29MAY

FBI: Salt Typhoon still very much live

3 min read

14:17UTC

An FBI official told CyberTalks 2026 the China-linked telecoms compromise is not contained. 200+ companies, 80 countries, and Volt Typhoon sits behind it.

← Back to GitHub's own code cloned via VS Code add-on Jump to analysis ↓

TechnologyAssessed

Key takeaway

Volt Typhoon is in US infrastructure for sabotage readiness, not intelligence collection.

An FBI official told CyberTalks 2026 in February that the China-linked Salt Typhoon telecoms compromise was "still very, very much ongoing" with at least 200 companies across 80 countries affected as of August 2025 ¹. Salt Typhoon is the name the US government has used since 2024 for the cluster that penetrated at least nine major US telecoms operators, including routes used to intercept lawful-intercept wiretap metadata on US political figures. The FBI's "still ongoing" line is the first public confirmation by a named agency that remediation has not concluded.

Running in parallel, the Cybersecurity and Infrastructure Security Agency (CISA) continues to assess with high confidence that Volt Typhoon, a separate China-linked cluster, is pre-positioning in US Critical National Infrastructure (CNI) Information Technology (IT) networks for later lateral movement into Operational Technology (OT), the industrial control systems that run physical processes like power generation, water treatment and rail signalling. Communications, energy, transportation and water and wastewater sectors have all been confirmed compromised.

CISA has labelled the Volt Typhoon activity as disruption-capability pre-positioning rather than espionage. Espionage exfiltrates secrets and leaves; pre-positioning installs the remote-access footholds that let an adversary trigger real-world effects at a moment of its choosing. For Security Operations Centre (SOC) leads inside US CNI operators, that reframes the adversary model from "what are they reading" to "what could they turn off, and when".

Deep Analysis

In plain English

Two separate Chinese hacking groups, named Salt Typhoon and Volt Typhoon, are conducting long-running intrusions into US infrastructure. Salt Typhoon broke into the computer systems of telecoms companies, which means it may have access to the systems used to provide phone calls and internet services to 200 or more companies across 80 countries. The FBI confirmed in February 2026 that this breach is still ongoing. Volt Typhoon, meanwhile, is believed to have planted itself inside the computer systems that sit adjacent to the controls for US power grids, water systems, and transportation networks. The working assessment of US security agencies is that China is building the capability to disrupt these systems if a conflict, such as a military confrontation over Taiwan, were to occur. Neither group appears to have caused disruption yet. The concern is that the access is already in place.

Deep Analysis

Root Causes

US critical infrastructure across communications, energy, transportation, and water sectors runs on private-sector IT platforms with government-regulated operational technology beneath them. The IT-OT boundary is the vulnerability: OT networks in many CNI operators are not fully air-gapped from corporate IT, and IT compromise can reach OT systems through trusted connections, engineering workstations, and historian servers that bridge the two domains.

Salt Typhoon's telecoms access is structurally distinct: US telecommunications law (Title II, and CALEA requirements) mandates that telecoms operators maintain lawful interception infrastructure that provides government agencies access to communications. That same infrastructure is what Salt Typhoon is assessed to have accessed, meaning the mandated interception architecture may have been the attack surface.

What could happen next?

Risk
The FBI's 'still very much ongoing' characterisation of Salt Typhoon means affected telecoms operators have not fully evicted the adversary after more than a year of public disclosure, indicating the intrusion is either too deep or too distributed to remediate through standard incident response approaches.
Consequence
Volt Typhoon pre-positioning in US CNI IT networks is the strongest technical argument for the Cyber Security and Resilience Bill's data-centre essential-services classification in the UK: the parallel vulnerability pattern exists in UK CNI, not only US.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2007 cyberattacks on Estonia's government, banking, and media infrastructure attributed to Russian actors ahead of and during the Bronze Soldier political dispute.

Those attacks were the first documented case of a state using cyber means to exert coercive pressure on a NATO-adjacent adversary during a geopolitical flashpoint. Volt Typhoon's assessed pre-positioning follows the same strategic logic, but on a dramatically larger infrastructure scale and with longer persistence timelines.

Counter-parallel: Russia's 2015 and 2016 attacks on Ukraine's power grid (attributed to Sandworm) demonstrated that pre-positioned OT access can cause physical infrastructure outages. Volt Typhoon has not been observed causing disruption; the CISA framing is that it is in IT networks positioning for potential OT movement, not that it has reached OT. The gap between IT pre-positioning and OT disruption capability is the key unresolved question.

Consensus view: CISA's joint advisory with the Five Eyes on Volt Typhoon, published in February 2024 and updated in 2025, assesses the CNI pre-positioning as a strategic deterrence asset: China is building reversible disruption capability against US critical infrastructure so that any military escalation over Taiwan carries an explicit domestic cost for the United States.

The FBI's CyberTalks statement that Salt Typhoon is 'still very, very much ongoing' as of February 2026 confirms remediation is not complete across affected telecoms providers.

Counter-view: Tsinghua University's Center for International Security and Strategy published analysis arguing that US characterisations of Volt Typhoon as sabotage pre-positioning misrepresent what is standard state signals intelligence collection, and that the 'disruption capability' framing reflects US strategic communication rather than confirmed adversary intent derived from technical evidence.

Key tension: Whether the distinction between espionage (Salt Typhoon accessing communications content) and sabotage pre-positioning (Volt Typhoon in OT-adjacent IT systems) is technically and legally significant, given that the same access can serve both purposes simultaneously.

Sources:CyberScoop

Mentions:FBI →Salt Typhoon →CISA →United States →China →NATO →Ukraine →Estonia →Prima →Taiwan →Russia →CyberTalks 2026 →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

CyberScoop· 17 Apr 2026

Read original →

Causes and effects

This Event

FBI: Salt Typhoon still very much live

Reframes the adversary model for US critical infrastructure from espionage to sabotage readiness.

Led to

Sixteen agencies put IOC extinction in print

16-agency advisory extends prior Salt/Volt Typhoon coverage by formalising IOC-extinction and naming Integrity Technology Group as the named operator behind Raptor Train and KV Botnet.

Occurred 23 Apr 2026

Read story →

Different Perspectives

Google Threat Intelligence Group

GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.

Enterprise security buyers / CISO community

For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.

DSIT / UK Government

DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.

GitHub / Microsoft

GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.