Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

FBI: Salt Typhoon still very much live

3 min read
08:46UTC

An FBI official told CyberTalks 2026 the China-linked telecoms compromise is not contained. 200+ companies, 80 countries, and Volt Typhoon sits behind it.

TechnologyAssessed
Key takeaway

Volt Typhoon is in US infrastructure for sabotage readiness, not intelligence collection.

An FBI official told CyberTalks 2026 in February that the China-linked Salt Typhoon telecoms compromise was "still very, very much ongoing" with at least 200 companies across 80 countries affected as of August 2025 1. Salt Typhoon is the name the US government has used since 2024 for the cluster that penetrated at least nine major US telecoms operators, including routes used to intercept lawful-intercept wiretap metadata on US political figures. The FBI's "still ongoing" line is the first public confirmation by a named agency that remediation has not concluded.

Running in parallel, the Cybersecurity and Infrastructure Security Agency (CISA) continues to assess with high confidence that Volt Typhoon, a separate China-linked cluster, is pre-positioning in US Critical National Infrastructure (CNI) Information Technology (IT) networks for later lateral movement into Operational Technology (OT), the industrial control systems that run physical processes like power generation, water treatment and rail signalling. Communications, energy, transportation and water and wastewater sectors have all been confirmed compromised.

CISA has labelled the Volt Typhoon activity as disruption-capability pre-positioning rather than espionage. Espionage exfiltrates secrets and leaves; pre-positioning installs the remote-access footholds that let an adversary trigger real-world effects at a moment of its choosing. For Security Operations Centre (SOC) leads inside US CNI operators, that reframes the adversary model from "what are they reading" to "what could they turn off, and when".

Deep Analysis

In plain English

Two separate Chinese hacking groups, named Salt Typhoon and Volt Typhoon, are conducting long-running intrusions into US infrastructure. Salt Typhoon broke into the computer systems of telecoms companies, which means it may have access to the systems used to provide phone calls and internet services to 200 or more companies across 80 countries. The FBI confirmed in February 2026 that this breach is still ongoing. Volt Typhoon, meanwhile, is believed to have planted itself inside the computer systems that sit adjacent to the controls for US power grids, water systems, and transportation networks. The working assessment of US security agencies is that China is building the capability to disrupt these systems if a conflict, such as a military confrontation over Taiwan, were to occur. Neither group appears to have caused disruption yet. The concern is that the access is already in place.

Deep Analysis
Root Causes

US critical infrastructure across communications, energy, transportation, and water sectors runs on private-sector IT platforms with government-regulated operational technology beneath them. The IT-OT boundary is the vulnerability: OT networks in many CNI operators are not fully air-gapped from corporate IT, and IT compromise can reach OT systems through trusted connections, engineering workstations, and historian servers that bridge the two domains.

Salt Typhoon's telecoms access is structurally distinct: US telecommunications law (Title II, and CALEA requirements) mandates that telecoms operators maintain lawful interception infrastructure that provides government agencies access to communications. That same infrastructure is what Salt Typhoon is assessed to have accessed, meaning the mandated interception architecture may have been the attack surface.

What could happen next?
  • Risk

    The FBI's 'still very much ongoing' characterisation of Salt Typhoon means affected telecoms operators have not fully evicted the adversary after more than a year of public disclosure, indicating the intrusion is either too deep or too distributed to remediate through standard incident response approaches.

  • Consequence

    Volt Typhoon pre-positioning in US CNI IT networks is the strongest technical argument for the Cyber Security and Resilience Bill's data-centre essential-services classification in the UK: the parallel vulnerability pattern exists in UK CNI, not only US.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

CyberScoop· 17 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.