313/68 Friday, August 29, 2025

Cybersecurity agencies from the United States and the United Kingdom, together with partners from other countries (13 in total), have publicly attributed the global hacking campaign known as Salt Typhoon to three Chinese technology companies: Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. The companies were identified as suppliers of cyber products and services to China's Ministry of State Security and the People's Liberation Army, and those products and services were used for cyber-espionage operations. Since 2021 the campaign has targeted government, telecommunications, transportation, hotel, and military networks worldwide.
The joint advisory from cyber and intelligence agencies across 13 countries states that the group has been highly successful by exploiting known vulnerabilities, for which patches have been available for a long time, in network edge devices from vendors such as Ivanti, Palo Alto Networks, and Cisco, rather than relying on undisclosed zero-day exploits. Once the attackers gained access to a device, they modified its configuration to maintain persistent access and deployed custom-built tools to intercept communications and exfiltrate sensitive data. Devices that were not the primary target were also compromised and used as staging points to pivot into higher-value networks.

Over the years, Salt Typhoon has been linked to intrusions at major U.S. telecommunications providers including AT&T, Verizon, and Lumen, giving it access to sensitive communications such as voicemail and SMS, and even to the systems that service U.S. law enforcement wiretap requests. In response, the FCC required telecom providers to strengthen their security measures under the CALEA law. The group was also behind a breach of a U.S. Army National Guard network that lasted nearly nine months in 2024 and exposed system configurations and administrator accounts.
To mitigate the threat, the agencies recommend that organizations first apply security patches to all affected devices, then harden device configurations, monitor for unauthorized configuration changes, and disable unnecessary services. They also stress continuous hunting for indicators of compromise: because the group relies mainly on known vulnerabilities, its activity is easier to detect when devices are monitored regularly.
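As an added example, not code from the advisory, the agencies, or this article: a configuration-drift check of the kind the monitoring recommendation calls for, written in Python. It diffs a known-good baseline against a device's current configuration and flags additions that look like the persistence changes described above (new local accounts, management services switched on, tunnel interfaces and traffic-mirroring sessions added). The two configurations are constructed Cisco IOS-style samples, and the rule list is an illustrative assumption, not a published indicator set.

```python
"""Configuration-drift audit for a network edge device (added example).

Compares a known-good baseline with the running configuration and flags
additions matching the kinds of persistence changes described in the
advisory. Sample configs are constructed; the rules are illustrative.
"""
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    line: str


# Illustrative rules (assumed, not the agencies' indicators): severity, name,
# and a regex that an ADDED configuration statement must match.
SUSPICIOUS_ADDITIONS = [
    ("high", "new local account", re.compile(r"^username \S+ ")),
    ("high", "HTTP management server enabled", re.compile(r"^ip http (?:secure-)?server$")),
    ("high", "GRE tunnel interface added", re.compile(r"^interface Tunnel\d+$")),
    ("high", "traffic mirroring (SPAN) session added", re.compile(r"^monitor session \d+ ")),
    ("medium", "SSH moved to a non-standard port", re.compile(r"^ip ssh port \d+ ")),
    ("medium", "access-list entry added", re.compile(r"^access-list \d+ permit ")),
]

# Constructed sample: configuration captured before the device was exposed.
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholderA
!
ip ssh version 2
no ip http server
no ip http secure-server
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 transport input ssh
"""

# Constructed sample: the same device after tampering of the kind described above.
RUNNING = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholderA
username svc_backup privilege 15 secret 9 $9$placeholderB
!
ip ssh version 2
ip ssh port 57722 rotary 1
ip http server
no ip http secure-server
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit 198.51.100.77
monitor session 1 source interface GigabitEthernet0/0
monitor session 1 destination interface GigabitEthernet0/2
line vty 0 4
 transport input ssh
"""


def normalise(config: str) -> list[str]:
    """Drop '!' comment lines, blank lines and trailing whitespace. Leading
    indentation is kept: it marks sub-commands in IOS-style configs."""
    lines = (raw.rstrip() for raw in config.splitlines())
    return [l for l in lines if l.strip() and not l.lstrip().startswith("!")]


def config_drift(baseline: str, running: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) statements between baseline and running config."""
    a, b = normalise(baseline), normalise(running)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(a[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(b[j1:j2])
    return added, removed


def audit(baseline: str, running: str) -> list[Finding]:
    """Match additions against the rules; report every removal, since attackers
    also relax protections (e.g. deleting a 'no ip http server' statement)."""
    added, removed = config_drift(baseline, running)
    findings = []
    for line in added:
        stripped = line.strip()
        for severity, rule, pattern in SUSPICIOUS_ADDITIONS:
            if pattern.search(stripped):
                findings.append(Finding(severity, rule, stripped))
                break
    for line in removed:
        findings.append(Finding("medium", "baseline statement removed", line.strip()))
    return findings


if __name__ == "__main__":
    for f in sorted(audit(BASELINE, RUNNING), key=lambda f: (f.severity != "high", f.rule)):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
```

Pull the running configuration over an out-of-band channel and keep the baseline off the device: a compromised device can present a clean configuration to an on-box check. Review every removal as well as every addition, since loosening a protection (dropping a `no ip http server` line) serves an intruder as well as adding a service does.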