Salt Typhoon is behind one of the broadest hacking campaigns in recent years. This group, attributed to China, has targeted some of the world’s largest phone and internet companies, stealing tens of millions of phone records about senior government officials. Researchers state the group is part of a wider cluster of hackers with the collective aim of helping China prepare for an eventual war with Taiwan. U.S. officials have called China’s potential invasion of Taiwan an “epoch-defining threat.”
Much of the group’s efforts have focused on hacking Cisco routers at the edge of a company’s network to break in. They have also taken control of surveillance devices that U.S. telecom companies are legally required to install to allow law enforcement to monitor calls and messages.
While Salt Typhoon focuses on hacking telecom infrastructure, other China-linked groups like Volt Typhoon are prepositioning for destructive cyberattacks capable of widespread disruption. Another group, Flax Typhoon, runs a botnet of hijacked internet-connected devices for hiding malicious internet traffic. However, Salt Typhoon is by far one of the most prolific hacking groups in recent years, including targeting some of the top American phone companies.
The hacks allowed China to obtain call records, text messages, and captured phone audio from senior U.S. officials, many of whom were considered government targets of interest. This prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing that their communications could be eavesdropped on by a foreign adversary.
Salt Typhoon went even further, hacking at least 200 companies around the world according to FBI officials. The list of affected countries keeps growing.
In the United States, some of the top phone companies, including AT&T and Verizon, were confirmed hacked by Salt Typhoon, as was internet provider CenturyLink, now Lumen. T-Mobile said it was targeted but that the hackers had no access to its customers’ calls, text messages, or voicemails. Satellite communications giant Viasat was also compromised, allowing hackers to gain access to tools used by law enforcement. Internet and data providers Charter Communications, which operates Spectrum, and Windstream were also named as victims. Fiber network giant Consolidated Communications was reportedly hacked as part of the campaign.
The hackers didn’t just target phone and internet providers. According to several reports, Salt Typhoon compromised the networks of a U.S. state’s National Guard, allowing them to steal data and access other networks in every other U.S. state and several territories.
In North and South America, researchers have seen Salt Typhoon target Cisco devices associated with universities in Argentina and Mexico. The Canadian government confirmed that its top telecommunications firms were hacked as part of Salt Typhoon’s extended espionage campaign, with several Cisco routers at one telecom giant hacked to steal data. The government in Ottawa warned the targeting was broader than just the telecommunications sector. Activity has also been reported in Brazil.
In Asia, Africa, and Oceania, Salt Typhoon has targeted at least one Myanmar-based telecoms provider, Mytel, via hacked Cisco routers, as well as a South African telecommunications provider. Attacks have also targeted routers of universities across Bangladesh, Indonesia, Malaysia, and Thailand. Japan has warned of the threat to its networks. The governments of Australia and New Zealand say they’ve seen Salt Typhoon activity in their telecom and critical infrastructure sectors. New Zealand also observed the hackers across the government sector, as well as transportation, lodging, and military infrastructure networks. Compromised organizations have also been found in the telecoms, consulting, chemical, and transportation industries, as well as government agencies and non-profits in countries including Afghanistan, Eswatini, India, Taiwan, and the Philippines.
In Europe, the British government confirmed that a cluster of activity from Salt Typhoon was seen across the United Kingdom. Reporting suggests senior U.K. government staff may have had their phone records tapped and text messages read. Norway confirmed Salt Typhoon hacked several organizations in the country. Dutch authorities say several smaller internet providers and web hosts were targeted and while they had access to routers, their internal networks were not compromised. An Italian internet provider was also hacked. According to Czech cybersecurity officials, incidents related to Salt Typhoon hacks have been witnessed in Finland and Poland.