US, Allies Link Beijing-Backed Salt Typhoon Hacking Group to 2 More Chinese Companies

Twenty-three cyber, defense, and intelligence agencies from the United States and other countries released a joint advisory on Aug. 27, laying out the playbook used by Chinese state-sponsored hackers that breached major U.S. telecoms in 2024 and urging networks to hunt for this malicious activity.

Authorities say these malicious cyber threat actors have compromised networks worldwide to feed a Chinese state-sponsored espionage system.

They named three Chinese companies linked to the campaign widely known as Salt Typhoon.

One is the U.S.-sanctioned Sichuan Juxinhe Network Technology Co., Ltd. Two other companies were previously undisclosed: Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd.

Naming companies associated with the Chinese regime’s malicious cyber activity provides cyber researchers with more insight into the capabilities of various campaigns.

“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security,” reads the report, co-signed by agencies in the United States, Australia, Canada, New Zealand, the UK, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain.

Officials confirmed in 2024 that dozens of countries were affected by Salt Typhoon. The Wall Street Journal reported on Aug. 27 that the FBI now says this campaign has breached more than 80 countries.

“Beijing’s indiscriminate targeting of private communications demands our stronger collaboration with our partners to identify and counter this activity at the earliest stages,” Brett Leatherman, head of the FBI’s Cyber Division, said in a video statement.

UK National Cyber Security Center CEO Richard Horne said in a statement, “We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale.”

The U.S. Cybersecurity and Infrastructure Security Agency said in an Aug. 27 statement that the report is based on “real-world investigations conducted across multiple countries through July 2025.”

The authorities note that this advanced persistent threat (APT) overlaps with what Microsoft tracks as Salt Typhoon, CrowdStrike as Operator Panda, and Insikt Group as RedMike, as well as other cyber researchers using different tracking methods and names.

In addition to telecommunication networks, Chinese state-sponsored hackers have stolen data from internet service providers and breached the lodging and transportation sectors, which collectively give the Chinese regime the ability to track targets’ communications and movements worldwide, according to the report. The group has also breached defense networks.

“These APT actors are exploiting vulnerabilities in the large backbone routers of telecommunications providers—specifically provider edge and customer edge routers that often lack visibility and are difficult to monitor—to gain and maintain persistent access,” CISA stated. “They often modify router firmware and configurations to evade detection and establish long-term footholds.”

The campaign has been “performing malicious operations globally since at least 2021,” according to the report, mainly taking advantage of publicly known vulnerabilities.

According to the report, these APT actors have not been observed using any zero-day exploits, which target vulnerabilities that vendors have not yet had the chance to patch. Instead, they rely on a likely expanding collection of avoidable infrastructure weaknesses.

The report urged defenders to prioritize a handful of the most widely exploited vulnerabilities, most of which have been publicly disclosed since late 2023 or early 2024, along with one related to the Smart Install feature of Cisco IOS software, which was published in 2018.

The report includes a case study that breaks down the commands used by APT actors in a specific breach.

It also includes detailed guidelines for cyber threat hunting. Authorities have warned that APT actors tend to gain long-term access to networks, and partial responses to evict them may only alert the hackers, prompting them to become stealthier and potentially disrupting ongoing investigations.

“Where possible, gaining a full understanding of the APT actors’ extent of access into networks followed by simultaneous measures to remove them may be necessary to achieve a complete and lasting eviction,” the report states.
