The U.S. Federal Bureau of Investigation, along with other law enforcement agencies and international partners, is warning of an alleged Chinese government-backed “Salt Typhoon” hacking campaign that has targeted more than 200 U.S. companies across 80 countries.

The FBI, the U.S. National Security Agency, the Cybersecurity and Infrastructure Agency and the Department of Defense’s Cyber Crime Center, joined by counterparts in the U.K., Canada, Australia, Germany, Italy and Japan, are warning that Salt Typhoon represents one of the most pervasive state-sponsored espionage operations discovered to date. The joint advisory outlines the tactics, techniques and procedures used by the group and stresses that its focus on network infrastructure, such as routers, virtual private networks and other edge devices, allows intrusions to bypass conventional endpoint defenses.

Salt Typhoon isn’t new and has already caused damage in the past, including a large-scale cyberattack campaign against U.S. telecommunications companies in 2024. The breach exposed sensitive information affecting more than a million users, including senior political figures.

More recently, Salt Typhoon was found to have infiltrated a U.S. National Guard network for months, quietly extracting credentials, diagrams and sensitive configuration data from dozens of organizations.

The new update sees the U.S. and its allies name three Chinese companies that are allegedly involved with Salt Typhoon: Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co. and Sichuan Zhixin Ruijie Network Technology Co. Ltd. The companies are claimed to have provided cyber products and services to China’s Ministry of State Security and the People’s Liberation Army to facilitate the Salt Typhoon attacks.

Organizations in sectors including telecommunications, defense, transportation and hospitality are being asked to assume that compromise may have already occurred and to take immediate steps to harden defenses. Recommended actions include rapid patching of known vulnerabilities, adopting zero-trust architectures, conducting proactive threat hunting and leveraging the indicators of compromise published in the joint advisory.

Salt Typhoon, which is also known as Earth Estrie and Ghost Emperor, has been active since at least 2019. The group maintains long-term persistence by compromising network-level devices before then collecting intelligence at scale.

“Beijing’s indiscriminate targeting of private communications demands our stronger collaboration with our partners to identify and counter this activity at the earliest stages,” said Brett Leatherman, assistant director of the FBI’s Cyber Division. “If you believe you are a victim of Salt Typhoon — or any other malicious cyber activity — I encourage you to contact your local FBI field office.”

Image: SiliconANGLE/Reve