
Ward off Salt Typhoon cyberattacks & similar APTs with these tips


In a January 2025 advisory, CISA’s then-director, Jen Easterly, stated that “China’s sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure.” Whether the adversary aims to spy, disrupt, or destroy, safeguarding infrastructure against Salt Typhoon cyberattacks and other advanced nation-state cyberthreats has never been more critical, or more challenging, especially for broadband and internet service providers (ISPs).

Affiliated with the People’s Republic of China, Salt Typhoon has espionage as its primary objective. Active since at least 2019, Salt Typhoon is responsible for numerous network infrastructure compromises and widespread intrusion activity against several major U.S. telecommunications companies, as confirmed by the U.S. government.

Nation-state adversaries like Salt Typhoon warrant heightened awareness and sustained diligence that go beyond the fundamental cybersecurity measures organizations traditionally concentrate on.

Profiling the advanced adversary

Just because you are not hearing about Salt Typhoon cyberattacks doesn’t mean that they have gone away. If Salt Typhoon feels like old news, then you may be overlooking the traits of advanced adversaries: 

  • Focused: Crosshairs aimed at specific industries and often explicit organizations. 
  • Diligent: Near-infinite resources directed at objectives that contribute to long-range strategies. 
  • Patient: Willing to move slowly in a stepwise approach to not reveal tactics or capabilities while evading detection and maintaining presence. 
  • Stealthy: Obscuring their activities to maximize their ability to execute on their strategic objectives. 
  • Organized: Built upon layers of capabilities and tiered levels of coordinated expertise. 

Salt Typhoon conducts espionage in service of China’s long game: the theft of information and intellectual property for strategic global advantage. These long-term goals differ from those of financially motivated threat actor groups that rely on ransomware and extortion for criminal gain. 

Threat intelligence: Understanding tactics

While many of its techniques parallel those seen in other intrusions, such as use of stolen credentials or exploitation of public-facing applications, as catalogued in the MITRE ATT&CK framework, Salt Typhoon makes extensive use of “living-off-the-land” techniques: it relies on the tools, protocols, and utilities already present in the target environment rather than dropping malware that signature-based controls might catch.

According to the Cisco Talos threat intelligence team, Salt Typhoon leverages the following tactics:  

  • Credential use and expansion 
  • Configuration exfiltration 
  • Infrastructure pivoting 
  • Configuration modification 
  • Packet capture  
  • Use of operational tools already present on the network, in addition to custom-built utilities such as JumbledPath 
  • Defense evasion 
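To make the tactic list above concrete, the following is an added example (not code from the original post, from Cisco Talos, or from GDT) of detection logic run over a handful of constructed network-device syslog lines. The message formats imitate Cisco IOS syslog mnemonics (SYS-5-CONFIG_I, PARSER-5-CFGLOG_LOGGEDCMD, SEC_LOGIN-5-LOGIN_SUCCESS); the hostname, user, addresses, the allowed administration network, and the list of risky commands are assumptions chosen for illustration. It shows the point living-off-the-land detection hinges on: a valid account running routine-looking commands is unremarkable on its own, and only becomes suspicious once the source address and the combination of commands in one session (packet capture, tunnel creation, a new privileged user) are correlated.

```python
"""Flag Salt Typhoon-style living-off-the-land activity in network-device syslog.

Added example. The log lines below are constructed; the message formats follow
Cisco IOS syslog conventions, but hostname, users, addresses and the allowed
admin network are assumptions for illustration only.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumption: only jump hosts in this range may administer network devices.
ALLOWED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Commands worth flagging, mapped to the tactic from the Talos list they indicate.
RISKY_COMMANDS = {
    r"^monitor capture\b": "packet capture",
    r"^(copy|archive) .*(tftp|ftp|scp|http)": "configuration exfiltration",
    r"^interface tunnel\d+": "infrastructure pivoting (tunnel creation)",
    r"^username \S+ privilege 15": "credential expansion (new privileged user)",
    r"^(ip ssh|snmp-server community|aaa )": "configuration modification (access path)",
}

RE_LOGIN = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<ip>[\d.]+)\]"
)
RE_CONFIG = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<ip>[\d.]+)\)"
)
RE_CMD = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$"
)

# Constructed sample: a normal maintenance session from a jump host, then the same
# account returning from an external address and staging capture, tunnel and user.
SAMPLE_LOG = """\
Jun 12 02:14:07 core-rtr-01 12: *Jun 12 02:14:07.113: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.15] [localport: 22] at 02:14:07 UTC Wed Jun 12 2025
Jun 12 02:15:20 core-rtr-01 13: *Jun 12 02:15:20.001: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.15)
Jun 12 02:15:21 core-rtr-01 14: *Jun 12 02:15:21.004: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/1
Jun 12 03:41:55 core-rtr-01 21: *Jun 12 03:41:55.210: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.77] [localport: 22] at 03:41:55 UTC Wed Jun 12 2025
Jun 12 03:42:10 core-rtr-01 22: *Jun 12 03:42:10.300: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (192.0.2.77)
Jun 12 03:42:12 core-rtr-01 23: *Jun 12 03:42:12.500: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:monitor capture CAP interface GigabitEthernet0/1 both
Jun 12 03:43:01 core-rtr-01 24: *Jun 12 03:43:01.700: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface Tunnel7
Jun 12 03:43:40 core-rtr-01 25: *Jun 12 03:43:40.900: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username svc-backup privilege 15 secret REDACTED
"""


@dataclass
class Finding:
    line_no: int
    user: str
    tactic: str
    detail: str


def _outside_admin_nets(ip: str) -> bool:
    """True when the source address is not one of the approved jump-host ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ALLOWED_ADMIN_NETS)


def analyze(log_text: str) -> list[Finding]:
    """Walk the log once and emit a Finding per suspicious login, config entry or command."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := RE_LOGIN.search(line):
            if _outside_admin_nets(m["ip"]):
                findings.append(Finding(n, m["user"], "credential use", f"login from non-admin source {m['ip']}"))
        elif m := RE_CONFIG.search(line):
            if _outside_admin_nets(m["ip"]):
                findings.append(Finding(n, m["user"], "configuration modification", f"config mode entered from {m['ip']}"))
        elif m := RE_CMD.search(line):
            cmd = m["cmd"].strip()
            for pattern, tactic in RISKY_COMMANDS.items():
                if re.match(pattern, cmd, re.IGNORECASE):
                    findings.append(Finding(n, m["user"], tactic, cmd))
                    break
    return findings


def correlate(findings: list[Finding], min_tactics: int = 2) -> dict[str, set[str]]:
    """Group findings by account; an account spanning several tactics is the signal,
    because no single line above is conclusive on its own."""
    by_user: dict[str, set[str]] = {}
    for f in findings:
        by_user.setdefault(f.user, set()).add(f.tactic)
    return {u: t for u, t in by_user.items() if len(t) >= min_tactics}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.user}: {f.tactic}: {f.detail}")
    for user, tactics in correlate(found).items():
        print(f"escalate {user}: {len(tactics)} distinct tactics observed")
```

Nothing in the second session is malware, and every command is one an operator might legitimately type; the first session from the same account produces no findings at all. The detector only fires because the source address falls outside the administration range and because several tactic-indicating commands cluster in one session. Note also that the command lines only exist if the device is configured to emit them (on Cisco IOS, the configuration-change logger under archive / log config / logging enable, or AAA command accounting); without that telemetry the second and third patterns never fire, which is the practical meaning of the monitoring investment recommended later in this post.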

In their 2025 report, CrowdStrike identified five high-capability adversaries with unique telecom network targeting remits and toolsets within a broader group of seven new China-nexus adversaries. Evidence and data obtained from CrowdStrike’s services indicate that these groups have targeted telecom and professional services entities and rely heavily on exploiting internet-facing appliances for initial access. 

It is worth noting that although this blog post has focused on Salt Typhoon, attention should also be paid to Volt Typhoon, a group that is believed to have a mission and objectives aimed at disruption. These attacks would likely be reserved for more confrontational campaigns where cybersecurity attacks are used for more outright harm and destruction. As previously indicated, organization is a key trait of these types of groups, and Salt Typhoon and Volt Typhoon likely collaborate to achieve their respective missions.

Thwarting bad actors: 4 cybersecurity best practices

Organizations in the telecom and internet service provider industries should ensure that their cybersecurity efforts are robust enough to defend against attacks from Salt Typhoon and other advanced adversaries. Here are four critical cybersecurity best practices to help ensure that you are well-prepared to thwart bad actors.

  1. Stay up to speed on the latest threat intelligence
    Subscribe to intelligence that provides information on the evolving tactics as well as strategic decision support to enable the continuous improvements needed to keep pace with the changes that are sure to occur. While the information from the referenced threat reports provides a rear-view mirror look at Salt Typhoon, a clear view out the windshield is needed to make sure you do not become a victim. 
  2. Invest in your monitoring and detection capabilities
    Prioritize state-of-the-art monitoring and detection capabilities suited to identifying and protecting against adversaries that are highly adept at evading typical security measures. Proactive threat hunting, together with the ability to detect subtle variations within otherwise normal activity, may reveal an adversary that is already present once initial access has been achieved.
  3. Modernize your infrastructure and systems
    Bad actors use the latest technologies, and so should you. Focus on modernizing your infrastructure and systems, including micro-segmentation, zero-trust architecture, and systems that don’t rely on deprecated protocols and legacy technologies. It’s essential to keep up with vulnerabilities and exposures while ensuring that you are not harboring a vulnerable environment that is no longer receiving updates and support. 
  4. Validate your readiness
    Finally, make sure that you are testing the defenses and processes used to protect, detect, respond, and recover from these advanced adversarial attacks.

Preparedness is your best defense

This blog post covers a wide range of topics at a high level, including steps to ensure you’re well-prepared. If you are uncertain of where you stand or would like to explore your threat readiness in more detail, GDT’s team of cybersecurity experts can help. A great starting point is GDT’s complimentary Cybersecurity Workshop. During this half-day, interactive session, work with our security experts to determine where you are and where you need to go to make sure that you are ready to defend against advanced persistent threats like Salt Typhoon and other adversaries that may be targeting your network.

Author

  • Brian Engle is the principal cybersecurity advisor at GDT. Brian has 25+ years of cybersecurity experience leading and guiding security and risk management programs and has delivered actionable roadmaps and executed plans for C-level leadership and tactical plans for all aspects of security operations and information security program management. Brian’s roles have included executive leadership at Apollo-IS and CyberDefenses for all aspects of professional service and managed service delivery of security operations, consulting, threat intelligence, security engineering, and program management. In addition, previous enterprise roles include CISO for the State of Texas and the Texas Health and Human Services Commission, Executive Director for the Retail Information Sharing and Analysis Center, and CISO for Temple-Inland.
