Salt Typhoon
PRC state-backed actor responsible for the 2024 intrusions into U.S. commercial telecommunications providers — among the most consequential telecom-targeted operations on the public record. Operates against ISP and telecom network infrastructure to enable lawful-intercept abuse and broad collection against U.S. policy and political targets. CISA and the FBI confirmed the campaign in joint guidance throughout late 2024 and early 2025.
Aliases
Motivations
Target sectors
Target countries
Diamond Model
Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.
MITRE ATT&CK techniques
Timeline (2 events)

Advisory · Critical · 2025-08-27 · CISA
13-nation joint advisory AA25-239A on PRC global telecom espionage
CISA, FBI, NSA and 12 partner-nation cyber agencies issued joint cybersecurity advisory AA25-239A, attributing the long-running global compromise of telecommunications, government, transportation, lodging, and military networks to PRC state-sponsored activity that partially overlaps with the cluster vendor reporting tracks as Salt Typhoon (also OPERATOR PANDA, RedMike, UNC5807, GhostEmperor).
Tags: five-eyes, telecom, espionage, joint-advisory

Advisory · Critical · 2024-12-04 · CISA
CISA + partners issue Salt Typhoon defender guidance to telecom sector
CISA, NSA, FBI, and Five Eyes partners released joint guidance to U.S. and allied communications-infrastructure operators on hardening against the PRC-attributed Salt Typhoon campaign. Wall Street Journal reporting in October and November 2024 had already disclosed compromises at AT&T, Verizon, Lumen, and T-Mobile; Senate Intelligence Chair Mark Warner characterized the campaign as 'the worst telecom hack in our nation's history,' citing access to call metadata, unencrypted SMS, and lawful-intercept systems.
Tags: telecom, espionage, five-eyes, lawful-intercept
Indicators of compromise
3 indicators

| Type | Value | First seen | Source |
|---|---|---|---|
| MD5 | MD5 of `cmd3`, a Linux/Go SFTP staging client paired with `cmd1` in Salt Typhoon intrusions. Listed in Table 4 of the joint AA25-239A advisory; attributed to the same developer as `cmd1` on the basis of shared Go build paths (`C:/work/sync/cmd/...`) embedded in both binaries. | Aug 26, 2025 | CISA / NSA / FBI |
| SHA-256 | SHA-256 of `cmd1`, a Linux/Go custom SFTP client used by the Salt Typhoon / GhostEmperor cluster to stage and exfiltrate encrypted archives. Listed in Table 5 of the August 2025 joint advisory `Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System` (AA25-239A). | Aug 26, 2025 | CISA / NSA / FBI |
| MD5 | Demodex (family): MD5 of the Demodex kernel-mode rootkit driver published by Kaspersky in the September 2021 disclosure that originally named the actor `GhostEmperor`, a cluster that U.S. agencies now describe as partially overlapping with Salt Typhoon. The driver was loaded by bypassing Driver Signature Enforcement via the legitimately signed Cheat Engine driver `dbk64.sys`. | Sep 29, 2021 | Kaspersky (Securelist) |
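The `cmd1`/`cmd3` attribution above rests on a general property of Go binaries: unless built with `-trimpath`, they embed the absolute path of every compiled source file, so two samples that share an unusual workspace root (here `C:/work/sync/cmd/...`) were very likely built on the same developer's machine. The following Python is an added example, not code from the advisory or this tracker, showing how to extract those paths from a binary's bytes, discard the toolchain and module-cache paths that every Go binary carries, and report the deepest workspace directory common to a set of samples. The byte blobs are constructed stand-ins for two related binaries and one unrelated one, not real malware samples, and the hypothetical paths in them are chosen to mirror the advisory's build-path pattern.

```python
import re

# Go binaries built without -trimpath embed the absolute path of every source file
# (in the pclntab file table). The regex covers Windows (C:/...) and POSIX (/...) paths
# ending in .go; \b keeps it from swallowing adjacent bytes after the extension.
GO_SOURCE_PATH_RE = re.compile(rb'(?:[A-Za-z]:/|/)[A-Za-z0-9_.\-/]+\.go\b')

# Path fragments that belong to the Go toolchain or the module cache. They appear in
# every Go binary and say nothing about the developer, so they are discarded.
TOOLCHAIN_MARKERS = ('/go/src/', '/go/pkg/mod/', '/usr/local/go/', '/sdk/go', '/golang.org/')


def extract_go_source_paths(blob: bytes) -> list[str]:
    """All embedded Go source-file paths in a binary blob, deduplicated and sorted."""
    return sorted({m.decode('ascii', 'replace') for m in GO_SOURCE_PATH_RE.findall(blob)})


def workspace_dirs(blob: bytes) -> set[str]:
    """Directories of the developer's own source files (toolchain/module-cache paths dropped)."""
    dirs = set()
    for path in extract_go_source_paths(blob):
        if any(marker in path.lower() for marker in TOOLCHAIN_MARKERS):
            continue
        dirs.add(path.rsplit('/', 1)[0])
    return dirs


def ancestors(directory: str) -> set[str]:
    """Every prefix of a directory with at least two components ('C:' or '' alone is too generic)."""
    parts = directory.split('/')
    return {'/'.join(parts[:i]) for i in range(2, len(parts) + 1)}


def shared_workspace_roots(*blobs: bytes) -> list[str]:
    """Deepest workspace directory prefixes present in every sample; empty if there is no overlap."""
    per_sample = []
    for blob in blobs:
        anc = set()
        for d in workspace_dirs(blob):
            anc |= ancestors(d)
        per_sample.append(anc)
    common = set.intersection(*per_sample) if per_sample else set()
    # Keep only maximal prefixes: drop any prefix that is an ancestor of another common prefix.
    return sorted(p for p in common if not any(q.startswith(p + '/') for q in common))


# Constructed stand-ins for the string tables of three binaries (NOT real samples).
# Paths are NUL-separated, as they sit inside a real binary's pclntab.
SAMPLE_A = b'\x00'.join([
    b'\x7fELF\x02\x01\x01',
    b'C:/work/sync/cmd/cmd1/main.go',                               # hypothetical workspace path
    b'C:/work/sync/cmd/cmd1/sftp.go',
    b'C:/Users/dev/go/pkg/mod/golang.org/x/crypto/ssh/client.go',  # module cache: ignored
    b'C:/Go/src/runtime/proc.go',                                   # toolchain: ignored
])
SAMPLE_B = b'\x00'.join([
    b'\x7fELF\x02\x01\x01',
    b'C:/work/sync/cmd/cmd3/main.go',
    b'C:/work/sync/internal/pack/archive.go',
    b'/usr/local/go/src/net/dial.go',
])
SAMPLE_UNRELATED = b'\x00'.join([
    b'/home/ops/src/tool/main.go',
    b'/usr/local/go/src/os/file.go',
])

if __name__ == '__main__':
    print('A paths:', extract_go_source_paths(SAMPLE_A))
    print('shared A/B roots:', shared_workspace_roots(SAMPLE_A, SAMPLE_B))
    print('shared A/unrelated roots:', shared_workspace_roots(SAMPLE_A, SAMPLE_UNRELATED))
```

Run it against real files with `shared_workspace_roots(open(p, 'rb').read(), ...)`. The regex scan is deliberately approximate: it is enough to pivot across a handful of samples, but a proper workflow parses the pclntab (or runs `go version -m` on the binary) and will find nothing at all if the operator built with `-trimpath`, so an empty result rules nothing out.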
Related actors (by shared ATT&CK techniques)
- APT3 (CN · China): 2 shared techniques
- APT31 (CN · China): 2 shared techniques
- APT34 (IR · Iran): 2 shared techniques
- APT40 (CN · China): 2 shared techniques
- Scattered Spider (?? · Unknown): 2 shared techniques
- Andariel (KP · DPRK): 1 shared technique
References
Cite this page
Threat Intel Tracker. (2026-05-19). Salt Typhoon — actor profile. Retrieved from https://threatintel.local/actors/salt-typhoon