Salt Typhoon is a highly sophisticated advanced persistent threat (APT) group with ties to the Chinese government. Emerging around 2020, this state-sponsored actor specializes in cyber espionage and data theft. They primarily gain initial access by exploiting known vulnerabilities in public-facing applications and network devices, making them a serious threat to global telecommunications and critical infrastructure.
The group's primary goals are cyber espionage and data exfiltration. Their operations are designed to:
Steal intellectual property from corporate targets.
Gather intelligence on government officials and military infrastructure.
Conduct counterintelligence by infiltrating law enforcement and intelligence systems.
Pre-position themselves within critical infrastructure for potential future disruption.
Salt Typhoon is a master of "living off the land," using legitimate tools and built-in network utilities to evade detection. Key techniques include:
Exploiting Vulnerabilities: They frequently exploit known CVEs in firewalls, VPNs, and routers from vendors like Cisco, Palo Alto Networks, and Ivanti.
Credential Theft: The group uses tools to harvest credentials, often from packet captures of authentication traffic (like TACACS+).
Lateral Movement: After gaining a foothold, they pivot through networks using compromised credentials and trusted connections between providers.
Containerization: They have been observed using virtualized containers on network devices (like Cisco's Guest Shell) to hide their tools and activities.
The group follows a methodical process to infiltrate and persist within target networks:
Initial Access: Exploiting public-facing applications and network edge devices.
Persistence: Creating new accounts, modifying access control lists (ACLs), enabling SSH on non-standard ports, and creating covert tunnels.
Collection: Using native packet capture tools on routers to sniff network traffic and modifying TACACS+ server configurations to intercept credentials.
Exfiltration: Leveraging separate command and control (C2) channels and protocol tunnels (GRE, IPsec) to exfiltrate stolen data.
Known IOCs associated with Salt Typhoon include a wide range of IP addresses used for C2 and staging, along with specific malware and tools. A joint advisory from CISA, the FBI, and the NSA has published an extensive list of IP addresses. Other indicators include:
Malware: A custom SFTP client written in Golang used for data transfer.
Filenames: Packet captures named mycap.pcap, tac.pcap, or 1.pcap.
Network Artifacts: Unexpected GRE or IPsec tunnels, SSH services running on high, non-standard ports (e.g., 22x22), and modifications to TACACS+ or RADIUS configurations.
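The network artifacts above (unexpected GRE or IPsec tunnels, SSH on a high port in the 22x22 pattern) are easy to hunt for once flow records are available. The script below is an added example, not Huntress code or anything from the cited advisory: it parses a constructed set of flow records, flags GRE (IP protocol 47) and IPsec ESP (protocol 50) flows whose endpoints are not on a hypothetical allowlist of approved tunnel peers, and flags TCP destination ports matching the page's 22x22 example. The flow format, addresses, allowlist and the port regex are all assumptions made for this illustration.

```python
"""Flag tunnel and SSH-port artifacts in constructed flow records.

Added illustration, not Huntress code. The flow format, the allowlist and
every address below are constructed for this example.
"""
import re

# Constructed flow records (not real traffic):
# src, dst, ip_proto, dst_port, bytes, direction
SAMPLE_FLOWS = """\
10.0.1.5,10.0.1.9,6,22,4096,internal
10.0.1.5,203.0.113.40,47,0,8388608,outbound
10.0.2.7,198.51.100.22,50,0,52428800,outbound
10.0.1.5,10.0.1.9,6,22922,2048,internal
10.0.3.3,10.0.3.4,47,0,1024,internal
10.0.2.7,192.0.2.10,6,443,120000,outbound
"""

GRE, ESP, TCP = 47, 50, 6
STANDARD_SSH_PORT = 22

# Hypothetical allowlist: tunnel endpoint pairs the network team knows about
# (for example an approved site-to-site VPN pair).
APPROVED_TUNNEL_PEERS = {("10.0.3.3", "10.0.3.4")}

# The page's "22x22" example expressed as a pattern. This is a hunting
# heuristic derived from one published example, not a signature.
SSH_PORT_PATTERN = re.compile(r"^22\d22$")


def parse_flows(text):
    """Parse the constructed CSV-style flow records into dictionaries."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, proto, dport, nbytes, direction = line.split(",")
        flows.append({
            "src": src,
            "dst": dst,
            "proto": int(proto),
            "dport": int(dport),
            "bytes": int(nbytes),
            "direction": direction,
        })
    return flows


def find_findings(flows):
    """Return human-readable findings for unexpected tunnels and odd SSH ports."""
    findings = []
    for f in flows:
        peer = (f["src"], f["dst"])
        if f["proto"] in (GRE, ESP) and peer not in APPROVED_TUNNEL_PEERS:
            name = "GRE" if f["proto"] == GRE else "IPsec ESP"
            findings.append(
                f"unexpected {name} tunnel {f['src']} -> {f['dst']} "
                f"({f['bytes']} bytes, {f['direction']})"
            )
        elif (f["proto"] == TCP
              and f["dport"] != STANDARD_SSH_PORT
              and SSH_PORT_PATTERN.match(str(f["dport"]))):
            findings.append(
                f"SSH-style port {f['dport']} in use {f['src']} -> {f['dst']}"
            )
    return findings


def audit_flows(text=SAMPLE_FLOWS):
    """Convenience wrapper: parse the records and return the findings list."""
    return find_findings(parse_flows(text))


if __name__ == "__main__":
    for finding in audit_flows():
        print(finding)
```

On the constructed input this reports the GRE flow to 203.0.113.40, the ESP flow to 198.51.100.22 and the TCP flow on port 22922, while the allowlisted GRE pair between 10.0.3.3 and 10.0.3.4 is silent. The point of the allowlist is that tunnels are not inherently suspicious; a tunnel nobody on the network team can account for is.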
Salt Typhoon’s primary targets are organizations within the United States and allied nations. The group has successfully compromised a broad range of sectors, with a strong focus on:
Telecommunications: Major providers like AT&T, Verizon, T-Mobile, and Lumen Technologies have been targeted.
Critical Infrastructure: Government agencies, transportation networks, and military infrastructure.
While no individuals have been arrested, law enforcement agencies are taking action. In April 2025, the FBI announced a $10 million bounty for information on individuals associated with Salt Typhoon. Additionally, the U.S. Department of the Treasury has sanctioned affiliated companies, like Sichuan Juxinhe Network Technology, for their direct involvement in these cyberattacks.
Patch, Patch, Patch: Salt Typhoon loves to exploit known vulnerabilities. Prioritize patching edge devices and public-facing applications, especially those listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
Harden Your Network: Implement network segmentation, disable unused ports and protocols, and enforce strong credential policies. Use out-of-band management for network devices.
Monitor Everything: Regularly review device configurations, logs, and network traffic for unusual activity. Look for unexpected tunnels, unauthorized accounts, or data transfers to suspicious IPs.
Embrace Zero Trust: Assume that a breach is inevitable. A zero-trust architecture can help limit an attacker's ability to move laterally.
The Huntress Managed Security Platform provides comprehensive endpoint detection and response (EDR), managed antivirus, and identity threat detection. Our 24/7 human-led ThreatOps team actively hunts for threats like Salt Typhoon, ensuring that even the most sophisticated actors can't hide in your environment.