Salt Typhoon espionage campaign revealed through global cybersecurity advisory

A joint cybersecurity advisory details how Salt Typhoon exploited unpatched network-edge devices to infiltrate telecommunications, military and government systems across 13 countries.
Cloudflare blocked a DDoS attack that sent 38TB of traffic in 45 seconds, the largest ever recorded, using mostly UDP packets from infected devices.

Intelligence and cybersecurity agencies from 13 countries, including the NSA, CISA, the UK’s NCSC and Canada’s CSIS, have jointly issued an advisory on Salt Typhoon, a Chinese state-sponsored advanced persistent threat group.

The alert highlights global intrusions into telecommunications, military, government, transport and lodging sectors.

Salt Typhoon has exploited known, unpatched vulnerabilities in network-edge appliances, such as routers and firewalls, to gain initial access. Once inside, it covertly embeds malware and employs living-off-the-land tools for persistence and data exfiltration.

The advisory also warns that stolen data from compromised ISPs can help intelligence services track global communications and movements.

It pinpoints three Chinese companies with links to the Ministry of State Security and the People’s Liberation Army as central to Salt Typhoon’s operations.

Defensive guidelines accompany the advisory, urging organisations to apply urgent firmware patches, monitor for abnormal network activity, verify firmware integrity and tighten device configurations, especially for telecom infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!