China's Salt Typhoon still has access to essential networks, contrary to popular belief

13 Governments Issue Warnings Over Persisting Unpleasant Situations

China's Salt Typhoon apparently remains active on crucial networks despite earlier assumptions of its removal

In a joint effort to safeguard global digital security, a coalition of government agencies and cybersecurity firms from around the world has issued a security alert regarding the escalated cyberespionage activities of the complex Chinese APT group known as Salt Typhoon.

The hackers, who have a unique advantage due to their familiarity with telecommunications systems, have targeted more than 600 organizations across 80 countries. The campaign, which has been ongoing since late last year, has extended beyond American telecommunications and federal networks, affecting organizations worldwide.

The first reports of Salt Typhoon's activities were made by CrowdStrike late last week. Since then, CrowdStrike researchers have documented over a dozen cases of hacking activity attributed to Salt Typhoon, also known as Murky Panda, since late spring.

The targeted sectors include telecommunications, government, transportation, lodging, and military infrastructure networks. The hackers have been conducting a significant cyber espionage campaign, aiming to geo-locate millions of subscribers, monitor their internet traffic, and record their phone calls.

The international coalition, which includes the US's FBI, CISA, National Security Agency, and Department of Defense Cyber Crime Center, as well as agencies from the UK, Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain, called out three China-based entities affiliated with Salt Typhoon - Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology.

The joint advisory includes indicators of compromise associated with Chinese government spies seen as recently as June. It also lists CVEs that Salt Typhoon commonly exploits to gain initial access, including CVE-2024-21887, CVE-2024-3400, CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171.

While Salt Typhoon has had no known successful activities in Germany as of August 2025, preventive measures and technical guidance have been issued to detect and mitigate potential attacks. The German Federal Office for Information Security (BSI) has also warned that the cyberespionage activities of Salt Typhoon have been targeting the hospitality and transportation sectors, which could be used to closely surveil individuals.

In response to the ongoing campaign, Google's Mandiant incident response team has been part of the clean-up crew called in to help telco companies globally rid their networks of Salt Typhoon. The coalition urges all affected organizations to take immediate action to secure their networks and protect their data from potential attacks.