Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat

Sept. 25, 2025, 7:33 p.m.

Description

Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security, specializing in long-term espionage operations targeting global telecommunications infrastructure. Active since 2019, it has demonstrated advanced capabilities in exploiting network edge devices, establishing deep persistence, and harvesting sensitive communications data from telecom providers and critical infrastructure sectors. The group operates with MSS oversight and support from pseudo-private contractors, using front companies to obscure attribution. Salt Typhoon's campaigns utilize bespoke malware, living-off-the-land binaries, and stealthy router implants, with a targeting profile spanning the U.S., U.K., Taiwan, and EU. Their operations are notable for using publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.

Attack Patterns

Additional Information

  • Energy
  • Defense
  • Telecommunications
  • Government
  • Taiwan
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America