China-Linked Espionage Campaign Hit Telecoms, Cloud Email, and Manufacturers
China-linked hacking groups were reported to have penetrated a wide range of targets across the United States and allied regions, including manufacturers, U.S. government email systems, internet providers, and major telecommunications networks. Earlier reporting described broad economic espionage aimed at stealing trade secrets from manufacturing sectors in the U.S., Europe, and Asia, while later disclosures said Chinese operators breached U.S. government email accounts through Microsoft cloud infrastructure and infiltrated American internet providers for surveillance. Subsequent investigations tied the telecom intrusions to the Salt Typhoon campaign, which officials said exposed sensitive metadata and provided insight into U.S. surveillance targets.
U.S. officials characterized the activity, alongside related operations such as Volt Typhoon, as one of the most serious cyber threats to American critical infrastructure in recent years. Reporting said investigators believed the attackers may have retained access to at least eight telecom firms, including Verizon and AT&T, and that the campaign extended to dozens of telecoms and government agencies. In response, the Biden administration moved to bar the remaining U.S. operations of China Telecom Americas, citing national security risks and signaling the first public retaliatory step tied to the telecom compromises, even as debate continued over broader sanctions, technology restrictions, and offensive cyber responses.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
China-linked hackers reported to have breached dozens of telecoms and agencies
Reporting in early 2026 said China-linked hackers had breached dozens of telecommunications companies and government agencies, showing the scope of the campaign had expanded well beyond the initially disclosed victims.
Biden administration moves to ban remaining China Telecom Americas operations
The Biden administration announced a first public retaliatory step against the China-linked telecom hacking campaign by moving to ban the remaining U.S. operations of China Telecom Americas, citing national security risks tied to its network presence and cloud services.
U.S. identifies Salt Typhoon telecom compromise as major espionage campaign
By December 2024, U.S. officials had concluded that China's Salt Typhoon campaign broadly compromised American telecommunications networks, with investigators believing the hackers may still have access to at least eight telecom firms, including Verizon and AT&T, and had obtained sensitive metadata and insight into U.S. surveillance targets.
Chinese hackers target phones tied to Trump, Vance, and Harris associates
AP reported that China-linked hackers targeted cellphones used by Donald Trump, JD Vance, and individuals associated with Kamala Harris’s campaign as part of a broader intrusion into commercial telecommunications infrastructure. U.S. officials were still investigating what data, if any, had been accessed.
Chinese government hackers penetrate U.S. internet providers
The Washington Post reported that Chinese government hackers had infiltrated U.S. internet service providers to conduct espionage, indicating a deeper compromise of core communications infrastructure.
Chinese hackers breach U.S. government email via Microsoft cloud
Chinese hackers penetrated U.S. government email accounts through Microsoft's cloud environment, exposing communications from federal agencies and marking a significant escalation in Beijing-linked cyber espionage against U.S. institutions.
Researchers detail broad Chinese espionage against manufacturers
Researchers reported that China-linked hackers had conducted a wide-ranging economic espionage campaign targeting manufacturing organizations in the United States, Europe, and Asia to steal trade secrets and other sensitive business information.
Sources
5 references tracked. Mallory keeps watching after this page renders.
China-linked hackers breached dozens of telecoms, government agencies | Cybersecurity Dive
cybersecuritydive.com
Open sourceChinese hackers targeted cellphones used by Trump and Vance, AP sources say | AP News
apnews.com
Open sourceChinese government hackers penetrate U.S. internet providers to spy - The Washington Post
washingtonpost.com
Open sourceChinese hackers breach U.S. government email through Microsoft cloud - The Washington Post
washingtonpost.com
Open sourceChinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say | CNN Politics
cnn.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
U.S. Telecoms Launch C2 ISAC After Salt Typhoon Breached Carrier Networks
Major U.S. telecommunications providers have formed the **Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC)** to strengthen real-time threat sharing and collective defense after the China-linked **Salt Typhoon** campaign compromised carrier networks in the United States and abroad. The intrusions, described by Sen. Mark Warner as the worst telecom hack in U.S. history, affected multiple major providers including **AT&T, Verizon, Lumen Technologies, T-Mobile**, and others, with investigators saying the activity has been ongoing since at least 2019 and there is still no clear public evidence the threat actors have been fully removed from communications networks. Officials and reporting said the espionage campaign enabled attackers to move between telecom networks, exfiltrate large volumes of data, and in some cases listen to audio calls in real time while targeting high-value intelligence, government, and political communications. Investigators also found breaches of U.S. lawful intercept systems used for court-ordered surveillance, while a separate suspected China-linked compromise of an FBI surveillance system likely exposed phone numbers of monitored targets; the campaign has also been linked to exploitation of vulnerabilities in **Cisco** routers to gain access to telecom infrastructure.
May 25, 2026
Salt Typhoon Cyber Espionage Campaign Targeting U.S. Telecom and Government Networks
Salt Typhoon, a threat group linked to the People’s Republic of China, conducted a multiyear cyber espionage campaign targeting major U.S. telecom providers such as Verizon, AT&T, and T-Mobile, compromising the data of hundreds of millions of users. The campaign is considered by U.S. officials to be the most significant cyber espionage operation in history, with attackers gaining access to sensitive information including call logs, unencrypted texts, and audio from high-ranking political figures, as well as targeting law enforcement intercept backdoors and military networks. The group’s activities have raised concerns about potential election interference, political blackmail, and threats to national security. Salt Typhoon exploited unpatched, end-of-life, and forgotten network perimeter devices—such as routers, VPNs, and firewalls—using sophisticated “living off the land” tactics to establish long-term persistence and evade detection. The attackers stole administrator credentials, network traffic diagrams, and personal information from military and state cybersecurity personnel, using this intelligence to fuel further intrusions. The campaign highlights the urgent need for organizations to address technical debt and proactively secure legacy infrastructure, as reactive patching cannot undo compromises on already breached devices.
Mar 21, 2026
FBI Warns Salt Typhoon Telecom Intrusions Remain an Ongoing Risk
A senior FBI cyber intelligence official warned that **Salt Typhoon**, a China-linked cyber espionage group tied to the widespread compromise of telecommunications infrastructure disclosed in 2024, remains an active and broad threat to U.S. public- and private-sector organizations. Speaking at *CyberTalks* in Washington, D.C., FBI Deputy Assistant Director Michael Machtinger said organizations that engaged early with the FBI and agencies such as **CISA** were more successful at mitigating the impact of the intrusions, and he emphasized that the campaign largely exploited **basic security weaknesses** rather than relying primarily on zero-days. Machtinger also assessed that Salt Typhoon is likely retaining stolen data “**in perpetuity**” for future surveillance and exploitation, noting uncertainty about how the PRC intends to use the information but expressing confidence it could enable follow-on operations. Reporting highlighted that the group accessed **dozens of telecom providers globally** in a multi-year effort and, in the U.S., targeted sensitive communications by accessing **“lawful intercept”** systems used for court-ordered wiretaps; it remains unconfirmed whether the actors have been fully removed from affected American networks. The FBI official further stated that Salt Typhoon “for certain” stole information from **well over a million Americans directly**, reinforcing the long-term counterintelligence and privacy risk posed by persistent access and large-scale data theft from telecom environments.
Mar 21, 2026