Full Report
The FBI has issued a public appeal for information concerning an ongoing cyber campaign targeting US telecommunications infrastructure, attributed to actors affiliated with the People's Republic of China (PRC). This cyber operation, tracked under the moniker Salt Typhoon, has compromised networks at multiple US telecommunications companies and resulted in the theft of sensitive data. As the investigation continues, the FBI is calling on the public to help identify individuals involved in these malicious activities.

The Scope of the Salt Typhoon Campaign

The Salt Typhoon operation, which has been under investigation for several months, is part of a broader campaign by PRC-affiliated threat actors seeking to exploit vulnerabilities in critical US telecommunications infrastructure. The FBI's ongoing probe into these activities, officially marked under alert number I-042425-PSA, has revealed that attackers have gained access to vast amounts of data.

(Image: Source: FBI)

This includes call data logs, private communications involving government officials and political figures, and select information requested by US law enforcement through court orders. The investigation indicates a global scope, with the malicious actors potentially targeting individuals and organizations worldwide.

Previous FBI and Government Alerts on Salt Typhoon

The FBI has previously alerted the public to this threat with joint statements from the Cybersecurity and Infrastructure Security Agency (CISA) and other government agencies on October 25, 2024, and November 13, 2024. On December 3, 2024, a comprehensive guide titled Enhanced Visibility and Hardening Guidance for Communications Infrastructure was released, providing critical advice for telecommunications providers to upgrade defenses against PRC-affiliated cyber threats.

FBI's Ongoing Commitment to Disrupting Salt Typhoon

In response to this cybersecurity challenge, the FBI continues to work closely with industry partners and US government agencies to mitigate the damage caused by Salt Typhoon. As part of its efforts, the FBI is seeking specific information that could lead to the identification of the individuals responsible for this campaign. The agency urges those with knowledge of these activities to come forward and provide any relevant details.

Rewards for Justice Program: Up to $10 Million for Tips

In addition to the FBI's request, the U.S. Department of State's Rewards for Justice (RFJ) program is offering a reward of up to $10 million for information that leads to the identification of individuals linked to foreign government-directed cyberattacks on US critical infrastructure. This initiative highlights the US government's commitment to identifying and prosecuting those involved in cyber espionage and other malicious activities in violation of the Computer Fraud and Abuse Act (CFAA).

Data Theft and Espionage Linked to PRC-affiliated Hackers

The Salt Typhoon campaign has already been linked to several large-scale incidents where PRC-affiliated actors infiltrated commercial telecommunications infrastructure to steal data. The targets of this espionage effort have largely been individuals connected to government and political activities, though the full extent of the damage continues to unfold. The FBI and CISA have been providing technical assistance to affected companies, sharing information to help other potential victims protect themselves.

Strengthening Cyber Defenses in the Telecommunications Sector

The FBI is working alongside other international agencies to enhance the visibility and resilience of the global telecommunications sector. Notably, the US has also collaborated with agencies in Australia, Canada, and New Zealand, sharing insights into defensive measures and strengthening global cybersecurity efforts. These coordinated actions are aimed at reducing the vulnerability of critical telecommunications infrastructure worldwide to Salt Typhoon and other cyber threats. As of the latest updates, PRC-affiliated hackers have exploited pre-existing vulnerabilities in telecommunications infrastructure. Their ability to exploit these weaknesses underlines the importance of proactive network monitoring and the need for organizations to implement rigorous security measures. The FBI has urged telecommunications companies to closely scrutinize network configurations, monitor unusual behavior, and employ strong encryption methods to protect sensitive data from future compromises.

Conclusion

Organizations that suspect they have been targeted by Salt Typhoon or similar campaigns are urged to contact their local FBI field offices immediately. Individuals with information on the identities or activities of those behind Salt Typhoon can report their tips securely through the FBI’s Internet Crime Complaint Center (IC3) or the Rewards for Justice program’s secure channels. As the investigation continues, authorities emphasize the importance of ongoing collaboration between government agencies and the private sector to protect US telecommunications networks from further cyber threats.
Analysis Summary
# Incident Report: Salt Typhoon PRC Cyber Campaign Targeting Telecoms
## Executive Summary
The FBI issued an alert regarding the "Salt Typhoon" cyber campaign, attributed to actors linked to the People's Republic of China (PRC), which actively targets US telecommunications infrastructure. The attackers exploit pre-existing vulnerabilities in network configurations to gain unauthorized access. Response efforts involve international collaboration and urgency for telecommunication companies to enhance monitoring and implement strong encryption.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the FBI **issued an alert** on or around Friday, April 25, 2025.
- **Incident Date:** Ongoing threat/Campaign activity prior to the alert date.
- **Affected Organization:** US telecommunications infrastructure (individual companies are not named; the sector as a whole is the primary target).
- **Sector:** Telecommunications
- **Geography:** Primarily United States, with international collaboration partners (Australia, Canada, New Zealand).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing prior to April 25, 2025.
- **Vector:** Exploiting pre-existing **vulnerabilities** in telecommunications infrastructure configurations.
- **Details:** Attackers leveraged known weaknesses to gain initial footholds in critical network equipment.
### Lateral Movement
- *Details regarding specific internal lateral movement techniques were not provided in the summary.*
### Data Exfiltration/Impact
- The primary impact is the compromise of critical telecommunications infrastructure, which implies reconnaissance, persistence, or disruption capability; specific data exfiltration details were not provided in this excerpt.
### Detection & Response
- **How it was discovered:** Identified via intelligence gathered by the FBI and partner agencies.
- **Response actions taken:** The FBI issued a public alert. The US has collaborated with agencies in Australia, Canada, and New Zealand to share insights and coordinate defenses.
## Attack Methodology
- **Initial Access:** Exploitation of pre-existing vulnerabilities in network configurations.
- **Persistence:** *Not specified.*
- **Privilege Escalation:** *Not specified.*
- **Defense Evasion:** *Not specified.*
- **Credential Access:** *Not specified.*
- **Discovery:** *Implied internal reconnaissance following access.*
- **Lateral Movement:** *Not specified.*
- **Collection:** *Not specified.*
- **Exfiltration:** *Not specified.*
- **Impact:** Targeting and compromising critical telecommunications infrastructure.
## Impact Assessment
- **Financial:** *Not specified.*
- **Data Breach:** *Specific compromised data types/volumes not specified.*
- **Operational:** Threat to the integrity and security of critical US telecommunications infrastructure.
- **Reputational:** Impact on trust in telecommunication providers' security posture.
## Indicators of Compromise
- **Network indicators - defanged:** *None provided in the summary.*
- **File indicators:** *None provided in the summary.*
- **Behavioral indicators:** Unusual behavior in network configurations or device activity that would indicate exploitation; the alert urges monitoring for it.
## Response Actions
- **Containment measures:** Collaboration between international agencies (US, AU, CA, NZ).
- **Eradication steps:** Organizations urged to scrutinize network configurations and patch vulnerabilities.
- **Recovery actions:** Focus on hardening infrastructure against future attacks.
## Lessons Learned
- The persistence of PRC-affiliated actors in targeting critical infrastructure such as telecom networks.
- The severe risk posed by unpatched or misconfigured networking equipment.
- The vital necessity of proactive network monitoring.
## Recommendations
- Telecommunications companies must **closely scrutinize network configurations**.
- Organizations must **monitor for unusual behavior** across their infrastructure.
- Implement and employ **strong encryption methods** to protect sensitive data.
- Organizations suspecting compromise should **contact their local FBI field offices** immediately.