NSA, FBI, Others Say Chinese Tech Firms are Aiding Salt Typhoon Attacks
<p>Intelligence agencies in the United States and more than a dozen other countries are putting a focus on three Chinese companies they say are supporting the state-sponsored threat group Salt Typhoon’s hacking and cyber-espionage attacks around the world.</p><p>In a <a href="https://media.defense.gov/2025/Aug/22/2003786665/-1/-1/0/CSA_COUNTERING_CHINA_STATE_ACTORS_COMPROMISE_OF_NETWORKS.PDF" target="_blank" rel="noopener">joint report</a> that also details the advanced persistent threat (APT) group’s methods and tactics, the agencies this week wrote that Sichuan Juxinhe Network Technology Co., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. are supplying products and services to intelligence services in China – including various units in the People’s Liberation Army and Ministry of State Security – that are used in the Salt Typhoon operations, which have been running since 2021.</p><p>“The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” the agencies wrote in the report.</p><p>The agencies include the U.S. National Security Agency, CISA, FBI, and Department of Defense Cyber Crime Center, and counterparts from the UK, Canada, Australia, New Zealand, Italy, Germany, Finland, Czech Republic, Japan, the Netherlands, Spain, and Poland.</p><h3>A Focus on Private Companies</h3><p>The naming of the three companies follows similar efforts by U.S. intelligence agencies to highlight the connections between Chinese intelligence agencies, state-sponsored threat groups, and commercial entities in the country.</p><p>In March, the U.S. 
Justice Department (DOJ) indicted 12 Chinese nationals for <a href="https://securityboulevard.com/2025/03/indictments-of-chinese-cyber-spies-reveal-hacker-for-hire-operation/" target="_blank" rel="noopener">hacking into computer systems</a> of a range of individuals and organizations in the United States and elsewhere, with prosecutors saying the charges revealed an extensive and long-standing use of private companies and freelance threat actors in <a href="https://www.justice.gov/usao-sdny/pr/10-chinese-nationals-charged-large-scale-hacking-us-and-international-victims-behalf" target="_blank" rel="noopener">hacker-for-hire operations</a>.</p><p>In this latest report, “the three China-based technology companies <a href="https://www.ncsc.gov.uk/news/uk-allies-expose-china-tech-companies-enabling-cyber-campaign" target="_blank" rel="noopener">provide cyber-related services</a> to the Chinese intelligence services and are part of a wider commercial ecosystem in China, which includes information security companies, data brokers and hackers for hire,” the UK’s National Cyber Security Centre <a href="https://www.ncsc.gov.uk/news/uk-allies-expose-china-tech-companies-enabling-cyber-campaign" target="_blank" rel="noopener">wrote</a>.</p><p>John Hultquist, chief analyst with the Google Threat Intelligence Group, in an email statement described an “ecosystem of contractors, academics, and other facilitators … at the heart of Chinese cyber espionage. Contractors are used to build tools and valuable exploits as well as carry out the dirty work of intrusion operations. They have been instrumental in the rapid evolution of these operations and growing them to an unprecedented scale.”</p><h3>Attacking the Telecoms</h3><p>Salt Typhoon is best known for its widespread attacks <a href="https://securityboulevard.com/2024/09/china-backed-salt-typhoon-targets-u-s-internet-providers-report/" target="_blank" rel="noopener">compromising the broadband networks</a> of U.S. 
telecoms such as Verizon, AT&T, T-Mobile, and others to attain persistence and steal data. However, the APT group has attacked organizations in such areas as critical infrastructure in the United States and around the globe, with Hultquist saying that “reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals. Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”</p><p>He also said that while there are many Chinese-sponsored espionage groups targeting the telecom sector, Salt Typhoon’s “familiarity with telecommunications systems gives them a unique advantage, especially when it comes to evading detection. Many of the highly successful Chinese cyber espionage actors we encounter have deep expertise in the technologies used by their targets, giving them an upper hand.”</p><h3>Exploiting CVEs for Initial Access</h3><p>According to the report this week, the Salt Typhoon actors are exploiting known vulnerabilities and already-patched security flaws in compromised infrastructure, in particular <a href="https://nvd.nist.gov/vuln/detail/cve-2024-21887" target="_blank" rel="noopener">CVE-2024-21887</a> (Ivanti Connect Secure and Policy Secure command injection flaw), <a href="https://nvd.nist.gov/vuln/detail/cve-2024-3400">CVE-2024-3400</a> (Palo Alto Networks’ PAN-OS GlobalProtect remote code execution, or RCE), <a href="https://nvd.nist.gov/vuln/detail/cve-2023-20273" target="_blank" rel="noopener">CVE-2023-20273</a> (Cisco IOS XE software command injection and privilege escalation), <a href="https://nvd.nist.gov/vuln/detail/cve-2023-20198" target="_blank" rel="noopener">CVE-2023-20198</a> (Cisco IOS XE authentication bypass), and <a href="https://nvd.nist.gov/vuln/detail/cve-2018-0171" target="_blank" rel="noopener">CVE-2018-0171</a> (Cisco IOS and IOS XE smart install RCE).</p><p>“To maintain persistent access to target networks, the 
APT actors use a variety of techniques,” the intelligence agencies wrote. “Notably, a number of these techniques can obfuscate the actors’ source IP address in system logs, as their actions may be recorded as originating from local IP addresses.”</p><p>Once in the devices, Salt Typhoon then targets authentication protocols and infrastructure to enable lateral movement through network devices, with the report noting that “capturing network traffic containing credentials via compromised routers is a common method for further enabling lateral movement.”</p><h3>Persistence is Key</h3><p>The threat group’s malicious activity is aimed at establishing persistent and long-term access to networks, with the APT actors maintaining more than one method of access. The agencies said critical infrastructure operators should run red-teaming operations and incident responses, and encouraged defenders to define and understand the full extent of the threat group’s access to networks, and then to remove them simultaneously.</p><p>“Partial response actions may alert the actors to an ongoing investigation and jeopardize the ability to conduct full eviction,” the agencies wrote. 
“Incident response on one network may also result in the APT actors taking measures to conceal and maintain their access on additional compromised networks, and potentially disrupt broader investigative and operational frameworks already in progress.”</p><p>They also encouraged defenders to monitor configuration changes, virtualized containers, network services and tunnels, firmware and software integrity, and logs.</p>
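<p>One way to act on the advice to monitor configuration changes, network services and tunnels is to diff each device's running configuration against a known-good baseline and label what changed. The sketch below is an added example, not code from the joint report or this article; it assumes Cisco IOS-style syntax, and the watch patterns, hostnames, accounts and addresses in it are constructed for illustration.</p>

```python
import re

# Change classes taken from the report's monitoring advice. The regexes
# assume Cisco IOS-style syntax (an assumption; adapt for other platforms).
WATCH = [
    ("tunnel", re.compile(r"^interface Tunnel\d+")),
    ("network service", re.compile(r"^(no )?ip http (secure-)?server")),
    ("traffic capture", re.compile(r"^monitor (session|capture) ")),
    ("account/auth", re.compile(r"^(username |aaa |tacacs server |radius server )")),
]

def flatten(config):
    """Return config lines as a set, prefixing indented lines with their parent."""
    paths, parent = set(), None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blanks and "!" separator lines
        if raw[0].isspace() and parent:
            paths.add(f"{parent} > {raw.strip()}")
        else:
            parent = raw.strip()
            paths.add(parent)
    return paths

def review_changes(baseline, current):
    """Diff two snapshots; return (action, category, line) for every change."""
    before, after = flatten(baseline), flatten(current)
    findings = []
    for action, changed in (("added", after - before), ("removed", before - after)):
        for line in sorted(changed):
            category = next((n for n, rx in WATCH if rx.search(line)), "other")
            findings.append((action, category, line))
    return findings

# Constructed sample snapshots (hostnames, accounts and addresses are made up).
COMMON = """hostname edge-rtr-01
username netops privilege 15 secret 9 CONSTRUCTED
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""
BASELINE = COMMON + "no ip http server\n"
CURRENT = COMMON + """ip http server
username svc-backup privilege 15 secret 9 CONSTRUCTED
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
monitor session 1 source interface GigabitEthernet0/0
"""

if __name__ == "__main__":
    for action, category, line in review_changes(BASELINE, CURRENT):
        print(f"{action:8} {category:16} {line}")
```

<p>Because the agencies caution that partial response actions can alert the actors, findings like these are better collected across all devices and reviewed together before any change is reverted.</p>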