Salt Typhoon is behind one of the broadest hacking campaigns in recent years. The group has targeted some of the world’s largest phone and internet companies, stealing tens of millions of phone records belonging to senior government officials. Researchers attribute this hacking group to China and identify it as part of a wider cluster with the collective aim of helping China prepare for an eventual war with Taiwan. U.S. officials have called China’s potential invasion of Taiwan an “epoch-defining threat.”
Much of the group’s effort has focused on hacking Cisco routers at the edge of a company’s network to gain entry. The hackers have also taken control of surveillance devices that U.S. telecom companies are legally required to install to allow law enforcement to monitor calls and messages.
While Salt Typhoon focuses on hacking telecom infrastructure, other China-linked groups like Volt Typhoon are prepositioning for destructive cyberattacks capable of widespread disruption. Another group, Flax Typhoon, runs a botnet of hijacked internet-connected devices to hide malicious internet traffic. However, Salt Typhoon is by far one of the most prolific hacking groups in recent years, and its targets include some of the top American phone companies.
These hacks allowed China to obtain call records, text messages, and captured phone audio from senior U.S. officials, many of whom were considered government targets of interest. This prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing a foreign adversary could eavesdrop on their communications.
According to FBI officials, Salt Typhoon has hacked at least 200 companies around the world, and the list of affected countries keeps growing.
In the United States, some of the top phone companies, including AT&T and Verizon, were confirmed hacked by Salt Typhoon, as was internet provider CenturyLink, now Lumen. T-Mobile said it was targeted but that the hackers had no access to its customers’ calls, text messages, or voicemails. Satellite communications giant Viasat was also compromised, allowing hackers to gain access to tools used by law enforcement. Internet and data providers Charter Communications (Spectrum) and Windstream were also named as victims. Fiber network giant Consolidated Communications was reportedly hacked as part of the campaign.
The hackers didn’t just target phone and internet providers. According to several reports, Salt Typhoon compromised the networks of a U.S. state’s National Guard, allowing the hackers to steal data and access networks in every other U.S. state and several territories.
In North and South America, researchers have seen Salt Typhoon target Cisco devices associated with universities in Argentina and Mexico. The Canadian government confirmed that its top telecommunications firms were hacked as part of Salt Typhoon’s extended espionage campaign, with several Cisco routers at one telecom giant compromised to steal data. The government in Ottawa warned the targeting was broader than just the telecommunications sector. Activity has also been reported in Brazil.
In Asia, Africa, and Oceania, Salt Typhoon has targeted at least one Myanmar-based telecoms provider, Mytel, via hacked Cisco routers, as well as a South African telecommunications provider. Attacks have also targeted routers of universities across Bangladesh, Indonesia, Malaysia, and Thailand. Japan has warned of the threat to its networks. The governments of Australia and New Zealand say they’ve seen Salt Typhoon activity in their telecom and critical infrastructure sectors. New Zealand also observed the hackers across the government sector, as well as transportation, lodging, and military infrastructure networks. Compromised organizations have also been identified in Afghanistan, Eswatini, India, Taiwan, and the Philippines across various industries.
In Europe, the British government confirmed a “cluster of activity” from Salt Typhoon across the United Kingdom, with reporting suggesting senior government staff may have had their phone records tapped. Norway confirmed several organizations in the country were hacked. Dutch authorities say several smaller internet providers and web hosts were targeted and had their routers accessed, though their internal networks were not compromised. An Italian internet provider was hacked, and incidents related to Salt Typhoon have been witnessed in Finland and Poland.

