{
	"id": "ba4808bd-6aec-40a6-a62c-8242123005a4",
	"created_at": "2026-04-06T00:15:31.388155Z",
	"updated_at": "2026-04-10T03:34:28.247286Z",
	"deleted_at": null,
	"sha1_hash": "66ecc304f81503f3955f332bee061e0abf49c324",
	"title": "What Should the US Do About Salt Typhoon?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2076060,
	"plain_text": "What Should the US Do About Salt Typhoon?\r\nBy Alexander Culafi\r\nPublished: 2025-04-10 · Archived: 2026-04-05 13:22:15 UTC\r\nSource: Daniren via Alamy Stock Photo\r\nOf the countless threat actors, state-sponsored and otherwise, that target the US private and public sectors, few\r\nhave gained the wide cultural relevance of Salt Typhoon, the Chinese state-sponsored threat actor that has targeted\r\nmajor telecommunications providers in a far-reaching, ongoing espionage campaign.\r\nDiscovered last fall, Salt Typhoon has hacked into telecom giants in the US and abroad — including Verizon,\r\nAT\u0026T, Lumen Technologies, and others — in a successful effort to access the \"lawful intercept\" systems law\r\nenforcement agencies use for court-authorized wiretapping. In its apparently months-long campaign, Salt Typhoon\r\naccessed sensitive data belonging to the Republican and Democratic 2024 presidential campaigns as well as that\r\nof other politicians.\r\nSalt Typhoon's activities have continued into the new year and around the world. Although Chinese state-backed\r\nespionage against the US is well-established, the telecom-focused attacks reported last fall are a high-profile\r\nreminder of how these activities are escalating. The question is, What can the US do about it?\r\nRelated:Not Toying Around: Hasbro Attack May Take 'Weeks' to Remediate\r\nSalt Typhoon: Truly an Advanced Threat\r\nhttps://www.darkreading.com/cyberattacks-data-breaches/what-should-us-do-salt-typhoon\r\nPage 1 of 5\n\nCrowdStrike's recent 2025 \"Global Threat Report\" said China state-backed hacking has reached an \"inflection\r\npoint\" and noted a 150% increase in China-nexus activity across all sectors. 
Beyond espionage, the Chinese\r\ngovernment has also shown an interest in pre-positioning itself in critical environments to prepare for possible\r\nescalation with adversaries.\r\nAaron Shraberg, senior intelligence analyst at Flashpoint, tells Dark Reading that on top of the aforementioned\r\nespionage and pre-positioning activities, the group utilizes a number of sophisticated tactics.\r\n\"Salt Typhoon has demonstrated stealth and persistence, meaning it is difficult to identify the threat on networks,\"\r\nShraberg says. \"The group has demonstrated proficiency in various tactics, techniques, and procedures (TTPs),\r\nlike living off the land (LoTL), to use legitimate tools and blend in with network traffic to avoid discovery.\"\r\nOn April 2, the House Committee on Government Reform dedicated a hearing to Salt Typhoon. During the\r\nhearing, state representative and committee chairman William Timmons (R-SC) asked Edward Amoroso, research\r\nprofessor at New York University, whether the US should retaliate for the Salt Typhoon attacks and what kind of\r\nresponse would be justified.\r\nAmoroso did not advocate for \"hacking back\" (the popular colloquial term for retaliatory offensive cyber activity),\r\ninstead saying the US should see it as a wake-up call for the country to shore up its defenses and pull together. 
