The FBI has issued a security advisory warning the notorious Salt Typhoon hacker group is ramping up attacks globally.
Chinese state-sponsored threat actors have been targeting a wide range of sectors, the agency warned, mainly focusing on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers.
However, they’re also leveraging compromised devices and trusted connections to pivot into other networks, modifying routers to maintain persistent, long-term access to networks.
They've been linked to multiple China-based entities, including Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology , all of which provide cybersecurity products and services to China’s Ministry of State Security and People’s Liberation Army.
"Last fall, the FBI and CISA attributed compromises at US telecommunications providers to PRC-affiliated actors known as Salt Typhoon. Active since at least 2019, these actors conducted a significant cyber-espionage campaign, breaching global telecommunications privacy and security norms," said Brett Leatherman, assistant director of the FBI's Cyber Division.
"Today, we are releasing a Joint Cybersecurity Advisory to help defenders prevent, detect, and respond to this threat. Paired with guidance from late 2024, it offers practical steps to improve visibility and detect malicious activity early."
Salt Typhoon attacks worse than previously thought
Notably, the FBI warned that attacks waged by Salt Typhoon and its counterparts were more widespread than previously thought, with at least 60 organizations in 80 countries affected.
"Beijing’s indiscriminate targeting of private communications demands our stronger collaboration with our partners to identify and counter this activity at the earliest stages," said Leatherman.
"If you believe you are a victim of Salt Typhoon — or any other malicious cyber activity — I encourage you to contact your local FBI field office."
The advisory from the FBI comes in the wake of a report from the Department of Defense (DoD) detailing a long-term hacking campaign by the group against US National Guard networks.
In July, the DoD revealed Salt Typhoon breached and laid low in the compromised network of an unnamed US state National Guard for almost a year.
The group is believed to have accessed and exfiltrated sensitive military and law enforcement data as part of the campaign.
How to defend against Salt Typhoon
The advisory describes how Salt Typhoon operates, gaining initial access via known vulnerabilities in networking equipment.
Once in, the attackers altered access control lists, created privileged accounts, and enabled remote management to gain long-term access before moving laterally through organizations.
Rather than financial gain, the attacks were focused on telecom carriers, government organisations, and military infrastructure with the aim of surveillance and spying.
However, healthcare organizations have been targeted too.
“This alert details one of the largest global cyber espionage campaigns ever uncovered related to the Chinese government,” said John Riggi, AHA national advisor for cybersecurity and risk.
“US health care may be directly or indirectly impacted by this espionage and potentially disruptive cyberattack on critical infrastructure, and should take aggressive action to identify, contain, remediate and report to the FBI known instances of these malware strains appearing on healthcare networks or third-party networks.”
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
LastPass hit with ICO fine after 2022 data breach exposed 1.6 million users – here’s how the incident unfoldedNews The impact of the LastPass breach was felt by customers as late as December 2024
-
Researchers claim Salt Typhoon masterminds learned their trade at Cisco Network AcademyNews The Salt Typhoon hacker group has targeted telecoms operators and US National Guard networks in recent years
-
Trend Micro issues warning over rise of 'vibe crime' as cyber criminals turn to agentic AI to automate attacksNews Trend Micro is warning of a boom in 'vibe crime' - the use of agentic AI to support fully-automated cyber criminal operations and accelerate attacks.
-
Cyber budget cuts are slowing down, but that doesn't mean there's light on the horizon for security teamsNews A new ISC2 survey indicates that both layoffs and budget cuts are on the decline
-
NCSC issues urgent warning over growing AI prompt injection risks – here’s what you need to knowNews Many organizations see prompt injection as just another version of SQL injection - but this is a mistake
-
Chinese hackers are using ‘stealthy and resilient’ Brickstorm malware to target VMware servers and hide in networks for months at a timeNews Organizations, particularly in the critical infrastructure, government services, and facilities and IT sectors, need to be wary of Brickstorm
-
AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals — and teams at Amazon are already seeing huge gainsNews AWS CISO Amy Herzog thinks AI agents will be a ‘boon’ for cyber professionals, and the company has already unlocked significant benefits from the technology internally.
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
