Salt Typhoon
G10451 reportsaliases · Salt Typhoon
1
Reports
12
Techniques
6
Tactics
5
Countries
26%
Hunt coverage
1
Aliases
Analyst assessment — key judgments
- Signature techniques: T1583 (Acquire Infrastructure), T1003 (OS Credential Dumping), T1602 (Data from Configuration Repository).
- Primary targeting: RU, US, AU, CA.
- Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 31 new technique(s), 35 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 26% of 31 observed techniques (23 gap(s)).
- Assessment confidence: high (95).
Activity & trend
Newly emergedLast 30d: 1 vs 0 prior (+100%)· first reported 2026-07-13 · last 2026-07-13
1
7d
1
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1583T1003T1602T1590.005T1584.008T1588.006T1071T1584.003T1190T1602.002T1595.002T1595Targeting gained
AUCANZRUUSNew infrastructure
https://www.ic3.gov/PSA/2025/PSA250820https://media.defense.gov/2026/Jul/09/20https://www.cve.org/CVERecord?id=CVE-201https://www.cve.org/CVERecord?id=CVE-200https://media.defense.gov/2025/Aug/22/20https://www.nsa.gov/About/Cybersecurity-https://media.defense.gov/2022/Jun/15/20https://www.cyber.gc.ca/en/guidance/routhttps://www.cyber.gc.ca/en/guidance/secuhttps://www.cyber.gc.ca/en/guidance/guidhttps://www.cyber.gc.ca/en/guidance/basehttps://www.cyber.gc.ca/en/guidance/top-Vulnerabilities in this actor's reporting · 2
- CVE-2008-4128KEV1 rpt
- CVE-2018-0171KEV1 rpt
Overview
Analyst triage
Intelligence summary
Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1583 · Acquire Infrastructureconf 951
- T1003 · OS Credential Dumpingconf 951
- T1602 · Data from Configuration Repositoryconf 951
- T1590.005 · IP Addressesconf 951
- T1584.008 · Network Devicesconf 951
- T1588.006 · Vulnerabilitiesconf 951
- T1071 · Application Layer Protocolconf 951
- T1584.003 · Virtual Private Serverconf 951
- T1190 · Exploit Public-Facing Applicationconf 951
- T1602.002 · Network Device Configuration Dumpconf 951
- T1595.002 · Vulnerability Scanningconf 951
- T1595 · Active Scanningconf 951
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|