US Cyber Defense Agency Was Not Initially Aware of Hackers Involved in Salt Typhoon
The initial indication of a breach of American telecommunications infrastructure by Chinese hackers came from telemetry data detected within U.S. government networks. This crucial information enabled threat hunters from the Cybersecurity and Infrastructure Security Agency (CISA) to swiftly extend technical support to the private sector, as confirmed by CISA Director Jen Easterly.
Currently, both the telecommunications industry and federal entities are engaged in an ongoing effort to eradicate the threat actor known as Salt Typhoon from domestic networks. This campaign became publicly acknowledged shortly before the November 2024 elections, with reports highlighting that specific individuals, including President-elect Donald Trump, were among the targets. Active since August 2019, Salt Typhoon has been a persistent threat, although major telecom providers like Verizon and AT&T reported significant progress in eliminating the intrusion.
“We recognized anomalies before we fully identified them as stemming from Salt Typhoon,” Easterly stated during a recent event hosted by the Foundation for Defense of Democracies. Access to copies of data stored on virtual private servers helped CISA and law enforcement uncover the broader scope of the Salt Typhoon incidents.
Despite ongoing efforts, CISA has refrained from disclosing a timeline for a complete resolution of the Salt Typhoon threat within telecom infrastructures. During the same event, Easterly emphasized that foreign adversaries, particularly from China, remain vigorously focused on threatening critical U.S. infrastructure. Officials have indicated that although Salt Typhoon hackers have infiltrated networks, they have not compromised classified information.
“While we’ve effectively dismantled numerous Chinese intrusions across critical sectors, we are aware that our findings may represent only a fraction of a much larger issue,” Easterly noted in a blog post on CISA’s website. Intrusions of this kind typically rely on tactics catalogued in the MITRE ATT&CK framework, such as initial access through phishing or exploitation of vulnerabilities in network infrastructure, though the specific tactics used in this campaign are not detailed here.
In response to the evolving threat landscape, CISA issued guidance in December encouraging high-ranking officials to utilize encrypted communication and improved mobile security measures. This guidance included tailored recommendations for iPhone and Android users aimed at mitigating potential vulnerabilities. The agency has also published enhanced visibility and security protocols for communications networks, offering insight to network vendors confronting persistent cyber threats.
“The threats posed by the People’s Republic of China are both real and persistent, and they will likely continue to evolve throughout 2025 and beyond,” Easterly stated in her official remarks. She emphasized, however, that these threats are not insurmountable, encouraging ongoing vigilance and proactive measures to bolster cyber defenses across the affected sectors.