Threat Actor

Salt Typhoon

salt_typhoon · china · active since 2019

Salt Typhoon (GhostEmperor / Earth Estries / FamousSparrow / UNC2286 / OperatorPanda / G1045) is a Chinese state-sponsored cyber-espionage actor attributed to the People's Republic of China Ministry of State Security and operated through the Sichuan Juxinhe Network Technology Co. Ltd. commercial contractor (US Treasury OFAC SDN designation September 2025); active since at least 2019 with the September 2025 CISA / FBI / NSA / CNMF / Five Eyes joint cybersecurity advisory AA25-239A formally establishing PRC-state attribution.

Salt Typhoon emerged into international public consciousness with the October 2024 disclosure that it had compromised multiple major US telecommunications carriers (Verizon, AT&T, Lumen Technologies, T-Mobile, and at least five others; nine carriers per Senator Cantwell's December 2025 testimony), among the most consequential US cyber-intelligence incidents in modern history.

The intrusions persisted for months to years; Cisco's 2025 disclosure documented at least one three-year dwell time. The compromise extended to CALEA lawful-intercept (wiretap) systems, giving visibility into US surveillance subjects, call metadata, real-time location tracking, and the text-message content of millions of Americans; to presidential campaign communications (Trump, Vance, Harris-Walz; November 2024); to senior government officials' communications; to a US state's Army National Guard network (early-2024 compromise of administrator credentials and network diagrams); and to Viasat satellite communications (mid-2025 ground-infrastructure compromise). By December 2024 the global scope had expanded to 80+ countries, with FBI notification of over 600 organizations.

Tradecraft hallmarks include network-device-focused initial access via exploitation of Cisco IOS XE, Juniper, Ivanti Connect Secure, Sophos Firewall and Fortinet FortiClient EMS devices; supply-chain compromise via telecom vendors (T1199, trusted relationship); the GhostSpider modular backdoor (Trend Micro, November 2024) as signature implant; the historical Demodex Windows kernel rootkit (Kaspersky, October 2021, GhostEmperor); network-device firmware modification (T1601); network sniffing on compromised telecom switches (T1040); PAM authentication-process modification (T1556.003); extensive living-off-the-land tradecraft; and an unprecedented long-term-persistence posture. In these respects it complements Volt Typhoon (US critical-infrastructure pre-positioning), Flax Typhoon (Raptor Train ORB / Taiwan) and Gallium (historical global telecom) in the modern PRC telecom-and-pre-positioning operational ecosystem.

Country: China · Confidence: high · 21 aliases · MITRE ATT&CK G1045

Profile

Salt Typhoon (GhostEmperor / Earth Estries / FamousSparrow / UNC2286 / OperatorPanda / G1045) is a Chinese state-sponsored cyber-espionage actor attributed to the People's Republic of China Ministry of State Security (MSS). The attribution was formally established by the September 2025 CISA/FBI/NSA/CNMF/Five Eyes joint cybersecurity advisory AA25-239A and by the September 2025 US Treasury OFAC sanctions designation of Sichuan Juxinhe Network Technology Co. Ltd. as the MSS-affiliated commercial contractor operating Salt Typhoon. Active since at least 2019, with some carrier compromises documented dating to 2022 or earlier, Salt Typhoon emerged into international public consciousness in October 2024 with the disclosure of its compromise of multiple major US telecommunications carriers, among the most consequential US cyber-intelligence incidents in modern history.

Salt Typhoon's defining 2024-2025 operations against US telecommunications carriers established the cluster as one of the highest-priority PRC cyber threats in public reporting. Confirmed targets included Verizon, AT&T, Lumen Technologies, T-Mobile, and at least five other US telecom carriers (Senator Cantwell's December 2025 testimony cited at least nine carriers). The intrusions persisted for months to years; Cisco's 2025 disclosure documented at least one confirmed case of three-year dwell time inside a telecommunications network. The compromise extended to:

(a) CALEA (Communications Assistance for Law Enforcement Act) lawful-intercept systems, the federal wiretap infrastructure mandated by US law and used by law enforcement and intelligence agencies for court-authorized surveillance. Compromise gave Salt Typhoon visibility into which individuals were under US surveillance, access to call metadata, real-time location tracking, and the ability to read the text messages of millions of Americans (per Senate Commerce Committee testimony), making it among the most consequential intelligence breaches in US history.

(b) Presidential campaign communications: November 2024 revelations that Salt Typhoon had accessed communications of Donald Trump, JD Vance, and senior Harris-Walz campaign personnel. This elevation from an intelligence-collection concern to direct election-period interference reshaped the US-PRC cyber-attribution posture.

