Salt Typhoon Expands Global Router Attacks, Targeting Critical Sectors

A new multinational advisory warns that the China-linked APT group is exploiting backbone and edge routers worldwide to establish long-term footholds in sensitive networks.

CSBadmin

The China-linked threat group known as Salt Typhoon has intensified its operations against critical sectors worldwide, including telecommunications, government, transportation, lodging, and military infrastructure. A joint advisory issued by cybersecurity authorities from 13 countries revealed that the group is focusing on large backbone routers used by major telecom providers, as well as provider edge (PE) and customer edge (CE) routers.

Salt Typhoon’s strategy centers on compromising network devices and then using trusted connections to move laterally into other systems. Once inside, the attackers modify routers to maintain persistent access, often embedding themselves for extended periods. This persistence makes detection difficult and allows the group to conduct long-term intelligence collection and potentially disrupt essential services.

Authorities have linked the malicious activity to three Chinese companies: Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. The coordination of this campaign across such diverse industries underscores the scale and global reach of China-based APT operations.

The advisory reflects growing international concern over state-backed cyber espionage and infrastructure manipulation. It highlights the urgent need for organizations that rely on complex network architectures to strengthen monitoring, patching, and router-level defenses to reduce the risk of exploitation.

Healthcare aside, this campaign is a reminder for all critical sectors: routers are no longer just networking equipment—they’re attack surfaces. Organizations should treat them as high-value assets, prioritize firmware updates, and employ continuous monitoring to identify unauthorized modifications and persistence techniques.

Sources: cisa.gov