News

Salt Typhoon: What Security Action Should Governments Take Now?

  • securityboulevard.com
  • published date: 2025-08-31 00:00:00 UTC

<p><a href="https://www.govtech.com/blogs/lohrmann-on-cybersecurity">Lohrmann on Cybersecurity</a></p>
<h1>Salt Typhoon: What Security Action Should Governments Take Now?</h1>
<h2>The FBI just announced that the Salt Typhoon cyber attacks against U.S. telecoms uncovered last year were much worse and more widespread than previously disclosed. What’s next?</h2>
<div>August 31, 2025</div>
<p><a href="https://www.govtech.com/authors/dan-lohrmann.html"><span>Dan Lohrmann</span></a></p>
<figure><img decoding="async" src="https://erepublic.brightspotcdn.com/dims4/default/e30c9f8/2147483647/strip/true/crop/8159x4254+0+204/resize/840x438!/quality/90/?url=http%3A%2F%2Ferepublic-brightspot.s3.us-west-2.amazonaws.com%2F18%2Fad%2Ff55f65fb4f77ae3045b207ecbac9%2Fadobestock-249818596.jpeg"><figcaption>Adobe Stock/Mike Mareen</figcaption></figure>
<div class="Page-articleBody RichTextBody"><p>In December 2024, <a href="https://www.reuters.com/world/us/us-agencies-brief-senators-chinese-salt-typhoon-telecom-hacking-2024-12-04/">Reuters reported</a> that “U.S. government agencies held a classified briefing for all senators on Wednesday on China’s alleged efforts known as Salt Typhoon to burrow deep into American telecommunications companies and steal data about U.S. calls.”</p></div>
<div>At the time, there were many questions and few answers. The article goes on to say:</div>
<div>“A U.S. <a href="https://www.reuters.com/technology/cybersecurity/large-number-americans-metadata-stolen-by-chinese-hackers-senior-official-says-2024-12-04/">official told reporters a large number of Americans</a>’ metadata has been stolen in the sweeping cyber espionage campaign, adding dozens of companies across the world had been hit by the hackers, including ‘at least’ eight telecommunications and telecom infrastructure firms in the United States.</div>
<div>“‘The extent and depth and breadth of Chinese hacking is absolutely mind-boggling — that we would permit as much as has happened in just the last year is terrifying,’ said Senator Richard Blumenthal.”</div>
<div>And this past week, we learned that the hacking and data breaches, and the global scope of the problem, were — and are — much worse than previously disclosed.</div>
<div>On Aug. 27, <i>Yahoo Finance</i> reported: <a href="https://finance.yahoo.com/news/fbi-says-china-salt-typhoon-193940012.html">“FBI says China’s Salt Typhoon hacked at least 200 US companies.”</a></div>
<div>“FBI assistant director Brett Leatherman told The Washington Post that the hackers, <a href="https://techcrunch.com/2025/01/10/meet-the-chinese-typhoon-hackers-preparing-for-war/">dubbed Salt Typhoon</a>, also <a href="https://www.washingtonpost.com/technology/2025/08/27/fbi-advisory-china-hacking-expansion/">broke into companies in 80 countries</a>, revealing for the first time the global scale of the Chinese spying campaign.</div>
<div>“Leatherman didn’t name the hacked companies.”</div>
<h3>NEW JOINT CYBERSECURITY ADVISORY: RECOMMENDED ACTIONS</h3>
<div>In a historic level of cooperation and coordination for global government entities including the National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), FBI and numerous other agencies, a new 37-page <a href="https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF">Joint Cybersecurity Advisory</a> was issued on Aug. 27, 2025, that provides extensive guidance to enterprises on defending their systems and data after these recent cyber attacks. 
Here is what the executive summary says:</div>
<div>“People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.</div>
<div>“This activity partially overlaps with cyber threat actor reporting by the cybersecurity industry—commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others. The authoring agencies are not adopting a particular commercial naming convention and hereafter refer to those responsible for the cyber threat activity more generically as ‘Advanced Persistent Threat (APT) actors’ throughout this advisory. This cluster of cyber threat activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom, and other areas globally.</div>
<div>“This Cybersecurity Advisory (CSA) includes observations from various government and industry investigations where the APT actors targeted internal enterprise environments, as well as systems and networks that deliver services directly to customers. This CSA details the tactics, techniques, and procedures (TTPs) leveraged by these APT actors to facilitate detection and threat hunting, and provides mitigation guidance to reduce the risk from these APT actors and their TTPs.</div>
<div>“The authoring agencies strongly urge network defenders to hunt for malicious activity and to apply the mitigations in this CSA to reduce the threat of Chinese state-sponsored and other malicious cyber activity.</div>
<div>“Any mitigation or eviction measures listed within are subject to change as new information becomes available and ongoing coordinated operations dictate. Network defenders should ensure any actions taken in response to the CSA are compliant with local laws and regulations within the jurisdictions within which they operate.”</div>
<div>The table of contents goes on to describe specific areas to be addressed. These topic areas include vital details and specific recommendations in the following areas:</div>
<ul>
<li>Background</li>
<li>Cybersecurity Industry Tracking</li>
<li>Technical details</li>
<li>Initial access</li>
<li>Persistence</li>
<li>Lateral movement &amp; collection</li>
<li>Exfiltration</li>
<li>Case study</li>
<li>Collecting native PCAP</li>
<li>Host-level indicators</li>
<li>Enabling SSH access to the underlying Linux host on IOS XR</li>
<li>Threat hunting guidance</li>
<li>Monitor configuration changes</li>
<li>Monitor virtualized containers</li>
<li>Monitor network services and tunnels</li>
<li>Monitor firmware and software integrity</li>
<li>Monitor logs</li>
<li>Indicators of compromise</li>
<li>IP-based indicators</li>
<li>Custom SFTP client</li>
<li>Cmd1 SFTP client Yara rule</li>
<li>New2 SFTP client Yara rule</li>
<li>CVE 2023-20198 Snort rule</li>
<li>Mitigations</li>
<li>General recommendations</li>
<li>Hardening management protocols and services</li>
<li>Implementing robust logging</li>
<li>Routing best practices</li>
<li>Virtual Private Network (VPN) best practices</li>
<li>Cisco-specific recommendations</li>
<li>Mitigating Guest Shell abuse</li>
<li>Resources</li>
<li>Acknowledgements</li>
<li>Disclaimer of endorsement</li>
<li>Purpose</li>
<li>Contact information</li>
<li>Appendix A: MITRE ATT&amp;CK tactics and techniques</li>
<li>Appendix B: CVEs exploited</li>
<li>Appendix C: MITRE D3FEND Countermeasures</li>
</ul>
<div>The background section of the advisory says this:</div>
<div>“The APT actors have been performing malicious operations globally since at least 2021. These operations have been linked to multiple China-based entities, including at least Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司), Beijing Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司), and Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司).</div>
<div>“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security. The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.</div>
<div>“For more information on PRC state-sponsored malicious cyber activity, see <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors/china">CISA’s People’s Republic of China Cyber Threat Overview and Advisories webpage</a>.”</div>
<h3>FINAL THOUGHTS</h3>
<div>In a thought-provoking commentary from March 2025 on these expanded Chinese cyber threats, Professor Ciaran Martin wrote an article entitled “<a href="https://www.rusi.org/explore-our-research/publications/commentary/typhoons-cyberspace">Typhoons in Cyberspace</a>”:</div>
<div>“… there has been one profoundly important shift in the threat picture recently: over the past two years we have learned of a transformation of China’s cyber capabilities into a far more formidable strategic threat.</div>
<div>“This is, by far, the most significant shift in the cyber threat landscape in well over a decade. As a cyber actor, China has changed in three ways. First, the objectives of its cyber capabilities have shifted from economic to political ones. Second, its operations have changed from being opportunistic to strategic. Thirdly, and most importantly, it has moved beyond being simply a passive actor to being an active one. In other words, it does not just spy and steal anymore; it has also laid the ground for hugely disruptive cyber operations against western critical infrastructure, which hitherto it had shown no signs of doing.”</div>
<div>In my view, the recent announcements concerning Salt Typhoon’s impact on critical infrastructure globally only underline these points now more than ever before.</div>
<div>Governments, as well as critical infrastructure organizations, must pay close attention and follow the urgent advice given by our top intelligence agencies.</div>
<p><a href="https://www.govtech.com/tag/cybersecurity">Cybersecurity</a></p>
<p><img decoding="async" src="https://erepublic.brightspotcdn.com/dims4/default/7be6234/2147483647/strip/true/crop/343x343+77+0/resize/100x100!/quality/90/?url=http%3A%2F%2Ferepublic-brightspot.s3.us-west-2.amazonaws.com%2Faa%2Fbe%2F66bbbc539526800857dd96f3c9d5%2Flohrman.jpg"></p>
<p><a href="https://www.govtech.com/authors/dan-lohrmann.html">Dan Lohrmann</a></p>
<div>Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author. 
</div><p><a href="https://www.govtech.com/authors/dan-lohrmann.html">See More Stories by Dan Lohrmann</a></p>
<p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.govtech.com/blogs/lohrmann-on-cybersecurity">Lohrmann on Cybersecurity</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Lohrmann on Cybersecurity">Lohrmann on Cybersecurity</a>. Read the original post at: <a href="https://www.govtech.com/blogs/lohrmann-on-cybersecurity/salt-typhoon-what-security-action-should-governments-take-now">https://www.govtech.com/blogs/lohrmann-on-cybersecurity/salt-typhoon-what-security-action-should-governments-take-now</a></p>
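<p>The advisory’s threat-hunting headings listed above (“Monitor configuration changes”, “Monitor network services and tunnels”, “Mitigating Guest Shell abuse”) and its note that the actors modify routers for persistence point to a check a defender can automate: diff each new running-config snapshot against the last approved one and flag added lines in those categories. The Python below is an added example, not code from the advisory or from the article; the two configuration snapshots, the device names and addresses, and the regex patterns are constructed assumptions.</p>

```python
import difflib
import re

# Constructed snapshots of an IOS-style running configuration (documentation addresses, placeholder secrets).
BASELINE = """hostname pe-router-1
username admin privilege 15 secret 5 $1$PLACEHOLDER
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
line vty 0 4
"""

CURRENT = """hostname pe-router-1
username admin privilege 15 secret 5 $1$PLACEHOLDER
username svc_backup privilege 15 secret 5 $1$PLACEHOLDER2
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel100
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
line vty 0 4
guestshell enable
"""

# Added lines an analyst should review; labels follow the advisory's hunting headings, regexes are assumptions.
SUSPICIOUS = {
    "new-privileged-user": re.compile(r"^username \S+ privilege 15\b"),
    "new-tunnel-interface": re.compile(r"^interface Tunnel\d+"),
    "guest-shell-enabled": re.compile(r"^guestshell enable"),
    "vty-or-acl-change": re.compile(r"^(line vty|ip access-list)\b"),
}

def added_lines(baseline, current):
    """Config lines present in `current` but absent from `baseline`, in order (zero-context diff)."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]

def review_config_change(baseline, current):
    """Return (label, config_line) for every added line that matches a SUSPICIOUS pattern."""
    findings = []
    for line in added_lines(baseline, current):
        for label, pattern in SUSPICIOUS.items():
            if pattern.match(line):
                findings.append((label, line))
    return findings

if __name__ == "__main__":
    for label, line in review_config_change(BASELINE, CURRENT):
        print(f"[{label}] {line}")
```

<p>In practice the baseline would be the last change-controlled configuration pulled from the device or from a configuration-management system, and every finding would be matched against an approved change record before being closed.</p>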