Salt Typhoon - The Chinese Telecom Hack

Brought to you by CYRIN

Cybersecurity 2025 began with the dramatic breaking news of the Chinese Telecom Hack. Although what has been called the Salt Typhoon attack made headlines around the globe, the issue in fact has a complicated history that has been gaining momentum for some time.

In December 2024, Federal cyber officials held a news briefing stating that Chinese hackers had launched large-scale attacks on several major United States telecom firms including AT&T, Verizon and T-Mobile. The FBI began investigating the “Salt Typhoon” attack in late spring, so the issue had been building for some time. The breach of the cellular data of thousands (possibly millions) of Americans was first revealed in November and was far from a small scale attack. In addition, early reports indicate that no one really knows how long the attackers have been in the systems and the scope of what they have been doing. According to Cybersecurity Dive, Federal officials said at the media briefing in early December that the attacks were “widespread and actively evolving and that officials still don’t know the full extent of damages caused by the global espionage campaign or what remains at risk.”

Unfortunately, there are no official reports indicating how or if the attacks were successful or in what way; if malware was installed; or what information the hackers were seeking and for what purpose. Cybersecurity Dive reports that authorities have confirmed that the group poses a “persistent threat,” and speculated again that “malicious activity is ongoing.” In terms of future risk, Jeff Greene from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted that it’s not yet known if the hackers have been completely ejected from the networks, and “we still don’t know the scope of what they’re doing.” In November the FBI and CISA issued a joint statement into the ongoing investigation into the hack orchestrated by the People’s Republic of China (PRC) hack and revealed that it was “broad and significant.”

Although CISA, the FBI, the National Security Agency and cyber authorities in Australia, Canada and New Zealand are still in the information gathering stage, and as of this writing have not released any official or definitive information, there has been hardening guidance designed to help telecom providers moving forward as details reveal themselves.

This sophisticated hack has raised the alarm as one of the largest in US history. In addition, the United States, Australia, Canada and New Zealand claim it is part of an intelligence operation conducted by “PRC affiliated threat actors.” Salt Typhoon has also attacked state entities in Southeast Asia since August of 2024. All in all, Salt Typhoon is considered “one of the most aggressive Chinese state hacker groups.”

Cybersecurity doesn’t always make the primetime nightly news, but due to the severity of the event, all the major television networks picked up the story. Homeland Security Secretary Alejandro Mayorkas admitted that the hack is a “very, very serious matter,” and “a very sophisticated hack” that was no doubt escalating for some time, with implications for intelligence being particularly alarming.

This breach targeted close to home. According to their representatives the FBI informed the presidential campaigns of Donald Trump and Kamala Harris in October that they were targeted as well as the office of Senate Majority Leader Chuck Schumer, D-N.Y.

As reported by PBS, Chinese hackers had infiltrated at least eight communications firms in the United States and over the last one to two years - quote - "dozens" of telecommunications companies across Asia and Europe, and the hack was ongoing, according to Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger.

Why Does This Matter?

The eight targeted US telecommunications firms are not the only ones struggling to defend their networks. Advanced Persistent Threats (APTs) possibly linked to Salt Typhoon have compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions as well. In 2022, a Chinese APT group called Daggerfly and Evasive Panda hacked systems at a telecommunications organization in Africa. Experts speculate that telecommunications networks are strategic targets for malicious actors, in part, as they can kickstart a geopolitical strategy. China’s infiltration of worldwide networks may be part of such a strategy to destabilize and gather sensitive information about a country’s citizens.

Dark Reading speculates that the Salt Typhoon attacks may lead to one positive outcome: encouraging citizens and governments to use encryption more widely. It’s certainly true that telecommunications providers – private and state-owned – require more robust security. “The global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens,” says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

Next Steps

Clearly, the large scale and sophisticated Salt Typhoon attack is of critical and ongoing concern to US officials; this is further complicated by the ongoing tensions between Washington and Beijing over cyber-espionage and other high-stakes national security issues.

The United States continues to be in conversation with House and Senate intelligence committees, and cybersecurity teams. Cybersecurity experts from Microsoft and Google-owned firm Mandiant are also assisting the investigation into the hack. People probing the attacks have been impressed by the skill, persistence and ability of Salt Typhoon hackers to embed in computer networks.

CYRIN Can Help

Training or lack of has consequences. According to some estimates, organizations can significantly reduce the cost of a breach by an average of $232,867 through cybersecurity training for their employees.

CYRIN can help on several fronts. For the education market, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

For industry we continue to work with our partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Image: Ralf Liebhold

Watch CYRIN: The Next-Generation Cyber Range


Learn More About How CYRIN Online Training Can Benefit You


You Might Also Read: 

Is Zero Trust The Future Of Cybersecurity?:  


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Tackling Cyber Threats In The Public Sector
TikTok Reprieved By Trump »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

MetaCompliance

MetaCompliance

MetaCompliance is a cyber security and compliance organisation that helps transform your company culture and safeguard your data and values.

Promon

Promon

Promon is an application security vendor providing Self-Protection abilities to Mobile apps and Desktop applications.

Nozomi Networks

Nozomi Networks

Nozomi Networks is a leader in Industrial Control System (ICS) cybersecurity, with a comprehensive platform to deliver real-time cybersecurity and operational visibility.

Fedco International

Fedco International

Fedco International is an IT and SCADA ICS Security consultancy firm.

SCADASUDO

SCADASUDO

SCADASUDO is a cyber solution architecture and design office, established by leading experts in the field of OT (Industrial control) and IT (information Technology).

Caulis

Caulis

Caulis FraudAlert is a cyber security solution. It can detect fraud and identity theft based on users’ online behaviour.

CyberFortress

CyberFortress

CyberFortress is an insuretech startup offering a new kind of online business interruption policy designed for small business.

Acmetek Global Solutions

Acmetek Global Solutions

Acmetek is a Global Distributor and a Trusted Advisor of PKI /IOT & SSL Security Products and a Managed Services Company.

Netgo

Netgo

Netgo group meet the requirements of a complex, digitized world with IT consulting, IT solutions & services, managed & cloud services and software products & development.

Salus Cyber

Salus Cyber

Salus is a provider of world-class cyber security services, enabling our clients to identify and manage their cyber risks proactively and effectively.

CYBHORUS

CYBHORUS

CYBHORUS are a team of Italian cyber security experts, specialized in cyber threat defense and strategic and organizational consulting.

Orchestrate Technologies

Orchestrate Technologies

Orchestrate Technologies provides computer network and IT managed services for small and mid-market clients as well as small enterprise businesses.

CloudGuard

CloudGuard

CloudGuard is an AI-driven XDR platform that helps organisations to proactively detect and automatically remediate threats in real-time.

Verastel

Verastel

Specializing in the niche space of proactive cyber-defense, and adaptive resilience, team Verastel is bolstering enterprise digital security like never before.

Worksent Technologies

Worksent Technologies

Worksent is a Trusted white-label offshore support partner for MSPs and MSSPs.

Sacumen

Sacumen

Sacumen is a niche player in the cybersecurity market, solving critical problems for security product companies.