
Salt Typhoon Cyberattacks: Updated Threat Assessment and Recommended Mitigations


Key Takeaways

U.S. federal agencies, including the Federal Bureau of Investigation (FBI), National Security Agency, and Cybersecurity and Infrastructure Security Agency (CISA), along with security and intelligence agencies from 12 partner nations, jointly issued a Cybersecurity Advisory (CSA) on August 27, 2025. The CSA details Salt Typhoon’s tactics, techniques, and procedures (TTPs) targeting telecommunications and internet service providers, as well as sectors including transportation, lodging, and others. 

The CSA was informed by contributions from private-sector partners, including but not limited to Amazon Web Services Security, Cisco Security and Trust, Cisco Talos, CrowdStrike, Google Mandiant, Google Threat Intelligence, GreyNoise, Microsoft, and PwC Threat Intelligence.

This advisory follows the announcement in November 2024 by U.S. and partner agencies that PRC-affiliated cyberthreat actors had compromised networks of major global telecommunications providers to conduct a broad and significant cyber espionage campaign. Our previous Update provides additional information about that announcement and the security guidance it contained.

The CSA describes observed TTPs by the threat actors for initial access, persistence, lateral movement and collection, and exfiltration. To mitigate these escalated threats, critical infrastructure operators—particularly telecommunications companies—should perform threat hunting and, when appropriate, incident response activities. The threat actors often succeed using publicly known common vulnerabilities and exposures (CVEs) to gain access to networks. Companies should therefore patch the CVEs the CSA identifies and should prioritize the highest-risk network components, such as edge devices.

The CSA further provides general recommendations, guidance on hardening management protocols and services, implementing robust logging, and following routing and Virtual Private Network best practices, and recommendations specific to particular equipment and producers.

The agencies have not been able to identify how the threat actors obtain initial access in many cases. This remains a critical information gap. The FBI and CISA encourage United States-based organizations to report suspicious or criminal activity related to information in the CSA. 

This CSA and the persistent Salt Typhoon threat highlight the need for critical infrastructure operators to maintain a robust, up-to-date, and proactive security program and to understand information-sharing opportunities and obligations. Perkins Coie is available to help review data security programs, assess readiness, enhance security planning, ensure information-sharing complies with applicable laws, and respond to incidents affecting critical infrastructure and other sectors.


Authors

Partner
THinnen@perkinscoie.com


206.359.3384
Senior Counsel
DAaron@perkinscoie.com

Associate
SarahGrant@perkinscoie.com
