**FBI Seeks Public's Help to Unmask Salt Typhoon Hackers Behind Widespread Telecom Breaches**
The Federal Bureau of Investigation (FBI) is asking the public for help in identifying and locating the Chinese state-sponsored hackers behind a string of high-profile breaches of telecommunications providers across the United States and worldwide.
In October, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) confirmed that Salt Typhoon hackers had compromised multiple telecom companies, including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream, among others. The breach also extended to dozens of countries.
While the attackers had access to the U.S. telecoms' networks, they also accessed U.S. law enforcement's wiretapping platform and obtained a limited number of private communications involving identified victims.
The FBI has now issued a public service announcement seeking tips that could help identify and locate the Salt Typhoon hackers. According to the agency, "Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale."
This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests.
The FBI maintains its commitment to protecting the US telecommunications sector and the individuals and organizations targeted by Salt Typhoon by identifying, mitigating, and disrupting Salt Typhoon's malicious cyber activity. If you have any information about the individuals who comprise Salt Typhoon or other Salt Typhoon activity, the FBI would particularly like to hear from you.
**A Growing Threat: The Chinese Cyber-espionage Group**
The Chinese cyber-espionage group Salt Typhoon, also tracked as Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286, has been breaching government entities and telecom companies since at least 2019. In recent months, it emerged that this state-backed hacking group is still actively targeting telecoms.
Between December 2024 and January 2025, the group breached more telecommunications companies worldwide by exploiting privilege escalation and Web UI command injection vulnerabilities in unpatched Cisco IOS XE network devices. These additional breaches include a U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. telecommunications provider, an Italian ISP, a South African telecom provider, and a large Thai telecommunications provider.
**Custom Malicious Tool Used by Salt Typhoon**
Cisco has revealed that the Chinese hackers use a custom malicious tool called JumbledPath to stealthily monitor network traffic and likely capture sensitive data from compromised U.S. telecommunication providers' networks.
**National Security Risk: TP-Link Routers Under Scrutiny**
U.S. authorities are considering banning TP-Link routers if an ongoing investigation finds their use in cyberattacks poses a national security risk. They are also reportedly planning to ban China Telecom's last active operations in the United States.
The FBI has already confirmed that the U.S. lost a record $16.6 billion to cybercrime in 2024, and recent high-profile hacks have highlighted the need for increased vigilance against state-sponsored hacking groups like Salt Typhoon.
**International Cooperation**
The FBI is urging individuals with information about Salt Typhoon or other malicious cyber activities to come forward. The U.S. Department of State's Rewards for Justice (RFJ) program is also offering a reward of up to $10 million for information about government-linked foreign hackers involved in malicious cyber activities against U.S. critical infrastructure.
Belgium has also launched an investigation into whether Chinese hackers breached its intelligence service, while the FBI confirms that the Lazarus hackers were behind a $1.5B Bybit crypto heist.
Stay safe online, and stay informed.