Chinese state-backed hackers have infiltrated government and military infrastructure networks worldwide in one of the most significant cyber-espionage campaigns ever uncovered.

The group, known as Salt Typhoon, exploited weaknesses in networks to gain persistent access to critical systems across more than 80 countries, intelligence and cybersecurity agencies from 13 countries have warned in a joint statement, raising serious concerns about the integrity of military communications and command networks.

“People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks,” the statement said.

The years-long campaign has been described by Western intelligence agencies as “indiscriminate” and “unprecedented” in scale. Officials believe that data relating to nearly all Americans may have been swept up in the intrusion, according to The New York Times, a reflection of just how deep the compromise ran through national telecoms infrastructure. 

Salt Typhoon was first thrust into the spotlight in December 2024, when US officials disclosed that the group had pulled off what they called the worst cyber intrusion in the country’s history. The revelation that major telecom carriers and government-connected systems had been breached prompted urgent warnings in Washington and demands to treat the incident as a full-blown national security emergency.

Subsequent investigations have shown that the operation stretches back much further, with officials now believing that Salt Typhoon has been performing malicious operations globally since at least 2021.

The joint advisory, issued by the US, UK, Germany, Italy, Finland, Spain, Canada, Australia, Japan, and South Korea, said that by compromising backbone, provider-edge, and customer-edge routers, the China-backed attackers were able to establish footholds deep inside networks that support day-to-day communications and military infrastructure. 

The advisory noted that once inside, Salt Typhoon could intercept voice and data traffic, collect metadata, and potentially monitor or disrupt military operations.

Investigators have linked the Salt Typhoon campaign to three China-based technology firms active since at least 2019, though the scale of their activities only came to light last year. (The three firms are not recognised names. They are Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司); Beijing
Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司); and Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司.)

According to the joint statement, these three companies were working on behalf of both China’s intelligence services, including multiple units in the People’s Liberation Army and the Ministry of State Security, to conduct overseas operations.

This equipped Chinese intelligence services with “the capability to identify and track their targets’ communications and movements around the world,” according to the statement. 

“We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale,” Dr Richard Horne, chief executive of the UK’s National Cyber Security Centre, said in a statement sent to Resilience Media. “It is crucial organisations in targeted critical sectors heed this international warning about the threat posed by cyber actors, who have been exploiting publicly known – and so therefore fixable – vulnerabilities.”

The technical details revealed in the joint advisory, which highlights that Salt Typhoon has been exploiting common vulnerabilities in products from major IT suppliers Ivanti, Palo Alto Networks, and Cisco — these are named in the advisory — underline the scale of the task now facing militaries and their suppliers.

Defence ministries have been urged to adopt zero-trust principles across their IT and operational technology environments, enforce stricter segmentation between critical systems, and deploy active hunt teams to search for evidence of persistent access. (We are reaching out to the three IT companies and will update this post as we learn more.)

The campaign has also underscored the importance of allied collaboration. Intelligence-sharing across NATO members and partners in Asia has been credited with helping to piece together the scale of Salt Typhoon’s activity. Officials say that the same collaborative approach must now extend to hardening networks, particularly where military operations depend on commercial telecoms and satellite links.

In response to the joint statement, the Chinese Foreign Ministry pushed back, accusing the US and its allies of “smearing” China under the guise of cybersecurity and framing the campaign as a political stunt.

Spokesperson Guo Jiaku alleged that the Salt Typhoon narrative was built to justify increased US budgets and deflect attention from America’s own cyber-intrusion practices, and urged Washington to “reflect more on what it’s doing instead of forming small groupings to smear others.”