OrganisationCN

Salt Typhoon

Chinese state-linked APT with confirmed ongoing compromise of 200+ telecoms firms in 80 countries as of August 2025.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Is Salt Typhoon still inside global telecoms networks, and what can carriers do about it?

Timeline for Salt Typhoon

#117 Apr

Maintained ongoing access to 200+ telecoms companies across 80 countries with compromise still active as of February 2026

Cybersecurity: Threats and Defences: FBI: Salt Typhoon still very much live

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

Is Salt Typhoon still hacking telecoms companies in 2026?: Yes. An FBI official confirmed at CyberTalks 2026 in February 2026 that Salt Typhoon's telecoms compromise was 'still very, very much ongoing', with at least 200 companies in 80 countries affected as of August 2025.Source: FBI / CyberTalks 2026
What did Salt Typhoon actually access in US phone networks?: Salt Typhoon accessed call data records, real-time call interception capability for targeted individuals, and the CALEA lawful-intercept back-end systems at multiple US carriers including AT&T, Verizon and T-Mobile.Source: CISA / FBI joint advisory November 2024
How is Salt Typhoon different from Volt Typhoon?: Salt Typhoon targets telecommunications for SIGINT collection (intercepting calls and data). Volt Typhoon targets US critical infrastructure CNI for pre-positioning sabotage capability. Both are China-nexus but have different mission objectives.Source: CISA / NCSC

Background

Salt Typhoon is a China-linked threat actor attributed by US and allied agencies with large-scale persistent compromise of global telecommunications infrastructure. An FBI official confirmed at CyberTalks 2026 in February 2026 that the campaign was "still very, very much ongoing" and had affected at least 200 companies across 80 countries as of August 2025.

Salt Typhoon became publicly known in late 2024 when US intelligence disclosed that the actor had compromised multiple Major US telecoms carriers, including T-Mobile, AT&T and Verizon, gaining access to call data records (CDRs), real-time call interception capability for specific targets, and CALEA (Communications Assistance for Law Enforcement Act) lawful-intercept back-end systems. The latter, designed to allow lawful interception by US law enforcement, was accessed by the Chinese actors. The compromise scale was described by CISA director Jen Easterly in November 2024 as the "worst telecommunications hack in our nation's history".

The cross-topic significance is substantial. Salt Typhoon operates in the same Chinese state-nexus space as Volt Typhoon (CNI pre-positioning) and UNC5221 (BRICKSTORM enterprise espionage), suggesting a coordinated tri-vector Chinese cyber posture: SIGINT collection (Salt Typhoon), sabotage-ready positioning (Volt Typhoon), and long-duration economic espionage (UNC5221). For security operations teams in telecoms infrastructure organisations, the February 2026 FBI confirmation means the incident window extends well beyond the initial 2024 disclosure.

How the World Sees Them

China

China denies the Salt Typhoon attribution. Ministry of Foreign Affairs stated in November 2024 that the claims were "fabricated".

United States

FBI and CISA have confirmed the breach and issued joint advisories. Congress has held hearings. Telecoms carriers face regulatory scrutiny over CALEA architecture security.

Allied nations

UK NCSC, Canadian CSE and Australian ASD have issued joint advisories on Salt Typhoon-style telecoms targeting. Allied carriers are reviewing their own network visibility.

Civil liberties

Surveillance and digital-rights organisations have flagged the CALEA back-end access as a structural weakness in the US legal-intercept framework, arguing that lawful-intercept back-doors are inherently vulnerable to foreign exploitation.