FBI: China‑linked “Salt Typhoon” breached at least 200 U.S. companies in a sweeping telecom spy campaign

International Desk — August 28, 2025
U.S. and allied authorities say a China‑backed hacking operation dubbed “Salt Typhoon” has grown into one of the most far‑reaching espionage campaigns of the past decade, compromising at least 200 American organizations and claiming victims in 80 countries. The newly public scope comes via a joint advisory led by the FBI and partner agencies, and follows months of work to uproot intrusions first found inside major U.S. telecom networks. Investigators say the operation exposed sensitive metadata at scale, raising fresh alarms about how phone‑network access can be used to track who talks to whom—and when. (Sources: The Washington Post, TechCrunch)
Officials say the attackers penetrated deep into communications carriers, siphoning call records and, in some instances, even accessing law‑enforcement directives used to obtain data under court order. That let the operators sketch detailed maps of social links around high‑profile U.S. figures, according to the FBI’s top cyber official, Brett Leatherman. The bureau characterizes the campaign as exceeding accepted norms for digital spying, both in scale and in its indiscriminate reach into sectors far beyond telecom. (Source: The Washington Post)
Alongside the technical warning, the U.S. and a broad international coalition publicly pointed to three Chinese companies—Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology—as commercial players enabling state intelligence services. Earlier this year, the U.S. Treasury sanctioned Sichuan Juxinhe, describing “direct involvement” with Salt Typhoon and its compromises at American telecom and internet providers. Beijing typically denies state‑directed hacking; the companies could not be immediately reached for comment. (Sources: Reuters, U.S. Department of the Treasury)
What makes the advisory notable is the size and make‑up of the signatories. Beyond the U.S. and its “Five Eyes” partners, agencies from Germany, Italy, Japan, the Netherlands, Poland, Spain, Finland and the Czech Republic co‑signed the alert—an unusually wide front intended to show unity and to help defenders root out the intrusions. The coalition’s guidance walks through tactics, indicators of compromise and concrete steps to evict the attackers from carrier‑grade routers and adjacent networks. (Source: U.S. Department of Defense)
The technical picture is sobering but clear. Investigators say Salt Typhoon focused on large backbone and edge routers inside major providers, then used “living off the land” techniques and trusted interconnections to pivot into adjacent networks. The joint advisory emphasizes that the group has largely relied on known, already‑patched vulnerabilities—not zero‑days—across widely deployed devices, citing publicly disclosed flaws in Ivanti Connect Secure, Palo Alto Networks PAN‑OS, and Cisco IOS XE among others. Persistence came from hands‑on changes to the devices’ own configuration: edits to access‑control lists, SSH and SFTP services enabled on non‑standard ports, and, in some cases, network traffic mirrored so it could be collected and exfiltrated. For defenders, the message is blunt: patch aggressively at the edge, and hunt for quiet, long‑lived footholds rather than assuming a patched device is a clean one. (Source: U.S. Department of Defense)
The public now has a better sense of the campaign’s scale. Before today’s numbers, officials had acknowledged intrusions at nine U.S. telecom and internet providers, with carriers such as AT&T, Verizon, Lumen, Charter, and Windstream named in earlier reporting. With the FBI confirming at least 200 breached U.S. companies and activity spreading across dozens of countries and industries—including lodging and transportation—the story has moved beyond a single sector into a years‑long program of strategic collection. (Source: TechCrunch)
The government’s advice to the public has also shifted in tone. After acknowledging that phone‑network metadata and even some content could have been exposed during periods of the campaign, U.S. officials urged Americans last winter to prefer end‑to‑end encrypted messengers for sensitive conversations instead of standard SMS or unencrypted calls. It was a striking recommendation from agencies that have often sparred with tech firms over encryption, and it underlines how telecom‑layer access changes the threat model for everyday communications. (Source: The Verge)
Policy ramifications are already visible. Washington’s latest advisory names private Chinese firms that, officials say, sell services into a government‑run intelligence ecosystem touching both the Ministry of State Security and the People’s Liberation Army. That mirrors Treasury’s sanctions on Sichuan Juxinhe and a Shanghai‑based hacker, moves meant to impose financial and reputational costs while signaling that governments are ready to treat commercial contractors as part of the state’s offensive apparatus. Expect more joint actions if additional suppliers are identified. (Sources: Reuters, U.S. Department of the Treasury)
For security teams, the technical annex is the must‑read. It includes mappings to MITRE ATT&CK, case studies of router compromises, indicators for traffic tunneling and port‑mirroring, and a prioritized list of edge‑device CVEs to review. The authors stress basics—harden management interfaces, monitor configuration drift, log at sufficient depth on network gear, and validate firmware integrity. The companion resources also tie Salt Typhoon to overlapping industry labels (OPERATOR PANDA, RedMike, UNC5807, GhostEmperor), helping analysts correlate historic sightings. (Source: U.S. Department of Defense)
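The persistence techniques described above (access‑list edits, SSH and SFTP on non‑standard ports, tunnels, traffic mirroring, new accounts) and the annex’s advice to monitor configuration drift suggest the kind of hunt a carrier can script against its own routers. What follows is an added example, not code from the advisory, the FBI, or any vendor: it diffs a constructed Cisco IOS‑style baseline against a constructed “current” running config and flags additions that match indicator patterns of this example’s own devising. The hostname, usernames, addresses, config lines and regexes are all assumptions made for illustration, not published indicators of compromise.

```python
"""Config-drift hunt for a carrier edge router (added example, not from the advisory).

Diff a known-good baseline against the current running config and flag added
lines that resemble the persistence techniques the advisory describes: ACL
edits, SSH on a non-standard port, new local users, tunnel interfaces and
SPAN/ERSPAN mirroring. Removed lines that weaken a control are flagged too.
Both configs are constructed in Cisco IOS style; the patterns are assumptions.
"""
import difflib
import re

# Assumed, illustrative indicator patterns. First match wins.
INDICATORS = [
    ("ssh-nonstandard-port", re.compile(r"^ip ssh port \d+")),
    ("new-local-user",       re.compile(r"^username \S+")),
    ("acl-change",           re.compile(r"^\s*(permit|deny)\s")),
    ("new-vty-lines",        re.compile(r"^line vty ")),
    ("vty-rotary",           re.compile(r"^\s*rotary \d+")),
    ("vty-transport-change", re.compile(r"^\s*transport input ")),
    ("tunnel-interface",     re.compile(r"^interface Tunnel\d+")),
    ("tunnel-config",        re.compile(r"^\s*tunnel (source|destination|mode) ")),
    ("traffic-mirror",       re.compile(r"^monitor session \d+|^\s*erspan-id \d+")),
]
# A removed line matching this weakened a control (assumed pattern).
REMOVED_CONTROL = re.compile(r"access-class|deny|transport input|logging")

# Constructed known-good baseline; not a real device.
BASELINE = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 5 $1$salt$redacted
ip ssh version 2
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
 deny any log
!
line vty 0 4
 transport input ssh
 access-class MGMT in
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
"""

# Constructed "current" running config carrying several indicators.
CURRENT = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 5 $1$salt$redacted
username support privilege 15 secret 5 $1$salt$redacted2
ip ssh version 2
ip ssh port 57722 rotary 1
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
 permit 198.51.100.0 0.0.0.255
!
line vty 0 4
 transport input ssh
 access-class MGMT in
line vty 5 15
 rotary 1
 transport input ssh
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.9
!
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0
 destination
  erspan-id 1
  ip address 198.51.100.9
"""


def _normalize(text):
    """Drop blank lines and IOS '!' separators; keep indentation, it is semantic."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def diff_config(baseline, current):
    """Return (added, removed) config lines, order preserved."""
    a, b = _normalize(baseline), _normalize(current)
    added, removed = [], []
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(a[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(b[j1:j2])
    return added, removed


def classify(line):
    """Name of the first indicator pattern the line matches, else None."""
    for name, pat in INDICATORS:
        if pat.search(line):
            return name
    return None


def hunt(baseline, current):
    """Drift report: classified additions, unclassified additions, removed controls."""
    added, removed = diff_config(baseline, current)
    report = {"suspicious_additions": [], "unclassified_additions": [], "removed_controls": []}
    for line in added:
        name = classify(line)
        if name:
            report["suspicious_additions"].append((name, line.strip()))
        else:
            report["unclassified_additions"].append(line.strip())
    report["removed_controls"] = [ln.strip() for ln in removed if REMOVED_CONTROL.search(ln)]
    return report


if __name__ == "__main__":
    r = hunt(BASELINE, CURRENT)
    for name, line in r["suspicious_additions"]:
        print(f"[{name:22}] {line}")
    for line in r["removed_controls"]:
        print(f"[removed-control       ] {line}")
    for line in r["unclassified_additions"]:
        print(f"[review                ] {line}")
```

Run as a script to print the report, or call hunt() on a schedule against configs pulled over the management path and compare every device against its last approved baseline. Two caveats a practitioner will want: a line‑level diff only sees what the running config shows, so pair it with a startup‑config comparison and the firmware‑integrity checks the annex calls for; and these patterns are deliberately broad, so tune them to the platform’s real syntax and suppress legitimate change windows before alerting on them.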
China’s government has long rejected accusations of state‑sponsored hacking. But the breadth of this week’s disclosure—and the unusual number of countries speaking with one voice—suggests a different phase of response is underway. Intelligence officials say the threat is ongoing and warn that some backdoors may survive first‑pass remediation, with attackers relying on cached credentials and knowledge of provider topologies to re‑enter. “Just because it was secure six months ago does not mean it is now,” Leatherman told The Washington Post, urging companies to treat the advisory as a starting point for fresh hunts, not a checklist to be filed away. (Source: The Washington Post)
The bottom line: Salt Typhoon isn’t a smash‑and‑grab ransomware wave. It is patient, infrastructure‑level espionage designed to watch patterns of life at massive scale. That means the right response is equally patient: fix the edge, close the known doors, hunt for the quiet routes the attackers left behind—and, for sensitive personal or business conversations, use tools that assume the phone network itself may be hostile. The campaign’s true measure may be less the number of victims than the lesson it forces onto every carrier and enterprise network: in 2025, the perimeter is the product, and it’s time to defend it like one. (Sources: U.S. Department of Defense, The Washington Post)
