BLOG
February 28, 2025
Cyber Insiders: Understanding APT Salt Typhoon and How to Defend Against Them
A new wave of cyberattacks has once again placed cyber threat actor Salt Typhoon at the centre of global cybersecurity concerns. This state-sponsored Advanced Persistent Threat (APT) group, linked to China’s Ministry of State Security, has recently been identified targeting over 1,000 Cisco network devices used by telecommunications providers and universities worldwide.
This recent attack is part of Salt Typhoon’s ongoing campaign against telecom networks, which includes attacks on a US-based affiliate of a UK telecom provider and a South African telecom.
In our latest episode of Adarma’s podcast, Cyber Insiders, Cian Heasley, Threat Lead at Adarma, provides a comprehensive overview of Salt Typhoon that explores their origins, motivations and strategies to defend against them.
Below are key highlights from the episode, outlining Salt Typhoon’s threat profile. For a more detailed analysis and deeper insights, listen to the full podcast here.
Who is Salt Typhoon?
Salt Typhoon, also known as LIMINAL PANDA, was first observed in 2019. Since it emerged, the group has become increasingly aggressive, primarily targeting telecommunications providers, internet service providers (ISPs), and government entities. Salt Typhoon is primarily focused on intelligence gathering, quietly infiltrating networks and extracting valuable data without drawing attention.
How They Gain Access
Salt Typhoon has adapted its tactics over time. Initially, the group relied on spear phishing—targeting employees with malicious emails—but has since shifted to exploiting vulnerable internet-facing devices, such as routers, VoIP systems, and on-premise servers like Microsoft Exchange.
Rather than using zero-day vulnerabilities, Salt Typhoon takes advantage of older, publicly known weaknesses, some dating back over six years. Their success underscores a major industry challenge: unpatched and poorly monitored systems continue to be a primary entry point for attackers. Once inside, Salt Typhoon moves laterally through networks, establishing persistence with custom malware designed to evade detection.
Why Telecoms and Governments?
The group’s interest in telecommunications is clear: control over communications infrastructure provides a gateway to mass surveillance and intelligence gathering. ISPs and telecom providers store vast amounts of metadata, including who is communicating with whom, when, and how often. Such data is invaluable for espionage, allowing for targeted social engineering, political intelligence gathering, and even potential supply chain compromise.
Beyond telecoms, Salt Typhoon has targeted government agencies and NGOs, often using third-party suppliers as stepping stones into larger networks. The long dwell time of these intrusions, sometimes months or years before detection, demonstrates their ability to remain hidden.
The Wider Implications
This level of illegal access poses a serious threat to national security, particularly in the US, where major telecom providers have been compromised. The situation is exacerbated by regulatory uncertainty, potential reductions in oversight, and leadership changes within cybersecurity agencies like the Cybersecurity and Infrastructure Security Agency (CISA).
How Organisations Can Defend Themselves
While Salt Typhoon is sophisticated in maintaining access, their initial intrusion methods are preventable. Organisations should prioritise:
• Patching known vulnerabilities: Many of the exploited weaknesses have fixes available. A strong vulnerability management programme is essential.
• Monitoring external-facing devices: Routers, firewalls, and VoIP systems should be secured and logged appropriately.
• Deploying endpoint detection and response (EDR): Having visibility over potential compromises can prevent attackers from persisting in the network.
• Managing assets effectively: Organisations need a clear view of what systems they have, where they are, and whether they are properly secured. Unmonitored legacy systems often become hidden entry points for attackers.
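The three basics above (patch known weaknesses, watch external-facing devices, know what you own) can be turned into a simple remediation queue. This is an added example, not code from Adarma or the podcast: it scores a constructed asset inventory by exposure, monitoring coverage and the age of publicly known, patchable flaws, so that an unmonitored internet-facing router with a six-year-old fix available rises to the top. The weights, asset names and `VULN-PLACEHOLDER-*` ids are illustrative assumptions, not real identifiers.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Asset:
    name: str
    kind: str                # "router", "voip", "exchange", "switch", ...
    internet_facing: bool
    monitored: bool          # logs shipped to the SIEM and/or EDR present
    known_vulns: list        # tuples of (vuln_id, date_published, patch_available)

TODAY = date(2025, 2, 28)    # assumed assessment date

def risk_score(asset: Asset, today: date = TODAY) -> int:
    """Higher score = fix first. Weights are illustrative assumptions."""
    score = 50 if asset.internet_facing else 0   # exposure is the main driver
    if not asset.monitored:
        score += 20                                # a compromise here would go unseen
    for _vuln_id, published, patch_available in asset.known_vulns:
        age_years = int((today - published).days / 365.25)
        score += 10 * min(age_years, 6)            # old public flaws count more, capped at six years
        if patch_available:
            score += 10                            # a fix exists but has not been applied
    return score

def prioritise(assets: list, today: date = TODAY) -> list:
    """Return asset names ordered from highest to lowest risk."""
    ranked = sorted(assets, key=lambda a: risk_score(a, today), reverse=True)
    return [a.name for a in ranked]

def unmonitored_exposed(assets: list) -> list:
    """Internet-facing assets with no logging or EDR: the blind spots to close first."""
    return [a.name for a in assets if a.internet_facing and not a.monitored]

# Constructed sample inventory; vulnerability ids are placeholders, not real CVEs.
SAMPLE_ASSETS = [
    Asset("edge-rtr-01", "router", True, False, [("VULN-PLACEHOLDER-1", date(2018, 6, 1), True)]),
    Asset("voip-gw-02", "voip", True, True, [("VULN-PLACEHOLDER-2", date(2024, 1, 15), True)]),
    Asset("hr-file-srv", "server", False, True, [("VULN-PLACEHOLDER-3", date(2020, 3, 1), True)]),
    Asset("lab-legacy-sw", "switch", False, False, []),
]

if __name__ == "__main__":
    for name in prioritise(SAMPLE_ASSETS):
        asset = next(a for a in SAMPLE_ASSETS if a.name == name)
        print(f"{risk_score(asset):4d}  {name}")
    print("unmonitored and exposed:", unmonitored_exposed(SAMPLE_ASSETS))
```

Feeding real scanner output into `known_vulns` is left to the reader; the point is that age of a public fix, exposure and lack of monitoring combine, which is exactly the profile the group exploits.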
Looking Ahead
Beyond Salt Typhoon, ransomware groups continue to evolve. Emerging threats, such as RansomHub, are adopting more elaborate social engineering tactics: phishing campaigns, fake tech support calls, and impersonation via Microsoft Teams. Cybercriminals are refining their approach to bypass traditional security measures, making awareness and training more critical than ever.
Cybersecurity may be complex, but organisations don’t need to get everything right at once. As Cian highlights, doing the basics well (patching, monitoring and asset management) can significantly reduce risk. The cost of inaction, however, is far greater.
How Adarma Can Help
Adarma provides customised cybersecurity solutions to assist businesses in achieving future-ready cyber resilience. We protect organisations in the FTSE 350, including those in CNI and other regulated sectors. We offer effective threat detection and incident response, acting as an extension of your team to enhance your security posture and optimise your security investments for maximum risk reduction.
Our approach enables organisations to decrease cyber risks by implementing effective threat intelligence, exposure management, and detection and response capabilities. We offer tailored threat intelligence, technological solutions, and strategic consultations catering to our customers’ specific security requirements and business goals. Our expertise guarantees a balanced approach between security and operational efficiency, safeguarding our customers’ most crucial infrastructure and data.
Let’s Talk
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our c-suite publication that explores the state of the threat landscape, emerging cyber threats, and most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.