Salt Typhoon: China Hacked 80 Countries and No One Got Them Out
Quick summary
Salt Typhoon, a Chinese state APT group, has compromised at least 200 companies across 80 countries including US telecom giants. AT&T and Verizon cannot confirm the hackers are out.
Salt Typhoon, a hacking group tied to China's Ministry of State Security, has now compromised at least 200 companies across 80 countries. AT&T and Verizon have not been able to confirm the attackers have been fully removed from their networks.
What Is Salt Typhoon?
Salt Typhoon is an advanced persistent threat (APT) group attributed to China's Ministry of State Security. It specialises in long-term, silent access to telecommunications infrastructure — not for immediate data theft, but to pre-position inside systems that governments use for lawful interception of communications.
The FBI first publicly attributed Salt Typhoon to China in late 2024. By August 2025, the FBI confirmed the scope had expanded to over 80 countries and at least 200 companies. In April 2025, the FBI posted a $10 million bounty for information on individuals connected to the group.
How They Got In
Salt Typhoon exploited unpatched Cisco router vulnerabilities to gain initial access. From there they moved laterally using living-off-the-land techniques, abusing legitimate system tools and administrator credentials rather than deploying custom malware that would trigger security alerts.
Living-off-the-land is particularly effective against telecom carriers because those carriers run complex, heterogeneous networks where unusual tool use is normal. An attacker using built-in network management commands looks identical to a network engineer doing routine maintenance.
Intrusions reportedly began as far back as 2019. Some of the compromised systems had been silently accessible for six or more years before detection.
Who They Targeted and Why
Salt Typhoon specifically targeted systems that US telecommunications companies maintain for lawful interception — the wiretapping infrastructure that US law enforcement agencies use under court orders to intercept the communications of criminal suspects. By compromising these systems, China gained visibility into who US agencies were monitoring.
The December 2025 intrusions went further: US House of Representatives committee systems were compromised. Data center giant Digital Realty and Comcast were confirmed as victims in the latest expansion.
This is not a financial crime. Salt Typhoon is not selling stolen data or ransoming companies. It is building persistent access to communications infrastructure that, in a conflict scenario, could be used for sabotage or to blind US surveillance capabilities at a critical moment.
The Scale of the Problem
| Metric | Detail |
|---|---|
| Countries affected | 80+ |
| Companies compromised | 200+ |
| FBI bounty | $10 million |
| Original intrusion start | As early as 2019 |
| US carriers confirmed | AT&T, Verizon (among others) |
| Confirmed new victims (late 2025) | Digital Realty, Comcast, House committees |
The FBI stated in early 2025 that AT&T and Verizon had not been able to confirm Salt Typhoon was fully evicted from their networks. That is an extraordinary admission: two of the largest telecommunications companies in the United States cannot verify they have removed a foreign nation-state from their infrastructure.
Why Developers Should Care
If your application transmits data over US telecoms infrastructure, there is a non-zero probability that a nation-state adversary has had access to routing metadata — not necessarily the content of encrypted HTTPS traffic, but connection metadata: who connected to what, when, from where.
For high-sensitivity applications — financial services, healthcare data, anything with government contracts — the implication is that transport-layer encryption alone is not sufficient. Encrypt at the application layer. Assume the network is hostile. This is not paranoia; it is the situation the FBI has publicly described.
The Cisco vulnerability entry point is also a reminder that edge network devices are the highest-risk attack surface. Core application servers get patched. Routers and switches in telecom backbone infrastructure often do not. Any organisation running legacy Cisco IOS versions without active patch management should treat this campaign as a direct threat and account for it in its threat model.
What China Gains
Access to lawful interception systems gives China three capabilities. First, it can identify which Chinese nationals or entities US agencies are monitoring, warning them before prosecution. Second, it can monitor US government communications about China policy made over compromised networks. Third, in a crisis scenario, it can disable or corrupt the telecommunications infrastructure US emergency responders and military communications depend on.
Salt Typhoon is not spying on individual citizens. It is mapping and maintaining access to the infrastructure of American power.
Key Takeaways
- 200 companies across 80 countries — confirmed Salt Typhoon compromise scope as of August 2025
- Intrusions started as early as 2019 — the attackers had up to 6 years of silent access before detection
- AT&T and Verizon cannot confirm eviction — two US telecoms giants have not cleared the network
- $10 million FBI bounty — posted April 2025 for information on Salt Typhoon individuals
- For developers: Encrypt at the application layer, not just transport. Assume routing metadata is observable by nation-state adversaries on US telecom infrastructure. Patch edge network devices — routers and switches are the entry point, not app servers.
- What to watch: Whether the US Cyber Safety Review Board publishes a formal Salt Typhoon attribution report in 2026, which would trigger mandatory remediation requirements for US telecoms
Written by
Abhishek Gautam