A new report from DomainTools exposes the operations of Salt Typhoon, a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS). Active since at least 2019, Salt Typhoon specializes in long-term espionage against global telecommunications providers, embedding itself deep within critical infrastructure to collect signals intelligence (SIGINT) and prepare for potential cyber warfare.
According to DomainTools, “Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure.”
What distinguishes Salt Typhoon is its hybrid operational model. The report notes that the group “operates with both direct MSS oversight and the support of pseudo-private contractor ecosystems, leveraging front companies and state-linked firms to obscure attribution.”
These contractors—including Sichuan Juxinhe, Beijing Huanyu Tianqiong, and Sichuan Zhixin Ruijie—provide the infrastructure, domain registration pipelines, and technical tools that allow Salt Typhoon to scale operations while maintaining plausible deniability.
Salt Typhoon’s operations have been highly targeted, with confirmed breaches across multiple regions:
- U.S. Telecom Breaches (2024): The group infiltrated AT&T, Verizon, T-Mobile, and others, exfiltrating “subscriber metadata, call detail records (CDRs), VoIP infrastructure configs, and lawful intercept logs.”
- U.S. National Guard Intrusions (2024): Attacks on state-level military networks harvested “network diagrams, VPN configs, credentials, and incident response playbooks.”
- UK Critical Infrastructure (2023–2024): Strategic espionage operations collected communications routing and geo-location metadata from government and defense systems.
- EU Router Hijacking (2022–2023): The group implanted custom router backdoors across European ISPs, enabling long-term surveillance and potential staging for future campaigns.
These intrusions underscore Salt Typhoon’s dual-use mission: espionage today, but with infrastructure in place for communications disruption in wartime scenarios.
Despite its sophistication, Salt Typhoon has left unusual fingerprints. DomainTools highlights “the use of publicly trackable domains registered with false U.S. personas, marking a rare lapse in tradecraft among advanced Chinese threat actors.”
Domains were often registered with ProtonMail accounts and fabricated U.S. identities such as “Shawn Francis” and “Monica Burch.” While intended to blend into domestic internet traffic, these patterns created durable attributional seams that defenders can use to track campaigns.
Salt Typhoon mirrors the operational style exposed in the 2024 i-SOON leaks, where private Chinese companies served as fronts for MSS-directed cyber operations. The report explains: “Like i-SOON, Salt Typhoon’s supporting companies illustrate how the PRC cyber apparatus blurs the lines between state, semi-private, and private entities.”
This model allows Beijing to outsource cyber operations, achieving scalability and deniability. Contractors provide malware development, domain logistics, and covert access tools while MSS sets priorities and oversees campaigns.
Salt Typhoon’s work highlights a broader shift in China’s cyber strategy: away from monolithic APT groups and toward fragmented, industrial-scale espionage fueled by contractors. As DomainTools concludes, “Salt Typhoon is not merely another state-backed APT. It is a prototype of China’s next-generation cyber espionage model, where covert access is privatized, capabilities are modular, and deniability is built into every layer of the intrusion lifecycle.”