
Salt Typhoon Expands Its Reach: Chinese-Backed Hackers Breach 200 U.S. Companies and 80 Countries Worldwide

The FBI has confirmed that Salt Typhoon, a Chinese-backed hacking collective already linked to a string of telecom intrusions, has compromised at least 200 American companies in one of the most far-reaching espionage campaigns ever attributed to Beijing.


FBI assistant director Brett Leatherman disclosed the scale of the breaches in an interview with The Washington Post, describing the campaign as “ongoing” and far broader than previously acknowledged. Until now, Salt Typhoon was primarily known for penetrating nine U.S. telecom and internet providers—including AT&T, Verizon, Charter Communications, Lumen, and Windstream—but Leatherman revealed that the group has also infiltrated organizations in more than 80 countries, underscoring its global reach.


Mapping Calls, Tracking Power


Investigators say Salt Typhoon has been fixated on call metadata, targeting records that reveal who senior American politicians and officials were contacting—and in some cases, who the U.S. was legally surveilling. The FBI even went so far as to advise Americans at one point to switch to encrypted messaging apps, given the attackers’ ability to intercept communications.


A multi-agency advisory published Wednesday by the FBI and nearly two dozen partner nations provided fresh technical details about Salt Typhoon’s tactics, warning that the hackers primarily compromise company routers to siphon network traffic. Security teams were urged to review new indicators of compromise and harden defenses against ongoing infiltration attempts.


Corporate Support for a State-Backed Threat


The advisory went further than previous reports, linking three Chinese companies—Huanyu Tianqiong Information Technology Co., Sichuan Zhixin Ruijie Network Technology Co., and Sichuan Juxinhe Network Technology Co.—to Salt Typhoon’s operations. One of those companies was sanctioned by the U.S. earlier this year.


Pete Luban, Field CISO at AttackIQ, stressed the gravity of that revelation. “A joint advisory from cybersecurity agencies across 13 different countries has been released in regards to recent campaigns from threat group Salt Typhoon. The report accuses three Chinese organizations of providing Salt Typhoon with resources and intelligence to conduct attacks on critical global infrastructure.”


According to Luban, Salt Typhoon has already proven itself capable of headline-grabbing disruptions, including intercepting communications during the 2024 U.S. presidential election and infiltrating the U.S. National Guard’s networks for nearly a year without detection. “Salt Typhoon is already an Avengers-level threat, having shown the ability to disrupt key systems while remaining undetected,” Luban warned.


APT With Corporate Backing


Nick Tausek, Lead Security Automation Architect at Swimlane, said the corporate ties explain the group’s unprecedented scale. “Salt Typhoon’s ties to major Chinese corporations put its scale and success into sharper focus. The group is threatening enough on its own, given its ability to infiltrate major telecommunications systems, with the eight major US companies breached in December 2024 being the most prolific example.”


Tausek emphasized that the global sweep of Salt Typhoon’s campaigns—over 600 organizations across 80 countries last year—would have required vast resources and insider knowledge. “Having corporate backing explains how the group was able to conduct these operations as successfully as they did,” he noted.


But understanding the “how” doesn’t neutralize the risk. “Unfortunately, just because we understand how it happened doesn’t mean the threat is now gone,” Tausek cautioned. “Salt Typhoon is still just as dangerous as ever, and companies need to be prepared.”


What Comes Next


The advisory’s technical guidance underscores the urgency. Security experts are encouraging organizations to follow NSA-led recommendations, first assess how deep the intrusions go, and only then execute remediation, so as not to tip off adversaries.


With Salt Typhoon’s campaigns still active and corporate backers identified, the U.S. and its allies now face not just a stealthy cyber adversary but one with an industrial base behind it. As Luban put it, their “breadth for potential attacks widens dramatically”—and that breadth is already global.
