Salt Typhoon: The Chinese cyberattack that compromised millions of Americans' data
According to a joint report by agencies including the FBI, NSA, and CISA, hackers exploited vulnerabilities in outdated systems to infiltrate critical networks, gaining access to information that could allow Chinese intelligence services to track communications and movements of key targets.

A massive cyberattack perpetrated by the group known as Salt Typhoon, linked to the Chinese government, has been described as one of the most ambitious in recent history.
The years-long attack compromised telecommunications, transportation, hosting, and military infrastructure data in more than 80 countries, potentially impacting virtually every U.S. citizen, according to reports from The Telegraph.
According to a joint report by agencies including the FBI, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), hackers exploited vulnerabilities in outdated systems to infiltrate critical networks, gaining access to information that could allow Chinese intelligence services to track communications and movements of key targets, such as politicians, spies and activists.
The attack, discovered by cybersecurity experts at Microsoft, is attributed to China-based actors linked to Chinese intelligence.
Chinese companies linked to these operations
These operations are not isolated activities, but part of a broader ecosystem of Chinese state-backed cyberespionage that combines government priorities with the capabilities of private Chinese technology companies. The agencies' report attributes this activity to the following entities:
- Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司),
- Beijing Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司), and
- Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司).
These companies provide network technologies and offensive cyber capabilities directly to China's intelligence apparatus, particularly to units of the People's Liberation Army (PLA) and the Ministry of State Security (MSS).
Targets
High-profile targets included the communications of figures such as President Donald Trump and Vice President JD Vance during the 2024 election campaign. But the attack also compromised the Democratic Party, as well as members of Kamala Harris' campaign team and staffers for Senator Chuck Schumer, according to reporting from The New York Times.
A global hack
Beyond high-profile political targets, hackers accessed data on millions of people, including unencrypted call records and text messages, thanks to the infiltration of some U.S. telecommunications companies, such as Verizon, AT&T and T-Mobile.
The Salt Typhoon operation not only focused on data theft but also sought to establish persistent access on the compromised networks. The hackers exploited known flaws in Western-branded routers, such as those from Cisco, Ivanti and Palo Alto Networks, to maintain long-term control and evade detection through advanced techniques, including manipulating access control lists and creating network tunnels.
In the UK, the National Cyber Security Centre (part of GCHQ) reported intrusions into national critical infrastructure, while countries such as Canada, Australia, New Zealand, and several European nations also fell victim to Chinese attacks.
In the face of this global attack, the FBI and CISA have urged affected companies to strengthen the security of their networks, stressing the importance of updating outdated systems and monitoring malicious activity. Despite efforts to mitigate the attack, authorities acknowledge that hackers could still be present on some networks, posing an ongoing risk.
The cyber operation has also prompted sanctions, such as those imposed by the U.S. Treasury Department in January of this year against the Chinese company Sichuan Juxinhe Network Technology Co., Ltd., linked to Salt Typhoon. In that vein, Adewale O. Adeyemo, Deputy Treasury Secretary during the Biden administration, noted:
"The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically."
Trump administration takes action over cyber threats
In early June, President Donald Trump signed Executive Order 14306, which amended previous directives from the Democratic Obama and Biden administrations, eliminating requirements deemed overly regulatory, such as centralized software validation by CISA, and focusing on federal systems modernization and secure software development.
This order also promoted the use of artificial intelligence to detect vulnerabilities and automate defenses, responding to the sophistication of attacks such as the one perpetrated by Chinese hackers against critical infrastructure.