
Chinese-backed Salt Typhoon tops list of international threats in latest cybersecurity advisory - Cybernews

Cybernews Archived Mar 17, 2026 ✓ Full text saved



A new joint cybersecurity advisory (CSA) released on Wednesday by over a dozen international law enforcement organizations exposes the inner workings of Beijing-backed threat groups, with Salt Typhoon topping the list.

Key takeaways:
Global advisory warns China-backed Salt Typhoon continues to target telecoms and critical infrastructure worldwide.
The report links three Chinese companies to supplying resources and intelligence to carry out attacks.
Experts caution that Salt Typhoon remains a major, ongoing threat, urging organizations to adopt the CSA’s mitigation guidelines to detect and evict intrusions.

The CSA, titled “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” aims to provide organizations with the specific tactics, techniques, and procedures (TTPs) used by the nation-state threat groups and proactive steps they can take to harden systems.

“These recommendations are especially important for network defenders of telecommunications and critical infrastructure organizations to discover unknown intrusions and prevent undetected malicious activity on their network,” the CSA states.

“The report accuses three Chinese organizations of providing Salt Typhoon with resources and intelligence to conduct attacks on critical global infrastructure,” said Pete Luban, Field CISO at AttackIQ.

“An Avengers-level threat”

Luban calls Salt Typhoon “an Avengers-level threat,” having shown the ability to disrupt key systems while remaining undetected. He points out that “with the backing of three notable Chinese organizations, they only get more dangerous, and their breadth for potential attacks widens dramatically,” adding that the group remained active in 2025, causing further disruptions to telecommunications systems.
The broad international coalition behind the advisory comprises multiple cybersecurity and intelligence agencies, including those of the US, Australia, Britain, Canada, and New Zealand, all members of the "Five Eyes" intelligence alliance.

[Image: Joint international cybersecurity advisory released on August 27th, 2025, “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System.” Image by US National Security Agency/Central Security Service.]

Other nations signing off on the CSA include Germany, Italy, the Netherlands, Japan, the Czech Republic, Finland, Spain, and Poland.

The advisory identifies several advanced persistent threat (APT) actors sponsored by the Chinese government, many with overlapping targets of interest, attack pathways, and other TTPs used for “initial exploitation, persistence, lateral movement, collection, and exfiltration.”

The five threat groups singled out in the advisory – Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor – are said to be the most notable (and active) groups tracked by the cybersecurity intel community, which often uses its own naming conventions to label the same APTs, and are assumed to be one and the same.

Chinese state-sponsored actors are targeting global telecommunications and other critical infrastructure orgs. We’ve joined others worldwide to call these actors out and publish hunting & mitigation guidance to reduce this ongoing threat. https://t.co/saq1a0sT8o
NSA Cyber (@NSACyber), August 27, 2025

The threat actors are said to have found “considerable success” repeatedly exploiting publicly known common vulnerabilities and exposures (CVEs) as well as other avoidable system weaknesses.

The APTs have been observed targeting various networks worldwide with a penchant for going after telecommunications, government, transportation, lodging, and military infrastructure networks, the CSA said.
Luban says at-risk organizations and security teams, “particularly those in the telecommunications industry, should familiarize themselves with Salt Typhoon’s common attack tactics and techniques to understand where actors would target their defenses and patch vulnerabilities before exploitation can occur.”

“While these actors focus on large backbone routers of major telecommunications providers, and provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” the CSA said.

The CSA also noted that the Chinese nation-state threat actors often modify routers to maintain persistent and long-term access to networks.

“When threat hunting, the authoring agencies advise that organizations gain a full understanding of the APT actors’ accesses before implementing visible incident response and mitigation actions to maximize the chance of achieving full eviction from compromised networks,” the advisory states.

Three Chinese companies named

The 37-page report explicitly calls out three Chinese companies over the alleged hacking activity tied to the APTs.

“Salt Typhoon’s ties to major Chinese corporations put its scale and success into sharper focus. However, the true shock has always been the sheer scope of their operations,” said Nick Tausek, Lead Security Automation Architect at Swimlane.

The three firms (listed below) are accused of providing "cyber-related products and services to China's intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security."
Sichuan Juxinhe Network Technology
Beijing Huanyu Tianqiong Information Technology
Sichuan Zhixin Ruijie Network Technology

“Salt Typhoon targeting over 600 organizations across 80 countries in 2024 alone required an extreme amount of inside knowledge and resources,” Tausek said, adding that having corporate backing explains how the group was able to conduct these operations as successfully as they did.

To note, Beijing regularly denies its involvement in cyber-espionage activity.

In January, the US Treasury sanctioned Sichuan Juxinhe for a direct connection with Salt Typhoon and its espionage campaign against nine US telecoms in the lead-up to the 2024 US presidential elections, even tapping into the email accounts of Trump campaign staffers.

Besides US firms AT&T, Lumen Technologies, Verizon, and Viasat, in 2024, Salt Typhoon was also blamed for hacking the US Treasury and the US National Guard – in which Luban pointed out they remained “undetected for nearly a year, stealing sensitive military and law enforcement data.”

In the alleged year-long US Treasury hack, the Chinese hackers gained unauthorized access to the laptops of senior White House officials, and subsequently, the email accounts of about 100 bank regulators.

Since then, more than a dozen Chinese nationals have been indicted by the US Department of Justice in connection with the telecom attacks, and individual and corporate sanctions have been imposed by the Treasury’s Office of Foreign Assets Control (OFAC).

The other two firms, Beijing Huanyu Tianqiong and Sichuan Zhixin Ruijie, were both allegedly hit by recent and so far unexplained data leaks, according to Reuters.

Unfortunately, Tausek says just because we understand how it happened doesn’t mean the threat is now gone. “Salt Typhoon is still just as dangerous as ever, and companies need to be prepared,” he said.
“Organizations should follow the guidelines set by the NSA and gain a full understanding of the APT actors’ accesses before implementing visible incident response and mitigation actions to maximize the chance of achieving full eviction from compromised networks,” he said.

The US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Defense Cyber Crime Center (DC3) were all involved in the effort.