
Recent public statements from senior leaders of national intelligence agencies have again highlighted the growing persistent cyber-threats from the People’s Republic of China (PRC). These threats and attacks have been identified as state sponsored and directed against both commercial as well as political targets in the US as well as multiple other countries. “Salt Typhoon” is a Chinese advanced persistent threat group that has been identified by government as well as commercial security sources as responsible for major cyber-attacks. In response to the growing cacophony of analysis regarding PRC state sponsored cyber-threats, Chinese government agencies are taking a more proactive defensive approach by publishing reports alleging that US intelligence agencies are fabricating the attacks and also conducting their own attacks against PRC organisations.
In early May this year, Vice Admiral Peter Reesink, director of the Military Intelligence and Security Service (MIVD) of the Netherlands, stated that “China has a very complex, organized cyber system. And we are not able to have a full grasp on what they can do…I would say that it's more threatening than Russia.” In their annual report for 2024, the MIVD assessed that in the past year Chinese cyber units again conducted cyber operations against the Netherlands and allies in the EU and NATO, and the effectiveness has been enhanced by most operational units now coming under the Cyber Space Force, which is directly controlled by the Central Military Commission chaired by President Xi Jinping. The MIVD assesses that the threat from PLA cyber-operations will increase.
On 7 May, Dr. Richard Horne, CEO of the UK National Cyber-Security Centre (part of Government Communications Headquarters – GCHQ) said in a speech that “China remains the pacing threat in the cyber realm. The Chinese Communist Party’s strategic approach to capability, legislation and data, means they have a whole – vast – ecosystem, entirely at their disposal. And the continued activity that we’re seeing come from the Chinese system remains a cause for profound and profuse concern.” Dr. Horne described China as an “adversary”, illustrating the outlook towards the PRC from the UK and its security partner nations.
The Federal Bureau of Investigation (FBI) in the US articulated its pursuit of the PRC cyber-threat recently with an announcement asking for information about “PRC-affiliated activity publicly tracked as ‘Salt Typhoon’ and the compromise of multiple US telecommunications companies, especially information about specific individuals behind the campaign.” The FBI investigation is conducted in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and concerns the finding that “PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”
The Salt Typhoon case developed publicly from November 2024, when US deputy national security adviser Anne Neuberger stated that nine telecommunications companies had been identified as victims of PRC state cyber-attack. The investigation was reported to have revealed that the attackers had obtained customer call records and gained access to private communications of individuals who were, according to the FBI, “primarily involved in government or political activity.” The attack also tried to copy US law enforcement requests relating to court orders.
Salt Typhoon is one of many cyber-threat actors around the world, but what differentiates this group from many others is the alleged or suspected links to the PRC Ministry of State Security (MSS) as its parent organisation. Cyber security firm Eclypsium has stated that “As far back as 2020 the following threat actor groups, including Salt Typhoon, have been observed, with solid evidence of operations based in China that are state-sponsored.”
In January 2025, the US Department of the Treasury Office of Foreign Assets Control (OFAC) announced sanctions against Sichuan Juxinhe Network Technology Co., Ltd., a Sichuan-based cybersecurity company with direct involvement in the Salt Typhoon cyber group. The Department of the Treasury alleged that Salt Typhoon has been active since at least 2019 and has been responsible for numerous compromises of US companies in the communication sector, including compromising the network infrastructure of multiple major US telecommunication and internet service provider companies. Furthermore, Sichuan Juxinhe Network Technology Co. Ltd. allegedly had direct involvement in the exploitation of these US telecommunication and internet service provider companies, and the MSS has maintained strong ties with the company.
The name Salt Typhoon was given by the Microsoft SecOps team that researches and analyses cyber threats. Microsoft uses a weather-themed naming taxonomy for threat actors, so cyber-threat actors suspected of originating from China are named “Typhoon”, those from Russia “Blizzard”, those from Iran “Sandstorm”, and those from North Korea “Sleet”. Microsoft identifies and classifies cyber-threats from a variety of other countries, including the USA, whose actors are named “Tornado”.
After the national classification, Microsoft then categorises the cyber-threats as nation-state actors (cyber operators acting on behalf of or directed by a nation/state-aligned program), financially motivated actors (cyber campaigns/groups directed by a criminal organisation or person with motivations of financial gain, and not associated with high confidence to a known non-nation-state or commercial entity), private sector offensive actors (cyber activity led by commercial actors that are known/legitimate legal entities, which create and sell cyberweapons to customers who then select targets and operate the cyberweapons), influence operations (information campaigns communicated online or offline in a manipulative fashion to shift the perceptions, behaviours, or decisions of target audiences to further a group's or a nation's interests and objectives), or groups in development (unknown).
The “so called” Chinese / US hacking group
In response to the wealth of reporting regarding cyber-attacks from the PRC, there are firm Chinese denials of the origin or nature of the threat. Global Times, owned by the PRC state controlled People’s Daily Press, wrote on 17 January 2025 “Following the US hype of the so-called ‘Volt Typhoon’ false narrative to discredit China in the first half of 2024, by the end of 2024, the US fabricated another so-called ‘hacker group associated with the Chinese government’ - the ‘Salt Typhoon’, promoting the narrative of ‘Chinese cyber threats’.”
In parallel with the denials of PRC cyber-attacks there are more assertive allegations of US intelligence agencies attacking Chinese companies, which are projected as having legitimacy through the China National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT).
The CNCERT, established in August 2001, claims to be “a non-governmental, non-profit network security technology center and the leading unit in China's computer network emergency response system.” However, this is not accurate, as it operates under the supervision of the Office of the Central Cyberspace Security and Informatization Commission, which safeguards national cyberspace security and interests.
In March 2018, the Central Committee of the Chinese Communist Party (CCP) announced that “In order to safeguard the national cyberspace security and interests, the National Computer Network and Information Security Management Center will be managed by the Office of the Central Cyberspace Security and Informatization Commission instead of the Ministry of Industry and Information Technology.”
Hence although the CNCERT claims to operate independently from government, it does in fact publish reports that are aligned with the policies and strategies of the central government. The CNCERT is hence similar to US-CERT, the United States Computer Emergency Readiness Team, which was integrated into the US Cybersecurity and Infrastructure Security Agency (CISA) in February 2023. Inevitably, the CNCERT will follow the PRC national security policy, just as CISA will follow the US national security policy.
The PRC national security policy apparently now involves the attribution of alleged cyber-threats and attacks to US intelligence agencies, which is similar to the activities undertaken by the cybersecurity agencies of the US and its partner countries.
For instance, in December 2024, CNCERT reported that it had handled two US cyber-attacks on large Chinese technology companies and institutions aimed at stealing commercial secrets. CNCERT claimed that since August 2024, “a suspected US intelligence agency” had attacked an advanced material design company in China by delivering Trojans through a software upgrade service to steal commercial secrets and intellectual property.
In addition, CNCERT claimed that since May 2023, a large high-tech enterprise in the smart energy and digital information industry had been attacked by a suspected US intelligence agency, which allegedly used the company's mail server to implant backdoor programs and continuously steal email data.
The CNCERT issued another report claiming that in 2024 US intelligence agencies had launched cyberattacks against a major Chinese commercial cryptography provider, exploiting a vulnerability in the company's customer relationship management system to gain access, implanting a specialized Trojan for control and stealing data relating to customers, contracts, and projects.
The CNCERT attribution of the cyber-attack to a US intelligence agency was based on analysis that found tools technically linked to those previously used by US intelligence agencies, as well as the observations that the attacks mainly occurred during US working hours and demonstrated sophisticated methods to evade tracing, including frequent IP switching and deletion of logs. The conclusion that a US intelligence agency operates on US working hours either shows a fundamental lack of insight or a limited imagination in making up a story for the attribution.
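To show how little a working-hours heuristic proves on its own, the following is an added example (not from the article or from any CNCERT report) that scores a constructed set of UTC activity timestamps against the 09:00 to 17:00 business day of several candidate UTC offsets. The sample timestamps, the zone list, the fixed offsets without daylight-saving handling and the 0.75 plausibility threshold are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: eight activity timestamps (UTC) on one weekday. Illustrative
# values only, not observations from the CNCERT reports or any real incident.
SAMPLE_EVENTS_UTC = [
    datetime(2025, 5, 5, hour, 0, tzinfo=timezone.utc) for hour in range(13, 21)
]

# Assumed candidate zones, as fixed UTC offsets (no daylight-saving logic).
CANDIDATE_ZONES = {
    "US Eastern (UTC-4)": -4,
    "Brasilia (UTC-3)": -3,
    "US Pacific (UTC-7)": -7,
    "UTC": 0,
    "China (UTC+8)": 8,
}


def business_hours_fraction(events, offset_hours, start=9, end=17):
    """Fraction of events that fall on a weekday between start and end, local time."""
    hits = 0
    for ts in events:
        local = ts + timedelta(hours=offset_hours)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events) if events else 0.0


def rank_zones(events, zones=CANDIDATE_ZONES):
    """Rank candidate zones by how well the events fit their business hours."""
    scored = [(name, business_hours_fraction(events, off)) for name, off in zones.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def plausible_zones(events, zones=CANDIDATE_ZONES, threshold=0.75):
    """All zones whose fit clears the threshold; more than one means the timing is ambiguous."""
    return [name for name, score in rank_zones(events, zones) if score >= threshold]


if __name__ == "__main__":
    for name, score in rank_zones(SAMPLE_EVENTS_UTC):
        print(f"{name:<20} {score:.3f}")
    print("plausible:", plausible_zones(SAMPLE_EVENTS_UTC))
```

With this sample two zones clear the threshold, and an operator who simply schedules activity to match a victim's business day would score well in any zone, so timing is at best corroborating evidence.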
* * *
There is an interesting difference between the cyber-threat environments in the PRC and the US which illustrates how the preferred narratives of the state are dominant in the Chinese communist system, whereas more objective assessments prevail in the US. In the PRC, the CNCERT is a state-operated organisation that must follow top-down directives from the Central People’s Government, which directs narratives to CCP, government, and news organisations for consistent communications. In the US, CISA is a government organisation that develops narratives in collaboration with partner agencies such as the Department of Homeland Security and the FBI. However, the commercial ecosystem in the US is so complex and dynamic that respected companies such as Microsoft and Eclypsium, with highly developed cyber-security teams, publish independent threat assessments that US government agencies must consider and utilise. This makes the cyber-threat narratives from the PRC inherently untrustworthy and those from the US, when filtered through the multifarious analyses of commercial organisations, more reliable.