Salt Typhoon is behind one of the broadest hacking campaigns in recent years, targeting some of the world’s largest phone and internet companies and stealing tens of millions of phone records, including those of senior government officials.
The hacking group, widely attributed to China, is part of a wider cluster of cyber groups believed to be working toward helping China prepare for a potential future conflict involving Taiwan, according to cybersecurity researchers. U.S. officials have described a possible invasion of Taiwan as an “epoch-defining threat.”
Much of Salt Typhoon’s activity focuses on infiltrating telecommunications infrastructure. The group reportedly compromises Cisco routers at the edge of company networks and uses that foothold to move into the telecom providers’ internal systems. In some cases the hackers have also taken control of the lawful-intercept systems that U.S. telecom companies are required to operate under the Communications Assistance for Law Enforcement Act (CALEA) so that law enforcement, with legal authorization, can monitor calls and messages. Compromising those systems handed the attackers the same interception capability the systems exist to provide.
While Salt Typhoon concentrates on telecom networks, other China-linked groups are also active. Volt Typhoon has been observed pre-positioning within critical infrastructure systems to enable potentially destructive cyberattacks in the future, while Flax Typhoon operates large botnets made up of hijacked internet-connected devices to disguise malicious traffic.
Salt Typhoon, however, stands out as one of the most prolific cyber-espionage groups in recent years.
The breaches allowed attackers to obtain call records, text messages, and in some cases captured phone audio belonging to senior U.S. officials, many of whom were reportedly considered intelligence targets of interest. Because of the risk of eavesdropping by foreign adversaries, the FBI urged Americans to switch to end-to-end encrypted messaging applications. That advice has a limit worth noting: end-to-end encryption protects the content of calls and messages from a compromised carrier, but not the call records (who contacted whom, when, and for how long) that the carrier itself generates, and that metadata is exactly what Salt Typhoon stole.
According to U.S. officials, the campaign has affected at least 200 organizations globally, with the list of impacted countries continuing to grow.
United States
Several major American telecom companies were confirmed victims of the campaign, including AT&T and Verizon. Internet provider CenturyLink (now Lumen) was also compromised. T-Mobile said it was targeted but reported that attackers did not gain access to customers’ calls, texts, or voicemails.
Satellite communications company Viasat was also breached, giving hackers access to tools used by law enforcement to access communications.
Other affected providers include Charter Communications (Spectrum), Windstream, and fiber network operator Consolidated Communications.
Reports also indicate that Salt Typhoon compromised the network of a U.S. state’s National Guard unit, potentially giving attackers access to data and connections reaching other states and territories.
North and South America
Security researchers from Recorded Future observed Salt Typhoon targeting Cisco devices associated with universities in Argentina and Mexico.
The Canadian government confirmed that several major telecommunications companies were hacked as part of the campaign. Authorities also reported that Cisco routers within one telecom provider were compromised to steal company data.
Canadian officials warned that targeting extended beyond telecommunications into other industries as well.
Trend Micro researchers have also identified Salt Typhoon activity in Brazil.
Asia, Africa, and Oceania
Recorded Future observed attacks on a telecom provider in Myanmar called Mytel through compromised Cisco routers. The researchers also saw activity involving a telecommunications provider in South Africa.
University routers in Bangladesh, Indonesia, Malaysia, and Thailand were also targeted.
Japan has warned of the potential threat posed by Salt Typhoon to its networks.
Governments in Australia and New Zealand have confirmed observing Salt Typhoon activity affecting telecom and critical infrastructure sectors. New Zealand reported additional activity targeting government agencies as well as transportation, lodging, and military infrastructure networks.
Trend Micro also identified at least 20 compromised organizations across telecom, consulting, chemical, and transportation industries, as well as government agencies and nonprofits in several countries including Afghanistan, Eswatini, India, Taiwan, and the Philippines.
Europe
The United Kingdom government confirmed detecting a cluster of Salt Typhoon activity across the country. Reports suggest that phone records belonging to senior government staff may have been accessed.
Norway also confirmed that several organizations were hacked.
Authorities in the Netherlands reported that several smaller internet providers and web hosting companies were targeted. Attackers gained access to routers, though internal networks were not breached.
An internet provider in Italy was also compromised.
Czech cybersecurity officials say incidents linked to Salt Typhoon have also been observed in Finland and Poland.