical moment.
The Scale of the Problem
| Metric | Detail |
|---|---|
| Countries affected | 80+ |
| Companies compromised | 200+ |
| FBI bounty | $10 million |
| Original intrusion start | As early as 2019 |
| US carriers confirmed | AT&T, Verizon (among others) |
| Confirmed new victims (late 2025) | Digital Realty, Comcast, House committees |
The FBI stated in early 2025 that AT&T and Verizon had not been able to confirm Salt Typhoon was fully evicted from their networks. That is an extraordinary admission: two of the largest telecommunications companies in the United States cannot verify they have removed a foreign nation-state from their infrastructure.
Why Developers Should Care
If your application transmits data over US telecoms infrastructure, there is a non-zero probability that a nation-state adversary has had access to routing metadata — not necessarily the content of encrypted HTTPS traffic, but connection metadata: who connected to what, when, from where.
For high-sensitivity applications — financial services, healthcare data, anything with government contracts — the implication is that transport-layer encryption alone is not sufficient. Encrypt at the application layer. Assume the network is hostile. This is not paranoia; it is the situation the FBI has publicly described.
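To make the metadata point concrete: even with HTTPS, the TLS ClientHello travels in cleartext, and its Server Name Indication field names the destination. The following is an added example, not code from the original article: it constructs a minimal ClientHello (dummy random, one cipher suite) and then parses it the way a passive observer on the carrier network would, reading only the unencrypted fields. The function names are the example's own.

```python
import struct

def build_client_hello(server_name):
    """Build a minimal ClientHello record with an SNI extension (constructed sample)."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list       # extension_type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32              # client_version, random (dummy)
            + b"\x00"                                # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # one compression method (null)
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the server_name a passive observer can read from a ClientHello,
    or None. Only cleartext fields are touched; nothing is decrypted."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a handshake / ClientHello
    p = 5 + 4 + 2 + 32                               # past headers, version, random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                               # compression_methods
    if p + 2 > len(record):
        return None                                  # no extensions at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0 and elen >= 5:                 # server_name: list len, type, name len
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None

def observer_view(src, dst, record):
    """What an on-path observer of a TLS connection sees without any key:
    endpoints and the requested hostname, but no request or response content."""
    return {"src": src, "dst": dst, "server_name": extract_sni(record)}
```

Encrypted Client Hello (ECH) is the TLS extension designed to hide this field; without it, the destination name is readable by anyone on the path, which is exactly the "who connected to what" metadata described above.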
The Cisco vulnerability entry point is also a reminder that edge network devices are the highest-risk attack surface. Core application servers get patched. Routers and switches in telecom backbone infrastructure often do not. Any organisation running legacy Cisco IOS versions without active patch management should treat this as a direct threat model.
What China Gains
Access to lawful interception systems gives China three capabilities. First, it can identify which Chinese nationals or entities US agencies are monitoring, warning them before prosecution. Second, it can monitor US government communications about China policy made over compromised networks. Third, in a crisis scenario, it can disable or corrupt the telecommunications infrastructure US emergency responders and military communications depend on.
Salt Typhoon is not spying on individual citizens. It is mapping and maintaining access to the infrastructure of American power.
Key Takeaways
- 200 companies across 80 countries — confirmed Salt Typhoon compromise scope as of August 2025
- Intrusions started as early as 2019 — the attackers had up to 6 years of silent access before detection
- AT&T and Verizon cannot confirm eviction — two US telecoms giants have not cleared the network
- $10 million FBI bounty — posted April 2025 for information on Salt Typhoon individuals
- For developers: Encrypt at the application layer, not just transport. Assume routing metadata is observable by nation-state adversaries on US telecom infrastructure. Patch edge network devices — routers and switches are the entry point, not app servers.
- What to watch: Whether the US Cyber Safety Review Board publishes a formal Salt Typhoon attribution report in 2026, which would trigger mandatory remediation requirements for US telecoms
Frequently Asked Questions
What is Salt Typhoon?
Salt Typhoon is a Chinese state-sponsored hacking group attributed to China's Ministry of State Security. It specialises in long-term silent access to telecommunications infrastructure, specifically targeting the lawful interception systems that US law enforcement uses for court-ordered wiretapping. As of 2025, it has compromised at least 200 companies across 80 countries.
How did Salt Typhoon hack US telecoms?
Salt Typhoon gained initial access by exploiting unpatched Cisco router vulnerabilities at the network edge. Once inside, attackers used living-off-the-land techniques — legitimate system administration tools — to move laterally and maintain persistence without triggering security alerts. The approach is effective because telecom networks are large and complex, and legitimate network management activity looks similar to attacker behaviour.
Have AT&T and Verizon removed the Salt Typhoon hackers?
The FBI has stated that AT&T and Verizon could not confirm Salt Typhoon was fully evicted from their networks as of early 2025. This means the intrusions may still be active inside the infrastructure of the two largest US telecom carriers. Digital Realty and Comcast were confirmed as additional victims in late 2025.
Why did China hack telecom infrastructure instead of stealing data directly?
Salt Typhoon targeted lawful interception systems — the wiretapping infrastructure US law enforcement uses under court orders. Accessing these systems tells China which Chinese nationals US agencies are currently monitoring, potentially allowing China to warn them before prosecution. It also pre-positions China to disable or disrupt US telecommunications infrastructure in a conflict scenario, which is more valuable than individual data theft.
What should developers do in response to Salt Typhoon?
Implement application-layer encryption rather than relying solely on transport-layer TLS, since routing metadata is observable even through encrypted connections. Prioritise patching edge network devices (routers, switches) which are the confirmed entry point. For high-sensitivity applications, treat the network as hostile by design and minimise metadata leakage. Organisations with US government contracts should review their telecom vendor relationships.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
