China-linked Salt Typhoon and others hacked into US networks including defense infra; How they breach and how to stay safe

Chinese state-sponsored hackers are targeting critical networks globally, including telecommunications and government infrastructure, by exploiting routers and compromised devices. These Advanced Persistent Threat (APT) actors, tracked as Salt...

China-linked cyber espionage group “Salt Typhoon” targets global networks; cybersecurity agencies warn on breaches and share safety measures

The US Cybersecurity and Infrastructure Security Agency (CISA), which styles itself America’s Cyber Defense Agency, has warned that state-sponsored hackers linked to the People’s Republic of China are targeting critical networks worldwide, including telecommunications, government, transportation, lodging, and even military infrastructure, by exploiting major backbone routers and leveraging compromised devices to maintain long-term access.

This activity overlaps with campaigns tracked in the cybersecurity industry under names such as Salt Typhoon, Operator Panda, RedMike, UNC5807, and GhostEmperor. However, the authoring agencies note they are not adopting any one commercial naming convention and instead refer to those responsible more broadly as Advanced Persistent Threat (APT) actors. According to the advisory, this cluster of malicious activity has been observed across the United States, Australia, Canada, New Zealand, the United Kingdom, and other regions worldwide.

Additionally, the UK and international allies on Wednesday (27 August) publicly linked three China-based technology companies to a global cyber campaign aimed at critical networks. The named entities are Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co, and Sichuan Zhixin Ruijie Network Technology Co Ltd.


In a new advisory, the National Cyber Security Centre (NCSC), part of GCHQ, and partners from 12 other nations shared technical details showing how malicious activity tied to these firms has targeted nationally significant organisations across the world.

Since at least 2021, the campaign has struck critical sectors across multiple countries, with a cluster of activity observed in the UK. The operations overlap with campaigns the cybersecurity industry tracks under the name Salt Typhoon. According to the advisory, the data stolen through these intrusions could give Chinese intelligence services the ability to monitor communications and movements of targets on a global scale.

What is Salt Typhoon?


Salt Typhoon is the name used by cybersecurity researchers to track a state-sponsored advanced persistent threat (APT) group linked to China, known for conducting long-running espionage campaigns.

Active since at least 2021, the group has targeted critical sectors worldwide, including government, telecommunications, transportation, lodging, and military infrastructure, by exploiting unpatched network devices like backbone and edge routers. Security agencies warn that Salt Typhoon’s operations enable Chinese intelligence services to steal sensitive data, maintain covert long-term access, and potentially track global communications and movements.

How are the APTs exploiting and breaching companies?


The APT actors exploit infrastructure such as virtual private servers (VPSs) and compromised intermediate routers that are not linked to publicly known botnets or obfuscation networks to target telecommunications and network service providers, including ISPs. They may compromise edge devices regardless of ownership, using these as pathways to reach core targets of interest. By leveraging compromised devices, trusted connections, or private interconnections, such as provider-to-provider or provider-to-customer links, the actors pivot into other networks.

In some cases, they modify routing, enable traffic mirroring through SPAN/RSPAN/ERSPAN so that copies of traffic are sent off the device, and configure GRE/IPsec tunnels and static routes that give them a persistent path back into the network. These actors frequently exploit large numbers of vulnerable, Internet-exposed devices across multiple IP addresses and may revisit systems for follow-on operations.
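The persistence artifacts described above all leave traces in a router's running configuration, so one practical check is to diff the config against what the operator expects to be there. The script below is an added example, not code from the advisory or the article: it parses a constructed Cisco IOS-style configuration and flags mirroring sessions, tunnel endpoints, IPsec peers and static routes whose far end is not in an assumed allowlist of known peers (`KNOWN_PEERS`, a placeholder for whatever inventory the operator actually keeps).

```python
"""Audit an IOS-style running-config for the persistence artifacts described
above: traffic-mirroring sessions (SPAN/RSPAN/ERSPAN), GRE/IPsec tunnel
endpoints and static routes that point at peers the operator does not
recognise. Added example; the config text below is constructed, not taken
from any real device."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: the operator keeps an allowlist of tunnel/route peers that are
# supposed to exist. Anything else that carries traffic off-box is a finding.
KNOWN_PEERS = {"198.51.100.1", "198.51.100.2"}


@dataclass
class Finding:
    kind: str      # mirror | tunnel | ipsec-peer | static-route
    line_no: int
    text: str


def _is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def _unknown_peer(hop: str) -> bool:
    """True for an IP address outside the allowlist, or a next hop via a tunnel."""
    if hop.lower().startswith("tunnel"):
        return True
    return _is_ip(hop) and hop not in KNOWN_PEERS


def audit_config(config: str) -> list[Finding]:
    findings: list[Finding] = []
    iface = None  # name of the interface block we are currently inside
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.rstrip()
        s = line.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            continue
        if s and not line.startswith(" "):
            iface = None  # any other top-level command ends the interface block
        # 1. Any mirroring session at all: SPAN, RSPAN and ERSPAN all start this way.
        if re.match(r"monitor session \d+ ", s):
            findings.append(Finding("mirror", n, s))
        # 2. Tunnel endpoints configured inside an "interface TunnelN" block.
        if iface and iface.lower().startswith("tunnel"):
            m = re.match(r"tunnel destination (\S+)", s)
            if m and _unknown_peer(m.group(1)):
                findings.append(Finding("tunnel", n, f"{iface}: {s}"))
        # 3. IPsec peers set in crypto maps.
        m = re.match(r"set peer (\S+)", s)
        if m and _unknown_peer(m.group(1)):
            findings.append(Finding("ipsec-peer", n, s))
        # 4. Static routes whose next hop is unknown or disappears into a tunnel.
        m = re.match(r"ip route (\S+) (\S+) (\S+)", s)
        if m and _unknown_peer(m.group(3)):
            findings.append(Finding("static-route", n, s))
    return findings


# Constructed sample: a provider-edge router with one legitimate default route
# and IPsec peer, plus an unexplained GRE tunnel, an ERSPAN session and a
# static route that sends customer space into that tunnel.
SAMPLE_CONFIG = """\
hostname pe-router-01
!
interface GigabitEthernet0/0
 ip address 198.51.100.10 255.255.255.0
!
interface Tunnel99
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0
 destination
  erspan-id 1
  ip address 203.0.113.77
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.20.0.0 255.255.0.0 Tunnel99
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3} [{f.kind}] {f.text}")
```

Run against the sample, the audit reports the Tunnel99 endpoint, the ERSPAN session and the static route into Tunnel99, while the allowlisted default route and IPsec peer stay quiet. In practice the allowlist is generated from the source of truth for peerings, and the audit runs on every config backup so that a new tunnel shows up the day it is created rather than when someone happens to read the config.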

Initial access vectors remain a critical information gap, and agencies encourage organizations to share compromise details with appropriate authorities to improve understanding and response efforts.

To maintain persistent access to target networks, the APT actors use a variety of techniques. Many of these techniques can obfuscate the actors’ source IP addresses in system logs, making their actions appear as if they originate from local IP addresses. Following initial access, the actors focus on protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to enable lateral movement across network devices. They often carry out this lateral movement through SNMP enumeration and SSH connections between devices, and from the devices they control they passively collect packet captures (PCAP) of traffic belonging to specific ISP customer networks.

To further support discovery and lateral movement within networks, the APT actors may enumerate authentication services (TACACS+ and Remote Authentication Dial-In User Service, RADIUS), SNMP Management Information Bases (MIBs), router interfaces, Resource Reservation Protocol (RSVP) sessions, Border Gateway Protocol (BGP) routes, installed software, and configuration files. These actions allow them to map network topology, identify critical assets, and maintain persistent access while remaining difficult to detect.
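The behaviour in the two paragraphs above (device-to-device SSH that looks local, SNMP enumeration, and commands that set up packet capture, mirroring, tunnels or AAA changes) is visible in ordinary router syslog if someone looks for it. The script below is an added example, not code from the advisory or the article: it runs three detections over constructed Cisco IOS-style syslog lines. The allowlists (`JUMP_HOSTS`, `INFRA_DEVICES`, `NMS_HOSTS`) are assumptions standing in for the operator's inventory.

```python
"""Run simple detections over router syslog for the post-access behaviour
described above: admin sessions that come from other network devices instead
of the jump hosts, SNMP requests from unsanctioned pollers, and logged
commands that set up packet capture, mirroring, tunnels or AAA/SNMP changes.
Added example; the log lines are constructed in Cisco IOS-like syslog format."""
import re
from collections import Counter

# Assumptions about the environment; a real deployment derives these from
# inventory rather than hard-coding them.
JUMP_HOSTS = {"10.10.0.5"}                 # where admins are expected to SSH from
INFRA_DEVICES = {"10.0.0.1", "10.0.0.2"}   # loopbacks of our own routers
NMS_HOSTS = {"10.10.0.20"}                 # sanctioned SNMP pollers

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (\S+)\] \[Source: ([\d.]+)\]")
SNMP_RE = re.compile(
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host ([\d.]+)")
CMD_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:(.*)$")

# Command prefixes that create the collection and persistence paths the
# advisory lists (compared case-insensitively).
SENSITIVE_CMD_PREFIXES = (
    "monitor capture", "monitor session", "interface tunnel", "tunnel destination",
    "ip route", "tacacs", "aaa ", "snmp-server", "crypto map",
)


def analyze(lines):
    """Return one alert dict per suspicious line, in log order."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            user, src = m.groups()
            if src in INFRA_DEVICES:
                # Router-to-router SSH: the "local" looking source the advisory warns about.
                alerts.append({"rule": "login-from-infra-device", "user": user, "value": src, "line": line})
            elif src not in JUMP_HOSTS:
                alerts.append({"rule": "login-from-unknown-host", "user": user, "value": src, "line": line})
            continue
        m = SNMP_RE.search(line)
        if m:
            # Failed SNMP requests from a host that is not a sanctioned poller
            # look like community-string guessing or enumeration.
            if m.group(1) not in NMS_HOSTS:
                alerts.append({"rule": "snmp-from-unknown-host", "user": None, "value": m.group(1), "line": line})
            continue
        m = CMD_RE.search(line)
        if m:
            user, cmd = m.group(1), m.group(2).strip().lower()
            if cmd.startswith(SENSITIVE_CMD_PREFIXES):
                alerts.append({"rule": "sensitive-command", "user": user, "value": cmd, "line": line})
    return alerts


def summarize(alerts):
    """Count alerts per rule, useful as the first line of a daily report."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample: a normal admin login, then a login from another router,
# a packet capture and a GRE tunnel being configured, a benign command, and
# SNMP probes from a router loopback and from the real NMS.
SAMPLE_LOG = """\
<189>Aug 27 10:01:02 pe-router-01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5] [localport: 22] at 10:01:02 UTC Wed Aug 27 2025
<189>Aug 27 10:05:11 pe-router-01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.2] [localport: 22] at 10:05:11 UTC Wed Aug 27 2025
<189>Aug 27 10:05:40 pe-router-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:monitor capture CAP interface GigabitEthernet0/0 both
<189>Aug 27 10:06:02 pe-router-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface Tunnel99
<189>Aug 27 10:06:03 pe-router-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:tunnel destination 203.0.113.77
<189>Aug 27 10:07:30 pe-router-01: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink to core
<187>Aug 27 10:09:15 pe-router-02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.0.0.1
<187>Aug 27 10:09:16 pe-router-02: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.0.20
"""

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['rule']:<24} user={a['user']} value={a['value']}")
    print(summarize(found))
```

The interesting alert in the sample is the first one: the login on pe-router-01 comes from 10.0.0.2, the loopback of a sibling router, with a valid admin account. Nothing about that session is malformed, which is exactly why it needs a rule rather than a threshold. Command logging (`archive` / `log config` on IOS) has to be enabled and shipped to a collector the router cannot reach over the management plane it serves, otherwise an actor with device access can simply turn it off.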

How to stay safe?


Keep systems updated – Regularly patch routers, servers, and software to close known vulnerabilities that attackers exploit.

Monitor network traffic – Use intrusion detection systems (IDS) and security monitoring tools to identify unusual activity or unauthorized access.

Segment networks – Limit lateral movement by isolating critical infrastructure from general networks.

Strong authentication – Implement multi-factor authentication (MFA) for administrative and remote access accounts.

Limit edge device exposure – Secure customer edge (CE) and provider edge (PE) devices, including routers and switches, and restrict their management services (SSH, SNMP, web interfaces) to dedicated management networks rather than the Internet, to prevent exploitation.

Audit and review logs – Regularly review system and network logs to detect anomalies or suspicious activities, in particular configuration changes that add tunnels, mirroring sessions or static routes, and administrative logins from unexpected sources.

Encrypt communications – Use VPNs, IPsec tunnels, or other encryption methods to protect data in transit. Encryption protects traffic crossing an untrusted path, not traffic mirrored from a router the actors already control, so it complements rather than replaces device hardening.

Vendor and supply chain security – Evaluate security practices of third-party providers to prevent attackers from pivoting through trusted connections.

Incident response plan – Have a clear plan to respond to breaches, including notifying authorities and isolating compromised systems.

Share threat intelligence – Collaborate with national cybersecurity centers or industry groups to stay informed about emerging threats.