
Salt Typhoon, a hacking group linked by U.S. officials to China’s Ministry of State Security, is at the center of an expansive cyber espionage campaign that breached global telecommunications networks and accessed data from millions of users, according to advisories and investigative reports released through 2024 and 2025.
The campaign first drew public attention in 2024, when U.S. agencies and major news outlets confirmed that the group had infiltrated at least nine American telecom and broadband companies, including AT&T, Verizon, T-Mobile, and Lumen. Investigators found that the intrusions likely began years earlier, with related activity traced to at least 2019.
Advisories from U.S. and allied governments describe how Salt Typhoon exploited vulnerabilities in Cisco routers and other network equipment, then used legitimate administrative tools to remain hidden. Once inside carrier systems, the group accessed large volumes of communications metadata and, in some cases, viewed information from platforms used to administer lawful wiretaps. One government assessment reported that the hackers obtained a near-complete list of phone numbers subject to interception, including devices used by Donald Trump, JD Vance, and members of the 2024 Kamala Harris campaign.
What began as a domestic case soon expanded internationally. Private threat-intelligence firms and U.S. officials have identified more than 200 affected organizations in over 80 countries, including telecom carriers, universities, energy operators, and technology firms. Analysts say the operation appears focused on counterintelligence and communications mapping rather than consumer financial theft.
Salt Typhoon’s activity has been linked to several Chinese technology contractors that U.S. officials say act as intermediaries for state intelligence agencies. Three firms—Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology—were named in U.S. advisories for providing infrastructure and personnel for the campaign. In January 2025, the U.S. Treasury sanctioned Juxinhe and an associated hacker for roles in the telecom breaches and a later intrusion into the Treasury Department.
The operation also reached into the U.S. military. A Department of Homeland Security memo reported that hackers breached one state’s Army National Guard network for nine months in 2024, acquiring administrator credentials, network diagrams, and configuration files. Officials warned that the intrusion could offer a foothold into additional military or critical-infrastructure systems.
U.S. responses have included sanctions, technical guidance to telecom carriers, and ongoing criminal investigations. Officials acknowledge, however, that exposure has not deterred the group, which continues to operate. Private cybersecurity firms tracking Salt Typhoon report ongoing activity through 2025, including the registration of new infrastructure.
For policymakers and security experts, the case illustrates how access to core communications technologies can be used to monitor global activity at scale. The investigation has renewed calls for stronger coordination between governments, carriers, and equipment manufacturers to reduce vulnerabilities in systems that support billions of users worldwide.







