Salt Typhoon: A Wake-Up Call for Infrastructure Security in the Age of Connected Devices

Recent revelations about Salt Typhoon’s extensive cyberespionage campaign serve as a stark reminder of the evolving threat landscape facing critical infrastructure worldwide. This China-linked advanced persistent threat (APT) group has been systematically compromising backbone and edge routers globally for years, demonstrating the sophisticated tactics adversaries employ to gain persistent access to sensitive networks across multiple industries and government agencies.
The Scope and Nature of Salt Typhoon
Salt Typhoon, also tracked as GhostEmperor and Operator Panda, represents one of the most significant nation-state cyberespionage campaigns targeting critical infrastructure in recent memory. The group has successfully compromised network infrastructure across multiple major U.S. telecommunications companies and internet service providers, marking what U.S. Treasury officials describe as “a dramatic escalation in Chinese cyber operations against U.S. critical infrastructure targets.”
The attack methodology employed by Salt Typhoon reveals the group’s sophisticated understanding of modern network architectures. Salt Typhoon exploited vulnerabilities in edge network devices and routers, including specific CVEs in Cisco devices such as CVE-2023-20198 and CVE-2023-20273, to gain initial access and escalate privileges. The group utilized custom-developed backdoor malware, including GhostSpider, to gain persistent access to compromised systems, enabling prolonged espionage activities within critical telecommunications networks. This approach—gaining initial access through infrastructure device vulnerabilities and then leveraging custom tools for persistence—has enabled the group to maintain access while evading detection for extended periods.
Perhaps most concerning is the scale of the operation. In August 2025, the FBI stated that Salt Typhoon had hacked at least 200 companies across more than 80 countries. The group’s focus on telecommunications providers gives it access to sensitive communications, compromising both privacy and national security.
The Growing Threat to Connected Infrastructure
Salt Typhoon’s success highlights a broader challenge facing organizations worldwide: the security of interconnected devices and infrastructure systems. While this particular campaign focused primarily on telecommunications infrastructure, it underscores the vulnerability of all connected devices within enterprise environments.
The statistics paint a sobering picture of the current threat landscape. According to Verizon’s 2024 Data Breach Investigations Report, one in three breaches now involves an IoT device. This represents a significant shift in attack vectors, with cybercriminals increasingly targeting connected devices as entry points into organizational networks. The trend is accelerating, with the 2024 SonicWall Cyber Threat Report noting an approximate 107% surge in IoT malware attacks during the year.
These attacks don’t occur in isolation. They’re part of a broader trend of increasing cyber aggression, with the second quarter of 2024 seeing a 30% increase in cyberattacks compared to Q2 2023, the highest increase in the last two years. For healthcare organizations and other critical infrastructure providers, this represents a perfect storm of increasing attack volume, sophisticated adversaries, and expanding attack surfaces through connected medical devices and IoT systems.
The healthcare sector, in particular, faces unique challenges. Medical devices, building management systems, and other connected infrastructure often operate with limited security controls and infrequent updates. These systems, designed for reliability and uptime rather than security, present attractive targets for adversaries seeking persistent access to sensitive networks.
Lessons Learned: The Critical Need for Comprehensive Device Visibility
The Salt Typhoon campaign demonstrates several critical security principles that every CISO must consider when evaluating their organization’s security posture. Securing connected devices against similar attacks is no longer an option; it’s a necessity.
Key Tactics & Necessities for Preventing IoT Cyberattacks
Luckily, there are clear steps and tactics organizations can employ to thwart cyberattacks on IoT and prevent similar campaigns from disrupting operations.
- Comprehensive Asset Discovery and Visibility: One of the most challenging aspects of defending against sophisticated adversaries is understanding what you’re protecting on your network. Traditional IT asset management tools often miss connected devices, creating blind spots that attackers can exploit. The Salt Typhoon campaign’s success in targeting network infrastructure devices highlights the importance of maintaining comprehensive visibility into all connected assets, including those that might not traditionally be considered “IT” devices.
- Behavioral Monitoring: Static security controls proved insufficient against Salt Typhoon’s tactics. The group’s ability to maintain persistence for extended periods suggests that traditional signature-based detection methods failed to identify their presence. This underscores the importance of behavioral monitoring that can identify anomalous device communications and activities that might indicate compromise.
- Risk Assessment and Prioritization: Not all devices pose equal risk to an organization. However, without proper visibility and assessment capabilities, security teams cannot make informed decisions about where to focus their limited resources. The Salt Typhoon campaign targeted specific, high-value infrastructure devices—a strategy that organizations must anticipate when developing their own security priorities.
- Continuous Monitoring – Designed for Sensitive IoT: The extended timeline of the Salt Typhoon campaign—operating for years before detection—highlights the insufficiency of point-in-time security assessments. Modern threat actors operate with patience and sophistication, requiring security programs that provide safe, continuous monitoring and assessment of device security posture.
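The four tactics above (inventory, behavioral baselining, role-based prioritization, and re-running the check every monitoring window) can be sketched as a small detection loop. The following is an added example written for this article, not code from the original post or from any product it describes; the device names, the internal address range, and every flow record are constructed for illustration, and a real deployment would feed it NetFlow/IPFIX or firewall logs instead of the inline lists.

```python
"""Behavioral baseline for connected devices, with an inventory blind-spot check.

Added example (constructed data). Two questions are answered for each window
of flow records:
  1. Is a device talking on the network that the asset inventory does not know?
  2. Is a known device reaching a peer it never used during the baseline window?
Findings from infrastructure devices (routers, switches) talking to addresses
outside the organization's own ranges are ranked highest, matching the
"risk assessment and prioritization" point above.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (device_id, dst_ip, dst_port, proto)
Flow = Tuple[str, str, int, str]

# Constructed asset inventory: device id -> role.
INVENTORY: Dict[str, str] = {
    "edge-rtr-01": "router",
    "core-sw-01": "switch",
    "infusion-pump-17": "medical-device",
}

# Constructed: the organization's own address ranges. Anything outside is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records from a known-good learning window.
BASELINE_FLOWS: List[Flow] = [
    ("edge-rtr-01", "10.0.0.5", 514, "udp"),        # syslog to the collector
    ("edge-rtr-01", "10.0.0.6", 161, "udp"),        # SNMP polling
    ("edge-rtr-01", "10.0.0.7", 123, "udp"),        # NTP
    ("core-sw-01", "10.0.0.5", 514, "udp"),
    ("infusion-pump-17", "10.0.1.20", 443, "tcp"),  # its management server
]

# Constructed flow records from the window being evaluated.
OBSERVED_FLOWS: List[Flow] = [
    ("edge-rtr-01", "10.0.0.5", 514, "udp"),
    ("edge-rtr-01", "203.0.113.44", 443, "tcp"),    # router reaching a new external peer
    ("core-sw-01", "10.0.0.5", 514, "udp"),
    ("infusion-pump-17", "10.0.1.20", 443, "tcp"),
    ("unknown-ctrl-9", "10.0.1.20", 443, "tcp"),    # device absent from the inventory
]


def build_baseline(flows: List[Flow]) -> Dict[str, Set[Tuple[str, int, str]]]:
    """Map each device to the set of (dst_ip, dst_port, proto) peers it used."""
    baseline: Dict[str, Set[Tuple[str, int, str]]] = defaultdict(set)
    for device, dst, port, proto in flows:
        baseline[device].add((dst, port, proto))
    return baseline


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_window(baseline, flows: List[Flow], inventory: Dict[str, str]) -> List[dict]:
    """Return findings for one monitoring window; call this on every window."""
    findings: List[dict] = []
    reported_unknown: Set[str] = set()
    for device, dst, port, proto in flows:
        if device not in inventory:
            # Visibility gap: something is on the wire that asset management never saw.
            if device not in reported_unknown:
                reported_unknown.add(device)
                findings.append({"kind": "unknown_device", "device": device,
                                 "severity": "high",
                                 "detail": "seen on the network but absent from inventory"})
            continue
        peer = (dst, port, proto)
        if peer in baseline.get(device, set()):
            continue  # behaviour matches the learned profile
        role = inventory[device]
        # Infrastructure devices opening new external connections rank highest.
        external = not is_internal(dst)
        severity = "high" if (role in ("router", "switch") and external) else "medium"
        findings.append({"kind": "new_peer", "device": device, "severity": severity,
                         "detail": f"new peer {dst}:{port}/{proto} not in baseline"})
    return findings


if __name__ == "__main__":
    for f in evaluate_window(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS, INVENTORY):
        print(f"[{f['severity']}] {f['kind']:<14} {f['device']:<18} {f['detail']}")
```

The baseline is rebuilt from a trusted window and the evaluation is repeated on each new window, so a device that quietly changes its communication pattern months after it was profiled still surfaces. The unknown-device finding is deliberately ranked high: a device the inventory cannot explain is exactly the blind spot the first tactic warns about.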
Building Cyber-Resilience in the Era of Sophisticated IoT Attacks
The Salt Typhoon campaign represents a new chapter in the evolution of cyber threats against critical infrastructure. The sophistication of the attack, the extended dwell time, and the global scale of the operation illustrate that traditional security approaches are insufficient against nation-state adversaries with strategic patience and advanced capabilities.
For healthcare organizations and other critical infrastructure providers, the message is clear: security must evolve beyond perimeter defense to encompass comprehensive visibility, continuous monitoring, and intelligent risk management across all connected devices and systems. The attack surface has expanded far beyond traditional IT infrastructure to include every connected device within the enterprise.
Organizations that invest in comprehensive device security programs—including complete asset discovery, continuous risk assessment, behavioral monitoring, and automated response capabilities—will be better positioned to detect and respond to sophisticated threats before they can establish persistence and achieve their objectives.
As we continue to learn from incidents like Salt Typhoon, one thing becomes increasingly clear: in our interconnected world, security is only as strong as the weakest connected device. The time for comprehensive device security programs is not tomorrow—it’s today.