(c) Senior government officials' communications, directly surveilling US federal officials.

(d) Army National Guard networks: an early-2024 compromise of a US state's Army National Guard gave access to administrator credentials, network diagrams, and traffic logs revealing cross-state National Guard connectivity (strategically significant given Guard mobilization patterns).

(e) Viasat satellite communications: a mid-2025 compromise of Viasat's internal systems via remote-management abuse, enabling potential satellite-telemetry monitoring or manipulation, significant given Viasat's role as a US military backup network during crises.

(f) Global scope: by December 2024 the investigation had expanded to 80+ countries, with FBI notification of over 600 organizations worldwide.

Tradecraft hallmarks distinguish Salt Typhoon from other PRC clusters:

(a) Network-device-focused initial access: extensive compromise of Cisco IOS XE (CVE-2023-20198 / CVE-2023-20273), Juniper, Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887), Sophos Firewall (CVE-2022-3236), and Fortinet FortiClient EMS (CVE-2023-48788) edge devices, which are less monitored than servers and provide deep network access when compromised.

(b) Supply-chain compromise via telecom vendors and service providers (T1199, trusted relationship), establishing persistence at service vendors rather than at direct targets.

(c) The GhostSpider modular backdoor (Trend Micro, November 2024) as the signature 2024 telecom-targeting implant.

(d) The historical Demodex Windows kernel rootkit (Kaspersky, October 2021 GhostEmperor disclosure), technically sophisticated by state-actor standards.

(e) Network-device firmware compromise (T1601, modify system image), modifying Cisco/Juniper device firmware to maintain persistence.

(f) Network sniffing on compromised telecom switches (T1040) to passively collect communications traffic.

(g) Modification of authentication processes, including PAM (T1556.003), on telecom Linux systems.

(h) Extensive use of legitimate administrative tools and living-off-the-land tradecraft (paralleling Volt Typhoon and Flax Typhoon LOTL patterns).

(i) The SparrowDoor, HemiGate, Zingdoor, SnappyBee, and Masol RAT backdoor family in historical operations.

(j) An unprecedented dwell-time profile: Salt Typhoon emphasizes persistent long-term access over smash-and-grab intrusion.

Strategic distinction from related PRC clusters: Salt Typhoon complements Volt Typhoon (US critical-infrastructure pre-positioning), Flax Typhoon (Raptor Train ORB / Taiwan collection), and Gallium / Granite Typhoon (historical global telecom CDR collection). Together these clusters form the modern PRC telecom-and-pre-positioning operational ecosystem. Salt Typhoon's dual-purpose posture, sustained intelligence collection combined with positioning for potential service disruption during a future geopolitical crisis, aligns with broader PRC strategic objectives, including preparation for a potential confrontation over Taiwan.

Aliases

21 aliases: salt typhoon, salttyphoon, g1045, ghostemperor, ghost emperor, earth estries, earthestries, famoussparrow, famous sparrow, unc2286, unc 2286, sichuan juxinhe, sichuan juxinhe network technology, juxinhe, juxinhe network technology, mss, ministry of state security, prc state sponsored, operator panda, operatorpanda, rookery

Notable Campaigns

13 campaigns
2026 · Ongoing Global Telecommunications Operations (2026)
2025 · CISA AA25-239A Joint Cybersecurity Advisory (September 2025)
2025 · Cisco Three-Year Telecom Dwell Time (Cisco 2025)
2025 · US Treasury OFAC Sanctions on Sichuan Juxinhe Network Technology (September 2025)
2024 · Viasat Satellite Communications Compromise (Mid-2024)
2024 · US Presidential Campaign Communications Targeting (November 2024)
2024 · CALEA Lawful Intercept System Compromise (Late 2024)
2024 · Global Scope Revelation, 80+ Countries Affected (December 2024)
2024 · US State Army National Guard Compromise (Early 2024)
2024 · US Telecom Mass Compromise Disclosure (October 2024)
2023 · Earth Estries Disclosure (Trend Micro 2023)
2021 · FamousSparrow Disclosure (ESET September 2021)
2021 · GhostEmperor Disclosure (Kaspersky GReAT October 2021)

