[Air-L] Global Cyber Alliance report “Salt Typhoon Across the Internet: What AIDE Honeypots Reveal About a Persistent State-Linked Campaign”

Joly MacFie joly at punkcast.com
Sat Dec 20 20:05:48 PST 2025


https://globalcyberalliance.org/new-report-salt-typhoon-across-the-internet/

Overview and Context
The report analyzes the *Salt Typhoon* cyber-espionage campaign, a
long-running and highly sophisticated operation publicly attributed by U.S.
authorities to state-linked actors. The campaign focuses on global
telecommunications and critical internet infrastructure and is assessed as
persistent, strategic, and ongoing rather than opportunistic.

Data Source and Methodology
The analysis is based on data from the Automated Internet Defense
Environment (AIDE), a global network of honeypots operated across more than
25 countries. These decoy systems emulate vulnerable internet-facing
services, particularly those used in telecommunications environments.
Between August 2023 and August 2025, AIDE recorded more than 72 million
attack attempts originating from China-based IP space. Behavioral patterns
observed in this data align closely with previously documented *Salt
Typhoon* tactics, techniques, and procedures.

Key Findings

   - Multi-Phase Campaign Evolution:
     The activity follows a clear lifecycle:
       - Initial reconnaissance and scanning (mid-2023 to late-2024)
       - Targeted exploitation and credential attacks (late-2024 to early-2025)
       - Persistence, lateral movement, and advanced operations (early- to
         mid-2025)

   - Targeting Patterns:
     Attackers consistently focused on internet-exposed remote access
     systems, especially VPN gateways and network management interfaces.
     Vendors and platforms commonly observed include Cisco, Ivanti, Palo Alto
     Networks, and Fortinet, mirroring public vulnerability disclosures during
     the same period.

   - Operational Techniques:
     The campaign relies heavily on "living-off-the-land" techniques, using
     legitimate administrative tools alongside custom payloads to evade
     detection. Common behaviors include credential harvesting, webshell
     deployment, command-and-control preparation, and staged data exfiltration.

   - Geographic Reach:
     Activity consistent with *Salt Typhoon* was observed globally, with
     notable concentrations affecting North America, Europe, and the
     Asia-Pacific region. The campaign appears designed to scale across borders
     rather than focus on a single national target.

Observed Scale and Indicators
Across the observation period, AIDE recorded:

   - Tens of thousands of exploitation attempts
   - Widespread credential-based attacks
   - Large volumes of potential data exfiltration activity
   - Coordinated use of multiple IP addresses across different campaign phases

These indicators point to sustained resourcing and centralized coordination
rather than isolated threat actors.

Strategic Implications
The report emphasizes that *Salt Typhoon* represents a deliberate effort to
gain long-term access to communications infrastructure. Such access could
enable surveillance, intelligence collection, or future disruption of
essential services. Telecommunications networks are highlighted as
especially high-value targets due to their role in lawful intercept systems
and national communications resilience.

Defensive Recommendations
Organizations operating critical or internet-facing infrastructure are
urged to:

   - Audit and harden all VPN and remote access systems
   - Patch known vulnerabilities in network devices promptly
   - Enable detailed logging and monitor for anomalous administrative behavior
   - Enforce strong authentication, including multi-factor authentication
   - Conduct proactive threat hunting aligned with observed attacker behaviors
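As an added illustration of the last two recommendations (this is example code written for this summary, not code from the GCA report or from AIDE), the script below hunts a VPN gateway's authentication and probe log for three behaviors the report describes: a single source failing against many usernames (password spraying), a single username attacked from many source IPs (the coordinated multi-IP pattern, which a per-IP lockout alone does not stop), and source IPs that first appear as scanners and later return for credential attempts (reconnaissance-then-exploitation reuse). The key=value log format, the sample lines, and the thresholds (4 usernames or 3 sources inside 10 minutes) are all constructed assumptions; adapt the regex and thresholds to your own gateway's syslog.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (synthetic; not telemetry from the report or any real gateway).
# Two phases are simulated: port probes in January, authentication attempts in February.
SAMPLE_LOGS = """\
2025-01-10T03:00:01Z vpn-gw probe src=203.0.113.7 dport=443
2025-01-10T03:00:02Z vpn-gw probe src=203.0.113.7 dport=4443
2025-01-10T03:00:05Z vpn-gw probe src=198.51.100.9 dport=443
2025-01-10T03:00:07Z vpn-gw probe src=192.0.2.44 dport=8443
2025-02-14T02:10:00Z vpn-gw auth user=admin src=203.0.113.7 result=fail
2025-02-14T02:10:03Z vpn-gw auth user=svc-backup src=203.0.113.7 result=fail
2025-02-14T02:10:06Z vpn-gw auth user=jsmith src=203.0.113.7 result=fail
2025-02-14T02:10:09Z vpn-gw auth user=noc src=203.0.113.7 result=fail
2025-02-14T02:10:12Z vpn-gw auth user=netadmin src=203.0.113.7 result=success
2025-02-14T02:30:00Z vpn-gw auth user=admin src=198.51.100.9 result=fail
2025-02-14T02:30:30Z vpn-gw auth user=admin src=198.51.100.10 result=fail
2025-02-14T02:31:00Z vpn-gw auth user=admin src=198.51.100.11 result=fail
2025-02-14T09:00:00Z vpn-gw auth user=jsmith src=192.0.2.200 result=success
"""

# Assumed (constructed) line layout: "<timestamp> <host> <probe|auth> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>probe|auth) (?P<fields>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_logs(text):
    """Parse the constructed key=value format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line: skip rather than crash the hunt
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        events.append({"ts": datetime.strptime(m.group("ts"), TS_FMT),
                       "host": m.group("host"), "kind": m.group("kind"), **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def _auth_failures(events):
    return [e for e in events if e["kind"] == "auth" and e.get("result") == "fail"]


def _windowed_distinct(events, group_by, count, window, threshold):
    """Group auth failures by `group_by`; flag a group when some `window`-long sliding
    interval of its failures contains >= `threshold` distinct values of `count`."""
    groups = defaultdict(list)
    for e in _auth_failures(events):
        groups[e[group_by]].append(e)
    flagged = {}
    for key, fails in groups.items():  # fails are already time-ordered
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1  # slide the window forward until it fits
            distinct = {f[count] for f in fails[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[key] = sorted(distinct)
                break
    return flagged


def detect_password_spray(events, window=timedelta(minutes=10), min_users=4):
    """One source IP failing against many distinct usernames in a short window."""
    return _windowed_distinct(events, "src", "user", window, min_users)


def detect_distributed_spray(events, window=timedelta(minutes=10), min_sources=3):
    """One username attacked from many source IPs in a short window (multi-IP coordination)."""
    return _windowed_distinct(events, "user", "src", window, min_sources)


def detect_cross_phase_sources(events):
    """Source IPs seen first as scanners and later in authentication attempts.
    Returns src -> timestamp of its first post-scan auth attempt."""
    first_probe = {}
    for e in events:
        if e["kind"] == "probe":
            first_probe.setdefault(e["src"], e["ts"])
    reused = {}
    for e in events:
        if (e["kind"] == "auth" and e["src"] in first_probe
                and e["ts"] > first_probe[e["src"]] and e["src"] not in reused):
            reused[e["src"]] = e["ts"].strftime(TS_FMT)
    return reused


def detect_success_after_spray(events, spray_sources):
    """Successful logins from sources already flagged for spraying: the top-priority
    lead, because it means a credential actually worked."""
    return [(e["src"], e["user"], e["ts"].strftime(TS_FMT)) for e in events
            if e["kind"] == "auth" and e.get("result") == "success" and e["src"] in spray_sources]


def hunt(text):
    """Run every detector over a log blob and return the findings by name."""
    events = parse_logs(text)
    spray = detect_password_spray(events)
    return {
        "password_spray": spray,
        "distributed_spray": detect_distributed_spray(events),
        "cross_phase_sources": detect_cross_phase_sources(events),
        "success_after_spray": detect_success_after_spray(events, spray),
    }


if __name__ == "__main__":
    for name, result in hunt(SAMPLE_LOGS).items():
        print(f"{name}: {result}")
```

On the sample data the hunt flags 203.0.113.7 for spraying four accounts and then succeeding as netadmin, flags the admin account as sprayed from three different sources, and ties both 203.0.113.7 and 198.51.100.9 back to the January scanning phase. The distributed-spray detector is the one worth keeping on a telecom edge: per-source lockouts and rate limits do nothing against a campaign that spreads one username across many IPs, so the grouping has to be by target account rather than by source.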

Conclusion
The report concludes that *Salt Typhoon* remains an active and serious
threat. By combining large-scale honeypot telemetry with known adversary
behaviors, it provides a data-driven view of a persistent state-linked
campaign and underscores the need for immediate and sustained defensive
action across the global internet ecosystem.

RESOURCES

   - Full Report
     <https://globalcyberalliance.org/wp-content/uploads/2025/12/PUBLIC-REPORT-Salt-Typhoon-Across-the-Internet.pdf>



--
--------------------------------------
Joly MacFie  +12185659365
--------------------------------------