Salt Typhoon has matured from a high-value espionage actor into an operator that treats global telecommunications and connected public sector networks as sustained campaign targets. In early 2025 the group continued to focus on provider edge and customer edge infrastructure, repeatedly exploiting known, unpatched weaknesses in widely deployed router and network operating systems to gain persistent footholds and covert exfiltration channels. These operations show a pattern: precision against telecommunications plumbing, patience for long dwell times, and deliberate steps to convert access into enduring operational advantage.

Tactically, 2025 activity sharpened around a handful of repeatable techniques. Operators scanned for internet-exposed management interfaces, leveraged documented privilege escalation flaws in Cisco IOS XE to create local privileged accounts, and then used router configuration changes to build covert tunnels that bypassed conventional perimeter controls. Recorded Future observed the attacker chain leveraging CVE-2023-20198 in the web UI followed by CVE-2023-20273 to elevate access, with GRE tunnels and modified device configurations used to sustain communication with operator infrastructure. This explains how intrusions could remain functionally invisible to ordinary enterprise telemetry while permitting large-scale collection of metadata and authenticated traffic.

The operational objective has become clearer. Salt Typhoon is not only collecting intelligence; in several confirmed cases the group exfiltrated administrator credentials, internal network diagrams, and geo-spatial maps that materially increase options for future disruption or more targeted espionage. A Department of Homeland Security memo reported that one U.S. state Army National Guard network was extensively compromised, with attackers taking maps and traffic between that state and others. That kind of artifact harvesting is consistent with prepositioning activity that can enable strategic effects if geopolitical tensions escalate.

Convergence of tradecraft has been an important evolution. Analysts in 2025 reported overlapping infrastructure and domain registration patterns linking Salt Typhoon activity to other China-associated operators, which suggests either intentional infrastructure sharing inside a larger campaign architecture or deliberate mimicry to complicate attribution. Silent Push and other trackers uncovered additional domains and telemetry that expanded known infrastructure footprints, underscoring the need to tie device-level detections back to robust infrastructure and registration intelligence. Periodic reconnaissance sweeps followed by selective exploitation indicate a campaign that values judicious target selection over indiscriminate compromise.

For defenders the salient lesson is that classic perimeter defense is necessary but not sufficient. When routing platforms and management planes are the objective, defenders must treat the network control plane as a high-risk attack surface. In practice this means isolating device management onto segmented networks, removing direct internet exposure for web UIs, enforcing public-key-only administrative access where possible, and monitoring for configuration changes that create unusual tunnels or new privileged accounts. Recorded Future and incident reporting from affected organizations make clear that intrusions often relied on known and patchable vulnerabilities. Timely patching and visibility into exposed management interfaces are therefore first-order priorities.

Hunting guidance must be concrete. Priorities should include: interrogating device-level logs and configuration histories for new local accounts and unrecognized ACLs; scanning egress telemetry for GRE and other encapsulation protocols originating from core routers; checking for sudden TACACS+ or RADIUS redirections; and validating signed firmware against vendor baselines to detect unauthorized modifications. Network telemetry that is normally low value, such as router management flows and neighbor adjacency exchanges, becomes high value in this threat context. Public sector organizations and telecom operators must pair these hunts with credential rotations and enhanced endpoint controls for any systems that manage networking infrastructure.
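To make the first of those hunting priorities concrete, the following is an added example, not code from the original article or from any vendor tool, that diffs two IOS XE running-config snapshots and flags new privilege-15 local users, new tunnel interfaces, redirected TACACS+ servers and unrecognized ACLs. The config text, usernames and addresses are constructed for illustration.

```python
# Constructed sample snapshots of a Cisco IOS XE running-config (placeholder secrets, RFC 5737 addresses); the later snapshot redirects TACACS+ and adds a privilege-15 user, a tunnel and a permissive ACL.
BASELINE = """\
username netops privilege 15 secret 9 $9$placeholder
tacacs server corp-tacacs
 address ipv4 10.0.0.5
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
"""
CURRENT = BASELINE.replace("10.0.0.5", "203.0.113.77") + """\
username svc-backup privilege 15 secret 9 $9$placeholder2
interface Tunnel100
 tunnel destination 203.0.113.50
ip access-list extended TMP-ALLOW
 permit ip any any
"""
def parse(cfg):
    # Group an IOS-style config into {top-level line: [indented child lines]}; skip blank and "!" lines.
    sections, key = {}, None
    for raw in (l for l in cfg.splitlines() if l.strip() and not l.startswith("!")):
        if raw[0] != " ":
            key = raw.strip()
            sections[key] = []
        else:
            sections[key].append(raw.strip())
    return sections

def summarize(sections):
    # Extract the control-plane facts worth diffing: priv-15 users, tunnel endpoints, TACACS+ targets, ACL names.
    f = {"users": set(), "gre": {}, "tacacs": {}, "acls": set()}
    for top, kids in sections.items():
        if top.startswith("username ") and " privilege 15" in top:
            f["users"].add(top.split()[1])
        elif top.startswith("interface Tunnel"):
            dest = next((k.split()[-1] for k in kids if k.startswith("tunnel destination")), None)
            if dest:  # IOS tunnel interfaces default to GRE/IP mode unless "tunnel mode" says otherwise
                f["gre"][top.split()[1]] = dest
        elif top.startswith("tacacs server "):
            f["tacacs"][top.split()[2]] = next((k.split()[-1] for k in kids if k.startswith("address")), None)
        elif top.startswith("ip access-list "):
            f["acls"].add(top.split()[-1])
    return f

def findings(baseline_cfg, current_cfg):
    # Report changes between two snapshots that match the hunting priorities above.
    b, c = summarize(parse(baseline_cfg)), summarize(parse(current_cfg))
    out = [f"new privilege-15 local user: {u}" for u in sorted(c["users"] - b["users"])]
    out += [f"new/changed tunnel {n} -> {d}" for n, d in c["gre"].items() if b["gre"].get(n) != d]
    out += [f"TACACS+ server {n} now {a} (was {b['tacacs'].get(n)})" for n, a in c["tacacs"].items() if b["tacacs"].get(n) != a]
    out += [f"unrecognized ACL: {n}" for n in sorted(c["acls"] - b["acls"])]
    return out
```

Feed it archived configs from a configuration-management system and the current `show running-config` output; every finding is a candidate for the credential rotation and eviction steps described below.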

Strategically we must accept that threat actors view telecommunications as both intelligence targets and potential levers for future kinetic effect. The intrusion of a National Guard network demonstrates the danger when local and federal cyber hygiene diverge. Critical infrastructure operators, defense networks, and state-level systems are interconnected in ways that attackers can exploit. Public oversight and congressional attention have already increased, with lawmakers requesting briefings on communications sector risk management and programmatic gaps that Salt Typhoon exposed. That political attention is necessary because technical fixes alone will not prevent a persistent, patient adversary from exploiting systemic weaknesses.

Operational recommendations for 2025 and beyond are straightforward but require coordinated effort. Telecom providers should prioritize a rapid audit of internet-exposed management interfaces and apply vendor mitigations or access restrictions immediately. Governments should insist on sector-wide hardening standards that include mandatory management plane isolation, cryptographic authentication for administrative access, and interoperable incident response playbooks among providers. All high-risk organizations must assume compromise until proven otherwise and plan coordinated evictions rather than piecemeal patching that leaves re-entry points intact. Finally, threat intelligence sharing between industry and government must be faster and more actionable, moving beyond indicators of compromise to operational playbooks that include device configuration signatures and signed firmware hashes.

Salt Typhoon in 2025 illustrates a sobering truth for defenders of cyber-physical systems: the attacker tradecraft is adapting to the very architecture that enables modern communications. Defense requires equivalent adaptation. That means treating routers and management systems as first-class assets for monitoring, investing in the telemetry needed to detect subtle control-plane anomalies, and building the political and commercial mechanisms to enforce hygiene across an industry that spans borders. Absent that shift, the strategic risks we saw in 2025 will only compound, increasing the odds that future conflicts will be fought as much through exploited communications plumbing as through conventional means.