Threat Actor Profile
Salt Typhoon
Salt Typhoon is a highly sophisticated advanced persistent threat (APT) group with ties to the Chinese government. Emerging around 2020, this state-sponsored actor specializes in cyber espionage and data theft. They primarily gain initial access by exploiting known vulnerabilities in public-facing applications and network devices, making them a serious threat to global telecommunications and critical infrastructure.
Country of Origin
Salt Typhoon is widely attributed to the People's Republic of China (PRC). Cybersecurity agencies and intelligence communities across the globe, including the U.S. National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA), have linked the group's activities directly to China's Ministry of State Security (MSS). While the Chinese government denies these allegations, the evidence overwhelmingly points to state-sponsorship.
Members
The exact size and composition of Salt Typhoon are not publicly known, but evidence suggests it is a well-organized and resourced operation. The group collaborates with several Chinese technology companies that provide cyber products and services to the MSS. These affiliated companies include: Sichuan Juxinhe Network Technology Co. Ltd.; Beijing Huanyu Tianqiong Information Technology Co., Ltd.; Sichuan Zhixin Ruijie Network Technology Co., Ltd. This structure allows for a clear division of labor, enabling distinct teams to target different regions and industries simultaneously.
Leadership
Direct leadership details for Salt Typhoon remain unknown, which is typical for state-sponsored APTs. However, the group is understood to operate under the direction of China's Ministry of State Security. Various cybersecurity firms track this threat actor under different aliases, including: Earth Estries (Trend Micro); Ghost Emperor (Kaspersky Lab); FamousSparrow (ESET); UNC2286 (Mandiant); OPERATOR PANDA (CrowdStrike). These names all refer to the same cluster of malicious activity associated with Salt Typhoon.
Salt Typhoon TTPs
Tactics
The group's primary goals are cyber espionage and data exfiltration. Their operations are designed to:
Steal intellectual property from corporate targets.
Gather intelligence on government officials and military infrastructure.
Conduct counterintelligence by infiltrating law enforcement and intelligence systems.
Pre-position themselves within critical infrastructure for potential future disruption.
Techniques
Salt Typhoon is a master of "living off the land," using legitimate tools and built-in network utilities to evade detection. Key techniques include:
Exploiting Vulnerabilities: They frequently exploit known CVEs in firewalls, VPNs, and routers from vendors like Cisco, Palo Alto Networks, and Ivanti.
Credential Theft: The group uses tools to harvest credentials, often from packet captures of authentication traffic (like TACACS+).
Lateral Movement: After gaining a foothold, they pivot through networks using compromised credentials and trusted connections between providers.
Containerization: They have been observed using virtualized containers on network devices (like Cisco's Guest Shell) to hide their tools and activities.
Procedures
The group follows a methodical process to infiltrate and persist within target networks:
Initial Access
Exploiting public-facing applications and network edge devices.
Persistence
Creating new accounts, modifying access control lists (ACLs), enabling SSH on non-standard ports, and creating covert tunnels.
Collection
Using native packet capture tools on routers to sniff network traffic and modifying TACACS+ server configurations to intercept credentials.
Exfiltration
Leveraging separate command and control (C2) channels and protocol tunnels (GRE, IPsec) to exfiltrate stolen data.
Law Enforcement & Arrests
While no individuals have been arrested, law enforcement agencies are taking action. In April 2025, the FBI announced a $10 million bounty for information on individuals associated with Salt Typhoon. Additionally, the U.S. Department of the Treasury has sanctioned affiliated companies, like Sichuan Juxinhe Network Technology, for their direct involvement in these cyberattacks.
How to Defend Against Salt Typhoon
Patch, Patch, Patch: Salt Typhoon loves to exploit known vulnerabilities. Prioritize patching edge devices and public-facing applications, especially those listed in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
Harden Your Network: Implement network segmentation, disable unused ports and protocols, and enforce strong credential policies. Use out-of-band management for network devices.
Monitor Everything: Regularly review device configurations, logs, and network traffic for unusual activity. Look for unexpected tunnels, unauthorized accounts, or data transfers to suspicious IPs.
Embrace Zero Trust: Assume that a breach is inevitable. A zero-trust architecture can help limit an attacker's ability to move laterally.
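The "Monitor Everything" advice above maps directly onto the persistence, collection, and exfiltration procedures listed earlier: unauthorized accounts, SSH on non-standard ports, altered TACACS+ server settings, packet capture sessions, Guest Shell, and unexpected GRE/IPsec tunnels all leave traces in a device's running configuration. The following added example (written for this profile, not Huntress tooling) audits an exported IOS-style configuration against an operator-maintained baseline; the config excerpt, baseline values, and addresses are constructed sample data.

```python
import re

# Constructed running-config excerpt in IOS-style syntax (sample data, not from a real device)
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netadmin privilege 15 secret 9 <hash>
username svc_backup privilege 15 secret 9 <hash>
ip ssh port 2222 rotary 1
tacacs server primary
 address ipv4 192.0.2.50
interface Tunnel99
 tunnel mode gre ip
 tunnel destination 198.51.100.23
monitor capture CAP1 interface GigabitEthernet0/0 both
app-hosting appid guestshell
"""

# Assumed per-device baseline an operator maintains (constructed values)
BASELINE = {
    "accounts": {"netadmin"},
    "tunnels": set(),                 # no tunnel interfaces expected on this edge router
    "tacacs_servers": {"192.0.2.10"},
}

def audit_config(config: str, baseline: dict) -> list[str]:
    """Return findings for config indicators tied to the procedures in this profile."""
    findings = []
    # Persistence: local accounts outside the approved set
    for acct in sorted(set(re.findall(r"^username (\S+)", config, re.M)) - baseline["accounts"]):
        findings.append(f"unauthorized account: {acct}")
    # Persistence: SSH moved to a non-standard port
    m = re.search(r"^ip ssh port (\d+)", config, re.M)
    if m and int(m.group(1)) != 22:
        findings.append(f"ssh on non-standard port: {m.group(1)}")
    # Exfiltration: tunnel interfaces (GRE/IPsec) not in the baseline
    for tun in re.findall(r"^interface (Tunnel\d+)", config, re.M):
        if tun not in baseline["tunnels"]:
            findings.append(f"unexpected tunnel interface: {tun}")
    # Collection: TACACS+ server address pointed at an unapproved host
    for srv in sorted(set(re.findall(r"^\s+address ipv4 (\S+)", config, re.M)) - baseline["tacacs_servers"]):
        findings.append(f"unapproved tacacs server: {srv}")
    # Collection: native packet capture session present (assumes capture state is in the export)
    for cap in re.findall(r"^monitor capture (\S+)", config, re.M):
        findings.append(f"packet capture session present: {cap}")
    # Containerization: Guest Shell app-hosting enabled
    if re.search(r"^app-hosting appid guestshell", config, re.M):
        findings.append("guestshell container enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, BASELINE):
        print("FINDING:", finding)
```

Run it periodically against fresh config exports and diff the findings list against the previous run so that only new deviations page an analyst.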
The Huntress Managed Security Platform provides comprehensive endpoint detection and response (EDR), managed antivirus, and identity threat detection. Our 24/7 human-led ThreatOps team actively hunts for threats like Salt Typhoon, ensuring that even the most sophisticated actors can't hide in your environment.