{
	"id": "fceb5cf6-d2d1-495a-8483-c32f3ce2c614",
	"created_at": "2026-04-06T00:13:22.435821Z",
	"updated_at": "2026-04-10T13:11:40.128536Z",
	"deleted_at": null,
	"sha1_hash": "1a1180bf314a1d20b4aa60aff8d668a7a70eed44",
	"title": "FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 890548,
	"plain_text": "FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches\r\nBy Sergiu Gatlan\r\nPublished: 2025-04-25 · Archived: 2026-04-05 14:08:44 UTC\r\nThe FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of\r\ntelecommunications providers in the United States and worldwide.\r\nIn October, the FBI and CISA confirmed that the Chinese state hackers had breached multiple telecom providers (including\r\nAT\u0026T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) and many other\r\ntelecom companies in dozens of countries.\r\nAs revealed at the time, while they had access to the U.S. telecoms' networks, the attackers also accessed the U.S. law\r\nenforcement's wiretapping platform and gained access to the \"private communications\" of a \"limited number\" of U.S.\r\ngovernment officials.\r\nOn Thursday, the FBI issued a public service announcement seeking tips that could help identify and locate the Salt Typhoon\r\nhackers who targeted US telecommunications infrastructure.\r\n\"Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into\r\nthese networks to target victims on a global scale. 
This activity resulted in the theft of call data logs, a limited number of\r\nprivate communications involving identified victims, and the copying of select information subject to court-ordered US law\r\nenforcement requests,\" the FBI said.\r\n\"FBI maintains its commitment to protecting the US telecommunications sector and the individuals and organizations\r\ntargeted by Salt Typhoon by identifying, mitigating, and disrupting Salt Typhoon's malicious cyber activity. If you have any\r\ninformation about the individuals who comprise Salt Typhoon or other Salt Typhoon activity, we would particularly like to\r\nhear from you.\"\r\nIn January, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against\r\nSichuan Juxinhe Network Technology, a Chinese cybersecurity firm believed to be directly involved in the Salt Typhoon\r\ntelecom breaches.\r\nThe FBI also reminded the public that the U.S. Department of State is offering a reward of up to $10 million through its Rewards for\r\nJustice (RFJ) program for information about government-linked foreign hackers linked to malicious cyber activities against\r\nU.S. critical infrastructure.\r\nMore Salt Typhoon telecom breaches\r\nChina's Salt Typhoon cyber-espionage group (also tracked as Ghost Emperor, FamousSparrow, Earth Estries, and\r\nUNC2286) has been breaching government entities and telecom companies since at least 2019.\r\nIn recent months, it was also uncovered that this state-backed hacking group is still actively targeting telecoms. Between\r\nDecember 2024 and January 2025, it breached more telecommunications companies worldwide by exploiting privilege\r\nescalation and Web UI command injection vulnerabilities in unpatched Cisco IOS XE network devices.\r\nThese additional breaches include a U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. 
telecommunications\r\nprovider, an Italian ISP, a South African telecom provider, and a large Thai telecommunications provider.\r\nCisco has also revealed that the Chinese hackers use a custom JumbledPath malicious tool to stealthily monitor network\r\ntraffic and likely capture sensitive data from compromised U.S. telecommunication providers' networks.\r\nIn response to these breaches, U.S. authorities are considering banning TP-Link routers if an ongoing investigation finds\r\ntheir use in cyberattacks poses a national security risk. They are also reportedly planning to ban China Telecom's last active\r\noperations in the United States.\r\nSource: https://www.bleepingcomputer.com/news/security/fbi-seeks-help-to-unmask-salt-typhoon-hackers-behind-telecom-breaches/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fbi-seeks-help-to-unmask-salt-typhoon-hackers-behind-telecom-breaches/"
	],
	"report_names": [
		"fbi-seeks-help-to-unmask-salt-typhoon-hackers-behind-telecom-breaches"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775826700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a1180bf314a1d20b4aa60aff8d668a7a70eed44.pdf",
		"text": "https://archive.orkl.eu/1a1180bf314a1d20b4aa60aff8d668a7a70eed44.txt",
		"img": "https://archive.orkl.eu/1a1180bf314a1d20b4aa60aff8d668a7a70eed44.jpg"
	}
}