Salt Typhoon Update

Bola Ogbara

Since being discovered in late 2024, the Salt Typhoon group has continued to hack telecommunications industries and has expanded into spying on universities. 

In December 2024, Americans first learned about the Salt Typhoon hack, a far-reaching cyber campaign that compromised the infrastructure of nine US telecommunications firms and exposed the cellular metadata of a large number of Americans. The attack was both broad and deeply penetrative: high-ranking government officials had unencrypted text messages stolen and may have had their live phone calls listened in on. The hack was carried out by a China-sponsored cyber group, dubbed Salt Typhoon by Microsoft (and RedMike by Insikt Group, Recorded Future’s research team). Despite knowing the cause of the infiltration, the extensive breadth of the hack meant that cybersecurity officials weren’t sure when they would be able to evict the group from US systems.

In the midst of tumultuous administration changes in America’s cybersecurity departments, Salt Typhoon has received less coverage than it did in December. Still, the group has not stopped its hacking operations against telecommunications networks. As in the first hack discovered in late 2024, Salt Typhoon has continued reaching into the systems of telecommunications providers all over the world. In mid-February, Insikt Group reported on the group’s activity in December and January, including its exploitation of unpatched Cisco network devices to gain root privileges, which led to attempts to compromise over 1,000 Cisco network devices in multiple settings. Over half of the devices were based in the US, South America and India. Beyond telecom organizations, Insikt Group also found “RedMike targeting devices associated with universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the United States (US), and Vietnam.”

According to Insikt Group, universities were likely targeted by Salt Typhoon because of their “valuable research data and intellectual property”, which fits a larger pattern of Chinese state-sponsored threat activity. In the US, the University of California at Los Angeles (UCLA), California State University, Loyola Marymount University, and Utah Tech University were attacked. Given that UCLA has a highly ranked computer science program, other universities with strong programs in related fields such as engineering, technology and telecommunications are likely also at risk of being spied on. Outside of the US, nine universities, also of good standing, were targeted.

Levi Gundert, who leads Insikt Group, commented to WIRED on Salt Typhoon’s powerful but somewhat under-acknowledged capabilities: “They’re super active, and they continue to be super active. I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.” That’s not to say there haven’t been any actions to stop them: in an effort to curb malicious China-based cyber campaigns, Sichuan Silence was sanctioned almost a week after the news broke on Salt Typhoon. Still, Gundert says they “haven’t observed any real change in the volume or velocity of attacks, even in the same target demographic of telecommunications.”

Recently, telecom security has re-emerged as an important issue on the federal stage. On April 9, 2025, Oregon Senator Ron Wyden (D) said he would block Sean Plankey’s nomination to run the Cybersecurity and Infrastructure Security Agency (CISA). Wyden’s decision hinges on CISA’s refusal to release an unclassified 2022 report on security issues in America’s telecommunications companies. In his statement, Wyden recounts his efforts to make the report, “U.S. Telecommunications Insecurity 2022”, widely accessible, as the report “contains important factual information that the public has a right to see and CISA should stop withholding the entire report under a purported ‘deliberative process privilege’ claim.” His request was seemingly ignored by former President Biden and previous CISA Director Jen Easterly.

Wyden believes the Salt Typhoon hack is proof of poor cybersecurity posture at these telecommunications companies: “This espionage incident, and the harm to U.S. national security caused by it, were the direct result of U.S. phone carriers’ failure to follow cybersecurity best practices, such as installing security updates and using multi-factor authentication, and federal agencies failing to hold these companies accountable.” Senator Wyden says these phone companies aren’t required to meet minimum cybersecurity standards, but it’s worth noting that the Federal Communications Commission (FCC) passed a rule in January requiring telecommunications operators to secure their networks against attack (by developing cybersecurity plans).

Reports show that threat actors backed by China are not going anywhere anytime soon. According to CrowdStrike’s annual threat report, intrusions linked to the country were up 150% in 2024 compared to 2023, with a greater focus on covertly gaining and sustaining access to important networks. While there seems to be an initiative in the Senate to stop financial cybercrime, Wyden’s block appears to be the only effort focused on improving cybersecurity in telecommunications. Hopefully, some regulations can be set before more Salt Typhoon activity is discovered.