Global critical infrastructure still vulnerable to China's "Salt Typhoon" hackers, new advisory warns

  • Marijan Hassan - Tech Journalist
  • 6 days ago

A multinational advisory from intelligence and cybersecurity agencies carries a stark warning: the Chinese state-sponsored hacking group known as Salt Typhoon is still active and deeply embedded in critical infrastructure networks worldwide.



The group, also tracked as GhostEmperor and Operator Panda, has been conducting a persistent cyber espionage campaign for years, and authorities warn that even with public disclosures and alerts, many of their digital footholds remain.


The joint advisory, co-signed by over a dozen countries including the US, UK, Canada, and Japan, reveals that Salt Typhoon's activities extend far beyond initial reports of compromising global telecommunication providers.


The hackers have also breached systems in government, transportation, lodging, and military infrastructure networks across at least 80 countries, affecting more than 600 organizations.


This widespread access allows China’s intelligence services to identify and track the communications and movements of targets around the world.


A focus on known vulnerabilities and persistence

The report highlights a troubling reality. Salt Typhoon has had considerable success not by using sophisticated zero-day exploits, but by exploiting known, unpatched vulnerabilities in widely used hardware, such as routers from Cisco, Ivanti, and Palo Alto Networks. Its "living off the land" approach lets the group use existing network tools to move laterally, collect data, and maintain long-term, stealthy access.


Once inside, the hackers are adept at creating backdoors and tampering with access control lists. They will even modify routing to enable "traffic mirroring," effectively allowing them to copy all network traffic for analysis.


This is a highly efficient way to conduct large-scale surveillance and intelligence gathering. The FBI's top cyber official, Brett Leatherman, noted that the group has multiple hidden points of re-entry, making eviction a significant and ongoing challenge for network defenders.
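The access control list tampering and traffic mirroring described above show up as configuration drift, so one hunting step is to compare a device's current configuration against a trusted baseline. The following is an added example, not code from the advisory or this article; it assumes Cisco IOS-style syntax and treats `monitor session` lines as the mirroring indicator, and the configs, the ACL name MGMT-IN and the addresses are constructed.

```python
import re

# Constructed IOS-style configs for illustration (not taken from the advisory).
BASELINE = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 deny ip any any log
"""
CURRENT = """\
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 203.0.113.7 any eq 22
 deny ip any any log
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/9
"""
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)", re.I)
MIRROR_RE = re.compile(r"^monitor session \d+", re.I)  # SPAN-style mirroring

def acl_entries(config):
    """Return {acl_name: [entries]} for named ACL blocks in a config."""
    acls, name = {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            name = m.group(1)
            acls[name] = []
        elif name and line.startswith(" "):
            acls[name].append(line.strip())
        else:
            name = None  # any unindented line ends the ACL block
    return acls

def audit(baseline, current):
    """List ACL entries and mirroring statements that differ from baseline."""
    old, new = acl_entries(baseline), acl_entries(current)
    findings = []
    for name in sorted(set(old) | set(new)):
        before, after = old.get(name, []), new.get(name, [])
        findings += [("acl-added", name, e) for e in after if e not in before]
        findings += [("acl-removed", name, e) for e in before if e not in after]
    known = {l.strip() for l in baseline.splitlines()}
    for line in (l.strip() for l in current.splitlines()):
        if MIRROR_RE.match(line) and line not in known:
            findings.append(("mirror-added", None, line))
    return findings

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

The comparison is only as trustworthy as the baseline and the way the current configuration was collected, so both should come from a source the device itself cannot alter.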


Commercial companies linked to espionage

The advisory goes a step further by directly blaming three Chinese technology companies for providing "cyber-related products and services" that enabled the attacks.

  • Huanyu Tianqiong Information Technology Co., Ltd

  • Sichuan Zhixin Ruijie Network Technology Co., Ltd

  • Sichuan Juxinhe Network Technology Co., Ltd


Wake-up call

Cybersecurity experts say the latest findings serve as a wake-up call for organizations in critical sectors to prioritize basic security hygiene, including timely patching and proactive threat hunting. The threat is not just a historical event; the adversary is still inside and actively using its long-term access to continue its espionage campaign.
