
FBI Confirms Salt Typhoon Breached 200 US Companies

The FBI says the China-linked group Salt Typhoon has breached at least 200 American companies and organizations in 80 countries, targeting telecom and internet providers. The campaign siphoned router traffic and call records, mapping who called whom among senior U.S. officials. The FBI issued technical guidance and warned the threat remains ongoing.

Published August 27, 2025 at 04:11 PM EDT in Cybersecurity

FBI: Salt Typhoon’s global espionage now hits 200 US firms

The FBI’s top cyber official confirmed a significant escalation in a China-linked hacking campaign known as Salt Typhoon. What was previously reported as intrusions into a handful of U.S. telecommunications and internet providers is now understood to include at least 200 American companies and organizations across 80 countries.

Salt Typhoon primarily compromises company routers and edge infrastructure to siphon sensitive network traffic. Targets included major carriers previously named—AT&T, Verizon, Lumen, Charter, and Windstream among them—and extended to other sectors whose networks carry politically sensitive communications.

A particularly sensitive goal of the intrusions was access to call records for senior U.S. politicians and officials. With that data, attackers can reconstruct call graphs: who called whom, frequency of contact, and even infer which individuals were under legal surveillance—information with clear national security implications.

At the height of the campaign the risk was serious enough that the FBI advised Americans to switch to encrypted messaging apps to protect calls and messages from interception. The agency and nearly two dozen international partners published an advisory providing technical indicators and guidance for identifying router compromises and mitigating the threat.

Why this matters now

The scale and method of Salt Typhoon change the threat picture for both public and private networks. Unlike commodity ransomware or isolated intrusions, traffic-siphoning attacks against network infrastructure provide long-term visibility into communications patterns and can persist undetected if logging and monitoring are weak.

This is a supply-chain and edge-security problem: attackers exploit router firmware, management interfaces, or weak configurations to gain a passive, high-value vantage point. The result is systemic risk across customers, partners, and government agencies that rely on those networks.

Immediate steps organizations should take

  • Harden and patch routers and edge devices; verify firmware integrity and vendor-signed updates.
  • Enable comprehensive logging and centralize NetFlow/packet captures for retrospective analysis.
  • Segment networks and enforce least privilege for management interfaces and APIs.
  • Adopt encryption for sensitive communications and reduce reliance on plaintext call records.
  • Run threat-hunting exercises keyed to router compromise techniques and develop incident response playbooks for exfiltration scenarios.
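As an added illustration of the logging and threat-hunting steps above (not code from the FBI advisory or from QuarkyByte), the script below builds a per-router egress baseline from flow records and flags router-originated flows to destinations outside that baseline, the pattern a traffic siphon from a compromised edge device would produce. The flow record layout, the addresses, the router list and the byte threshold are all constructed for the example.

```python
# Added example: retrospective hunt over flow records for router-originated
# egress to destinations absent from a historical baseline. All records,
# addresses and thresholds below are constructed for illustration.
from collections import defaultdict

GRE = 47  # IP protocol number for GRE, a common carrier for traffic tunnels

# Constructed flow records: (timestamp, src_ip, dst_ip, ip_proto, bytes)
BASELINE_FLOWS = [
    (1, "10.0.0.1", "10.0.9.5", 6, 1200),   # router -> NMS, expected
    (2, "10.0.0.1", "10.0.9.6", 17, 300),   # router -> syslog collector, expected
    (3, "10.0.0.2", "10.0.9.5", 6, 900),
]
HUNT_FLOWS = [
    (10, "10.0.0.1", "10.0.9.5", 6, 1500),             # still within baseline
    (11, "10.0.0.1", "203.0.113.7", GRE, 50_000_000),  # new external tunnel peer
    (12, "10.0.0.2", "198.51.100.9", 6, 4000),         # new dst, but tiny volume
    (13, "10.0.5.5", "203.0.113.7", 6, 100),           # not a router, out of scope
]
ROUTERS = {"10.0.0.1", "10.0.0.2"}  # constructed edge-router addresses

def build_baseline(flows, routers):
    """Per-router set of destinations observed during a known-good window."""
    seen = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if src in routers:
            seen[src].add(dst)
    return seen

def hunt_router_egress(flows, routers, baseline, min_bytes=1_000_000):
    """Flag router-originated flows to never-before-seen destinations.

    Tunnel-protocol flows are always flagged; other protocols only above
    min_bytes, since siphoning traffic must move bulk data. Each finding is
    (timestamp, src, dst, reason)."""
    findings = []
    for ts, src, dst, proto, nbytes in flows:
        if src not in routers or dst in baseline.get(src, set()):
            continue
        if proto == GRE:
            findings.append((ts, src, dst, "tunnel to unbaselined peer"))
        elif nbytes >= min_bytes:
            findings.append((ts, src, dst, "bulk egress to unbaselined dst"))
    return findings

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS, ROUTERS)
    for finding in hunt_router_egress(HUNT_FLOWS, ROUTERS, base):
        print(finding)
```

In practice the baseline window is rebuilt from centralized NetFlow/IPFIX exports on a schedule, and the router set comes from a validated device inventory so that a new edge device cannot silently fall outside the hunt.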

Attribution to a state-backed group raises geopolitical stakes. The FBI’s warning that the threat is “ongoing” means this will be a persistent risk vector. Public-private collaboration—sharing indicators, telemetry, and mitigation playbooks—will be essential to reduce dwell time and prevent widespread data exposure.

QuarkyByte approaches incidents like Salt Typhoon by combining network-traffic analytics, historical baselining, and focused tabletop exercises to surface stealthy router compromises quickly. For telecom operators, that means tailored detection rules for edge routing telemetry, validated firmware inventories, and playbooks for call-record integrity checks. For government and enterprise IT leaders, that means risk-scoped monitoring and coordinated response workflows that shrink attacker advantage.

The Salt Typhoon disclosures are a reminder that network infrastructure is a high-value target. Organizations should treat routers and edge appliances as first-class assets in their cybersecurity programs—not just as plumbing. With faster detection, better logging, and cross-sector cooperation, the window of exposure can be narrowed and attacker impact limited.


QuarkyByte can help telecoms, enterprises, and government bodies detect router compromises, build network-baseline analytics, and run targeted hunt-and-response drills that reduce dwell time. Contact us to map your call-graph exposure and harden edge devices against traffic-siphoning campaigns.