He\r\nsaid the idea of hacking back \"shirks the responsibility\" to look inward.\r\nDark Reading asked four security experts about the US's options for responding to Salt Typhoon, as well as how\r\ndefenders should protect themselves against APT threats.\r\nThe Threat of Salt Typhoon\r\nAsked how much of a threat Salt Typhoon's malicious activities pose to the United States, experts Dark Reading\r\nspoke with broadly attested to their significance.\r\nBobby Kuzma, director of offensive cyber operations at penetration testing and incident response firm\r\nProCircular, says the activity Salt Typhoon engaged in was \"pretty bad,\" noting the reach granted by leveraging\r\nthe lawful intercept capabilities built into domestic telecommunications providers.\r\n\"For every phone company and ISP (not that there’s much of a difference anymore) they have access to, they can\r\nintercept everything travelling over the network, including encrypted communications,\" Kuzma says. \"They might\r\nnot be able to read the content of those communications, but they can certainly look at patterns in who is talking to\r\nwhom and make educated guesses.\"\r\nDave Merkel, co-founder and CEO of managed security services vendor Expel, says it was a huge deal but,\r\nnotably, nothing new. \"China actively goes after US private sector organizations for a number of reasons, relating\r\nto counterintelligence, IP theft, you name it,\" he says.\r\nAnd to Merkel's point, China's cyber efforts are more or less institutionalized by this point. CrowdStrike, for\r\nexample, regularly discusses how China's Five-Year Plans should be interpreted from a cyber-focused lens.\r\nThis activity doesn't seem to be slowing down. 
Austin Berglas, global head of professional services at security\r\nvendor BlueVoyant as well as former head of cyber for the FBI in New York, says as much.\r\n\"Chinese state-sponsored attacks against United States critical infrastructure will continue to occur,\" Berglas says.\r\n\"China has been embedding themselves in networks and exploiting supply chains for the purpose of conducting\r\nmassive data collection activities for years. This is nothing new to the intelligence community.\"\r\nHe continues, \"The fact that China is already embedded in US infrastructure is a massive concern. Traditional\r\ngoals such as intellectual property theft and large-scale intelligence collection pale in comparison to the potential\r\nfor disruption or takeover of critical services.\"\r\nUS Government Options for Response\r\nKuzma names \"strongly worded diplospeak,\" expelling members of diplomatic delegations, criminal charges\r\nagainst individual foreign citizens, and sanctions against organizations (which has happened already). \"All these\r\nare so-called proportionate responses,\" he says. \"It gets scarier from there.\"\r\nAlon Termin, red team expert at exposure management firm CYE, approached the question of possible responses\r\nfrom a more cyber-focused angle. 
Namely, shoring up defenses and imposing stronger regulations.\r\n\"The US can respond with defensive cyber operations to detect, deter, and neutralize threats,\" Termin says.\r\n\"Implementing stricter cybersecurity regulations for critical infrastructure sectors could also help prevent such\r\nintrusions.\"\r\nThe FCC proposed regulations last fall requiring communication providers to annually certify, update, and\r\nimplement cybersecurity risk management plans.\r\nHow Should the US Respond to Salt Typhoon?\r\nSimilarly to Amoroso's answer during the April 2 House Committee on Government Reform hearing, sources\r\nbroadly responded to the question of what the US government should do by calling for better security hygiene in\r\nits most critical institutions. Here's what they said:\r\nAustin Berglas, BlueVoyant: Our response should be to finally get our own house in order so that we can\r\nproperly protect the homeland. Private corporations need to learn lessons from failures within the US\r\ngovernment. Permitting sensitive and business-related conversations to be conducted on platforms outside\r\nof corporate approved networks and devices will only cause problems, and policies and procedures are\r\nonly useful if enforced and followed. The FCC recently proposed to strengthen rules for telecom providers\r\nto secure their environment. This guidance is nothing without action and adoption. Lastly, our adversaries\r\ndo not need to deploy sophisticated, zero-day exploits to have success. They are capitalizing on patchable,\r\npreviously identified vulnerabilities. 
Basic hygiene calls for continuous and complete visibility across your\r\nnetwork and monitoring of your most critical supply chain relationships.\r\nAlon Termin, CYE: The best way to respond is by investing in advanced cybersecurity technologies and\r\npractices to protect critical systems.\r\nAnne An, principal threat intelligence analyst, Trellix: I'd hope that the US government will prioritize the\r\ndevelopment and deployment of more secure edge devices, such as phones, laptops, and other IoT [Internet\r\nof Things] hardware, which are becoming an increasing point of vulnerability. They are often the first line\r\nof defense in a network, and as they are more widely used, they become targets for APTs.\r\nBobby Kuzma, ProCircular: The US has already exerted pressure on China to make its displeasure known,\r\nthrough sanctions and individual criminal charges against MSS officers linked to the attacks. Another\r\nconsideration that is on the table, but probably won’t be acted on, is allowing telecom organizations to shut\r\ndown or remove the lawful intercept capability that acts as an effective backdoor into their infrastructure.\r\nThere needs to be a balance between convenience to law enforcement for surveillance and having massive\r\nbackdoors that allow for this exploitation.\r\nDefender Takeaways From Salt Typhoon\r\nAlthough state-backed espionage may not be something every organization feels it has to worry about, the best\r\npractices for defending against an APT are generally good advice, no matter who you are.\r\nExpel's Merkel advises enforcing good cyber hygiene, such as patching quickly, supporting multifactor\r\nauthentication, and maintaining good asset inventories. 
He calls this the \"bare minimum,\" and suggests taking a\r\ndefense-in-depth approach to security and prioritizing strong detection and response.\r\nFlashpoint's Shraberg, meanwhile, calls for enterprises to adopt a \"proactive and layered security approach\r\ndrawing on public and private sector resources and expertise.\"\r\n\"There are many ways to address the multifaceted nature of sophisticated threat actors. Technical defenses are very\r\nimportant and should be combined with a level of education of individuals to learn how to do their part to fend off\r\nattacks from things like phishing and social engineering, especially as AI tools now find their way into attackers'\r\ntoolboxes,\" Shraberg says. \"Given the potential for supply chain compromises highlighted with other Chinese\r\nAPT groups, enterprises should also assess and manage the security risks associated with their vendors and\r\npartners, such as those involving networking equipment like routers.\"\r\nAn says that as Salt Typhoon typically uses otherwise legitimate tools like PowerShell and WMI, organizations\r\nshould monitor for unusual or suspicious activity associated with living off the land, as well as compromised\r\naccounts.\r\n\"One of the group's most common tactics is to use legitimate credentials and move laterally within the network, so\r\norganizations should follow strong monitoring practices to detect and respond to compromised accounts as\r\nquickly as possible,\" An says. 
\"They can do this by implementing and enforcing multifactor authentication,\r\nconducting frequent audits, and regularly analyzing login behavior for any signs of irregular activity.\"\r\nOrganizations should also patch public-facing services, VPNs, and legacy systems — common entry points for\r\nattackers.\r\nThough a common impulse for the US right now is to handle China from a place of escalation and retaliation, Dark\r\nReading sources uniformly do not propose doing something similar on the cyber front. Instead, as Amoroso put it\r\nat last week's House committee hearing, \"The best defense is a good defense.\"\r\nAbout the Author\r\nSenior News Writer, Dark Reading\r\nAlex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for\r\nindependent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of\r\nScience in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report,\r\nand elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on\r\npersonal writing projects, including two previously self-published science fiction novels.\r\nSource: https://www.darkreading.com/cyberattacks-data-breaches/what-should-us-do-salt-typhoon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/cyberattacks-data-breaches/what-should-us-do-salt-typhoon"
	],
	"report_names": [
		"what-should-us-do-salt-typhoon"
	],
	"threat_actors": [
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775792068,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66ecc304f81503f3955f332bee061e0abf49c324.pdf",
		"text": "https://archive.orkl.eu/66ecc304f81503f3955f332bee061e0abf49c324.txt",
		"img": "https://archive.orkl.eu/66ecc304f81503f3955f332bee061e0abf49c324.jpg"
	}
}