How Salt Typhoon Became a Top Cyber Threat to America


Among the many cyber threats facing the U.S. today, few are as sophisticated, or as alarming, as Salt Typhoon, a Chinese state-sponsored group behind a widespread espionage campaign. The threat actor, discovered in late 2024, has quietly infiltrated major telecommunications providers like Verizon, AT&T, and Lumen Technologies. Their target? The lawful intercept systems used by law enforcement for authorized wiretaps.

These systems—designed for secure surveillance—were compromised in an operation that also accessed sensitive communications tied to both Republican and Democratic 2024 presidential campaigns, as well as several high-level politicians.

This Salt Typhoon cyber threat has spilled into 2025 and now spans beyond U.S. borders, with Chinese cyber activity increasing by 150% year-over-year, according to CrowdStrike’s latest Global Threat Report. Analysts warn that this is not just a case of data theft: China is actively embedding itself into critical infrastructure, potentially preparing for more aggressive cyber operations down the road.

Salt Typhoon: A Stealthy and Persistent Adversary

Salt Typhoon is no ordinary hacking group. It uses “living off the land” (LotL) techniques, which involve hijacking legitimate system tools like PowerShell and WMI to blend in with normal administrative activity. This makes detection extremely difficult, according to Flashpoint’s senior intelligence analyst Aaron Shraberg.

“Salt Typhoon has demonstrated stealth and persistence,” Shraberg explains. “They use legitimate credentials and move laterally across networks, making it hard to spot and contain them.”

The group’s ability to operate quietly for months at a time highlights just how advanced their tactics, techniques, and procedures (TTPs) have become.

On April 2, the House Committee on Government Reform held a hearing focused entirely on Salt Typhoon. During the session, Rep. William Timmons (R-SC) pressed cybersecurity expert Edward Amoroso about potential retaliation. Amoroso urged restraint, warning that “hacking back” avoids the real issue: the U.S. needs to get its own defenses in order.

Experts agree. Instead of launching counterattacks, most say the best response is to fortify internal systems, improve threat visibility, and take action on known vulnerabilities that remain unpatched in critical infrastructure.

Experts Weigh In on the Salt Typhoon Cyber Threat

Cybersecurity leaders from across the industry acknowledge the severity of this breach—and the implications if the U.S. doesn’t act fast.

Bobby Kuzma, director at ProCircular, points out how dangerous it is for adversaries to access lawful intercept systems. “They can see all network traffic, even if they can’t decrypt it,” he says. “It gives them insight into who’s communicating and when—valuable intelligence even without reading the content.”

Dave Merkel, CEO at Expel, says Salt Typhoon’s campaign is serious, but not surprising. “China has long pursued counterintelligence and IP theft in the private sector. These operations are just the latest evolution of a long-term strategy.”

Austin Berglas, global head of services at BlueVoyant and former FBI cyber head, warns that China has already embedded itself deeply within U.S. infrastructure. “They’re collecting massive amounts of data and positioning themselves to disrupt or take control of critical services if conflict arises.”

What Should the U.S. Do Now?

The experts offered a range of responses:

  • Sanctions and Criminal Charges: Kuzma notes that the U.S. has already sanctioned individuals and organizations tied to the Chinese Ministry of State Security (MSS). But these diplomatic steps may not be enough.
  • Stronger Cyber Regulations: Red team expert Alon Termin says implementing strict cybersecurity standards, especially for telecom and infrastructure sectors, could help close the doors Salt Typhoon exploited.
  • Secure Edge Devices: Trellix analyst Anne An recommends prioritizing the security of phones, laptops, and IoT devices. These endpoints are often the first targets in espionage campaigns.
  • Reducing Lawful Intercept Exposure: Kuzma also raises a controversial but important point: rethinking the necessity of lawful intercept features that act as exploitable backdoors.

Lessons for Cyber Defenders

Even if your organization isn’t on the frontlines of geopolitical cyberwarfare, the lessons from Salt Typhoon still apply.

Merkel at Expel emphasizes foundational cybersecurity practices: patch systems quickly, enforce multi-factor authentication, and keep asset inventories updated.

Shraberg at Flashpoint advises companies to adopt a layered defense strategy, combining technical protections with employee education, especially as AI supercharges phishing and social engineering.

Anne An adds that organizations should monitor login behavior and enforce strong credential policies. Salt Typhoon often uses valid credentials to move undetected within a network, so frequent audits and anomaly detection are key.
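As an added illustration of the login-monitoring advice above (example code written for this page, not from the article or any of the firms quoted), the Python below runs two checks over constructed, Windows-style successful-logon records: an account authenticating to an unusual number of distinct hosts in a short window (the valid-credential lateral movement pattern described), and a logon from a source host never seen for that account in a baseline. The event format, the 30-minute window, the 4-host threshold, and the baseline are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source host, target host).
# In practice these would be parsed from authentication logs (e.g. Windows 4624 events).
SAMPLE_EVENTS = [
    ("2025-03-03T09:01:00", "jdoe", "WS-17", "FS-01"),
    ("2025-03-03T09:05:00", "jdoe", "WS-17", "FS-01"),
    ("2025-03-03T02:10:00", "svc_backup", "WS-42", "DC-01"),
    ("2025-03-03T02:12:00", "svc_backup", "WS-42", "FS-02"),
    ("2025-03-03T02:14:00", "svc_backup", "WS-42", "SQL-03"),
    ("2025-03-03T02:16:00", "svc_backup", "WS-42", "WEB-01"),
    ("2025-03-03T02:18:00", "svc_backup", "WS-42", "WS-09"),
]

# Assumed baseline: the source hosts each account normally logs on from.
BASELINE = {"jdoe": {"WS-17"}, "svc_backup": {"BK-01"}}


def parse(events):
    """Turn raw tuples into (datetime, account, src, dst) records."""
    return [(datetime.fromisoformat(ts), u, src, dst) for ts, u, src, dst in events]


def fan_out_alerts(events, window=timedelta(minutes=30), threshold=4):
    """Flag accounts that authenticate to >= threshold distinct hosts inside any window."""
    by_user = defaultdict(list)
    for ts, u, _, dst in parse(events):
        by_user[u].append((ts, dst))
    alerts = []
    for u, items in by_user.items():
        items.sort()
        for t0, _ in items:
            # Distinct target hosts reached within `window` of this logon.
            hosts = {d for t, d in items if t0 <= t <= t0 + window}
            if len(hosts) >= threshold:
                alerts.append((u, len(hosts)))
                break  # one alert per account is enough for triage
    return alerts


def new_source_alerts(events, baseline):
    """Flag (account, source host) pairs not present in that account's baseline."""
    return sorted({(u, src) for _, u, src, _ in parse(events)
                   if src not in baseline.get(u, set())})
```

Both checks are deliberately simple thresholds; in a real deployment the baseline would be learned from weeks of history and the thresholds tuned per account type (service accounts in particular).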

Ultimately, the consensus is clear: retaliation may be tempting, but building a resilient and well-defended cyber infrastructure is the best way forward. As Amoroso said during the House hearing, “The best defense is a good defense.”
