Threat Actor Profile
High APT
Description

Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and is responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISPs).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)

Confidence Score
90%
Known Aliases
Salt Typhoon
Tags
mitre-attack stix-2.1 intrusion-set
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (14)
T1602.002 - Network Device Configuration Dump
Collection
T1572 - Protocol Tunneling
Command and Control
T1040 - Network Sniffing
Credential Access
T1110.002 - Password Cracking
Credential Access
T1070.002 - Clear Linux or Mac System Logs
Defense Evasion
T1562.004 - Disable or Modify System Firewall
Defense Evasion
T1048.003 - Exfiltration Over Unencrypted Non-C2 Pr…
Exfiltration
T1190 - Exploit Public-Facing Application
Initial Access
T1021.004 - SSH
Lateral Movement
T1098.004 - SSH Authorized Keys
Persistence
T1136 - Create Account
Persistence
T1590.004 - Network Topology
Reconnaissance
T1587.001 - Malware
Resource Development
T1588.002 - Tool
Resource Development
STIX Data
{
  "aliases": ["Salt Typhoon"],
  "created": "2025-02-24T20:45:14.093Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISP).(Citation: US Dept. of Treasury Salt Typhoon JAN 2025)(Citation: Cisco Salt Typhoon FEB 2025)\n",
  "external_references": [
    {
      "external_id": "G1045",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/groups/G1045"
    },
    {
      "description": "Cisco Talos. (2025, February 20). Weathering the storm: In the midst of a Typhoon. Retrieved February 24, 2025.",
      "source_name": "Cisco Salt Typhoon FEB 2025",
      "url": "https://blog.talosintelligence.com/salt-typhoon-analysis/"
    },
    {
      "description": "US Department of Treasury. (2025, January 17). Treasury Sanctions Company Associated with Salt Typhoon and Hacker Associated with Treasury Compromise. Retrieved February 24, 2025.",
      "source_name": "US Dept. of Treasury Salt Typhoon JAN 2025",
      "url": "https://home.treasury.gov/news/press-releases/jy2792"
    }
  ],
  "id": "intrusion-set--1c3dcf91-b859-4aae-a09c-ae26dc8b6390",
  "modified": "2025-03-06T20:09:16.402Z",
  "name": "Salt Typhoon",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": false,
  "spec_version": "2.1",
  "type": "intrusion-set",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}