
2024: When China’s Salt Typhoon Made Cyberspace Tidal Waves

A view of the Treasury Building in Washington, D.C. The Chinese state actor known as Salt Typhoon is suspected to be behind a widespread cyberattack targeting the Department of the Treasury and other U.S. government entities in early December 2024. (Photo by Celal Gunes/Anadolu via Getty Images)

In 2024, experts at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) uncovered a highly sophisticated cyber espionage campaign that had infiltrated virtually all critical telecommunications infrastructure in the United States. The party behind these operations, Salt Typhoon, has been identified as a Chinese state-sponsored entity, and its cyber-offensive may be the most troubling and sophisticated of its kind to ever directly target the U.S. 

Among the most alarming aspects of these attacks is that Salt Typhoon managed to compromise the lawful wiretapping systems utilized by intelligence and law enforcement, originally designed to facilitate their investigations. By gaining access to these systems, Salt Typhoon has exfiltrated metadata and private communications of high-ranking officials, posing a direct threat to national security.  

Now, nearly a year after identification, Salt Typhoon’s campaign continues, having demonstrated a number of systemic vulnerabilities in U.S. telecommunications infrastructure – technological and legal – within the private and public sectors. It also leaves the administration of President Donald Trump with one of the greatest cybersecurity challenges of our time, a challenge that the administration seems to be progressively less capable of engaging as it continues to pursue its broader agenda of agency cuts and cultural shifts. 

While the administration has been rhetorically focused on U.S. competition with China, a number of its executive actions have ignited concerns within the cybersecurity and intelligence communities as to whether CISA and other federal entities are being sufficiently supported against this threat and others like it. 

Trump has issued several executive orders with the broad goals of targeting the efficiency or altering the character of these institutions, with little respect to the sensitivity of their taskings. Some of these decisions have directly impacted the work against Salt Typhoon, such as cutting the Cyber Safety Review Board (CSRB) responsible for handling the domestic response to the Salt Typhoon campaign.  

In a May 2 letter to the Senate Appropriations Committee, U.S. Office of Management and Budget Director Russell Vought stated that the administration is seeking a $491 million cut to CISA, with special emphasis on its election security and disinformation operations, cuts that are expounded upon in the Office of Management and Budget’s supplement to the FY2026 budget proposal. It proposes an elimination of 1,083 positions, bringing CISA down to a staff of 2,649. Among these are substantial cuts to CISA’s Integrated Operations Division and its regional teams, which have been at the forefront of the Salt Typhoon response. Other proposed cuts to critical functions have included a 73% reduction in funding to CISA’s National Risk Management Center. Other executive actions have generated instability and impacted systemic readiness, such as those affecting the Federal Communications Commission (FCC), the National Security Agency (NSA), and the FBI.  

While the final version of the One Big Beautiful Bill Act softened the proposed cuts to CISA to $135 million, the CISA workforce has been cut by nearly a third, and the scope of the agency has been reduced, leaving the U.S. more exposed to adversarial cyber threat actors. Similar trends have been seen at other agencies across the intelligence community that play a role in ensuring robust U.S. cybersecurity capabilities. Rebuilding this readiness will require restoring institutional capacity, overhauling lawful intercept infrastructure, enacting improved privacy measures, and investing in next-generation cybersecurity technologies. To thwart threat actors of Salt Typhoon’s capability, national cybersecurity infrastructure cannot become a casualty to partisanship. 

What Is Salt Typhoon? 

Salt Typhoon is the latest disclosed threat actor in what Microsoft’s Threat Intelligence Center (MSTIC) has identified as the “Typhoon” Family, a designation created in 2023. Microsoft’s “Typhoon” moniker refers specifically to cyber threat actors sponsored by the Chinese government. Typhoon is united by related TTPs (tactics, techniques, and procedures) and strategic objectives, such as cyberespionage, intellectual property theft, and infrastructure-targeting operations.  

While various vendors have given other designations to this group of threat actors, MSTIC’s has been the most comprehensive and the most widely adopted for communications within the industry. Other designations have included the infamous “GhostEmperor” by Russia’s Kaspersky Lab, which no longer has a relationship with the U.S. government, and “UNC2286” by Google’s Threat Intelligence Group.

The Typhoon family shares a number of TTPs, such as living off the land, wherein a threat actor will utilize tools and resources native to a target device or network as much as possible in order to avoid detection. The family typically targets supply chains by establishing persistence with service vendors rather than their targets. For this to work, they use a number of techniques to target high-level administrative and privileged accounts. This has been done through a number of zero-day exploits (vulnerabilities in systems that haven’t been disclosed to the vendors) and known but unpatched vulnerabilities. The Typhoons have also demonstrated their ability to develop and utilize their own sophisticated malware for these purposes. The end-state is typically to establish a consistent, undetected presence within the target’s network. Because of all of this, the Typhoons land in what’s defined as the most dangerous threat actor category: an Advanced Persistent Threat, or APT. 

The strategic focus of the Typhoon family of APTs typically revolves around three major pillars:  

  • Pre-conflict preparation, wherein the threat actor has persistent access to systems that it can use to carry out more acute cyberattacks in the event of armed conflict. In the case of Salt Typhoon, such access to critical infrastructure would allow Chinese operators to cause greater domestic havoc should such a conflict ever manifest. The telecommunications backdoors would provide them with invaluable intelligence, if they’d never been detected. 
  • Comprehensive intelligence collection, wherein the threat actor attempts to gain direct insight into various government services or (in Salt Typhoon’s case) surveillance apparatuses within telecommunications infrastructure.  
  • Economic competition, wherein the threat actor attempts to exfiltrate research and technology data from universities and various research and development operations. In Salt Typhoon’s case, this directly supports China’s industrial and military modernization ambitions. 

Some of Salt Typhoon’s fellow travelers have included Flax Typhoon, which is targeted at Taiwan’s government and tech sectors; Volt Typhoon, which is targeted at U.S. critical infrastructure; and others that have been targeted at scientific research. Several Typhoon family members have compromised logistical supply chains, maritime operations, and energy infrastructure worldwide. The Typhoons have been determined to be among the most competent families of threat actors ever publicly disclosed.  

Telecoms And Lawful Intercept Breach 

Salt Typhoon’s initial campaign targeted nine of the largest U.S. telecommunications providers and compromised systems that handle private communications, metadata, and surveillance operations. The attacks were not a singular breach but rather a prolonged infiltration effort in which Salt Typhoon successfully evaded detection with living-off-the-land techniques. 

The Salt Typhoon campaign’s compromise of U.S. telecommunications systems also led it to access lawful intercept systems. These systems, often simplified as “wiretaps,” are mandated under the CALEA (Communications Assistance for Law Enforcement Act) and enable real-time surveillance of communications traffic, allowing law enforcement and intelligence agencies to intercept calls, messages, and data. It also gave the group access to metadata such as network access locations, call durations, and device identifiers. Salt Typhoon would also have been able to monitor federal target selection lists. These systems are deeply embedded in phone carriers and internet service provider infrastructure. They’re often fragmented across legacy platforms, newer compliance tools, and third-party vendor integrations, which allows for numerous points of failure and an uneven attack surface. They’re also largely outside the cybersecurity governance structures applied to customer-facing systems, meaning they receive less scrutiny from regulatory bodies like the FCC. 

Attack Chain 


To gain initial access, Salt Typhoon utilized common spear phishing tactics and exploited vulnerabilities in public-facing endpoints. This included publicly known vulnerabilities in the Ivanti Connect Secure VPN, Fortinet’s FortiClient Endpoint Management Server, Sophos Firewall, and Microsoft Exchange. Because these were already publicly known in some capacity since 2021, it is likely the targeted systems were not fully patched.  

Once inside the network, Salt Typhoon established persistence using the Demodex rootkit and its own custom-built GhostSpider backdoor. These tools allowed the group to maintain access to the compromised systems even after system reboots.  

Salt Typhoon then was able to deploy more common commercial tools such as Cobalt Strike, which enables command-and-control within the target network, and PsExec, which makes for easier malware deployment. Both tools are quite common for both threat actors and legitimate cybersecurity penetration testers to establish lateral movement across patchworked and widely distributed systems. Once inside, Salt Typhoon’s operators then utilized the TrillClient malware to harvest sensitive credentials from browser caches and other storage areas, which the group then used to impersonate privileged users. 
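Because PsExec-style lateral movement leaves the same trace whether a threat actor or an authorized penetration tester is behind it, a practical detection starts from the Windows System log. The script below is an added example written for this article, not code from the original piece or from any vendor report; it runs over a few constructed event records (the host names and paths are invented) in a simplified JSON form. The two indicators it checks are well known: a service installed with the default name PSEXESVC, and a service binary whose image path points at a host’s ADMIN$ share, which is how PsExec-like tools stage their payload on the remote machine. Event ID 7045 is the standard “service installed” event; the helper names are this example’s own.

```python
"""Flag PsExec-style remote service installs in Windows System log records.

Constructed example: the records below are invented and stand in for
Event ID 7045 ("a service was installed") entries exported as one JSON
object per line. Field names follow the Windows event schema; values
are made up for illustration.
"""
import json
import re

# Constructed sample log: two suspicious installs, one ordinary vendor
# service, and one 7036 (service state change) event that must be ignored.
SAMPLE_LOG = r"""
{"EventID": 7045, "Computer": "host-01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 7045, "Computer": "host-02", "ServiceName": "VendorUpdate", "ImagePath": "C:\\Program Files\\Vendor\\svc.exe"}
{"EventID": 7045, "Computer": "host-03", "ServiceName": "abcdefg", "ImagePath": "\\\\host-03\\ADMIN$\\abcdefg.exe"}
{"EventID": 7036, "Computer": "host-01", "ServiceName": "PSEXESVC", "ImagePath": ""}
"""

# Default service name registered by Sysinternals PsExec.
DEFAULT_PSEXEC_NAME = re.compile(r"^psexesvc$", re.IGNORECASE)
# A service binary staged through the administrative share of a host.
ADMIN_SHARE_PATH = re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)


def parse_records(text):
    """Turn newline-delimited JSON into a list of event dictionaries."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def flag_service_installs(records):
    """Return a finding for each 7045 event that matches a PsExec-style indicator.

    Each finding lists every reason that fired, so an analyst can see
    whether the hit is the default tool name, the staging path, or both.
    """
    findings = []
    for rec in records:
        if rec.get("EventID") != 7045:
            continue  # only newly installed services are of interest here
        name = rec.get("ServiceName", "")
        path = rec.get("ImagePath", "")
        reasons = []
        if DEFAULT_PSEXEC_NAME.match(name):
            reasons.append("default PsExec service name")
        if ADMIN_SHARE_PATH.search(path):
            reasons.append("service binary staged via ADMIN$ share")
        if reasons:
            findings.append({
                "Computer": rec.get("Computer", "?"),
                "ServiceName": name,
                "ImagePath": path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in flag_service_installs(parse_records(SAMPLE_LOG)):
        print(finding["Computer"], finding["ServiceName"], "->", "; ".join(finding["reasons"]))
```

Run as-is, the script reports host-01 (default service name) and host-03 (binary staged on ADMIN$) and stays silent on the vendor service and the 7036 event. A hit is a triage lead, not a verdict: as the article notes, legitimate penetration testers and administrators use the same tool, so the finding should be correlated with the initiating account, the source host of the SMB session, and change-management records before escalation.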

For data collection and exfiltration, Salt Typhoon used a new variant of the NinjaCopy tool – common among APTs and ransomware operators – to bypass security mechanisms and extract sensitive system files.  

After data collection, the group exfiltrated the stolen archives via its internal command-and-control channels and uploaded files to anonymized file-sharing services. It also utilized the services’ internal proxy servers to disguise outbound traffic, forwarding data from compromised machines to external command-and-control servers. The amount of data stolen hasn’t been released but was described by FBI and CISA officials as “vast.” 

By gaining direct access to lawful intercept systems, Salt Typhoon was able to monitor, extract, and potentially manipulate highly sensitive surveillance data. This included lists of individuals under surveillance, both foreign and domestic, intercepted call content and text messages, and other data streams that might have transferred over the telecoms’ networks at the time. The group also was able to obtain network-level metadata, which would allow them to detail the communication patterns and habits of intelligence targets. 

This type of access presents a severe counterintelligence risk to the United States. Salt Typhoon not only could preemptively identify Chinese assets under U.S. surveillance but also could track dissidents, journalists, and foreign officials communicating with U.S. targets, thereby extending China’s surveillance reach into U.S. domestic operations. Utilizing coercive surveillance tactics on its own citizens and their relatives abroad is a known behavior of the Chinese intelligence services, and this would greatly expand on those services’ ability to conduct such operations. 

What makes this breach especially troubling is that it exploits systemic vulnerabilities that may force the U.S. to reimagine or rework lawful intercept systems from the ground up. These platforms often exist as patchwork systems cobbled together from legacy hardware, compliance add-ons, and third-party vendor tools, creating a fragmented and inconsistently secured environment. Many lawful intercept systems are managed separately from customer-facing platforms, meaning they fall outside of the more mature cybersecurity governance frameworks used to protect subscriber data. This segmentation, which might have been intended to isolate sensitive surveillance operations, instead created blind spots that allowed Salt Typhoon to operate undetected for extended periods. 

Regarding this infiltration’s persistence, sources have moved the potential timeline for Salt Typhoon’s formation as far back as 2019, with it broadly agreed that the group had been present in the telecoms’ networks since at least mid-2023. This would mean that it likely had no less than a year of access to these systems before any public disclosure of the incidents. 

The telecommunications and wiretap access that Salt Typhoon obtained in this campaign enabled the other incidents attributed to them. One of the most troubling and unique elements of the Salt Typhoon campaign is that its persistence model relied on having access to the supply chain on the most fundamental level: the internet service providers themselves. Given enough time, this access provides the group with data on just about any person or entity residing in the U.S. that it seeks to target. Data has been exfiltrated on over 1 million users, including senior U.S. officials.

Salt Typhoon’s successful infiltration indicates an underappreciated risk posed by lawful intercept infrastructure. While such infrastructure was originally intended to enhance law enforcement and intelligence capabilities, it’s now become a high-value target for hostile nation-states. It undermines ongoing intelligence operations and understandably raises privacy concerns for any U.S. citizen whose communications passed through affected networks. It’s imperative that such incidents prompt renewed discussion on the infrastructure of such a sprawling surveillance state. As public figures in the digital privacy community have argued, when engineers put legal backdoors into communications systems that are typically encrypted – even with the best of intentions – they still create openings where there shouldn’t be any. This argument is given even more weight in light of the more recent TeleMessage scandal, wherein a poorly modified version of the Signal encrypted messaging app exposed the sensitive communications of several high-ranking Trump administration officials. Backdoors and exceptions will inevitably increase an attack surface. 

A second major incident attributed to Salt Typhoon was a systemic compromise of the U.S. Department of the Treasury’s Departmental Offices network, which occurred in early 2024. This attack targeted sensitive systems involved in sanctioning and assets control, as well as the Committee on Foreign Investment in the U.S., which conducts national security reviews of foreign acquisitions. The attack also compromised the devices of former Treasury Secretary Janet Yellen, Deputy Secretary Wally Adeyemo, and Acting Undersecretary of the Treasury Brad Smith. Salt Typhoon gained initial access through a compromise of the BeyondTrust cloud service that was supporting the Treasury’s network. Impacted Treasury systems included the Office of Foreign Assets Control, where the group had access to sanctions enforcement systems that could give the Chinese government advance insight into sanctioned entities and U.S. economic strategies, ways of countering or nullifying economic pressures, and general counterintelligence information. This is invaluable intelligence in a trade war. 

In a third high-profile compromise, Salt Typhoon targeted the phones of both then-candidates Donald Trump and JD Vance, as well as staff for the campaign of former Vice President Kamala Harris. While the specifics are sparse, it’s been confirmed that some of the data stolen included call data from both campaigns and audio of Trump and Vance. 

Attribution and Background 

The discovery of Salt Typhoon’s activities was the result of collaborative efforts between private cybersecurity actors and CISA. The group’s existence and activities were publicly disclosed in late 2024. According to publicly available disclosures, attribution to China’s Ministry of State Security (MSS) was based on factors including the sophistication of the attacks, the nature of the targets, and the tools and techniques employed, which align with known MSS operations.  

Further supporting this attribution, the U.S. Treasury Department sanctioned Sichuan Juxinhe Network Technology Co., a Chinese cybersecurity company, for its direct involvement with Salt Typhoon. The Treasury Department described the company as having strong ties to the MSS. The U.S. also sanctioned Yin Kecheng, a Shanghai-based hacker affiliated with the MSS, allegedly for his role in the breach of the U.S. Treasury Department’s network. 

The MSS has been known to outsource to an extensive network of private companies and contractors to conduct cyber operations. This type of structure allows the Chinese government to obfuscate its involvement. These contractors, including Sichuan Juxinhe, are utilized to carry out cyberoperations abroad while providing plausible deniability. Some of these MSS cutouts also pose as university labs and research institutions. This degree of separation both dramatically slows attribution and insulates the government from some of the political fallout. Since attribution can never be 100 percent without explicit admissions from governments, having this layer of deniability is essential for a country that still seeks a broadly positive international reputation as China does. 

APT10 – Velvet Typhoon 

  • Cutout Organization: Huaying Haitai Science and Technology Development Co., Ltd. 
  • Details: 
    This firm was based in Tianjin and served as a direct contractor for the MSS’s Tianjin State Security Bureau. Two Chinese nationals, Zhu Hua and Zhang Shilong, were indicted by the U.S. Department of Justice in 2018 for conducting global cyberespionage under this company’s auspices. 
  • Activity: 
    Stole intellectual property and sensitive data from at least 45 tech and government entities worldwide, including in aviation, biotech, finance, and more. 

APT40 – Gingham Typhoon 

  • Cutout Organization: Hainan Xiandun Technology Development Co., Ltd. 
  • Details: 
    A front company operating in Hainan Province, tied directly to the MSS’s Hainan State Security Department. This firm was used to recruit and manage hackers under the guise of academic and commercial research. 
  • Indictments: 
    In 2021, four Chinese nationals associated with this company were indicted by the U.S. DOJ for attacks targeting maritime, defense, research institutions, and COVID-19 data. 
  • Activity: 
    The group focused heavily on strategic sectors such as naval research, satellite tech, and academia across 12+ countries. 

APT31 – Violet Typhoon 

  • Cutout Organization: Not definitively named, but suspected ties to Wuhan Xiaoruizhi Science and Technology Company and academic partnerships.  
  • Details: 
    Attribution here is murkier. While no formal indictment names a specific company, multiple security firms and intelligence sources (e.g., Recorded Future, Mandiant) suggest that APT31 works through a network of contractors and universities, particularly in Hubei Province. 
  • Activity: 
    Focuses on targeting political organizations, election infrastructure, and government agencies, notably in the U.S., Canada, and Europe. 
  • Notable Incident: 
    Attempted to exploit tools from the NSA’s Equation Group leaked by Shadow Brokers—showing sophistication and aggressive ops tempo. 

China has consistently denied involvement in cyberespionage activities, labeling such accusations as efforts to defame the nation. However, unofficially, U.S. officials claim that in a private meeting in December 2024 in Geneva, Chinese officials all but admitted to being responsible for the Volt Typhoon campaign, stating that, as assumed by security researchers, it was related to U.S. support for Taiwan. 

Policy Recommendations 

The U.S. government has responded to the Salt Typhoon campaign with limited public action, and the steps taken thus far reflect a fragmented and inconsistent approach. The most explicit action has been the Treasury Department’s sanctions. At the end of President Joe Biden’s term, the Federal Communications Commission also quietly implemented measures to better secure telecom infrastructure, but these efforts were left unsupported under the Trump administration. 

The institutional infrastructure to sustain these efforts, however, has been violently and irresponsibly uprooted. The most damaging policy decision was likely the abrupt termination of the Cyber Safety Review Board, which had been established to investigate major incidents and produce concrete recommendations to improve systemic resilience. Its elimination halted its investigation into Salt Typhoon and removed one of the few venues capable of cross-agency coordination at a time when such coordination is urgently needed. The budgetary cuts proposed to CISA, totaling nearly $500 million, will further erode coordination. Compounding this is the wave of politically motivated dismissals and budget cuts within the FBI, which disproportionately affected those working in cybersecurity and counterintelligence roles. The resulting loss of personnel has degraded both institutional memory and operational readiness, with the NSA experiencing similar leadership instability in the months following the transition. 

The CSRB or an entity in the same capacity should be reinstated, with statutory protections that shield it from executive interference and provide it with binding authority over federal cybersecurity incident reviews, similar to the National Transportation Safety Board. The CSRB’s insights are crucial for responding to Salt Typhoon, as well as anticipating similar future campaigns. That said, the administration has already attempted to target the NTSB and similar oversight positions as it conducts and supports hundreds of investigations worldwide. 

Simultaneously, the U.S. must confront the structural deficiencies in its lawful intercept infrastructure. This includes a root-level redesign of CALEA-mandated surveillance systems, ensuring they are isolated from general-purpose networks. They should be held to the same auditing standards as customer-facing platforms and subject to regular third-party security evaluations. This could be accomplished through a restored or refocused CISA Office of the Chief Technology Officer, in close coordination with the Cybersecurity Division and National Risk Management Center. In theory, they could fulfill a public sector function similar to how the FCC is tasked with handling the private sector. Without reform, these systems will remain persistent liabilities. Despite the proposed cuts, this makes the case for an increased role for CISA as a well-positioned organization. 

At the legislative level, there is growing pressure to pass a comprehensive federal privacy law that codifies end-to-end encryption and restricts the scope of lawful access in ways that minimize systemic exposure. While political will remains divided, such a measure would address the fundamental tension among privacy, security, and surveillance.  

In parallel, federal investment must be expanded into cybersecurity R&D, with emphasis on technologies like post-quantum encryption, advanced anomaly detection, and software supply chain validation tools. These are areas that offer high strategic value but have seen uneven support. 

Finally, the capacity of U.S. institutions to defend against nation-state cyber campaigns cannot be restored without rebuilding their talent pools. This means reversing the personnel purges at agencies like the FBI and NSA, stabilizing leadership, and enacting protections that ensure cybersecurity roles remain insulated from political retaliation. The creation of a semi-autonomous Compliance Office, akin to the structure of the Financial Industry Regulatory Authority, could further enable oversight of telecom providers, imposing uniform security standards across an industry that has long resisted accountability. 

Without such measures, the cycle of breach, disclosure, and half-measure response will continue, leaving U.S. systems increasingly vulnerable to adversaries that have already demonstrated the will and capability to exploit them. Making this cycle worse is the fact that it seems the current administration’s efforts to culturally bring the intelligence community to heel has now hamstrung its ability to address one of the greatest challenges in its history. 


The views expressed in this article are those of the author and not an official policy or position of New Lines Institute.
