Full Report
A top FBI cyber official said Salt Typhoon, the Chinese cyber espionage group behind the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to both America’s private and public sectors. Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, touted improved partnerships between the telecommunications industry and […] The post FBI: Threats from Salt Typhoon are ‘still very much ongoing’ appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
* **Actor Name:** Salt Typhoon
* **Country of Origin:** People’s Republic of China (PRC)
* **Identity:** Described by the FBI as a Chinese cyber espionage group and part of the broader "PRC intelligence apparatus."
* **Associated Groups:** Operates within the wider network of Chinese state-sponsored "enabling infrastructure" described by the FBI.
## Activity Summary
Salt Typhoon is responsible for a massive, persistent campaign discovered in 2024 that compromised major U.S. telecommunications infrastructure. As of February 2026, the FBI confirms that the group’s operations are "still very much ongoing." The campaign is characterized by broad, indiscriminate data collection and has successfully impacted entities in more than 80 countries.
## Tactics, Techniques & Procedures
* **Exploitation of Basic Vulnerabilities:** Rather than relying on high-end zero-days, the actor primarily exploits "basic" vulnerabilities and "lock the front door" security gaps, i.e. failures of fundamental hygiene.
* **Targeting Legacy Systems:** Frequent targeting of vulnerable legacy systems that lack modern security controls.
* **Phishing:** Utilization of phishing attacks as a primary initial access vector.
* **Exploitation of Network Architecture:** Taking advantage of patchwork consolidated networks and a lack of internal segmentation.
* **Persistent Access:** Establishing long-term, widespread access within telecommunications routing and administrative environments.
* **Indiscriminate Collection:** Following a "playbook" of broad access paired with wide-scale information gathering.
## Targeting
* **Sectors:**
  * **Telecommunications:** (Primary) Deep compromise of major telecom providers.
  * **Public Sector:** Government agencies and infrastructure.
  * **Private Sector:** Broad targeting of proprietary corporate information.
* **Geography:** Global (Impacted over 80 countries), with a heavy focus on the United States.
* **Victims:** AT&T and Verizon are named specifically (via the referenced Senate hearing context).
## Tools & Infrastructure
* **Malware & Exploits:** While the group uses zero-days occasionally, the article highlights a reliance on exploiting unpatched edge devices and common vulnerabilities.
* **Infrastructure:** Uses a vast "enabling infrastructure" to mask origins and maintain persistence across the global telecom footprint.
* **Defense Evasion:** Leverages weaknesses in "patchwork" consolidated networks to move laterally.
## Implications
* **Strategic Intelligence Loss:** The group has gained access to sensitive personal and proprietary information at a systemic level.
* **Systemic Risk:** The "indiscriminate" nature of their collection suggests a goal of total information dominance over communications traffic.
* **Ongoing Threat:** The actor has proven resilient; despite public disclosure and federal mitigation efforts, the threat remains active and adaptive.
## Mitigations
* **Fundamental Hygiene:** Implementation of "lock the door inside the house" strategies: moving beyond perimeter security to internal segmentation.
* **Zero Trust Architecture:** Moving away from implicit trust within networks to a verified access model.
* **Identity Management:** Implementing least-privilege access and robust identity protections to counter identity abuse.
* **Secure-by-Design:** Adopting systems that are inherently resistant to common exploitation.
* **Encryption:** Wide-scale implementation of end-to-end encryption to protect data even if the underlying transit network is compromised.
* **Edge Device Management:** CISA recommends decommissioning or strictly securing unsupported edge devices (routers, firewalls) that act as entry points.
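The last two mitigations above (internal segmentation and unsupported edge devices) are the ones a network owner can actually audit from inventory and firewall policy. The following is an added example written for this summary, not code from the FBI, CISA or CyberScoop: it runs two hygiene checks over a small constructed inventory and rule set (device names, addresses, dates and rule fields are all invented), flagging edge devices that are past vendor support or overdue for patching, and any management interface that a user segment can reach on SSH or HTTPS, which is the "flat, patchwork network" condition the TTPs describe. A hardened rule set is included beside the weak one to show the check passing.

```python
"""Hygiene checks for the mitigations listed above (added example).

Flags (1) unsupported or unpatched internet-facing edge devices and
(2) management planes reachable from user segments, i.e. missing internal
segmentation.  All inventory and rule data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import ipaddress


@dataclass
class Device:
    name: str
    role: str                      # "edge" (internet-facing) or "internal"
    mgmt_ip: str                   # address of the management interface
    end_of_support: Optional[date]  # None means the vendor still supports it
    last_patched: date


@dataclass
class AllowRule:
    src: str    # CIDR allowed to initiate the connection
    dst: str    # CIDR that becomes reachable
    port: int


# Constructed reference date for the checks (hypothetical).
TODAY = date(2026, 2, 20)

# Constructed inventory: one end-of-life border router, one current firewall,
# one internal jump host.
SAMPLE_DEVICES = [
    Device("border-rtr-1", "edge", "10.1.1.1", date(2023, 6, 30), date(2022, 11, 2)),
    Device("core-fw-1", "edge", "10.1.1.2", None, date(2026, 1, 15)),
    Device("oss-jump-1", "internal", "10.1.5.10", None, date(2026, 1, 20)),
]

# Weak policy: a "temporary" any-source SSH rule into the management range
# that was never removed, plus a user VLAN allowed straight to the jump host.
SAMPLE_RULES = [
    AllowRule("0.0.0.0/0", "10.1.0.0/16", 22),
    AllowRule("10.20.0.0/16", "10.1.5.0/24", 443),
    AllowRule("10.250.0.0/24", "10.1.0.0/16", 22),   # dedicated admin segment
]

# Hardened policy: only the dedicated admin segment reaches management planes.
HARDENED_RULES = [
    AllowRule("10.250.0.0/24", "10.1.0.0/16", 22),
    AllowRule("10.250.0.0/24", "10.1.5.0/24", 443),
]

USER_SEGMENTS = ["10.20.0.0/16", "10.30.0.0/16"]
MGMT_PORTS = (22, 443)


def check_edge_devices(devices: List[Device], today: date,
                       max_patch_age_days: int = 90) -> List[Tuple[str, str]]:
    """Edge devices past vendor support, or not patched within the window."""
    findings = []
    for d in devices:
        if d.role != "edge":
            continue
        if d.end_of_support is not None and d.end_of_support <= today:
            findings.append((d.name, "unsupported-edge-device"))
        if (today - d.last_patched).days > max_patch_age_days:
            findings.append((d.name, "edge-device-patch-overdue"))
    return findings


def check_segmentation(devices: List[Device], rules: List[AllowRule],
                       user_segments: List[str]) -> List[Tuple[str, str]]:
    """Management interfaces reachable on SSH/HTTPS from any user segment."""
    findings = []
    segments = [ipaddress.ip_network(s) for s in user_segments]
    for d in devices:
        mgmt = ipaddress.ip_address(d.mgmt_ip)
        for r in rules:
            if r.port not in MGMT_PORTS or mgmt not in ipaddress.ip_network(r.dst):
                continue
            src = ipaddress.ip_network(r.src)
            for seg in segments:
                if src.overlaps(seg):   # the rule admits traffic from that segment
                    findings.append((d.name, f"mgmt-reachable-from-{seg}:{r.port}"))
    return findings


if __name__ == "__main__":
    for f in check_edge_devices(SAMPLE_DEVICES, TODAY):
        print("EDGE     ", *f)
    for f in check_segmentation(SAMPLE_DEVICES, SAMPLE_RULES, USER_SEGMENTS):
        print("FLAT-NET ", *f)
    print("hardened policy findings:",
          check_segmentation(SAMPLE_DEVICES, HARDENED_RULES, USER_SEGMENTS))
```

Against the weak policy the any-source SSH rule alone makes every management address reachable from both user VLANs, which is why it produces most of the findings; removing it and confining management access to a dedicated admin segment clears the segmentation check entirely. In a real environment the inventory would come from the asset system and the rules from the firewall's exported policy, with vendor end-of-support dates filled in from the vendor's lifecycle notices.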