The advanced persistent threat (APT) group known as Salt Typhoon, linked to China, has intensified its cyber espionage activities, targeting a diverse range of sectors worldwide. These sectors include telecommunications, government, transportation, hospitality, and military infrastructure. The group’s operations have been particularly focused on infiltrating large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers. By compromising these critical network devices, Salt Typhoon has been able to establish persistent, long-term access to various networks.
According to a joint cybersecurity advisory released on August 28, 2025, by authorities from 13 countries, including the United States, United Kingdom, Australia, and Germany, Salt Typhoon has been exploiting vulnerabilities in network devices from leading manufacturers such as Cisco, Ivanti, and Palo Alto Networks. The advisory highlights that the group’s activities have been linked to three Chinese companies: Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. These entities are believed to provide cyber-related products and services to China’s intelligence services, facilitating the collection of sensitive data from compromised networks.
Brett Leatherman, head of the U.S. Federal Bureau of Investigation’s Cyber Division, stated that Salt Typhoon has been active since at least 2019, engaging in a persistent espionage campaign aimed at breaching global telecommunications privacy and security norms. The group’s activities have expanded over time, now affecting no fewer than 600 organizations across 80 countries, including 200 entities in the United States.
The Dutch intelligence and security services, MIVD and AIVD, noted that while organizations in the Netherlands did not receive the same degree of attention from Salt Typhoon as those in the U.S., the threat actors did gain access to routers of smaller Internet Service Providers (ISPs) and hosting providers within the country. However, there is no evidence to suggest that the hackers penetrated these networks further.
Salt Typhoon’s initial access is often achieved through the exploitation of exposed network edge devices. The group has been observed leveraging specific vulnerabilities, including:
– Cisco Vulnerabilities:
– CVE-2018-0171
– CVE-2023-20198
– CVE-2023-20273
– Ivanti Vulnerabilities:
– CVE-2023-46805
– CVE-2024-21887
– Palo Alto Networks Vulnerability:
– CVE-2024-3400
By exploiting these vulnerabilities, Salt Typhoon gains unauthorized access to network devices, which are then used as footholds to pivot into other networks. In some instances, the group has been known to modify the device’s configuration to maintain persistent access and evade detection.