Attribution & Reporting

Attributed by
FBI, CISA, NSA, US Cyber Command, Cyber National Mission Force (CNMF), US Department of Justice, US Department of Treasury, US Department of Treasury OFAC, US Department of State, US Department of Defense, US Senate Commerce Committee, US Senate Intelligence Committee, US Senate Armed Services Committee, UK NCSC, Australia ACSC, Canadian Centre for Cyber Security, New Zealand NCSC, Five Eyes, Microsoft, Microsoft Threat Intelligence Center (MSTIC), Mandiant, Google Cloud Threat Intelligence, CrowdStrike, Trend Micro, Trend Micro Research, Kaspersky GReAT, ESET, SentinelOne, Cisco, Cisco Talos, Palo Alto Networks Unit 42, Symantec / Broadcom, Recorded Future, Insikt Group, Volexity, SecurityScorecard, Lumen Technologies, Verizon, AT&T, T-Mobile
Key reporting
Microsoft Threat Intelligence: Salt Typhoon Threat Actor Profile (multiple, 2024-2026)
CISA / FBI / NSA / CNMF / Five Eyes Joint Cybersecurity Advisory: AA25-239A, PRC-Linked Actors Compromise Networks Worldwide (September 2025)
Trend Micro Research: Earth Estries Targets Government, Tech for Cyberespionage (2023)
Trend Micro Research: Earth Estries Targets Asia with GhostSpider (November 2024)
Kaspersky GReAT: GhostEmperor, From ProxyLogon to Kernel Mode (October 2021)
ESET: FamousSparrow, A Suspicious Hotel Guest (September 23, 2021)
ESET: FamousSparrow Renewed Operations (2024)
Mandiant: Salt Typhoon China-Nexus Telecom Operations (multiple, 2024-2025)
Cisco: Three-Year Dwell Time Telecom Network Compromise Disclosure (2025)
US Treasury OFAC SB-0149: Designation of Sichuan Juxinhe Network Technology Co. Ltd. (September 2025)
US Senate Commerce Committee: Salt Typhoon Hack Hearings (December 2025)
US Senate Intelligence Committee: Closed-Session Briefings on PRC Telecom Compromise (2024-2025)
Congressional Research Service: Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications (CRS IF12798)
Australia ACSC / UK NCSC / Canada CCCS / New Zealand NCSC: Joint Defending Against China-Nexus Covert Networks of Compromised Devices (2025)
Vectra AI: Salt Typhoon TTPs, Detection, and Defense Threat Briefing
Picus Security: Salt Typhoon, A Persistent Threat to Global Telecommunications Infrastructure
New Lines Institute: 2024, When China's Salt Typhoon Made Cyberspace Tidal Waves
NJCCIC: Salt Typhoon Nation-State Threat Analysis
neXavault: Salt Typhoon APT Chinese Cyber Espionage Guide
GB Hackers: Salt Typhoon Hacked Nine U.S. Telecoms (January 2025)
Council on Foreign Relations: Salt Typhoon Cyber Operations Tracker
EuRepoC: APT Profile, Salt Typhoon

Operational

State sponsor

People's Republic of China (PRC), Ministry of State Security (MSS). The September 2025 US Treasury OFAC sanctions designated Sichuan Juxinhe Network Technology Co. Ltd. as the MSS-affiliated commercial contractor responsible for Salt Typhoon operations. The joint FBI/NSA/CNMF/Five Eyes cybersecurity advisory CISA AA25-239A (September 2025) formally established the PRC-state attribution. Active since at least 2019 per the joint advisory, with some carrier compromises documented dating to 2022 or earlier.

Motivations
espionage, intelligence_gathering, long_term_access_positioning, critical_infrastructure_positioning, telecommunications_collection, lawful_intercept_compromise, calea_compromise, wiretap_data_collection, communications_metadata_collection, political_intelligence, presidential_campaign_targeting, government_official_surveillance, dissident_tracking, service_disruption_preparation, pre_positioning_for_crisis, taiwan_strategic_preparation, supply_chain_compromise
Sectors
Regions

Detection Blind Spots

60 techniques
Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.
Behavioral / log (Sigma): 54/60 · 90%
Analytics (MITRE CAR): 35/60 · 58%
Runtime / container (Falco): 4/60 · 6%
File / malware (YARA): 0/60 · 0%
Network (Suricata/Snort): 10/60 · 16%
Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan

30 techniques
Runnable Atomic Red Team tests covering this actor's mapped techniques; validate your detections against this specific adversary and cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used

10 mapped
Other tooling / TTPs (curation, not ATT&CK-mapped): MASOLRAT, MASOL RAT, METERPRETER, SNAPPYBEE, SNAPPY BEE, SPARROWDOOR, SPARROW DOOR
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin