https://globalcyberalliance.org/new-report-salt-typhoon-across-the-internet/

Overview and Context

The report analyzes the *Salt Typhoon* cyber-espionage campaign, a long-running and highly sophisticated operation publicly attributed by U.S. authorities to state-linked actors. The campaign focuses on global telecommunications and critical internet infrastructure and is assessed as persistent, strategic, and ongoing rather than opportunistic.

Data Source and Methodology

The analysis is based on data from the Automated Internet Defense Environment (AIDE), a global network of honeypots operated across more than 25 countries. These decoy systems emulate vulnerable internet-facing services, particularly those used in telecommunications environments. Between August 2023 and August 2025, AIDE recorded more than 72 million attack attempts originating from China-based IP space. Behavioral patterns observed in this data align closely with previously documented *Salt Typhoon* tactics, techniques, and procedures.

Key Findings

- Multi-Phase Campaign Evolution: The activity follows a clear lifecycle:
  - Initial reconnaissance and scanning (mid-2023 to late 2024)
  - Targeted exploitation and credential attacks (late 2024 to early 2025)
  - Persistence, lateral movement, and advanced operations (early to mid-2025)
- Targeting Patterns: Attackers consistently focused on internet-exposed remote access systems, especially VPN gateways and network management interfaces. Vendors and platforms commonly observed include Cisco, Ivanti, Palo Alto Networks, and Fortinet, mirroring public vulnerability disclosures during the same period.
- Operational Techniques: The campaign relies heavily on "living-off-the-land" techniques, using legitimate administrative tools alongside custom payloads to evade detection. Common behaviors include credential harvesting, webshell deployment, command-and-control preparation, and staged data exfiltration.
- Geographic Reach: Activity consistent with *Salt Typhoon* was observed globally, with notable concentrations affecting North America, Europe, and the Asia-Pacific region. The campaign appears designed to scale across borders rather than focus on a single national target.

Observed Scale and Indicators

Across the observation period, AIDE recorded:

- Tens of thousands of exploitation attempts
- Widespread credential-based attacks
- Large volumes of potential data exfiltration activity
- Coordinated use of multiple IP addresses across different campaign phases

These indicators point to sustained resourcing and centralized coordination rather than isolated threat actors.

Strategic Implications

The report emphasizes that *Salt Typhoon* represents a deliberate effort to gain long-term access to communications infrastructure. Such access could enable surveillance, intelligence collection, or future disruption of essential services. Telecommunications networks are highlighted as especially high-value targets due to their role in lawful intercept systems and national communications resilience.

Defensive Recommendations

Organizations operating critical or internet-facing infrastructure are urged to:

- Audit and harden all VPN and remote access systems
- Patch known vulnerabilities in network devices promptly
- Enable detailed logging and monitor for anomalous administrative behavior
- Enforce strong authentication, including multi-factor authentication
- Conduct proactive threat hunting aligned with observed attacker behaviors

Conclusion

The report concludes that *Salt Typhoon* remains an active and serious threat. By combining large-scale honeypot telemetry with known adversary behaviors, it provides a data-driven view of a persistent state-linked campaign and underscores the need for immediate and sustained defensive action across the global internet ecosystem.
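The recommendations above ask defenders to log remote-access activity and hunt for the credential-based attacks and coordinated multi-IP behavior the report describes. The script below is an added example of what that hunting can look like over VPN gateway authentication logs; it is not code from the report, from the Global Cyber Alliance, or from AIDE. The log line format, the usernames, the RFC 5737 documentation IP addresses, and the detection thresholds are all assumptions constructed for this example, and a real gateway's syslog fields would need a different regular expression.

```python
"""Credential-attack detection over VPN gateway authentication logs.

Added example for the logging and threat-hunting recommendations above.
The log format and every sample line are constructed for this example;
they are not AIDE telemetry or content from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like format (hypothetical; real gateways use vendor-specific fields):
# <ISO timestamp> vpn-gw auth: result=<SUCCESS|FAILURE> user=<name> src=<IPv4>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth: result=(?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample log: one source spraying five accounts, three sources
# working one account until a login succeeds, and ordinary user activity.
SAMPLE_LOG = """\
2025-03-01T02:00:01 vpn-gw auth: result=FAILURE user=admin src=203.0.113.10
2025-03-01T02:00:02 vpn-gw health: cpu=12% tunnels=41
2025-03-01T02:00:03 vpn-gw auth: result=FAILURE user=netops src=203.0.113.10
2025-03-01T02:00:05 vpn-gw auth: result=FAILURE user=backup src=203.0.113.10
2025-03-01T02:00:07 vpn-gw auth: result=FAILURE user=svc-monitor src=203.0.113.10
2025-03-01T02:00:09 vpn-gw auth: result=FAILURE user=jdoe src=203.0.113.10
2025-03-01T02:10:00 vpn-gw auth: result=FAILURE user=admin src=198.51.100.7
2025-03-01T02:11:00 vpn-gw auth: result=FAILURE user=admin src=198.51.100.8
2025-03-01T02:12:00 vpn-gw auth: result=FAILURE user=admin src=198.51.100.9
2025-03-01T02:14:00 vpn-gw auth: result=SUCCESS user=admin src=198.51.100.9
2025-03-01T08:30:00 vpn-gw auth: result=SUCCESS user=jdoe src=192.0.2.25
2025-03-01T08:35:00 vpn-gw auth: result=FAILURE user=jdoe src=192.0.2.25
"""


def parse(lines):
    """Turn matching auth lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def _burst(events, group_by, count_field, threshold, window):
    """For each group_by value, the largest number of distinct count_field values
    among FAILURE events inside any span of length `window`; return groups
    that reach `threshold`."""
    groups = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            groups[e[group_by]].append(e)
    hits = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            distinct = {e[count_field] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            hits[key] = best
    return hits


def find_spraying(events, min_users=5, window=timedelta(minutes=10)):
    """One source IP failing against many distinct accounts (password spraying)."""
    return _burst(events, "src", "user", min_users, window)


def find_distributed_bruteforce(events, min_sources=3, window=timedelta(minutes=15)):
    """One account attacked from many source IPs (coordinated use of multiple addresses)."""
    return _burst(events, "user", "src", min_sources, window)


def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=30)):
    """A successful login shortly after a burst of failures on the same account:
    the point at which a credential attack may have turned into access."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            recent = [f for f in evs[:i]
                      if f["result"] == "FAILURE" and e["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                alerts.append((user, e["src"], len(recent)))
    return alerts


def analyze(log_text):
    """Run all three detections over raw log text and return their findings."""
    events = parse(log_text.splitlines())
    return {
        "password_spraying": find_spraying(events),
        "distributed_bruteforce": find_distributed_bruteforce(events),
        "success_after_failures": find_success_after_failures(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the constructed sample this flags 203.0.113.10 for spraying five accounts, the admin account for failures from four different sources, and the admin login from 198.51.100.9 that followed four failures. The thresholds and windows are starting points to tune against a gateway's normal failure rate, and the third detection is the one worth routing to an analyst first, since it marks where access may actually have been obtained.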
RESOURCES

- Full Report <https://globalcyberalliance.org/wp-content/uploads/2025/12/PUBLIC-REPORT-Salt-Typhoon-Across-the-Internet.pdf>

--
--------------------------------------
Joly MacFie +12185659365
--------------------------------------