The extensive cyberattack by the group known as Salt Typhoon is considered by experts and officials to be China’s most ambitious and effective operation to date.
China’s Invisible War
China has been infiltrating U.S. power grids and companies for decades, stealing sensitive files and intellectual property, including microchip designs, in an effort to gain an advantage over the U.S.
However, an extensive cyberattack by the group known as Salt Typhoon is regarded by experts and officials as China’s most ambitious and effective to date. It targeted more than 80 countries and, according to officials, may have exfiltrated data on nearly every American citizen. The case is viewed as proof that China’s cyber capabilities can compete with, and increasingly surpass, those of the U.S. and its allies.
A “Massive” and “Limitless” Attack
The attack, which lasted for years, penetrated major telecommunications companies and other organizations. Its scope was far larger than initially estimated, with security authorities warning that the stolen data could be exploited by Chinese intelligence to manipulate global communications networks and monitor politicians, agents, and activists.
“Chinese state-sponsored hackers target networks worldwide, including telecommunications, governments, transportation, hospitality, and military infrastructure,” read a joint statement from British and American officials and national security members of both countries. The U.K. and U.S. described the attack as “massive” and “limitless.” The statement was also endorsed by Canada, Finland, Germany, Italy, Japan, and Spain.
Targets included phones used by politicians such as former President Donald Trump and Vice President J.D. Vance during their campaigns, as well as members of the Democratic Party and close associates of Vice President Kamala Harris. Hackers breached more than six major U.S. telecommunications providers, exploiting old security vulnerabilities. They were able to intercept calls and unencrypted messages, with reports even suggesting compromises of devices used by national intelligence services in the attacked countries.
Experts warn that Salt Typhoon marks a new era of Chinese cyber capabilities, characterized by advanced technical proficiency, patience, and persistence. The campaign has been linked to at least three Chinese tech companies acting on behalf of military and political intelligence agencies since 2019.
Officials emphasize that China is no longer content with stealing commercial secrets and personal data; it now seeks full dominance in the digital space.
What is Salt Typhoon?
Salt Typhoon is a cyber-espionage group linked to the Chinese state. U.S. agencies (CISA, NSA, FBI), along with 19 international partners, have issued a joint warning identifying the activity the industry calls “Salt Typhoon.”
Microsoft uses the term “Typhoon” for China-linked groups, and Salt Typhoon falls into this category.
Other Names
The group is also referred to as GhostEmperor, Earth Estries (Trend Micro), FamousSparrow (ESET), and UNC2286 (Mandiant). In government reports, it appears under the aliases OPERATOR PANDA, RedMike, and UNC5807.
Targets and Scope
- Primary targets: telecommunications infrastructure networks (backbone, edge routers)
- Other attacks: governments, transportation, hospitality/hotels, and military organizations
Activity has been recorded since 2019 in the U.S., U.K., Australia, Canada, New Zealand, and other countries.
Reports (based on FBI updates) indicate attacks in more than 80 countries, including breaches of critical infrastructure and government agencies.
By the end of 2024, intrusions had been confirmed in at least nine U.S. telecommunications providers.
Strategic Purpose
Salt Typhoon aims for long-term, stealthy access to monitor communications and acquire metadata, enabling Chinese intelligence to track the movements and contacts of targeted individuals.
Initial Infiltration and Devices
The group focuses on advanced network equipment (backbone routers, provider-edge, customer-edge, firewalls, gateways).