Key facts (as of September 28, 2025)
- A sweeping joint advisory from the U.S., U.K., and 15+ allies (Aug. 27–Sept. 3, 2025) details Chinese state‑sponsored intrusions overlapping with “Salt Typhoon” and related clusters targeting telecoms and backbone networks since at least 2021. [1]
- Investigators describe edge‑device and router‑centric tradecraft: modifying routing, traffic mirroring (SPAN/ERSPAN), tunneling (GRE/IPsec), containerizing tools on network gear, and harvesting TACACS+ authentication traffic. [2]
- Crucially, the advisory notes: “Exploitation of zero‑day vulnerabilities has not been observed to date”; instead, actors chained known CVEs across widely deployed network equipment. [3]
- AT&T’s CISO says copycats are now adopting Salt Typhoon’s approach, seeking places with weak or no EDR and limited logging; ex‑NSA cyber chief Rob Joyce warns defenders’ progress has pushed attackers into “exploits chained together” paths. [4]
- FBI cyber chief Brett Leatherman says Salt Typhoon is “largely contained” in U.S. telecom networks—but access for espionage can be “pivot[ed]… to destructive action.” [5]
- Reporting indicates the intrusions reached “lawful intercept” systems at U.S. providers, a sensitive target class designed to process court‑authorized surveillance. [6]
- Washington has moved to sanction PRC‑linked firms and individuals tied to Salt Typhoon and Flax Typhoon (Jan. 3 and Jan. 17, 2025), reflecting a growing strategy to hit the contractor ecosystem. [7]
- The U.S. intelligence community’s 2025 Annual Threat Assessment names China the leading cyber threat; Volt Typhoon is assessed to be pre‑positioning in critical infrastructure for potential disruption. [8]
- Independent research finds a structural shift: since 2021, most high‑end Chinese intrusions are tied more to the Ministry of State Security (MSS) than the PLA—supported by a network of private contractors exposed by the i‑SOON leaks. [9]
The big picture: from “quiet persistence” to a global telecom dragnet
The past year has made clear that China’s cyber apparatus—centered on the Ministry of State Security (MSS) and buttressed by commercial contractors—has retooled for scale and stealth. A rare, globe‑spanning advisory issued by CISA, NSA, FBI, and allied cyber agencies documents how an MSS‑linked cluster overlapping with Salt Typhoon burrowed into telecoms and backbone providers across dozens of countries, abusing network edge devices and trusted interconnects more than individual laptops and servers. [10]
Rather than showcase pricey zero‑days, the campaign chain‑exploited widely known vulnerabilities in routers and firewalls (e.g., Ivanti, Palo Alto, Cisco IOS XE) to establish persistence, mirror traffic, and collect sensitive authentication data. Investigators even saw Linux containers running on network hardware to store tools and avoid detection. [11]
AT&T’s CISO Rich Baich summed up the copycat effect: attackers are “going to the areas of least resistance,” where organizations lack EDR coverage and logs are sparse or missing. Former NSA cyber director Rob Joyce added that defenders’ improvements have raised the bar so that “it just takes exploits chained together in multiple paths to get to success.” [12]
Why “Salt Typhoon” matters
What it did. The Salt Typhoon campaign (a Microsoft naming convention under the “weather” taxonomy) prioritized telecom and internet providers—core nodes that see other people’s traffic—so a single foothold yields many vantage points. The FBI has said nine U.S. telecom companies were victimized, with indicators of global spread. Some reporting notes intrusions touching lawful intercept platforms—systems that process court‑authorized wiretap data—raising obvious civil‑liberties and counterintelligence stakes. [13]
How it worked. The joint advisory paints a picture of living‑off‑the‑land operations at the network layer: enabling SSH on non‑default high ports, modifying access lists, manipulating routing, configuring SPAN/ERSPAN mirrors, tunneling via GRE/IPsec, and capturing TACACS+ (port 49) to replay credentials. It stresses that zero‑days were not required; hygiene failures on exposed devices were enough. [14]
Where it stands. According to the FBI’s Brett Leatherman, Salt Typhoon is “largely contained” and “dormant” in U.S. telecom networks; yet those same footholds could support destructive action if repurposed in a crisis—so containment is not the same as neutralization. [15]
How the MSS became a cyber powerhouse
Two complementary trends explain the surge:
- Institutional shift: Open‑source assessments and practitioner research indicate that the post‑2015 PLA reforms and the 2024 creation of new PLA information forces coincided with a relative rise of MSS‑led operations—especially for long‑term espionage and counterintelligence abroad. Sekoia’s deep‑dive observes that “from 2021 onward… operations attributed to China were mostly linked to the MSS rather than the PLA.” [16]
- Contractor ecosystem: The i‑SOON leak offered an unprecedented window into how private Chinese firms act as “digital quartermasters”, selling and sharing bespoke capabilities (e.g., ShadowPad, Winnti) across multiple MSS‑aligned sub‑teams, and explicitly targeting telecom call‑detail records for tracking people. [17]
U.S. policy has started to meet structure with structure: Treasury/OFAC sanctions now name specific PRC companies and people for Flax Typhoon and Salt Typhoon support, an attempt to raise costs on the supply chain of China’s offensive cyber machine. [18]
What’s new this month: copycats, techniques, and tone
- Copycat tradecraft. AT&T’s CISO warns adversaries are emulating Salt Typhoon by operating where telemetry is weakest (unmanaged devices, “no‑logs” zones) and by relying on admin tools already in your environment. “They’re going to the areas of least resistance,” he said. [19]
- Defenders’ dilemma. Joyce explains why: hardened endpoints and browsers now force attackers to “chain” multiple weaknesses—over time, that pushes them toward under‑monitored network infrastructure. [20]
- Global scope affirmed. Allied agencies warn the same actor set is still active worldwide and share detection rules mapped to MITRE ATT&CK for enterprise and ICS. [21]
How this compares: China vs. Russia, Iran, North Korea
- China (MSS; Salt/Volt Typhoon): Emphasis on pre‑positioning and persistent visibility in communications, energy, transport, and water/wastewater—with an eye to disruption in crisis. Volt Typhoon exemplifies “pre‑positioning” and LOTL methods in U.S. critical infrastructure, per CISA’s 2024 advisory. [22]
- Russia (GRU/Sandworm): More openly disruptive ICS/OT operations—e.g., repeated attacks on Ukraine’s power grid and OT experiments—where impact is the point, not just access. (See Google/Mandiant and Congressional Research Service coverage.) [23]
- Iran (IRGC‑linked and affiliates): Opportunistic infrastructure probing and hack‑and‑leak operations; U.S. agencies warned in mid‑2025 of near‑term risks to poorly secured U.S. networks; 2023–24 campaigns hit Unitronics PLCs in water and other sectors. [24]
- North Korea (Lazarus): Prioritizes revenue generation—stealing hundreds of millions in crypto annually—alongside espionage; recent research highlights fake‑job lures and supply‑chain implants. [25]
Bottom line: China’s approach looks more like persistent battlespace preparation at scale, especially in networks that carry other people’s traffic; Russia’s hallmark is visible disruption; Iran skews to ideological/retaliatory campaigns; North Korea to funding the state via theft.
What senior officials are saying
FBI Director Christopher Wray: “PRC hackers are targeting our critical infrastructure”—including water, power, and transportation—and the risk “requires our attention now.” [26]
FBI Cyber chief Brett Leatherman: “You can pivot from access in support of espionage to access in support of destructive action.” [27]
NSA’s Rob Joyce: Today it “just takes exploits chained together in multiple paths to get to success.” [28]
CISA and partners: in the Salt‑overlap intrusions, “exploitation of zero‑day vulnerabilities has not been observed to date.” [29]
Policy response and legal signals
- Sanctions & naming: In January, OFAC sanctioned a Beijing firm for Flax Typhoon support and later sanctioned an individual and Sichuan Juxinhe tied to Salt Typhoon and a U.S. Treasury breach. This is part of a broader strategy to isolate the contractor ecosystem that enables MSS operations. [30]
- Joint advisories: The August–September advisories represent one of the broadest multinational alignments to date on a single PRC‑linked cluster, sharing granular TTPs, CVEs, and mitigations. [31]
- Threat framing: The 2025 ATA underscores China as the top cyberthreat and highlights the potential for coordinated disruption alongside Russia, Iran, and North Korea. [32]
Practical takeaways for operators, CISOs, and policymakers
1) Treat network devices as endpoints.
Instrument routers, firewalls, and switches with configuration change monitoring, secure SNMPv3 (disable write where possible), restrict TACACS+ exposure, and alert on non‑default SSH/HTTP ports appearing on network gear. (The advisory lists concrete commands and artifacts to hunt for.) [33]
2) Patch, then verify.
Prioritize CVEs already exploited in your environment—not mythical zero‑days. Validate whether Ivanti, PAN‑OS, and Cisco IOS XE versions match exploited ranges; then hunt for persistence (tunnels, ACL changes, containers) that survive patching. [34]
3) Close the “no‑logs” gaps.
Salt Typhoon thrives where logs don’t exist: unmanaged appliances, private interconnects, and provider‑to‑provider links. Capture flow data at those seams and retain it long enough to spot slow‑burn campaigns. [35]
4) Protect special systems.
Harden and segregate lawful intercept platforms and other “crown jewels” where data sensitivity is extreme. Limit admin paths and establish out‑of‑band integrity checks. [36]
5) Plan for “pre‑positioning.”
Assume adversaries may be lying in wait. Exercise cross‑sector playbooks that move from containment to simultaneous eviction—the advisory warns partial responses can tip off intruders. [37]
6) Use the sanctions map.
Update vendor and third‑party risk programs against sanctioned PRC entities to prevent accidental resourcing of the offensive ecosystem. [38]
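As an added example (not from the advisory or any of the cited sources), a small Python audit that diffs a network device's running configuration against a known-good baseline and flags the artifact classes takeaways 1 through 3 call out: SSH or HTTP management moved to non-default ports, new GRE/IPsec tunnel interfaces, SPAN/ERSPAN mirror sessions, ACL edits, TACACS+ server changes, and IOS XE app-hosting containers. The configuration lines use Cisco IOS/IOS XE syntax, both sample configs are constructed, and the finding labels are the example's own, not the advisory's.

```python
import re
from difflib import ndiff

# Constructed sample configs (Cisco IOS/IOS XE syntax): the last known-good
# baseline and the running config pulled on the next monitoring cycle.
BASELINE = """\
hostname edge-rtr-1
ip ssh version 2
tacacs server auth1
 address ipv4 10.0.0.5
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
"""
CURRENT = BASELINE + """\
ip ssh port 57005 rotary 1
interface Tunnel0
 tunnel mode gre ip
 tunnel destination 198.51.100.9
monitor session 1 source interface GigabitEthernet0/1
monitor session 1 destination interface GigabitEthernet0/2
app-hosting appid tools
"""

# (regex on the stripped line, finding label, values that are benign defaults)
RULES = [
    (r"^ip ssh port (\d+)", "SSH on non-default port", {"22"}),
    (r"^ip http port (\d+)", "HTTP management on non-default port", {"80", "443"}),
    (r"^interface Tunnel\d+|^tunnel mode (?:gre|ipsec)", "tunnel interface added", None),
    (r"^monitor session \d+ (?:source|destination|type erspan)", "SPAN/ERSPAN mirror configured", None),
    (r"^(?:ip )?access-list ", "ACL changed", None),
    (r"^tacacs(?:-server| server) ", "TACACS+ server definition changed", None),
    (r"^app-hosting appid", "container app-hosting added", None),
]

def added_lines(baseline, current):
    """Config lines present in current but absent from baseline."""
    return [d[2:] for d in ndiff(baseline.splitlines(), current.splitlines())
            if d.startswith("+ ")]

def audit_config(baseline, current):
    """Return (label, line) for every newly added line that matches a rule."""
    findings = []
    for line in added_lines(baseline, current):
        text = line.strip()
        for pattern, label, benign in RULES:
            m = re.match(pattern, text)
            if m and not (benign and m.group(1) in benign):
                findings.append((label, text))
    return findings
```

Running audit_config(BASELINE, CURRENT) on the sample flags the SSH port change, the tunnel interface and its GRE mode line, both mirror lines and the container; the tunnel destination line passes because no rule covers it, which is the kind of gap a production rule set has to close.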
Context: MSS vs. PLA—and the “digital quartermasters”
Multiple analyses suggest an MSS‑led offensive posture, with provincial MSS bureaus outsourcing work to private contractors that share malware and infrastructure across missions. The i‑SOON documents illustrate how one firm supported telecom targeting and maintained modular tool families like ShadowPad that reappear across unrelated clusters—exactly what defenders would expect if a “services” model supports the state. [39]
Sekoia’s research is blunt on the trend line: MSS activity up; PLA activity down in global espionage since 2021. Meanwhile, PLA restructuring in 2024 created new information‑focused forces, but open reporting suggests foreign espionage at scale increasingly flows through the MSS and its contractors. [40]
How this story will evolve
- More contractor exposés and sanctions: Expect additional naming of PRC firms and brokers that sell access or data (e.g., Flax Typhoon support networks). [41]
- More TTPs without zero‑days: The Salt overlap advisory underscores that tradecraft beats novelty; defenders should act accordingly. [42]
- Continued “pre‑positioning” in critical infrastructure: The Volt Typhoon model—quiet access now, optional disruption later—remains central to U.S. threat framing. [43]
Sources & further reading
- CISA/NSA/FBI + allies: Countering Chinese State‑Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System (Sept. 3, 2025) and companion alert (Aug. 27, 2025). Technical TTPs, CVEs, and mitigations. [44]
- CyberScoop: AT&T CISO and Rob Joyce on why Salt Typhoon’s tactics are spreading (Sept. 22, 2025); FBI’s Leatherman on the current risk (July 2, 2025). [45]
- ODNI 2025 Annual Threat Assessment: China as leading cyber threat; broader context on PRC, Russia, Iran, DPRK. [46]
- CISA (Feb. 7, 2024): Volt Typhoon “pre‑positioning” advisory across U.S. critical infrastructure. [47]
- Recorded Future (Mar. 20, 2024): Attributing i‑SOON—how private contractors enable MSS operations; telecom CDR targeting and “digital quartermasters.” [48]
- Treasury/OFAC (Jan. 3 & 17, 2025): Sanctions on entities tied to Flax Typhoon and Salt Typhoon. [49]
- Nextgov (Aug. 27, 2025): Breach of lawful intercept systems amid Salt Typhoon investigation. [50]
- CRS & Google/Mandiant: Russian Sandworm ICS/OT disruptions in Ukraine. [51]
- NSA/CISA/FBI (Jun. 30, 2025) & CISA (Dec. 18, 2024): Iran‑linked threat advisories, including Unitronics PLC incidents. [52]
- The Verge/ESET (2025): North Korea/Lazarus crypto‑funding operations and evolving lures. [53]
Editor’s note on scope
This report synthesizes current open‑source intelligence and official advisories relevant to the topic the user provided. Some paywalled or robot‑blocked articles could not be accessed directly; where that occurred, we corroborated the core facts with primary advisories and mainstream outlets to ensure accuracy and verifiability. [54]
References
1. www.cisa.gov, 2. www.cisa.gov, 3. www.cisa.gov, 4. cyberscoop.com, 5. cyberscoop.com, 6. www.nextgov.com, 7. home.treasury.gov, 8. www.dni.gov, 9. blog.sekoia.io, 10. www.cisa.gov, 11. www.cisa.gov, 12. cyberscoop.com, 13. cyberscoop.com, 14. www.cisa.gov, 15. cyberscoop.com, 16. blog.sekoia.io, 17. go.recordedfuture.com, 18. home.treasury.gov, 19. cyberscoop.com, 20. cyberscoop.com, 21. www.cisa.gov, 22. www.cisa.gov, 23. cloud.google.com, 24. www.nsa.gov, 25. www.theverge.com, 26. www.fbi.gov, 27. cyberscoop.com, 28. cyberscoop.com, 29. www.cisa.gov, 30. home.treasury.gov, 31. www.cisa.gov, 32. www.dni.gov, 33. www.cisa.gov, 34. www.cisa.gov, 35. cyberscoop.com, 36. www.nextgov.com, 37. www.cisa.gov, 38. www.reuters.com, 39. go.recordedfuture.com, 40. blog.sekoia.io, 41. home.treasury.gov, 42. www.cisa.gov, 43. www.cisa.gov, 44. www.cisa.gov, 45. cyberscoop.com, 46. www.dni.gov, 47. www.cisa.gov, 48. go.recordedfuture.com, 49. home.treasury.gov, 50. www.nextgov.com, 51. www.congress.gov, 52. www.nsa.gov, 53. www.theverge.com, 54. www.cisa.gov