Anatomy of an Attack: CISA Alert on Salt Typhoon

August 29, 2025


Protecting Your Organization from Persistent Cyber Espionage

A Joint Warning on a Pervasive Threat

On August 27, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a critical joint advisory [1] shining a spotlight on "Salt Typhoon," a sophisticated state-sponsored advanced persistent threat (APT) actor affiliated with the People's Republic of China (PRC), whose ongoing cyber espionage campaign poses a significant threat to critical infrastructure sectors globally.

Who is Salt Typhoon?

Salt Typhoon is not a new player in the cyber threat landscape. Active since at least 2019, the PRC state-sponsored group is primarily focused on long-term cyber espionage, meticulously gathering intelligence rather than seeking immediate financial gain [2]. Their operations are extensive, designed to establish persistent access to target networks and exfiltrate sensitive data. These activities represent a clear breach of global telecommunications privacy and security norms, aiming to compromise organizations crucial to national and economic security.

The Scope of the Attacks

The advisory highlights that Salt Typhoon's targeting is deliberate and strategic, focusing on sectors that provide essential services and hold significant value for a long-term espionage campaign.

Targeted Sectors

Salt Typhoon has primarily targeted critical infrastructure sectors across the globe.

Telecommunications: By gaining deep access to telecommunications networks, Salt Typhoon can conduct pervasive surveillance, intercepting communications on a massive scale. This provides invaluable intelligence on a broad range of targets, including government agencies, businesses, and private citizens, without having to individually compromise each target.

Government: The targeting of government entities goes beyond simple data theft. By infiltrating government networks, Salt Typhoon can collect sensitive policy documents, operational data, and strategic plans, all of which provide a clear picture of a nation's intentions and capabilities. This information is invaluable for diplomatic, economic, and military intelligence gathering.

Transportation: Infiltrating transportation networks, including those for air, sea, and land travel, provides a significant strategic advantage. A threat actor can not only monitor logistics and supply chains but also potentially track the movement of key personnel or military assets. In a crisis scenario, such access could be used to cause economic disruption or impede a military response.

Lodging: This sector is often used as a gateway to target high-value individuals. Salt Typhoon has targeted networks at hotels and other lodging establishments to gain access to the devices of visiting government officials, corporate executives, and military personnel. These networks are often less secure than corporate or government networks, making them an ideal initial entry point for an attack on a high-value target.

Military Networks: Direct intelligence gathering from military networks is a core goal of any state-sponsored espionage group. Access to these systems can provide critical insights into defense capabilities, military doctrine, research and development projects, and operational readiness. This information can be used to inform strategic decisions or to prepare for potential future conflicts [3].

Salt Typhoon’s Tactics, Techniques, and Procedures (TTPs)

Salt Typhoon's operational playbook is characterized by stealth, persistence, and an adept use of both well-known vulnerabilities and sophisticated evasion techniques. Their methods demonstrate a clear intent to establish long-term access rather than short-term disruption.

Initial Access (MITRE ATT&CK: T1190): The group frequently exploits public-facing applications to gain a foothold [4]. They target known, unpatched vulnerabilities in internet-facing network edge devices, such as routers, firewalls, and VPN appliances. The advisory notes that the group has had considerable success using this method, underscoring the critical importance of diligent patch management.

Persistence (MITRE ATT&CK: T1098.004, T1021.004, T1571): Once inside, they establish persistence by adding SSH authorized keys to devices for continued remote access. They also rely on the well-known non-standard port technique, enabling SSH on ports other than the default. They are adept at clearing logs and disabling security features to cover their tracks [5].

Lateral Movement (MITRE ATT&CK: T1078.003): Salt Typhoon leverages compromised credentials to move deeper into the network using valid accounts [6]. They abuse legitimate protocols and routing infrastructure to traverse devices, seeking out high-value data and additional systems to control.

Command and Control (C2) (MITRE ATT&CK: T1071.001, T1572): For C2 communications, Salt Typhoon often uses application-layer protocols, typically web protocols over encrypted channels, and legitimate web services to blend in with normal network traffic. They have also been observed using protocol tunneling via GRE/IPsec to create a stealthy C2 channel.

Data Exfiltration (MITRE ATT&CK: T1041, T1048): Their primary goal is intelligence gathering, so data exfiltration focuses on sensitive communications and proprietary information [7]. This is often accomplished by using the established C2 channel (exfiltration over C2 channel) or by using alternative protocols (exfiltration over alternative protocol) to move data out of the compromised network.

Joint Guidance and Mitigation Measures for Salt Typhoon

The joint advisory provides a crucial and actionable defense blueprint for organizations to fortify their security posture against the persistent threat of Salt Typhoon. Implementing these measures is not just recommended; it is critical to preventing, detecting, and mitigating a compromise.

Patch Management: Diligently identifying and immediately patching all internet-facing devices is the single most critical step. Salt Typhoon's preferred initial access method involves exploiting known, unpatched vulnerabilities on routers, firewalls, and VPN appliances. By maintaining a strict and timely patching schedule, organizations can directly shut down one of the primary entry points used by the threat actors.

Configuration Monitoring: Organizations must regularly audit and monitor the configurations of all network devices for unauthorized or suspicious changes. Salt Typhoon frequently modifies device configurations to establish persistence and create backdoors, often enabling services like SSH and FTP on unusual ports. Proactive monitoring can help security teams spot these unauthorized changes before the adversary can fully entrench themselves in the network.
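As an added illustration of the configuration audit described above (not code from the advisory or from ExtraHop), the following script diffs a constructed baseline against a constructed current snapshot written in a simplified, vendor-neutral router syntax and classifies each change against the persistence behaviours the advisory attributes to Salt Typhoon: SSH moved off port 22, an added authorized key, a new local account, and remote log forwarding removed.

```python
import re

# Constructed example snapshots in a simplified, vendor-neutral router syntax
# (not a real device dump). BASELINE is the last approved configuration and
# CURRENT is what the device reports now.
BASELINE = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder-hash
ip ssh port 22
logging host 10.0.50.10
logging trap informational
"""

CURRENT = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder-hash
username svc-backup privilege 15 secret 9 $9$placeholder-hash-2
ip ssh port 2222
ip ssh pubkey-chain
 username svc-backup
  key-string ssh-rsa AAAAB3Nza...constructed-key
logging trap informational
"""

# (diff side, pattern, finding): the persistence behaviours the advisory
# describes, expressed as config drift.
RULES = [
    ("added", re.compile(r"^ip ssh port (?!22$)\d+$"), "SSH listener moved to a non-standard port"),
    ("added", re.compile(r"^\s*key-string\s+ssh-"), "new SSH public key authorized on device"),
    ("added", re.compile(r"^username\s+\S+"), "new local account added"),
    ("removed", re.compile(r"^logging host\s+\S+"), "remote syslog forwarding removed"),
]

def diff_lines(baseline: str, current: str):
    """Return (added, removed) non-blank config lines as sorted lists."""
    base = {l for l in baseline.splitlines() if l.strip()}
    cur = {l for l in current.splitlines() if l.strip()}
    return sorted(cur - base), sorted(base - cur)

def audit_config(baseline: str, current: str) -> list[str]:
    """Classify every changed line. Unmatched changes are still reported,
    so drift the rules did not anticipate is never silently dropped."""
    added, removed = diff_lines(baseline, current)
    findings = []
    for side, lines in (("added", added), ("removed", removed)):
        for line in lines:
            hits = [msg for s, rx, msg in RULES if s == side and rx.search(line)]
            label = "; ".join(hits) if hits else f"unclassified {side} line"
            findings.append(f"{label}: {line.strip()}")
    return findings
```

Running `audit_config(BASELINE, CURRENT)` reports the four classified changes plus the unclassified lines (the removed `ip ssh port 22`, the new `pubkey-chain` stanza), which a reviewer should still inspect.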

Network Monitoring: Proactively hunting for anomalous network traffic patterns is a key defensive tactic. Since Salt Typhoon often uses non-standard ports for services like SSH to evade basic firewall rules and security tools, a robust network monitoring solution is essential for detecting this unusual activity. This vigilance can uncover the tell-tale signs of an ongoing compromise that would otherwise go unnoticed.
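The following is an added example (not ExtraHop's detection logic) of the two network checks this section and the C2 section call for: identifying SSH by its version banner rather than its port, and flagging GRE or IPsec ESP flows whose peer is not on an approved tunnel list. The flow records, addresses and the allowlist are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 47 = GRE, 50 = ESP (IPsec)
    dport: int      # 0 for protocols that carry no port
    payload: bytes  # first bytes sent by the responder, b"" if none seen

# Constructed sample flows, not captured traffic. 10.1.1.1 plays the edge
# router; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for external peers.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", "10.1.1.1", 6, 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.1.1.5", "10.1.1.1", 6, 443, b"\x16\x03\x03\x00\x7a\x02"),
    Flow("203.0.113.7", "10.1.1.1", 6, 42333, b"SSH-2.0-OpenSSH_8.4\r\n"),
    Flow("10.1.1.1", "198.51.100.2", 47, 0, b""),  # approved GRE peer
    Flow("10.1.1.1", "203.0.113.9", 47, 0, b""),
    Flow("10.1.1.1", "203.0.113.9", 50, 0, b""),
]

# Constructed allowlist of tunnel endpoints the network team has sanctioned.
APPROVED_TUNNEL_PEERS = {"198.51.100.2"}
TUNNEL_PROTOS = {47: "GRE", 50: "IPsec ESP"}

def classify_service(flow: Flow) -> str:
    """Identify the service from what was exchanged, not the port number:
    an SSH server announces itself with a version banner on any port."""
    if flow.payload.startswith(b"SSH-"):
        return "ssh"
    if flow.payload[:1] == b"\x16":   # TLS handshake record type
        return "tls"
    return "unknown"

def detect(flows: list[Flow]) -> list[tuple[str, str]]:
    """Return (rule, detail) alerts for SSH off port 22 and unapproved tunnels."""
    alerts = []
    for f in flows:
        if classify_service(f) == "ssh" and f.dport != 22:
            alerts.append(("ssh-nonstandard-port",
                           f"SSH banner on {f.dst}:{f.dport} from {f.src}"))
        if f.proto in TUNNEL_PROTOS and not {f.src, f.dst} & APPROVED_TUNNEL_PEERS:
            alerts.append(("unapproved-tunnel",
                           f"{TUNNEL_PROTOS[f.proto]} between {f.src} and {f.dst}"))
    return alerts
```

On the sample set, `detect(SAMPLE_FLOWS)` raises three alerts: the SSH banner on port 42333 and the GRE and ESP flows to the unapproved peer, while the sanctioned GRE tunnel and the normal SSH and TLS sessions stay quiet.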

Log Analysis: Implementing a robust and centralized log management system is vital. Salt Typhoon is known to tamper with or clear logs to hide its activity and maintain a low profile within a compromised network. By capturing and analyzing logs in real-time and storing them securely on a separate system, security teams can preserve a forensic record of malicious activity even if the attackers attempt to erase their tracks.

Strong Authentication: Enforcing strong, unique passwords across all systems and implementing multi-factor authentication (MFA) everywhere possible, particularly for all remote access points, is a foundational security measure. Salt Typhoon relies on compromised credentials, often obtained via password spraying or phishing, to facilitate lateral movement and escalate privileges. MFA directly mitigates this threat by making it exponentially harder for attackers to use stolen credentials.

Secure Remote Access: All remote access solutions, including VPNs and remote desktop services, must have strict controls and continuous monitoring. These services are a prime target for initial access. By securing these gateways with strong authentication, monitoring for anomalous connection attempts, and logging all activity, organizations can significantly reduce their external attack surface.

Network Segmentation: Properly segmenting the network into smaller, isolated zones is a highly effective way to limit the potential impact of a breach. Even if Salt Typhoon successfully compromises one part of the network, segmentation restricts their ability to move laterally to other sensitive systems and data, containing the attack and preventing a full-scale compromise.

How Network Detection and Response (NDR) Combats Salt Typhoon

"Salt Typhoon exploits known vulnerabilities in edge routers and network devices, then modifies configurations and opens ports to establish persistent access. Traditional security tools miss these changes, especially when they themselves are used in the attack. That’s where protocol-aware NDR with full network visibility becomes critical for catching these unexpected configuration changes and unusual traffic patterns, such as SSH spun up on high ports and GRE/IPsec tunnels that don’t belong, indicating that your own security devices have been turned against you."

Henry Peltokangas, Director, Reveal Labs, ExtraHop

While essential, traditional security tools like firewalls, antivirus, endpoint detection and response (EDR), and SIEMs may not be enough to counter the stealth and persistence of a sophisticated APT like Salt Typhoon. This is where the ExtraHop RevealX Network Detection and Response (NDR) platform can provide a critical advantage.

Continuous Network Visibility: ExtraHop passively monitors all network traffic, including encrypted communications, providing a complete, real-time picture of activity across the entire attack surface. By decrypting and decoding 90+ protocols, ExtraHop directly counters Salt Typhoon's tactics: security teams can see malicious activity hidden within encrypted traffic that evades detection by other NDR tools, such as reconnaissance, lateral movement, use of compromised credentials, and data exfiltration attempts.

Targeted Detection of Salt Typhoon's TTPs:

  • Lateral Movement: ExtraHop's machine learning models excel at detecting anomalous internal behaviors. It can detect subtle deviations like unusual authentication patterns, abnormal protocol usage, and suspicious lateral movement, even when legitimate credentials are used. Your security team can pull built-in and custom metrics into a dashboard to visualize these minute deviations from the baseline, which is critical for identifying and investigating even the smallest threats.
  • Persistence and Evasion: ExtraHop can precisely identify services running on non-standard ports, a key evasion tactic of Salt Typhoon. For example, if SSH or FTP traffic is observed on an unusual port, ExtraHop immediately flags it as a critical alert.
  • Command and Control: By analyzing network flows and behavioral anomalies, ExtraHop can detect suspicious outbound connections that indicate C2 activity, even when using encrypted tunnels or legitimate web services.
  • Data Exfiltration: ExtraHop provides deep visibility into data transfers, detecting unusually large data egress, transfers to suspicious external destinations, or the use of non-standard protocols for data exfiltration.

Automated Response & Integration: ExtraHop integrates seamlessly with other security tools like SIEM and SOAR platforms, enriching alerts with high-fidelity network context. This allows security teams to automate responses, validate alerts quickly, and respond with greater speed and confidence, reducing Salt Typhoon's dwell time.

Threat Hunting & Forensics: With continuous network recording and advanced analytics, ExtraHop provides the comprehensive data needed for deep forensic investigation. Security teams can trace an attacker's entire path, understand the full scope of a compromise, and determine precisely what data was accessed or exfiltrated. By treating network data as the source of truth and converting it into actionable insight, ExtraHop lets teams see exactly how Salt Typhoon moved, which systems were accessed, and what data was compromised, enabling a more rapid response.

The Ongoing Effort to Protect Critical Infrastructure

The CISA, NSA, and FBI joint advisory on Salt Typhoon serves as an important reminder of the persistent and evolving nature of state-sponsored cyber espionage. Protecting critical infrastructure requires a multi-layered defense strategy, with robust cyber hygiene as the foundation and advanced detection capabilities as a vital component. By understanding Salt Typhoon's TTPs and leveraging solutions like the ExtraHop RevealX Network Detection and Response (NDR) platform, organizations can significantly enhance their ability to detect, investigate, and respond to these sophisticated threats, safeguarding their operations and the critical services they provide.

Endnotes:

[1] CISA. (August 27, 2025). CISA and Partners Release Joint Advisory: Countering Chinese State-Sponsored Actors’ Compromise. https://www.cisa.gov/news-events/news/cisa-and-partners-release-joint-advisory-countering-chinese-state-sponsored-actors-compromise

[2] CISA. (August 27, 2025). Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

[3] NSA. (August 27, 2025). NSA and Others Provide Guidance to Counter China State-Sponsored Actors Targeting Critical Infrastructure. https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4287371/nsa-and-others-provide-guidance-to-counter-china-state-sponsored-actors-targeti/

[4] CISA. (August 27, 2025). Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a (Specifics on exploiting known vulnerabilities)

[5] CISA. (August 27, 2025). Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a (Details on persistence techniques like non-standard ports, log clearing)

[6] FBI. (August 27, 2025). Salt Typhoon Briefing. https://www.fbi.gov/video-repository/salttyphoon082725.mp4/view (Information on lateral movement and credential abuse)

[7] CISA. (August 27, 2025). Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a (Details on data collection focus for intelligence gathering)

Patrick Bedwell

Head of Product Marketing & Technical Marketing

Patrick Bedwell is an accomplished product marketing leader with deep expertise in the cybersecurity sector. With a career dedicated to crafting compelling go-to-market strategies, he has a proven track record of leading high-performing teams at companies like Fortinet and Lastline. He holds an MBA from Santa Clara University.
