US Gov Links Private Chinese Firms to Salt Typhoon Hacks
Salt Typhoon has not been observed exploiting zero-day flaws, but instead targeting known bugs in exposed network edge devices - some of which are years old.

August 27, 2025 | 3 min read
The NSA, along with several agencies from the U.S. and other countries, on Wednesday released an in-depth security advisory that aimed to expose techniques, Indicators of Compromise (IoCs), and other breadcrumbs linked to activity by the infamous Chinese state-sponsored group known as Salt Typhoon.
As part of the advisory, the NSA formally linked Salt Typhoon activities to multiple China-based entities, including Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. The NSA said that these companies provide cyber products and services to China’s Ministry of State Security and People’s Liberation Army.
One of these companies has been publicly called out by the U.S. before. In January 2025, the Treasury Department’s Office of Foreign Assets Control slapped sanctions on the Sichuan-based cybersecurity company Sichuan Juxinhe Network Technology Co., saying it had direct involvement with Salt Typhoon activities.
“The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world,” according to the Wednesday advisory.
Salt Typhoon: High-Profile Attacks
Salt Typhoon (also tracked as Operator Panda, RedMike, UNC5807, and GhostEmperor) has been performing operations globally since at least 2021. The group has successfully hit telecommunications and internet service providers (ISPs), as well as companies in the lodging and transportation sectors.
One of the more high-profile attacks occurred in 2024, when it was revealed that the group had targeted several U.S. telecom companies over the course of at least two years - including AT&T, Verizon, and more - in widescale attacks that also impacted individuals with government and political ties. In a new interview with the Wall Street Journal this week, the FBI's top cyber official, Brett Leatherman, said that this campaign was actually far more extensive than previously revealed, targeting more than 80 countries and over 600 companies.
These espionage-focused intrusions have given Chinese intelligence services the ability to identify and track victim communications globally.
Salt Typhoon TTPs
In the advisory, government agencies sought to shed light on some of the techniques and IoCs used in Salt Typhoon attacks up until June 2025, which could be used for detection of future attacks.
The threat group has not been observed exploiting zero-day flaws, but instead targeting known bugs in exposed network edge devices - some of which are years old. These include:
The group has also been seen executing commands via Simple Network Management Protocol (SNMP), regaining entry into environments via SSH into network devices, brute-forcing weakly encrypted passwords recovered from obtained configuration files, and more.
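The techniques above turn on configuration hygiene that a defender can audit directly: reversibly encoded or plaintext credentials stored in device configurations, write-enabled or default SNMP community strings, and management services that do not need to be exposed. The following script is an added example written for this article, not code from the advisory or the agencies that published it. It scans a constructed Cisco IOS-style configuration (the syntax is an assumption, not something the article specifies) and reports findings by severity, so a network team can run the same checks over its own configuration backups before an intruder does. It flags weak credential storage rather than decoding anything.

```python
"""Audit a network-device configuration for weakly protected credentials
and risky SNMP / management settings.

Added example for this article; assumes Cisco IOS-style syntax. The sample
configuration below is constructed for illustration and belongs to no real device.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample configuration (not from the advisory or any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password 7 0822455D0A16
username admin password 7 094F471A1A0A
username ops secret 9 $9$placeholderhash
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 password cisco123
!
"""


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


# Each check: (pattern, severity, explanation). Several checks may hit one line.
CHECKS = [
    (re.compile(r"^enable password\s"), "high",
     "enable password is stored plaintext or reversibly encoded; use 'enable secret'"),
    (re.compile(r"^username \S+ password(\s+7)?\s"), "high",
     "user credential stored plaintext or reversibly encoded; use 'username ... secret'"),
    (re.compile(r"^snmp-server community \S+\s+RW\b"), "high",
     "write-enabled SNMP community allows configuration changes over SNMP"),
    (re.compile(r"^snmp-server community (public|private)\b"), "medium",
     "default SNMP community string in use"),
    (re.compile(r"^\s+transport input\b.*\btelnet\b"), "medium",
     "telnet enabled on a management line; restrict to ssh"),
    (re.compile(r"^\s+password\s+\S+"), "medium",
     "plaintext line password; prefer AAA with hashed credentials"),
]


def audit_config(text: str) -> list[Finding]:
    """Return every finding, with 1-based line numbers into the config text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern, severity, message in CHECKS:
            if pattern.search(line):
                findings.append(Finding(line_no, severity, message))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 4}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f.line_no:>3} [{f.severity}] {f.message}")
    print("summary:", summarize(results))
```

Running it over real configuration backups is most useful when the output is diffed between backups: a new RW community or a downgraded credential type appearing between two snapshots is exactly the kind of change worth treating as a potential indicator.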
“The APT actors may target edge devices regardless of who owns a particular device,” according to the advisory. “Devices owned by entities who do not align with the actors’ core targets of interest still present opportunities for use in attack pathways into targets of interest.”
What Companies Can Do
One of the bigger takeaways for U.S. organizations - and in particular network defenders of telecom and critical infrastructure firms - is that this threat group is targeting already known vulnerabilities, meaning that patching for these flaws is a must.
“These APT actors are having considerable success using publicly known CVEs to gain access to networks, so organizations are strongly encouraged to prioritize patching in a way that is proportionate to this threat, such as by sequencing patches to address the highest risks first,” according to the agencies’ advisory.
Lindsey O’Donnell-Welch is an award-winning journalist who strives to shed light on how security issues impact not only businesses and defenders on the front line, but also the daily lives of consumers.