30APR

FBI: Salt Typhoon still very much live

3 min read

08:16UTC

An FBI official told CyberTalks 2026 the China-linked telecoms compromise is not contained. 200+ companies, 80 countries, and Volt Typhoon sits behind it.

← Back to FIRESTARTER puts Cisco below the patch line Jump to analysis ↓

TechnologyAssessed

Key takeaway

Volt Typhoon is in US infrastructure for sabotage readiness, not intelligence collection.

An FBI official told CyberTalks 2026 in February that the China-linked Salt Typhoon telecoms compromise was "still very, very much ongoing" with at least 200 companies across 80 countries affected as of August 2025 ¹. Salt Typhoon is the name the US government has used since 2024 for the cluster that penetrated at least nine major US telecoms operators, including routes used to intercept lawful-intercept wiretap metadata on US political figures. The FBI's "still ongoing" line is the first public confirmation by a named agency that remediation has not concluded.

Running in parallel, the Cybersecurity and Infrastructure Security Agency (CISA) continues to assess with high confidence that Volt Typhoon, a separate China-linked cluster, is pre-positioning in US Critical National Infrastructure (CNI) Information Technology (IT) networks for later lateral movement into Operational Technology (OT), the industrial control systems that run physical processes like power generation, water treatment and rail signalling. Communications, energy, transportation and water and wastewater sectors have all been confirmed compromised.

CISA has labelled the Volt Typhoon activity as disruption-capability pre-positioning rather than espionage. Espionage exfiltrates secrets and leaves; pre-positioning installs the remote-access footholds that let an adversary trigger real-world effects at a moment of its choosing. For Security Operations Centre (SOC) leads inside US CNI operators, that reframes the adversary model from "what are they reading" to "what could they turn off, and when".

Deep Analysis

In plain English

Two separate Chinese hacking groups, named Salt Typhoon and Volt Typhoon, are conducting long-running intrusions into US infrastructure. Salt Typhoon broke into the computer systems of telecoms companies, which means it may have access to the systems used to provide phone calls and internet services to 200 or more companies across 80 countries. The FBI confirmed in February 2026 that this breach is still ongoing. Volt Typhoon, meanwhile, is believed to have planted itself inside the computer systems that sit adjacent to the controls for US power grids, water systems, and transportation networks. The working assessment of US security agencies is that China is building the capability to disrupt these systems if a conflict, such as a military confrontation over Taiwan, were to occur. Neither group appears to have caused disruption yet. The concern is that the access is already in place.

Deep Analysis

Root Causes

US critical infrastructure across communications, energy, transportation, and water sectors runs on private-sector IT platforms with government-regulated operational technology beneath them. The IT-OT boundary is the vulnerability: OT networks in many CNI operators are not fully air-gapped from corporate IT, and IT compromise can reach OT systems through trusted connections, engineering workstations, and historian servers that bridge the two domains.

Salt Typhoon's telecoms access is structurally distinct: US telecommunications law (Title II, and CALEA requirements) mandates that telecoms operators maintain lawful interception infrastructure that provides government agencies access to communications. That same infrastructure is what Salt Typhoon is assessed to have accessed, meaning the mandated interception architecture may have been the attack surface.

What could happen next?

Risk
The FBI's 'still very much ongoing' characterisation of Salt Typhoon means affected telecoms operators have not fully evicted the adversary after more than a year of public disclosure, indicating the intrusion is either too deep or too distributed to remediate through standard incident response approaches.
Consequence
Volt Typhoon pre-positioning in US CNI IT networks is the strongest technical argument for the Cyber Security and Resilience Bill's data-centre essential-services classification in the UK: the parallel vulnerability pattern exists in UK CNI, not only US.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2007 cyberattacks on Estonia's government, banking, and media infrastructure attributed to Russian actors ahead of and during the Bronze Soldier political dispute.

Those attacks were the first documented case of a state using cyber means to exert coercive pressure on a NATO-adjacent adversary during a geopolitical flashpoint. Volt Typhoon's assessed pre-positioning follows the same strategic logic, but on a dramatically larger infrastructure scale and with longer persistence timelines.

Counter-parallel: Russia's 2015 and 2016 attacks on Ukraine's power grid (attributed to Sandworm) demonstrated that pre-positioned OT access can cause physical infrastructure outages. Volt Typhoon has not been observed causing disruption; the CISA framing is that it is in IT networks positioning for potential OT movement, not that it has reached OT. The gap between IT pre-positioning and OT disruption capability is the key unresolved question.

Consensus view: CISA's joint advisory with the Five Eyes on Volt Typhoon, published in February 2024 and updated in 2025, assesses the CNI pre-positioning as a strategic deterrence asset: China is building reversible disruption capability against US critical infrastructure so that any military escalation over Taiwan carries an explicit domestic cost for the United States.

The FBI's CyberTalks statement that Salt Typhoon is 'still very, very much ongoing' as of February 2026 confirms remediation is not complete across affected telecoms providers.

Counter-view: Tsinghua University's Center for International Security and Strategy published analysis arguing that US characterisations of Volt Typhoon as sabotage pre-positioning misrepresent what is standard state signals intelligence collection, and that the 'disruption capability' framing reflects US strategic communication rather than confirmed adversary intent derived from technical evidence.

Key tension: Whether the distinction between espionage (Salt Typhoon accessing communications content) and sabotage pre-positioning (Volt Typhoon in OT-adjacent IT systems) is technically and legally significant, given that the same access can serve both purposes simultaneously.

Sources:CyberScoop

Mentions:FBI →Salt Typhoon →CISA →United States →China →NATO →Ukraine →Estonia →Prima →Taiwan →Russia →CyberTalks 2026 →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

CyberScoop· 17 Apr 2026

Read original →

Causes and effects

This Event

FBI: Salt Typhoon still very much live

Reframes the adversary model for US critical infrastructure from espionage to sabotage readiness.

Led to

Sixteen agencies put IOC extinction in print

16-agency advisory extends prior Salt/Volt Typhoon coverage by formalising IOC-extinction and naming Integrity Technology Group as the named operator behind Raptor Train and KV Botnet.

Occurred 23 Apr 2026

Read story →

Different Perspectives

Norwegian Security and Service Organisation

NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.

ENISA and EU CNA Ecosystem

ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.

German Federal Office for Information Security (BSI)

BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.

Republic of Korea National Intelligence Service

South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.

Democratic People's Republic of Korea

UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.

WatchTowr Labs

WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.