Introduction
Salt Typhoon [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], also known as FamousSparrow [8] [11], GhostEmperor [11], Earth Estries [11], and UNC2286 [8] [10] [11], is a Chinese advanced persistent threat (APT) group linked to the Ministry of State Security (MSS). This group has been active since at least 2019 and is notorious for its sophisticated cyber espionage campaigns targeting American companies and citizens, particularly in the telecommunications sector [11] [12].
Description
Salt Typhoon has targeted US telecommunications companies [11], including Verizon [1] [2] [5], AT&T [1] [5], and Lumen/CenturyLink [1] [5], and has been implicated in multiple compromises of these firms, resulting in the theft of critical information such as call data logs and private communications involving government officials [6]. Investigations have suggested that the group may have accessed systems used for court-authorized wiretaps [1], although this access has not been definitively confirmed [5].
In December 2024 [1] [5] [6] [7], it was disclosed that Salt Typhoon had breached eight US telecom providers [1], with attacks suspected to have been ongoing for one to two years [1]. Recent reports from February 2025 indicated that the group continued its campaigns, specifically targeting internet-facing Cisco network devices used by telecom operators [1] [5]. The group exploited the vulnerabilities CVE-2023-20198 and CVE-2023-20273, which had received patches over a year prior to being exploited [1]. This operation is part of a broader campaign by PRC-affiliated threat actors [6], indicating a global scope of the threat [6]. Salt Typhoon is known for employing “living-off-the-land” tactics, utilizing legitimate system tools to maintain stealthy, persistent access to networks [2], which complicates attribution and prosecution efforts [2]. The weaknesses exposed by Salt Typhoon include outdated computer systems and inadequate network management within the telecom industry [9]. Additionally, the group has utilized zero-day exploits and targeted spear-phishing attacks as primary vectors for their intrusions [4].
In response to these threats, the FBI has announced a reward of up to $10 million for actionable information regarding individuals associated with Salt Typhoon. This initiative is part of the US State Department’s Rewards for Justice program [2] [8], which has been adapted to address cybercrime and cyber espionage [2]. To encourage insider cooperation [2], the FBI is offering relocation assistance [2], financial compensation [2], and witness protection guarantees to whistleblowers who provide actionable intelligence about the group’s operations [2]. The FBI’s investigation [3] [6] [7], marked under alert number I-042425-PSA [6], is part of a broader effort to combat malicious cyber activities linked to foreign government-affiliated actors [3], which may also include other groups such as Volt Typhoon. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have previously issued alerts warning the public about this threat, with joint statements released on October 25, 2024 [6], and November 13, 2024 [6].
The FBI is actively seeking public assistance in locating the Chinese hackers associated with the Salt Typhoon cyberattack campaign targeting US telecommunications providers [9]. The agency has requested information on the individuals involved in Salt Typhoon’s intrusion activities [9], which are considered among the most sophisticated foreign cyber operations against US networks [9]. The FBI is conducting a multi-agency investigation [4], employing advanced monitoring tools and anomaly detection systems to identify potential threat indicators [4], including suspicious IP traffic patterns [4]. The agency is working with industry partners and US government agencies to mitigate the impact of Salt Typhoon and is providing technical assistance to affected companies. A comprehensive guide titled “Enhanced Visibility and Hardening Guidance for Communications Infrastructure” was released on December 3, 2024 [6], advising telecommunications providers on strengthening defenses against PRC-affiliated cyber threats [6]. Ongoing efforts to enhance the resilience of the global telecommunications sector involve collaboration among international agencies [6], including those in Australia [6], Canada [6], and New Zealand [6], emphasizing the need for proactive network monitoring and robust security measures [6].
Organizations suspecting they have been targeted by Salt Typhoon are encouraged to contact local FBI field offices [6]. The FBI remains committed to protecting US critical infrastructure and encourages the public to report any relevant information, particularly about specific individuals involved in the group’s activities, as part of its national security rewards program [10], Rewards for Justice [2] [4] [6] [8] [10].
Conclusion
The activities of Salt Typhoon underscore the significant threat posed by state-sponsored cyber espionage groups to national security and critical infrastructure. The ongoing efforts by the FBI and international partners to mitigate these threats highlight the importance of robust cybersecurity measures and international cooperation. As cyber threats continue to evolve, it is imperative for organizations to remain vigilant, adopt proactive security practices, and collaborate with law enforcement agencies to safeguard sensitive information and infrastructure.
References
[1] https://www.newsbytesapp.com/news/science/fbi-offers-10m-for-information-on-hacking-group-salt-typhoon/story
[2] https://the420.in/fbi-10-million-reward-chinese-hacker-group-salt-typhoon/
[3] https://www.techradar.com/pro/security/fbi-places-bounty-on-salt-typhoon-usd10-million-for-info-on-infamous-chinese-hacking-group
[4] https://cybersecuritynews.com/fbi-to-offer-reward-up-to-10-million/
[5] https://arstechnica.com/security/2025/04/fbi-offers-10-million-for-information-about-salt-typhoon-members/
[6] https://thecyberexpress.com/fbi-issues-alert-on-salt-typhoon/
[7] https://www.androidheadlines.com/2025/04/fbi-10m-bounty-information-on-salt-typhoon-hackers.html
[8] https://www.wizcase.com/news/fbi-10-million-reward-chinese-salt-typhoon-hackers/
[9] https://www.cybersecuritydive.com/news/fbi-china-salt-typhoon-hack-telecom-tips/746490/
[10] https://www.forbes.com/sites/daveywinder/2025/04/27/fbi-issues-10-million-chinese-hacker-bounty/
[11] https://www.infosecurity-magazine.com/news/fbi-help-tracking-chinese-salt/
[12] https://www.hstoday.us/subject-matter-areas/cybersecurity/fbi-seeking-tips-about-prc-targeting-of-u-s-telecommunications/