14JUN

FBI: Salt Typhoon still very much live

3 min read

11:51UTC

An FBI official told CyberTalks 2026 the China-linked telecoms compromise is not contained. 200+ companies, 80 countries, and Volt Typhoon sits behind it.

← Back to VPN zero-day, no-patch KEV, late Exchange Jump to analysis ↓

TechnologyAssessed

Key takeaway

Volt Typhoon is in US infrastructure for sabotage readiness, not intelligence collection.

An FBI official told CyberTalks 2026 in February that the China-linked Salt Typhoon telecoms compromise was "still very, very much ongoing" with at least 200 companies across 80 countries affected as of August 2025 ¹. Salt Typhoon is the name the US government has used since 2024 for the cluster that penetrated at least nine major US telecoms operators, including routes used to intercept lawful-intercept wiretap metadata on US political figures. The FBI's "still ongoing" line is the first public confirmation by a named agency that remediation has not concluded.

Running in parallel, the Cybersecurity and Infrastructure Security Agency (CISA) continues to assess with high confidence that Volt Typhoon, a separate China-linked cluster, is pre-positioning in US Critical National Infrastructure (CNI) Information Technology (IT) networks for later lateral movement into Operational Technology (OT), the industrial control systems that run physical processes like power generation, water treatment and rail signalling. Communications, energy, transportation and water and wastewater sectors have all been confirmed compromised.

CISA has labelled the Volt Typhoon activity as disruption-capability pre-positioning rather than espionage. Espionage exfiltrates secrets and leaves; pre-positioning installs the remote-access footholds that let an adversary trigger real-world effects at a moment of its choosing. For Security Operations Centre (SOC) leads inside US CNI operators, that reframes the adversary model from "what are they reading" to "what could they turn off, and when".

Deep Analysis

In plain English

Two separate Chinese hacking groups, named Salt Typhoon and Volt Typhoon, are conducting long-running intrusions into US infrastructure. Salt Typhoon broke into the computer systems of telecoms companies, which means it may have access to the systems used to provide phone calls and internet services to 200 or more companies across 80 countries. The FBI confirmed in February 2026 that this breach is still ongoing. Volt Typhoon, meanwhile, is believed to have planted itself inside the computer systems that sit adjacent to the controls for US power grids, water systems, and transportation networks. The working assessment of US security agencies is that China is building the capability to disrupt these systems if a conflict, such as a military confrontation over Taiwan, were to occur. Neither group appears to have caused disruption yet. The concern is that the access is already in place.

Deep Analysis

Root Causes

US critical infrastructure across communications, energy, transportation, and water sectors runs on private-sector IT platforms with government-regulated operational technology beneath them. The IT-OT boundary is the vulnerability: OT networks in many CNI operators are not fully air-gapped from corporate IT, and IT compromise can reach OT systems through trusted connections, engineering workstations, and historian servers that bridge the two domains.

Salt Typhoon's telecoms access is structurally distinct: US telecommunications law (Title II, and CALEA requirements) mandates that telecoms operators maintain lawful interception infrastructure that provides government agencies access to communications. That same infrastructure is what Salt Typhoon is assessed to have accessed, meaning the mandated interception architecture may have been the attack surface.

What could happen next?

Risk
The FBI's 'still very much ongoing' characterisation of Salt Typhoon means affected telecoms operators have not fully evicted the adversary after more than a year of public disclosure, indicating the intrusion is either too deep or too distributed to remediate through standard incident response approaches.
Consequence
Volt Typhoon pre-positioning in US CNI IT networks is the strongest technical argument for the Cyber Security and Resilience Bill's data-centre essential-services classification in the UK: the parallel vulnerability pattern exists in UK CNI, not only US.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: The 2007 cyberattacks on Estonia's government, banking, and media infrastructure attributed to Russian actors ahead of and during the Bronze Soldier political dispute.

Those attacks were the first documented case of a state using cyber means to exert coercive pressure on a NATO-adjacent adversary during a geopolitical flashpoint. Volt Typhoon's assessed pre-positioning follows the same strategic logic, but on a dramatically larger infrastructure scale and with longer persistence timelines.

Counter-parallel: Russia's 2015 and 2016 attacks on Ukraine's power grid (attributed to Sandworm) demonstrated that pre-positioned OT access can cause physical infrastructure outages. Volt Typhoon has not been observed causing disruption; the CISA framing is that it is in IT networks positioning for potential OT movement, not that it has reached OT. The gap between IT pre-positioning and OT disruption capability is the key unresolved question.

Consensus view: CISA's joint advisory with the Five Eyes on Volt Typhoon, published in February 2024 and updated in 2025, assesses the CNI pre-positioning as a strategic deterrence asset: China is building reversible disruption capability against US critical infrastructure so that any military escalation over Taiwan carries an explicit domestic cost for the United States.

The FBI's CyberTalks statement that Salt Typhoon is 'still very, very much ongoing' as of February 2026 confirms remediation is not complete across affected telecoms providers.

Counter-view: Tsinghua University's Center for International Security and Strategy published analysis arguing that US characterisations of Volt Typhoon as sabotage pre-positioning misrepresent what is standard state signals intelligence collection, and that the 'disruption capability' framing reflects US strategic communication rather than confirmed adversary intent derived from technical evidence.

Key tension: Whether the distinction between espionage (Salt Typhoon accessing communications content) and sabotage pre-positioning (Volt Typhoon in OT-adjacent IT systems) is technically and legally significant, given that the same access can serve both purposes simultaneously.

Sources:CyberScoop

Mentions:FBI →Salt Typhoon →CISA →United States →China →NATO →Ukraine →Estonia →Prima →Taiwan →Russia →CyberTalks 2026 →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

CyberScoop· 17 Apr 2026

Read original →

Causes and effects

This Event

FBI: Salt Typhoon still very much live

Reframes the adversary model for US critical infrastructure from espionage to sabotage readiness.

Led to

Sixteen agencies put IOC extinction in print

16-agency advisory extends prior Salt/Volt Typhoon coverage by formalising IOC-extinction and naming Integrity Technology Group as the named operator behind Raptor Train and KV Botnet.

Occurred 23 Apr 2026

Read story →

Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.