Full Report
Brett Leatherman told CyberScoop in an interview that while the group still poses a threat, the bureau is focused on resilience and victim support, and going on offense could be in the future. The post Top FBI cyber official: Salt Typhoon ‘largely contained’ in telecom networks appeared first on CyberScoop.
Analysis Summary
# Threat Actor: SALT TYPHOON
## Attribution & Identity
* **Identification:** A Chinese hacking group.
* **Alias/Association:** Mentioned in parallel with Volt Typhoon, though the FBI official notes Salt Typhoon was primarily an espionage campaign while Volt Typhoon is prepositioned for destructive action.
## Activity Summary
* **Nature of Activity:** Primarily described as an espionage campaign.
* **Current Status:** The group is reported to be "largely contained" and "dormant" within compromised telecommunications networks, "locked into the location they’re in" and "not actively infiltrating information" as of the interview (July 2025).
* **Campaign Scope:** Responsible for a massive breach impacting the telecommunications sector. Nine telecommunications companies in the United States have been confirmed victims. Additional victim companies in Europe and North America have been identified following information sharing.
* **Pivot Potential:** The FBI notes that access gained for espionage (Salt Typhoon's focus) can be pivoted to support destructive action, similar to the posture attributed to Volt Typhoon.
## Tactics, Techniques & Procedures
* The article does not list specific technical TTPs or MITRE ATT&CK IDs, but focuses on the success in gaining:
* Access to telecommunications infrastructure.
* Footholds within networks that are difficult to eradicate completely ("Kicking the hackers out... is difficult").
## Targeting
* **Sectors:** Telecommunications sector (primary focus).
* **Geography:** United States, and implicitly Europe and North America based on shared breach information.
* **Victims:** At least nine victimized telecommunications companies in the US. Viasat was also identified as a victim in related reporting.
## Tools & Infrastructure
* **Malware families used:** Not specified in the provided text.
* **Infrastructure (C2, domains, IPs):** Not specified in the provided text.
## Implications
* **Threat Assessment:** Despite being largely "contained" in telecom networks, the group still poses a significant threat due to the capability for destructive action that could be launched from the existing, entrenched access points.
* **Response Focus:** The immediate focus of federal agencies is on victim support, resilience, and deterrence, with offensive action being a future possibility pending "additional attribution."
## Mitigations
* Continued focus on **resilience** within critical infrastructure.
* **Victim support** remains a high priority for federal agencies.
* Agencies are working toward operations that will **impose costs** on the threat actors, which may include joint sequenced operations once further attribution is achieved.