FBI Warns Salt Typhoon Telecom Intrusions Remain an Ongoing Risk
A senior FBI cyber intelligence official warned that Salt Typhoon, a China-linked cyber espionage group tied to the widespread compromise of telecommunications infrastructure disclosed in 2024, remains an active and broad threat to U.S. public- and private-sector organizations. Speaking at CyberTalks in Washington, D.C., FBI Deputy Assistant Director Michael Machtinger said organizations that engaged early with the FBI and agencies such as CISA were more successful at mitigating the impact of the intrusions, and he emphasized that the campaign largely exploited basic security weaknesses rather than relying primarily on zero-days.
Machtinger also assessed that Salt Typhoon is likely retaining stolen data “in perpetuity” for future surveillance and exploitation, noting uncertainty about how the PRC intends to use the information but expressing confidence it could enable follow-on operations. Reporting highlighted that the group accessed dozens of telecom providers globally in a multi-year effort and, in the U.S., targeted sensitive communications by accessing “lawful intercept” systems used for court-ordered wiretaps; it remains unconfirmed whether the actors have been fully removed from affected American networks. The FBI official further stated that Salt Typhoon “for certain” stole information from well over a million Americans directly, reinforcing the long-term counterintelligence and privacy risk posed by persistent access and large-scale data theft from telecom environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
FBI warns Salt Typhoon remains active and retains stolen data
At CyberTalks, FBI cyber intelligence officials warned that Salt Typhoon is still an ongoing threat to U.S. public and private sectors. They said the group likely retains stolen telecom and communications data indefinitely for future surveillance or exploitation and continues to exploit basic security weaknesses and legacy systems.
FBI says Salt Typhoon stole data from over 1 million Americans
By February 2026, the FBI said Salt Typhoon had stolen information from well over 1 million Americans and affected targets in more than 80 countries. Officials also said it remained unclear whether the actors had been fully removed from U.S. networks.
Salt Typhoon campaign is publicly disclosed
The telecom espionage campaign was publicly disclosed in 2024, bringing broader attention to the Chinese state-backed operation. After the disclosure, the FBI and CISA worked with affected organizations, and early engagement reportedly helped some entities mitigate the intrusions more effectively.
Salt Typhoon compromises U.S. telecom infrastructure
By 2024, Salt Typhoon had compromised U.S. telecommunications infrastructure, including access to lawful intercept systems used for court-ordered wiretaps. The campaign targeted communications involving senior political officials and was later described as one of the worst telecom espionage intrusions in U.S. history.
Salt Typhoon begins telecom espionage campaign
The FBI said Salt Typhoon's intrusions into telecommunications networks have been ongoing since at least 2019, marking the start of a multi-year cyberespionage campaign. The activity ultimately affected telecom providers and related targets across many countries.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Salt Typhoon threat against US persists, FBI official says | SC Media
scworld.com
Open sourceFBI: Threats from Salt Typhoon are ‘still very much ongoing’ | CyberScoop
cyberscoop.com
Open sourceChinese telecom hackers likely holding stolen data ‘in perpetuity’ for later attempts, FBI official says - Nextgov/FCW
nextgov.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Salt Typhoon Cyber Espionage Campaign Targeting U.S. Telecom and Government Networks
Salt Typhoon, a threat group linked to the People’s Republic of China, conducted a multiyear cyber espionage campaign targeting major U.S. telecom providers such as Verizon, AT&T, and T-Mobile, compromising the data of hundreds of millions of users. The campaign is considered by U.S. officials to be the most significant cyber espionage operation in history, with attackers gaining access to sensitive information including call logs, unencrypted texts, and audio from high-ranking political figures, as well as targeting law enforcement intercept backdoors and military networks. The group’s activities have raised concerns about potential election interference, political blackmail, and threats to national security. Salt Typhoon exploited unpatched, end-of-life, and forgotten network perimeter devices—such as routers, VPNs, and firewalls—using sophisticated “living off the land” tactics to establish long-term persistence and evade detection. The attackers stole administrator credentials, network traffic diagrams, and personal information from military and state cybersecurity personnel, using this intelligence to fuel further intrusions. The campaign highlights the urgent need for organizations to address technical debt and proactively secure legacy infrastructure, as reactive patching cannot undo compromises on already breached devices.
Mar 21, 2026
U.S. Telecoms Launch C2 ISAC After Salt Typhoon Breached Carrier Networks
Major U.S. telecommunications providers have formed the **Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC)** to strengthen real-time threat sharing and collective defense after the China-linked **Salt Typhoon** campaign compromised carrier networks in the United States and abroad. The intrusions, described by Sen. Mark Warner as the worst telecom hack in U.S. history, affected multiple major providers including **AT&T, Verizon, Lumen Technologies, T-Mobile**, and others, with investigators saying the activity has been ongoing since at least 2019 and there is still no clear public evidence the threat actors have been fully removed from communications networks. Officials and reporting said the espionage campaign enabled attackers to move between telecom networks, exfiltrate large volumes of data, and in some cases listen to audio calls in real time while targeting high-value intelligence, government, and political communications. Investigators also found breaches of U.S. lawful intercept systems used for court-ordered surveillance, while a separate suspected China-linked compromise of an FBI surveillance system likely exposed phone numbers of monitored targets; the campaign has also been linked to exploitation of vulnerabilities in **Cisco** routers to gain access to telecom infrastructure.
May 25, 2026
Salt Typhoon Cyber Espionage Campaign Targeting U.S. Critical Infrastructure
U.S. officials and cybersecurity experts have highlighted the ongoing threat posed by nation-state actors, particularly the Chinese-linked group known as Salt Typhoon, which has conducted widespread cyber intrusions targeting critical American infrastructure. These campaigns have focused on stealing intellectual property, surveilling government officials, and pre-positioning within essential networks such as airports, hospitals, water treatment facilities, and telecom providers, with the intent to disrupt services or gather intelligence at a time of their choosing. The persistence and sophistication of these operations underscore the urgent need for coordinated defense efforts between government agencies and the private sector, as most critical infrastructure is privately owned or operated. Recent incidents attributed to Salt Typhoon include the compromise of multiple U.S. telecom networks, with attackers maintaining access for nearly a year before detection. These breaches exemplify the evolving nature of hybrid and cross-domain threats, where cyber intrusions can cascade into physical and reputational risks. Security leaders are being urged to adopt new, asymmetric approaches to risk management, breaking down traditional silos and ensuring that intelligence and response capabilities keep pace with the rapidly changing threat landscape.
Mar 21, 2026