FBI Veteran Reveals Salt Typhoon Monitored Every American for Five Years: The Unprecedented Scale of Chinese Cyber Espionage


Bottom Line Up Front: Former FBI cyber official Cynthia Kaiser has said it is nearly impossible to imagine any American who was not affected by Salt Typhoon, a five-year Chinese state-sponsored campaign that had "full rein access" to U.S. telecommunications data and was positioned to monitor the phone calls, text messages and movements of virtually the entire American population from 2019 to 2024.

Executive Summary

In what cybersecurity experts are calling one of the most comprehensive surveillance operations in modern history, the Chinese state-sponsored hacking group Salt Typhoon maintained persistent access to U.S. telecommunications infrastructure for five years, potentially affecting every American citizen. The campaign targeted not only high-profile political figures such as Donald Trump, Kamala Harris and JD Vance during the 2024 election cycle, but also swept up the routine communications of ordinary citizens, down to a grandmother reminding family members to pick up groceries.

This revelation comes as FBI Director Kash Patel leads an intensive effort to root out Chinese influence on U.S. soil, with federal agencies conducting forensic examinations of compromised devices and interviewing individuals linked to affected systems. The operation's scope extends far beyond U.S. borders, impacting multiple countries across Europe, Asia, and the Middle East, with the FBI confirming that Salt Typhoon has compromised at least 200 companies across 80 countries.

The Unprecedented Breach: Five Years of Undetected Surveillance

Full Reign Access to American Communications

Pete Nicoletti, chief information security officer at Check Point, described the hackers' capabilities in stark terms: they had "full rein access" to telecommunications data. That access was broad enough that the communications of people who were never targets were intercepted and could be monitored.

"They had full rein access," Nicoletti explained. "So, you know, your grandmother calling you to remind you to pick up groceries was not a targeted person and they're gonna listen into that call."

The sophistication of the operation allowed Salt Typhoon to establish persistent access over five years, exfiltrating communications and potentially mapping movements of Americans across the country. According to Nicoletti, the hackers "established a foothold and exfiltrated data for five years," which is "almost unprecedented" in the annals of cyber espionage.

Timeline and Attribution

The Salt Typhoon campaign represents a coordinated effort by entities working closely with China's Ministry of State Security and units within the People's Liberation Army. Three Chinese companies have been identified as key players in this operation:

  1. Sichuan Juxinhe Network Technology Co., Ltd. - Sanctioned by the U.S. Treasury Department in January 2025 for direct involvement in Salt Typhoon operations
  2. Beijing Huanyu Tianqiong Information Technology Co., Ltd.
  3. Sichuan Zhixin Ruijie Network Technology Co., Ltd.

The FBI and National Security Agency released a joint advisory in September 2024 warning the public that Chinese intelligence agents were actively targeting multiple sectors of American infrastructure, including telecommunications, government networks, transportation systems, lodging facilities, and military installations.

The Expanding Target List: From Telecom to Critical Infrastructure

While Salt Typhoon initially focused on telecommunications providers like AT&T, Verizon, and Lumen Technologies, recent intelligence assessments reveal a dramatic expansion into critical data center infrastructure and residential internet providers.

Beyond Telecommunications

According to confidential sources, two major organizations have been identified as likely victims of this expanded campaign:

  • Digital Realty - A data center giant with over 300 facilities in 25 countries serving clients including Amazon Web Services, Google Cloud, IBM, Microsoft, and Nvidia
  • Comcast - The mass media titan providing internet services to millions of American households

This expansion is particularly concerning because, as cybersecurity analyst Eric Hanselman notes, access to data center infrastructure provides attackers with the ability to monitor intra-service and intra-application communications that don't normally traverse the public internet backbone.

The National Guard Breach

One of the most alarming aspects of Salt Typhoon's operations was a nine-month undetected intrusion into a state's Army National Guard network. Between March and December 2024, the attackers:

  • Stole network configuration files, network diagrams and administrator credentials
  • Exfiltrated personally identifiable information (PII) of service members
  • Collected the compromised network's data traffic with counterpart National Guard networks in every other U.S. state and at least four territories
  • Gained material that could be used to pivot into other government and military networks

The Current Threat: Are They Still Here?

Perhaps the most concerning aspect of the Salt Typhoon campaign isn't what happened in the past—it's what might be happening right now.

Persistent, Undetected Presence

Nicoletti's "biggest concern is they're still in various organizations and undetected," raising the troubling possibility that Chinese operatives maintain active access to American systems even as investigations continue.

Former FBI official Cynthia Kaiser reinforces this concern, stating: "I can't imagine any American was spared given the breadth of the campaign."

According to Deputy National Security Adviser Anne Neuberger's December 2024 briefing, the hackers worked to identify device owners and then spy on phone calls and text messages if they were "government targets of interest."

Salt Typhoon in the Broader Context of Chinese Cyber Operations

Salt Typhoon is not an isolated threat actor but rather part of China's comprehensive cyber warfare ecosystem, which includes multiple sophisticated Advanced Persistent Threat (APT) groups:

The "Typhoon" Family of Threat Actors

Microsoft's threat-actor naming taxonomy uses the "Typhoon" family name for groups it attributes to Chinese state sponsorship. Beyond Salt Typhoon, several related groups operate with different focuses:

  • Volt Typhoon - Targeting U.S. critical infrastructure with "living off the land" techniques, particularly focusing on pre-positioning for potential disruptive attacks on operational technology assets
  • Flax Typhoon - Associated with information security companies taking direction from the Chinese government, targeting Taiwan and U.S. critical infrastructure
  • Silk Typhoon (also tracked as HAFNIUM) - Recently shifted tactics to target IT supply chains and cloud applications

Sophisticated Tradecraft

Salt Typhoon's technical capabilities demonstrate a high level of sophistication:

  1. Exploitation of Known Vulnerabilities - Rather than relying on zero-day exploits, Salt Typhoon has found remarkable success exploiting publicly known, long-patched vulnerabilities in network infrastructure, in particular the Cisco IOS XE web UI chain fixed by Cisco in October 2023:
    • CVE-2023-20198: a privilege-escalation flaw in the IOS XE web UI that lets an unauthenticated remote attacker create a local account with privilege level 15 on any device whose web UI is reachable
    • CVE-2023-20273: a command-injection flaw in the same web UI, used with the newly created account to run commands as root and drop a persistent implant
  2. Living Off the Land (LOTL) - Using legitimate administrative tools and built-in device and system utilities so that malicious activity blends in with normal administration and evades signature-based detection
  3. Windows Kernel-Mode Rootkit - Employing the Demodex rootkit (named by Kaspersky Lab) to retain remote control over targeted servers while using anti-forensic and anti-analysis techniques
  4. Cisco Guest Shell Abuse - Enabling and abusing the legitimate Guest Shell Linux container on Cisco devices to run Python scripts and custom tools directly on the network infrastructure, where endpoint security tooling cannot see them
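The exploitation chain above leaves a recognisable trail in IOS XE syslog: CVE-2023-20198 writes the new account through the web UI's WSMA backend, the attacker then logs in to the web UI with that account, and CVE-2023-20273 is used to install a file. The following script is an added example, not code from the original page or from any vendor; it triages exported syslog offline against the message formats, usernames and implant path Cisco Talos published in October 2023. The syslog lines, the expected-administrator list and the expected source address are constructed for the example.

```python
"""Offline triage of Cisco IOS XE syslog for the CVE-2023-20198 / CVE-2023-20273
web UI exploitation chain.

Message formats, the usernames and the implant path follow the indicators Cisco
Talos published in October 2023. The syslog lines, the expected-admin list and
the expected source address are CONSTRUCTED for this example.
"""
import re
from dataclasses import dataclass

# Local usernames the 2023 campaign created via CVE-2023-20198 (public Talos IOCs).
KNOWN_BAD_USERS = {"cisco_tac_admin", "cisco_support"}

# Hypothetical allowlist: accounts and source addresses that should use the web UI.
EXPECTED_ADMINS = {"netops"}
EXPECTED_SOURCES = {"10.0.0.5"}

# CVE-2023-20198 writes the new account through the web UI's WSMA backend process.
RE_CONFIG_P = re.compile(
    r"%SYS-5-CONFIG_P: Configured programmatically by process (?P<proc>\S+) "
    r"from console as (?P<user>\S+) on line"
)
RE_WEBLOGIN = re.compile(
    r"%SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
# CVE-2023-20273 is then used to drop a file (the implant) via the web UI installer.
RE_INSTALL = re.compile(
    r"%WEBUI-6-INSTALL_OPERATION_INFO: User: (?P<user>[^,]+), "
    r"Install Operation: (?P<op>\S+) (?P<file>\S+)"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    detail: str


def triage(lines):
    """Return a Finding for every syslog line that matches the exploitation chain."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = RE_CONFIG_P.search(line)
        if m and m.group("proc") == "SEP_webui_wsma_http" \
                and m.group("user") not in EXPECTED_ADMINS:
            findings.append(Finding(n, "programmatic-config-via-webui", m.group("user")))

        m = RE_WEBLOGIN.search(line)
        if m:
            user, src = m.group("user"), m.group("src")
            if user in KNOWN_BAD_USERS or user not in EXPECTED_ADMINS \
                    or src not in EXPECTED_SOURCES:
                findings.append(Finding(n, "unexpected-webui-login", f"{user}@{src}"))

        m = RE_INSTALL.search(line)
        if m and m.group("op") == "ADD":
            findings.append(Finding(n, "webui-file-install", m.group("file")))
    return findings


_HEX = re.compile(r"^[0-9a-fA-F]+$")


def looks_like_implant_response(body: str) -> bool:
    """Talos' implant check: a POST to /webui/logoutconfirm.html?logon_hash=1 on a
    compromised device answers with a bare hexadecimal string. This function only
    classifies a response body you already captured; it makes no request."""
    return bool(_HEX.match(body.strip()))


# CONSTRUCTED sample syslog: one legitimate login, then the exploitation chain.
SAMPLE_SYSLOG = [
    "Oct 11 03:42:13.101: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success [user: netops] "
    "[Source: 10.0.0.5] at 03:42:13 UTC Wed Oct 11 2023",
    "Oct 11 03:45:01.220: %SYS-5-CONFIG_P: Configured programmatically by process "
    "SEP_webui_wsma_http from console as cisco_tac_admin on line 0",
    "Oct 11 03:45:02.431: %SEC_LOGIN-5-WEBLOGIN_SUCCESS: Login Success "
    "[user: cisco_tac_admin] [Source: 203.0.113.7] at 03:45:02 UTC Wed Oct 11 2023",
    "Oct 11 03:45:09.877: %WEBUI-6-INSTALL_OPERATION_INFO: User: cisco_tac_admin, "
    "Install Operation: ADD /usr/binos/conf/nginx-conf/cisco_service.conf",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SYSLOG):
        print(f"line {f.line_no}: {f.reason} ({f.detail})")
```

Run it against a syslog export (one message per line) rather than on the device: if the device is compromised, its own `show logging` buffer may already have been cleared. The allowlists are the point of the exercise; a web UI login from an address that is not a management host is worth a ticket even when the username looks ordinary.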

The Federal Response and Remediation Efforts

FBI Director Kash Patel's Leadership

FBI Director Kash Patel is spearheading efforts to mitigate Chinese influence on U.S. soil and identify ongoing threats linked to Salt Typhoon. Current response activities include:

  • Forensic Examinations - Conducting detailed analysis of affected devices, including phones, laptops, and servers
  • Witness Interviews - Speaking with individuals linked to compromised systems to map the attack's full scope
  • Intelligence Analysis - Investigating whether gathered intelligence has been used for political or economic gain over the past five years

Sector Risk Management Agency (SRMA) Coordination

The Cybersecurity and Infrastructure Security Agency (CISA) serves as the SRMA for the communications sector. The Salt Typhoon incident has prompted Congress to examine and potentially clarify SRMA roles in cybersecurity risk management, including:

  • Understanding sector companies and their vendor relationships
  • Frequency and type of information collection, analysis, and dissemination
  • Coordination between SRMAs and other federal agencies
  • SRMA responsibilities in incident response

International Cooperation

A joint cybersecurity advisory from 23 international agencies represents an unprecedented level of cooperation in sharing threat intelligence and attribution. Agencies from the United States, United Kingdom, Australia, Canada, and 10 other nations have coordinated to expose the sophisticated attacks against telecommunications providers, government networks, and critical infrastructure across multiple continents.

Global Impact: Not Just an American Problem

While the United States bore the brunt of the Salt Typhoon attack, the campaign's reach extended far beyond American borders.

International Scope

Multiple countries worldwide, spanning Europe, Asia and the Middle East, were also affected, though specific countries have not been publicly identified. The FBI has confirmed that at least 200 companies across 80 countries have been compromised.

Continued Active Operations

Even as awareness of Salt Typhoon has grown, the threat actors have continued their operations. According to a February 2025 report from Recorded Future's Insikt Group, between December 2024 and January 2025 Salt Typhoon:

  • Attempted to exploit more than 1,000 unpatched Cisco edge devices worldwide
  • Compromised five additional telecommunications providers, two of them U.S.-based
  • Targeted universities including UCLA, Loyola Marymount University, Utah Tech University, and California State University

What This Means for Individual Americans

The Privacy Implications

For the average American, the revelation that their communications may have been monitored for five years raises profound privacy concerns. While high-profile political figures were specifically targeted, the "full rein access" described by cybersecurity experts means that ordinary citizens' communications were also swept up in this dragnet surveillance.

Practical Security Recommendations

Although any illicit surveillance is concerning, the average American probably has little to worry about from Salt Typhoon. It's unlikely that family phone calls or text messages to friends are of interest to the Chinese government. However, security-conscious individuals can take steps to enhance their privacy:

  1. Use End-to-End Encrypted Messaging - Services like Signal, FaceTime, or Apple's iMessage encrypt message and call content so that an attacker inside a carrier's network cannot read it. They do not hide who you contacted or when; that metadata still exists in the carrier's call and message records, which is exactly what an intruder on telecom infrastructure can reach
  2. Strengthen Authentication - Avoid default or easily guessed passwords on devices, including home routers, and implement two-factor authentication on critical accounts
  3. Stay Vigilant - Report suspicious activity to appropriate authorities and maintain awareness of unusual device behavior

Organizational Recommendations: Defending Against State-Sponsored Threats

For organizations, particularly those in critical infrastructure sectors, the Salt Typhoon campaign provides crucial lessons:

Immediate Actions

  1. Prioritize Patching Network Infrastructure - Network devices require the same urgent attention to patching as traditional IT systems. The exploitation of CVE-2023-20198 and CVE-2023-20273 occurred because many organizations failed to patch quickly enough
  2. Enhanced Monitoring and Visibility - Implement comprehensive logging and monitoring for:
    • Network device activities and configuration changes
    • Application, access, and security logs stored in centralized systems
    • VPN or account logon times, frequency, duration, and locations
    • Windows ESENT Application Logs for potential proxy activities
  3. Strengthen Identity and Access Management:
    • Implement phishing-resistant multi-factor authentication (MFA)
    • Enforce least-privilege access principles
    • Regularly audit administrator credentials and service accounts
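Two of the monitoring items above, network device configuration changes and the audit of administrator accounts, can be covered in one check by diffing each device's running configuration against a golden baseline and flagging the changes that match the tradecraft described on this page. The script below is an added example and not code from the original page or from Cisco; both configurations are constructed samples with placeholder secrets, and the list of flagged directives is an assumption about what a practitioner would want reviewed.

```python
"""Detect security-relevant drift between a golden IOS XE configuration and the
configuration pulled from a device today. The checks map to the Salt Typhoon
tradecraft described on this page: new privilege-15 accounts (CVE-2023-20198),
web UI listeners, IOx / Guest Shell enablement, and weakened logging or AAA.

Both configurations below are CONSTRUCTED samples; secrets are placeholders.
"""


def config_lines(text: str) -> set[str]:
    """Normalise a running-config into a set of trimmed, non-comment lines."""
    return {
        ln.strip()
        for ln in text.splitlines()
        if ln.strip() and not ln.strip().startswith("!")
    }


def classify_added(line: str):
    """Reason string for an added line that deserves review, else None."""
    if line.startswith("username ") and " privilege 15" in line:
        return "new privilege-15 local account"
    if line in ("ip http server", "ip http secure-server"):
        return "web UI listener enabled"
    if line == "iox":
        return "IOx enabled (prerequisite for Guest Shell)"
    if line.startswith("app-hosting appid "):
        return "application container configured"
    return None


def classify_removed(line: str):
    """Reason string for a removed line that weakens visibility or AAA, else None."""
    if line.startswith("logging host "):
        return "syslog destination removed"
    if line.startswith("aaa "):
        return "AAA directive removed"
    return None


def config_drift(baseline: str, observed: str):
    """Return [(change, line, reason)] for every risky addition or removal."""
    base, cur = config_lines(baseline), config_lines(observed)
    findings = []
    for line in sorted(cur - base):
        reason = classify_added(line)
        if reason:
            findings.append(("added", line, reason))
    for line in sorted(base - cur):
        reason = classify_removed(line)
        if reason:
            findings.append(("removed", line, reason))
    return findings


# CONSTRUCTED golden configuration for a hypothetical edge router.
BASELINE = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
!
aaa new-model
aaa authentication login default group tacacs+ local
!
no ip http server
ip http secure-server
logging host 10.0.0.20
!
"""

# CONSTRUCTED configuration as pulled from the same device after an intrusion.
OBSERVED = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username cisco_tac_admin privilege 15 secret 9 $9$PLACEHOLDER2
!
aaa new-model
aaa authentication login default group tacacs+ local
!
no ip http server
ip http secure-server
iox
app-hosting appid guestshell
!
"""

if __name__ == "__main__":
    for change, line, reason in config_drift(BASELINE, OBSERVED):
        print(f"{change:8}{reason:45}{line}")
```

Keep the golden configurations in version control and run the comparison from a collector that pulls `show running-config` on a schedule; a change that was not accompanied by a change ticket is the alert. The set-based diff deliberately ignores line order, so reordering by the device itself does not generate noise.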

Strategic Considerations

  1. Assume Breach Mentality - Organizations should operate under the assumption that sophisticated adversaries may already be present in their networks and validate detection capabilities accordingly
  2. Supply Chain Security - Given Salt Typhoon's demonstrated ability to compromise trusted vendors and service providers, organizations must:
    • Map and monitor vendor relationships
    • Implement zero-trust architectures
    • Validate security postures of third-party suppliers
  3. Incident Response Preparedness - Ensure cybersecurity programs are adequately staffed and funded to detect and respond to advanced persistent threats

The Broader Geopolitical Context

China's Cyber Strategy

The Salt Typhoon campaign must be understood within the broader context of China's comprehensive cyber warfare strategy. Former NSA analyst Terry Dunlap has described Salt Typhoon as "a component of China's 100-Year Strategy," indicating that these operations serve long-term strategic objectives rather than opportunistic intelligence gathering.

The Intelligence Community Assessment

The U.S. Intelligence Community (IC) assesses that the PRC is "the most active and persistent cyber threat" to U.S. institutions. The Office of the National Cyber Director has highlighted China's ambitions to hold at risk U.S. and allied critical infrastructure, shape U.S. decision-making in times of crisis, and use cyber capabilities to augment PRC geopolitical objectives.

Comparison to Other Nation-State Threats

Senate Intelligence Committee Chairman Mark Warner (D-VA) has called Salt Typhoon "the worst telecom hack in our nation's history" and noted that it makes prior cyberattacks by Russian operatives look "like child's play" by comparison.

The Sanctions Response

Treasury Department Actions

The U.S. Department of the Treasury has taken aggressive action to impose costs on entities involved in Salt Typhoon operations. On January 17, 2025, the Treasury's Office of Foreign Assets Control (OFAC) sanctioned Sichuan Juxinhe Network Technology Co., LTD., citing the company's direct involvement with Salt Typhoon and responsibility for breaching multiple U.S. telecommunication and internet service provider companies.

Deputy Secretary of the Treasury Adewale O. Adeyemo stated: "The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically."

Pattern of Sanctions

The Sichuan Juxinhe designation follows a series of Treasury sanctions actions aimed at combating increasingly reckless cyber activity by China and Chinese-based actors, including:

  • January 3, 2025: Designation of Integrity Technology Group, Inc. for its role in Flax Typhoon malicious cyber activity
  • December 10, 2024: Designation of Sichuan Silence Information Technology Company, Ltd.

The Unanswered Questions

As investigations continue, several critical questions remain:

Has Salt Typhoon Been Fully Eradicated?

The most pressing question is whether Salt Typhoon operatives have been completely removed from compromised networks. Nicoletti's concern that "they're still in various organizations and undetected" suggests that remediation efforts may be incomplete.

What Data Was Exfiltrated and How Has It Been Used?

While we know that Salt Typhoon had comprehensive access to telecommunications data, the full extent of what information was stolen and how Chinese intelligence services have utilized this data remains unclear. Federal investigations are attempting to determine if gathered intelligence has been used for political or economic gain.

How Deep Does the Compromise Extend?

With Digital Realty and Comcast identified as likely victims in addition to the confirmed telecommunications providers, the question remains: how many other critical infrastructure providers have been compromised but not yet identified?

What About Allied Nations?

While the campaign affected countries across Europe, Asia, and the Middle East, specific details about which nations were targeted and to what extent remain undisclosed. The international cooperation through the 23-agency advisory suggests significant global impact.

Looking Forward: The Evolution of State-Sponsored Cyber Threats

A New Normal in Cyber Warfare

The Salt Typhoon campaign represents what cybersecurity experts increasingly view as the "new normal" in state-sponsored cyber operations—persistent, patient, and comprehensive campaigns that target fundamental infrastructure rather than individual endpoints.

The Challenge of Attribution and Deterrence

Despite the clear attribution of Salt Typhoon to Chinese state-sponsored actors and the imposition of sanctions, Beijing continues to deny allegations. The Chinese embassy in New Zealand denied all allegations, saying it was "unfounded and irresponsible smears and slanders."

This pattern of denial, coupled with the use of commercial cybersecurity companies as operational fronts, complicates diplomatic responses and raises questions about how to effectively deter future attacks.

The Role of Artificial Intelligence

As cyber threats evolve, defenders and attackers alike are incorporating artificial intelligence and machine learning into their operations. Organizations must prepare for an era where AI-powered threats operate at machine speed, potentially identifying and exploiting vulnerabilities faster than human analysts can detect and respond.

Industry and Government Collaboration

The Federal Communications Commission's Response

The Federal Communications Commission has taken an aggressive stance, threatening companies with fines for failing to bolster their defenses against Chinese hacking. This regulatory pressure represents a shift toward holding critical infrastructure providers accountable for cybersecurity failures that affect national security.

Enhanced FedRAMP Requirements

For organizations working with the federal government, the Department of Defense has released updated guidance clarifying stringent FedRAMP moderate "equivalency" requirements, demanding 100 percent compliance with the latest security control baseline through assessments conducted by FedRAMP-recognized Third Party Assessment Organizations (3PAOs).

The Need for Transparency

The Microsoft case involving China-based engineers maintaining Pentagon cloud systems underscores the urgent need for transparent contractor security protocols and rigorous government oversight of supply chain security.

Conclusion: A Watershed Moment for American Cybersecurity

The revelation that Salt Typhoon potentially monitored every American for five years represents a watershed moment in the history of cybersecurity and national security. This campaign demonstrates that:

  1. Critical Infrastructure Vulnerability - Despite billions of dollars invested in cybersecurity, sophisticated nation-state actors can achieve persistent access to foundational communications infrastructure
  2. The Insider Threat Evolution - Modern state-sponsored operations exploit the interconnected nature of global technology supply chains, making traditional perimeter defenses insufficient
  3. The Attribution Challenge - Even with clear evidence and international consensus, holding nation-state actors accountable remains diplomatically and politically complex
  4. The Urgency of Action - Organizations cannot afford to delay patching, monitoring, and security improvements—the adversary is already inside the network

As FBI Director Kash Patel continues efforts to root out Chinese influence and as federal agencies work to understand the full scope of the compromise, one thing is clear: the Salt Typhoon campaign has fundamentally changed how we must think about telecommunications security, critical infrastructure protection, and the ongoing challenge of defending against persistent, well-resourced nation-state adversaries.

For American citizens, the knowledge that their communications may have been monitored for five years is deeply unsettling. For cybersecurity professionals and policymakers, it's a stark reminder that the threats we face are not theoretical—they are active, ongoing, and extraordinarily sophisticated.

The question is no longer whether we will face such campaigns in the future, but whether we can build the resilience, detection capabilities, and response mechanisms necessary to mitigate their impact before they achieve five years of undetected access.

This article incorporates the latest information as of November 30, 2025, based on statements from former FBI officials, cybersecurity experts, and official government advisories. The situation continues to evolve as investigations progress.

By Breached Company