Overview
- Thirteen countries issued a 37-page advisory attributing the years-long Salt Typhoon operation to China-linked actors and naming three companies, including already-sanctioned Sichuan Juxinhe.
- Authorities say the campaign reached at least 80 countries and targeted more than 600 organizations, including about 200 in the U.S., across telecommunications, government, transportation, lodging and military sectors.
- The advisory details reliance on fixable vulnerabilities in Cisco, Ivanti and Palo Alto devices (e.g., CVE-2023-20198, CVE-2023-20273, CVE-2024-21887, CVE-2024-3400, CVE-2018-0171) to gain access, persist on routers and pivot via trusted links.
- Stolen telecom and travel data can enable identification, tracking and, for select targets, interception of communications, with an FBI official warning the operation likely swept up information on millions of Americans.
- Dutch intelligence independently confirmed access to routers at smaller domestic ISPs and hosting providers and reported no evidence of deeper penetration, as agencies urge rapid patching and coordinated threat hunting.