Cybersecurity: Threats and Defences
17 Apr

FBI: Salt Typhoon still very much live

3 min read
13:56 UTC

An FBI official told CyberTalks 2026 the China-linked telecoms compromise is not contained: 200+ companies and 80 countries are affected, while a separate cluster, Volt Typhoon, sits pre-positioned in US infrastructure.

Key takeaway

Volt Typhoon is in US infrastructure for sabotage readiness, not intelligence collection.

An FBI official told CyberTalks 2026 in February that the China-linked Salt Typhoon telecoms compromise was "still very, very much ongoing" with at least 200 companies across 80 countries affected as of August 2025 [1]. Salt Typhoon is the name the US government has used since 2024 for the cluster that penetrated at least nine major US telecoms operators, including routes used to intercept lawful-intercept wiretap metadata on US political figures. The FBI's "still ongoing" line is the first public confirmation by a named agency that remediation has not concluded.

Running in parallel, the Cybersecurity and Infrastructure Security Agency (CISA) continues to assess with high confidence that Volt Typhoon, a separate China-linked cluster, is pre-positioning in US Critical National Infrastructure (CNI) Information Technology (IT) networks for later lateral movement into Operational Technology (OT), the industrial control systems that run physical processes like power generation, water treatment and rail signalling. Communications, energy, transportation and water and wastewater sectors have all been confirmed compromised.

CISA has labelled the Volt Typhoon activity as disruption-capability pre-positioning rather than espionage. Espionage exfiltrates secrets and leaves; pre-positioning installs the remote-access footholds that let an adversary trigger real-world effects at a moment of its choosing. For Security Operations Centre (SOC) leads inside US CNI operators, that reframes the adversary model from "what are they reading" to "what could they turn off, and when".

Deep Analysis

In plain English

Two separate Chinese hacking groups, named Salt Typhoon and Volt Typhoon, are conducting long-running intrusions into US infrastructure. Salt Typhoon broke into the computer systems of telecoms companies, which means it may have access to the systems used to provide phone calls and internet services to 200 or more companies across 80 countries. The FBI confirmed in February 2026 that this breach is still ongoing. Volt Typhoon, meanwhile, is believed to have planted itself inside the computer systems that sit adjacent to the controls for US power grids, water systems, and transportation networks. The working assessment of US security agencies is that China is building the capability to disrupt these systems if a conflict, such as a military confrontation over Taiwan, were to occur. Neither group appears to have caused disruption yet. The concern is that the access is already in place.

Root Causes

US critical infrastructure across communications, energy, transportation, and water sectors runs on private-sector IT platforms with government-regulated operational technology beneath them. The IT-OT boundary is the vulnerability: OT networks in many CNI operators are not fully air-gapped from corporate IT, and IT compromise can reach OT systems through trusted connections, engineering workstations, and historian servers that bridge the two domains.
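The IT-OT boundary described above is where a defender can actually put a tripwire: traffic entering the control network should come only from the few approved bridge hosts (engineering workstations, the historian) and only on the protocols those hosts are expected to speak. The script below is an added example, not code from the article or from any agency named in it; the zone ranges, bridge-host addresses, port allowlist and flow records are all constructed for illustration and would come from an operator's own OT asset inventory in practice.

```python
"""
Added example (not from the article): flag flows into the OT zone that do not
come from an approved bridge host, or that use a destination port the bridge
host is not expected to use. All addresses, hostnames, ports and flow lines
below are constructed for the example.
"""
import ipaddress
from collections import namedtuple

# Constructed zone layout for a notional CNI operator.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),        # corporate IT
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),        # IT/OT DMZ, historian lives here
    "OT":  ipaddress.ip_network("192.168.100.0/24"),    # control network
}

# Hypothetical bridge hosts and the only OT-side destination ports each should reach.
BRIDGE_ALLOWLIST = {
    "10.20.0.5":  {"name": "historian", "ports": {4840}},          # OPC UA polling
    "10.10.5.21": {"name": "eng-ws-01", "ports": {502, 44818}},    # Modbus/TCP, EtherNet/IP
}

Flow = namedtuple("Flow", "src dst dport proto")


def zone_of(ip):
    """Map an address to its zone name, or UNKNOWN if it is outside every range."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line):
    """Constructed record format: '<src> <dst> <dport> <proto>'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow):
    """Return (verdict, reason) for one flow; only flows INTO the OT zone are examined."""
    if zone_of(flow.dst) != "OT":
        return ("ignore", "destination not in OT")
    if zone_of(flow.src) == "OT":
        return ("ok", "intra-OT traffic")
    entry = BRIDGE_ALLOWLIST.get(flow.src)
    if entry is None:
        return ("alert", f"{zone_of(flow.src)} host {flow.src} reached OT directly "
                         f"(not an approved bridge host)")
    if flow.dport not in entry["ports"]:
        return ("alert", f"{entry['name']} used unexpected port "
                         f"{flow.dport}/{flow.proto} into OT")
    return ("ok", f"{entry['name']} on approved port {flow.dport}")


def scan(lines):
    """Return a list of (line, reason) for every flow that should raise an alert."""
    alerts = []
    for line in lines:
        verdict, reason = classify(parse_flow(line))
        if verdict == "alert":
            alerts.append((line, reason))
    return alerts


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    "10.20.0.5 192.168.100.12 4840 tcp",       # historian polling OPC UA: expected
    "10.10.5.21 192.168.100.20 502 tcp",       # engineering workstation, Modbus: expected
    "10.10.3.7 192.168.100.12 22 tcp",         # arbitrary IT host SSH into OT: alert
    "10.20.0.5 192.168.100.30 3389 tcp",       # historian opening RDP into OT: alert
    "10.10.3.7 10.10.9.9 445 tcp",             # IT-to-IT: out of scope here
    "192.168.100.12 192.168.100.13 502 tcp",   # intra-OT: fine
]

if __name__ == "__main__":
    for line, reason in scan(SAMPLE_FLOWS):
        print(f"ALERT {line} :: {reason}")
```

The second alert is the one worth noticing: the historian is an approved bridge host, yet it is talking RDP into the control network, which is exactly the "trusted connection" path the paragraph above describes. An allowlist keyed on host alone would have passed it; keying on host plus expected protocol catches a bridge host being used as a pivot.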

Salt Typhoon's telecoms access is structurally distinct: US telecommunications law (Title II, and CALEA requirements) mandates that telecoms operators maintain lawful interception infrastructure that provides government agencies access to communications. That same infrastructure is what Salt Typhoon is assessed to have accessed, meaning the mandated interception architecture may have been the attack surface.

What could happen next?
  • Risk

    The FBI's 'still very much ongoing' characterisation of Salt Typhoon means affected telecoms operators have not fully evicted the adversary after more than a year of public disclosure, indicating the intrusion is either too deep or too distributed to remediate through standard incident response approaches.

  • Consequence

    Volt Typhoon pre-positioning in US CNI IT networks is the strongest technical argument for the Cyber Security and Resilience Bill's data-centre essential-services classification in the UK: the same IT-OT vulnerability pattern exists in UK CNI, not only in the US.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

CyberScoop · 17 Apr 2026
Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.