
Blog | Mar 07, 2026

Salt Typhoon: Forgotten But Not Gone

In this insane world, where things happen constantly, it is so easy to forget things, and to forget to check whether we ever patched, fixed, or remediated something that was big news. Not everything lies in our power to do, so doing our part for the things in our control is not just good practice, it's civic duty.

I was in DC just a few weeks ago in Feb of 2026, and the topic of Salt Typhoon came up again. It’s not in public consciousness, and it’s certainly not making headlines, but for those of us who know how brittle the old networks are, we remain worried about the thing staying out there, unpatched with a new breach imminent any day.

A History of Salt Typhoon

Salt Typhoon is a name used by the cybersecurity industry for a China-linked espionage campaign that targets network infrastructure. Reporting describes targeting observed since at least 2021 across sectors such as telecommunications, government, transportation, lodging, and military infrastructure. The reported objective centers on long-term access for intelligence collection rather than short, disruptive attacks.

In 2024, public reporting connected the campaign to compromises inside major United States telecommunications environments.

In September 2025, the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), and international partners published a joint advisory describing People’s Republic of China state-sponsored actors targeting networks globally, with emphasis on large backbone routers and edge devices used by telecommunications providers. The advisory explicitly notes overlap with industry reporting that uses the Salt Typhoon name.

What Happened After?

After the campaign became publicly associated with telecommunications compromises, the response centered on three tracks: coordinated advisories, investigation and reporting channels, and hardening guidance focused on network devices.

Governments and intelligence partners issued joint guidance to help defenders identify malicious activity and apply mitigations. CISA’s joint advisory urged organizations to hunt for malicious activity and apply mitigations to reduce risk from these actors, with detailed focus on network infrastructure compromises.

The FBI requested public tips related to the campaign and the compromise of multiple United States telecommunications companies, directing submissions through official reporting channels.

There was broad consensus that the successful intrusion relied on known, common vulnerabilities and gaps in operational hygiene, especially delayed patching and weak protections for management access.

The Problem

It turns out that while there were issued “best practice” guidelines, we remain woefully unaware of what data was stolen, how much data was exfiltrated, and which networks were collectively affected.

This is because many networks use older, unpatched devices with outdated security standards. We’re not talking about sophisticated complexities. We’re talking about systems that have been in place so long that people forget they aren’t up to date.

We’re talking about:

  • Devices installed in networks as far back as the 90s that have not been patched
  • Saved passwords on devices; passwords as common as “Cisco123”
  • Open holes in older protocols like SNMP that were used for device monitoring way back when, and somehow are still in place
  • A lack of good data telemetry to see what the pattern of data in transit is, and if it's behaving as expected, or suspiciously
  • A lack of good encryption, with pre-shared keys, weaker encryption settings, and errors introduced in Access-Control-Lists (ACL) via bad copy/paste from Notepad
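As an added illustration (not part of the original post, and not a Graphiant tool), here is a small Python checker that flags the first three gaps in the list above in a constructed IOS-style configuration; the config text, the weak-password list and the check names are made-up sample values.

```python
"""Audit a router configuration for the hygiene gaps listed above
(hypothetical checker; the config below is constructed, not from any real device)."""
import re

# Constructed IOS-style config excerpt used as sample input
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password Cisco123
username netops password 0 HelloWorld123
snmp-server community public RO
snmp-server community private RW
snmp-server group v3grp v3 priv
no service password-encryption
logging host 10.0.0.5
"""

# Passwords named in the post plus a few well-known defaults (constructed list)
WEAK_PASSWORDS = {"cisco123", "helloworld123", "cisco", "admin", "password"}

def audit_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means none of the checked gaps were seen."""
    findings = []
    for line in config.splitlines():
        line = line.strip()
        # SNMPv1/v2c community strings travel in cleartext and act as a password
        m = re.match(r"snmp-server community (\S+)\s*(RO|RW)?", line, re.I)
        if m:
            comm, mode = m.group(1), (m.group(2) or "RO").upper()
            sev = "high" if mode == "RW" or comm.lower() in {"public", "private"} else "medium"
            findings.append(f"{sev}: SNMP v1/v2c community '{comm}' ({mode})")
            continue
        # Plaintext (type 0) or well-known passwords on enable / local user accounts
        m = re.match(r"(?:enable password|username \S+ password)\s+(?:0\s+)?(\S+)$", line, re.I)
        if m:
            pw = m.group(1)
            if pw.lower() in WEAK_PASSWORDS:
                findings.append(f"high: well-known password '{pw}' in: {line}")
            else:
                findings.append(f"medium: plaintext password in: {line}")
            continue
        if line.lower() == "no service password-encryption":
            findings.append("medium: password encryption disabled")
    # No remote syslog destination means little telemetry to spot unexpected behaviour
    if not re.search(r"^logging host ", config, re.M):
        findings.append("medium: no remote syslog destination; limited telemetry")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```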

Graphiant protects against future Salt Typhoon attacks via Data Assurance

Graphiant supports a defense posture by reducing exposure, keeping data protected in transit, and improving proof of policy enforcement and data movement.

  1. Reduce operational complexity that creates security gaps
    Graphiant is a network service that avoids a mesh of security tunnels (with all the bad decryption and password/pre-shared key issues) and uses a stateless core that forwards traffic without decrypting customer data. This matters because sprawling tunnel configurations often increase the number of places where inconsistent settings and weak controls can appear.
  2. Keep data encrypted edge to edge
    Graphiant keeps data encrypted from edge to edge (similar to Signal), and the backbone does not store customer data or have the keys to decrypt it. This is for true data-in-transit confidentiality, including traffic that crosses sites, clouds, and partner environments. Someone else’s network getting compromised should not take everyone down.
  3. Verify data paths and produce audit-ready evidence
    Graphiant weaves intelligence into the network service that observes flows, supports enforcement of policy, verifies paths, both domestic and foreign, in real time, and flags deviations with supporting context and timestamps. This supports faster detection of unexpected routing or policy drift, plus stronger evidence for audits and investigations. At any point, you should be able to ask where the data is going, and at any point, you should be able to command where the data is allowed to go.

The attacks will come fast and furious. And they aren’t the kind you see in movies with a hacker typing ferociously on a keyboard to somehow hack into a highly efficient system. It’s sadly the exact opposite. It’s a router, sitting in a cabinet, caked in dirt, that has a password like HelloWorld123 set on it in 2006 that someone found and used to get in.

We need to ask our providers, our partners, and our government for the ability to at least audit everything we have and provide assurance over the data, so we can at least shield ourselves from really bad things happening.