Cell tower with dark storm clouds image courtesy of Michael Förtsch

Published: July 10, 2025

The sophisticated state-sponsored adversary Salt Typhoon has executed one of the most consequential cyber campaigns against U.S. critical infrastructure, exposing systemic flaws in traditional network security. This is not just another threat; it is a wake-up call. Like most threat actors, Salt Typhoon relies on a consistent set of preferred tools, tactics, procedures, and processes. This report lets organizations map those behaviors and identify the best methods to defeat the group's current strategies. Vendor solutions must be aligned with the latest threats if they are to serve the goals of most security programs. Salt Typhoon's advanced TTPs focus primarily on exploiting systemic weaknesses in traditional network security.

Anatomy of an Attack: Salt Typhoon's Modus Operandi

Salt Typhoon is a known Chinese threat actor, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. Their common tactics involve extensive reconnaissance to map network vulnerabilities, leveraging unpatched edge devices like VPNs and firewalls for initial compromise, and employing advanced methods such as kernel-mode rootkits and various dynamically evolving tools to establish and maintain long-term persistence. They are adept at lateral movement within compromised networks and blend with normal traffic to exfiltrate sensitive data, making detection and eradication exceptionally challenging for conventional security measures.

Table 1. Attacker Profile – Salt Typhoon

Target: Critical Infrastructure. Infiltrated at least nine major U.S. telecom providers, targeting core network routers to access sensitive user metadata and communications.

Method: Exploit the Edge & User Permissions. Leverages unpatched vulnerabilities in trusted security devices (firewalls, VPNs, and routers), turning defensive and normal administrator tools into attack vectors (also known as Living off the Land, or LOL).

Goal: Persistence & Espionage. Designed to maintain long-term, undetected access for data exfiltration, remaining active in networks even after discovery.



Figure 1. Common Attack Overview – Salt Typhoon

1. Reconnaissance & Vulnerability Identification

Salt Typhoon's operations begin with meticulous reconnaissance. They actively scan visible networks, specifically targeting and mapping attack surfaces to identify unpatched vulnerabilities in critical edge devices such as firewalls, VPNs, SOHO routers, and other trusted security components. Their deep understanding of network architectures allows them to identify systemic weaknesses, transforming traditional defensive tools into potential entry points. This initial phase is crucial for planning their subsequent intrusion and access campaigns.

2. Initial Compromise

Following reconnaissance, Salt Typhoon executes the initial compromise by exploiting the identified unpatched vulnerabilities. They specifically target critical infrastructure, as seen in their successful intrusions into at least nine major U.S. telecommunications providers. These intrusions often leverage flaws in devices like Cisco routers, gaining a crucial foothold within the target organization's core network. This phase involves turning defensive security tools into attack vectors, highlighting a fundamental flaw in perimeter-based security.

3. Lateral Movement & Data Exfiltration

Once inside, Salt Typhoon moves laterally through the "trusted" network, seeking out critical assets and sensitive data. They reconfigure compromised systems to exfiltrate information undetected for extended periods, sometimes months. This includes the theft of sensitive user metadata (timestamps, IP addresses, phone numbers) and, in some cases, audio recordings of telephone calls from high-profile individuals. Their ability to blend with normal network traffic by compromising VPNs and SOHO routers allows them to operate stealthily and evade detection by traditional threat hunting methods.

4. Persistence & Re-entry

A defining characteristic of Salt Typhoon is their formidable ability to maintain long-term persistence. They deploy sophisticated tools, such as the Windows kernel-mode rootkit Demodex, to establish remote control over targeted servers. Even if an access point is patched or initial intrusions are detected and evicted, Salt Typhoon can often exploit another chain of vulnerabilities or leverage previously deployed persistence mechanisms to regain access. Their continued presence in U.S. networks underscores the limitations of reactive cybersecurity models against such a determined and adaptable adversary.

“Salt Typhoon turned our trusted infrastructure into attack vectors. That changes everything.”


The Need for a New Approach

Salt Typhoon's success reveals a critical architectural failure in legacy security. They exploit the static, visible nature of traditional networks, where trust in devices is implicit and perimeters are brittle. This necessitates a paradigm shift towards preemptive cybersecurity.

A Preemptive Paradigm Shift

The Dispersive Stealth Networking Counter-Offensive

Detecting and responding is no longer enough; security practitioners are mired in data, overwhelmed by mounds of detections. Unfortunately, these tools are not effective. Dispersive Stealth Networking offers a different answer to defense, one that changes the game on attackers like Salt Typhoon. Rather than relying on detection and response, Dispersive focuses on built-in prevention capabilities and techniques that perform preemptive cyber defense, a technological approach that neutralizes attacks before they start, built on a simple yet revolutionary principle: you can't hack what you can't see.

Learn how Automated Moving Target Defense (AMTD), in conjunction with Zero Trust principles, is revolutionizing cybersecurity, enabling preemptive defense against advanced threats. Download the Gartner White Paper: Emerging Tech: Enabling Preemptive Cybersecurity Through Zero Trust With AMTD

The Time for Incremental Upgrades is Over

Secure your network with a preemptive defense built for the modern threat landscape. Make your infrastructure invisible, resilient, and unassailable.

  • Automated Moving Target Defense (AMTD): Continuously fragments and rotates network pathways, denying adversaries a static target and making sustained attacks impossible.
  • Quantum-Resistant Encryption: Secures data against "harvest now, decrypt later" tactics, providing long-term protection against future quantum computing threats.
  • Unwavering Resilience and Performance: Self-healing network fabric with multi-path technology ensures 99.999% uptime and up to 10x faster performance, even under attack.

The Dispersive Advantage Against Salt Typhoon

Nation states now have the ability to execute attacks at scale, with pre-planned intelligence against targets. They have extensive historical context on what has succeeded and are actively scaling attacks around the methodologies that work: compromise, move laterally, use the authority of legitimate users, and live off the land so they can't be detected. So, we have to focus on preemptive prevention first and detection as a secondary measure. Otherwise, we stay mired in detection and response, overwhelmed by current threats and threat noise.

Our platform provides nation-state-proof Stealth Networking, which has been designed to fundamentally re-architect security for resilience, performance, and future-proof defense of transport infrastructure. The vision was simple: make a network that can self-defend through movement, change, and morphing of the attack surface. Compared to other solutions, which focus on post-exploitation defense of later stages of attack, Dispersive Stealth Networking focuses on defeating attacks earlier in the lifecycle. It does this by improving zero trust between assets, enhancing authentication of users through context-aware authentication and authorization, and morphing the network infrastructure attack surface so that threat actors can no longer easily triage a target through lateral movement or attacks against the infrastructure itself.

To increase resilience in the face of any kind of automated attack, Dispersive moves the infrastructure under attack through automation. Imagine a scenario like the one in the movie "The Matrix", where the infrastructure itself moves around to defend itself as bullets fly by. This is the future of cyber security.

Eliminating the attack surface for VPN threats must be a core goal of entities being targeted by Salt Typhoon. Dispersive Stealth Networking, with its focus on resilience and attack surface reduction at the infrastructure layer, complements existing security controls to enhance protection against advanced persistent threats. By separating the control plane and data plane, there is no longer a data-plane infrastructure visible to attack.

Figure 2. Dispersive Stealth Networking Alignment to Salt-Typhoon

Attack Stages and Dispersive Relevance

Denying Reconnaissance

Dispersive Answer: Salt Typhoon's initial phase involves extensive reconnaissance, where they map target networks and identify visible components like VPNs, firewalls, and routers to exploit. Dispersive counters this by employing Stealth Networking and Endpoint Obfuscation, making the entire network infrastructure invisible and denying attackers any attack surface. This architectural shift prevents Salt Typhoon from gathering the foundational intelligence needed to initiate their operations, effectively neutralizing their reconnaissance efforts before they can begin.

Containing Lateral Movement

Dispersive Answer: Salt Typhoon excels at lateral movement, spreading quickly within compromised networks to access sensitive data and critical assets. Dispersive thwarts this by implementing Network-Centric Zero Trust and Micro-Segmentation. This means each user, device, and application operates within its own secure, encrypted tunnel. No encryption is shared across tunnels for an attacker to reuse, so if one segment is breached, the attacker is contained and cannot move laterally to other parts of the network, effectively preventing the spread of the threat.

Neutralizing data exfiltration

Dispersive Answer: Salt Typhoon's objective is to steal sensitive data, often remaining undetected for extended periods. Dispersive thwarts this by using Split-Session Multi-Path™ Technology, which fragments and disperses data packets across multiple, randomized, and independent network paths. This makes it virtually impossible for attackers to intercept and reconstruct the complete data stream. Furthermore, with all data encrypted at every hop and network metadata obfuscated, Salt Typhoon's ability to identify traffic flows and analyze stolen fragments is severely hindered, rendering their exfiltration efforts useless.

Eradicating Persistence

Dispersive Answer: Salt Typhoon aims to establish long-term persistence in compromised networks through rootkits and re-exploitation. Dispersive directly combats this by deploying Automated Moving Target Defense (AMTD), which ensures the network is never static. AMTD continuously fragments and rotates network pathways and encryption keys, creating a dynamic, unpredictable environment that prevents attackers from establishing a stable foothold or maintaining persistent command-and-control channels within the network.

Why Dispersive Stealth Networking for Salt Typhoon?

Moving to Dispersive Stealth Networking offers a paradigm shift in defending against threats like Salt Typhoon, primarily by embracing a preemptive cybersecurity approach. Its core benefits include Stealth Networking, which renders infrastructure invisible to attackers, eliminating the attack surface entirely.

Automated Moving Target Defense (AMTD) and Split-Session Multi-Path™ technology ensure data is fragmented and dynamically routed, making exfiltration and persistence virtually impossible. Furthermore, Network-Centric Zero Trust and Micro-Segmentation contain any potential breaches, preventing lateral movement, while quantum-resistant encryption future-proofs data, collectively providing unwavering resilience and continuous operation even under sophisticated nation-state attacks.

The Perimeter Is Broken. It’s Time to Go Stealth.

Salt Typhoon’s campaign is only the latest proof that traditional network defenses are no longer enough. Reactive tools can’t stop what they can’t see, and adversaries are already exploiting that fact. Dispersive Stealth Networking changes the game by making your infrastructure invisible, adaptive, and resilient by design. If you’re defending high-value infrastructure, the time for incremental fixes is over. Future-ready security starts with eliminating your attack surface. Let’s make your network something they can’t find. Schedule a personalized demo to see how.

Additional Reading

Explore more blogs by Lawrence Pingree.

=> Cybersecurity Needs Satellite Navigation, Not Paper Maps

=> Defending Against the Chinese Telecom Hack with Stealth Networking

=> Your Network Is Showing - Time to Go Stealth

=> Secure AI Workspaces Need More Than a VPN

=> When Good Tools Go Bad: Dual-Use in Cybersecurity
