# Full Report
Satellite communications company Viasat is the latest victim of China's Salt Typhoon cyber-espionage group, which has previously hacked into the networks of multiple other telecom providers in the United States and worldwide. [...]
# Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Attributed to China; Salt Typhoon is assessed to be a Chinese state-sponsored hacking group. The group is known for long-term targeting of telecommunications infrastructure.
## Activity Summary
Salt Typhoon reportedly breached Viasat, a telecom giant. This activity is part of a broader, sustained campaign that began at least in 2019. In October, the group was reported to have breached multiple U.S. telecom providers, including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream, as part of a campaign affecting companies in dozens of countries. In the course of compromising these U.S. telecom networks, the actors gained access to the U.S. law enforcement wiretapping platform and accessed the "private communications" of a limited number of U.S. government officials. In early 2025, NSA and CISA officials suggested that Comcast and Digital Realty were also potentially compromised. The group remained actively engaged in targeting telecoms globally between December 2024 and January 2025.
## Tactics, Techniques & Procedures
- Breaching telecommunications providers globally.
- Exploiting unpatched Cisco IOS XE network devices to breach telecoms (December 2024 to January 2025).
- Accessing sensitive platforms like the U.S. law enforcement's wiretapping infrastructure.
## Targeting
- Sectors: Telecommunications, Government (via access to law enforcement platforms).
- Geography: Global; the reporting specifically names U.S. providers (Viasat, AT&T, Verizon, Lumen, Charter, Consolidated, Windstream, Comcast) as well as companies in "dozens of countries."
- Victims: Viasat, AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, Windstream, potentially Comcast and Digital Realty.
## Tools & Infrastructure
- Malware families used: Not explicitly detailed.
- Infrastructure (C2, domains, IPs): Not explicitly detailed, but noted use of compromised telecom infrastructure as a pivot point.
## Implications
Salt Typhoon displays a sustained, strategic focus on compromising global telecommunications infrastructure. This access not only allows for espionage against corporate entities but, critically, enables surveillance of U.S. government officials' communications via law enforcement backends, indicating a high-priority intelligence collection mandate. The reliance on unpatched vulnerabilities (such as those in Cisco IOS XE devices) suggests opportunistic exploitation of known weaknesses to achieve long-term persistence.
## Mitigations
- Immediately prioritize patching and remediation for known vulnerabilities, especially on network infrastructure such as Cisco IOS XE devices.
- Enhance monitoring and segmentation of sensitive internal platforms, particularly those interfacing with government or law enforcement systems (e.g., wiretapping platforms).
- Conduct rigorous threat hunting within telecommunications environments targeting long-term persistence mechanisms typical of state-sponsored actors.