 FBI: Threats from Salt Typhoon are ‘still very much ongoing’

The FBI headquarters on November 23, 2024, in Washington, D.C. (Michael A. McCoy/Getty Images)

A top FBI cyber official said Salt Typhoon, the Chinese cyber espionage group behind the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to both America’s private and public sectors.

Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, touted improved partnerships between the telecommunications industry and government in the wake of the campaign while speaking at CyberTalks, presented by CyberScoop, in Washington, D.C., on Thursday.

Companies that engaged with the FBI and federal agencies like CISA early after the campaign went public “have been without a doubt the most successful in mitigating the impact of the Salt Typhoon intrusions,” he claimed.

Last year, CyberScoop’s reporting found that the U.S. telecommunications sector was riddled with basic cybersecurity vulnerabilities and patchwork consolidated networks, and Salt Typhoon took advantage of these weaknesses to gain widespread, persistent access to major telecom networks.

Machtinger echoed a similar sentiment in describing lessons the FBI took away from the episode, saying that “despite all the advances in cybersecurity tools and strategies, it is still the most basic vulnerabilities that provide entry points.”

Cybersecurity leaders and network defenders have a responsibility to understand their own vulnerabilities and implement “fundamental” cybersecurity practices such as zero trust, least-privilege access, secure-by-design principles, end-to-end encryption and other protections.

Despite an increasingly complex threat and technology environment, phishing attacks and the targeting of vulnerable legacy systems are still the most common ways the FBI sees hacking groups gain access to their victims. While foreign intelligence agencies do use zero-day vulnerabilities and other sophisticated tools to compromise well-defended systems, “by and large this is not what we are seeing, and it is not what we saw in Salt Typhoon,” Machtinger said.

“None of these concepts are new…and truthfully they’re not all that advanced, but they are increasingly essential as adversaries adapt their tactics and our attack surface becomes more widespread,” said Machtinger. “If we’re going to safeguard our personal and proprietary information, it is just as important for us to lock the doors inside the house as it is to lock the front door.”

But these lessons haven’t diminished the threat. Machtinger estimated that Salt Typhoon’s intrusions have impacted more than 80 countries, often following the same playbook of pairing broad access with “indiscriminate” targeting and collection.  

It is “important to recognize that the threat posed by Salt Typhoon actors and the rest of the PRC intelligence apparatus and enabling infrastructure is still very, very much ongoing,” Machtinger said.

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
