CISA director says threat hunters spotted Salt Typhoon on federal networks before telco compromises | CyberScoop<\/title> <meta name=\"description\" content=\"A top federal cybersecurity official said that threat hunters from CISA first discovered activity from Salt Typhoon on federal networks.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/salt-typhoon-us-government-jen-easterly-cisa\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"CISA director says threat hunters spotted Salt Typhoon on federal networks before telco compromises \"> <meta property=\"og:description\" content=\"A top federal cybersecurity official said that threat hunters from CISA first discovered activity from Salt Typhoon on federal networks.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/salt-typhoon-us-government-jen-easterly-cisa\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-16T01:29:55+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-16T01:33:26+00:00\"> <meta name=\"author\" content=\"djohnson\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736278014g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1732010462g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=ddc036fa194c40cf406f\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83154\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83154\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalt-typhoon-us-government-jen-easterly-cisa%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalt-typhoon-us-government-jen-easterly-cisa%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83154 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-us-government-jen-easterly-cisa\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.739130434783\">\n<div class=\"single-article__header-content\" readability=\"34.672451193059\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/salt-typhoon-us-government-jen-easterly-cisa\/\"> <span>Uncategorized<\/span> <\/a> <\/li>\n<\/ul>\n<p> The incident helped the federal government to seize a virtual private server used by the group and more quickly \u201cconnect the dots,\u201d Jen Easterly said. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83154\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"422\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises.jpg?resize=640%2C422&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg 5373w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=300,198 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=768,507 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=1024,675 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=1536,1013 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=2048,1351 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=600,396 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=255,168 255w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=511,337 511w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=1023,675 1023w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-2.jpg?resize=1278,843 1278w\" sizes=\"(max-width: 1023px) 100vw, 1023px\"><figcaption> CISA Director Jen Easterly testifies before a House Homeland Security Subcommittee on April 28, 2022, in Washington, D.C. (Photo by Kevin Dietsch\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"46.597886886265\"><body readability=\"92.891134588884\"><\/p>\n<p>A top federal cybersecurity official said Wednesday that threat hunters from the Cybersecurity and Infrastructure Security Agency first discovered activity from <a href=\"https:\/\/cyberscoop.com\/tag\/salt-typhoon\/\">Salt Typhoon<\/a> on federal networks, allowing public and private sector defenders to more quickly \u201cconnect the dots\u201d and respond to Chinese attacks on the U.S. telecommunications industry. <\/p>\n<p>Speaking at an event hosted by the Foundation for Defending Democracies, CISA Director Jen Easterly said threat hunters identified malicious activity from the group but didn\u2019t immediately recognize it as part of a larger Chinese hacking campaign.<\/p>\n<p>\u201cWe saw this before we understood it was Salt Typhoon,\u201d she said. \u201cWe saw it as a separate campaign, called another goofy cyber name.\u201d <\/p>\n<p>In a <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/strengthening-americas-resilience-against-prc-cyber-threats\">blog<\/a> released Wednesday on CISA\u2019s website, Easterly offered more details on the incident, saying the agency facilitated court orders that allowed the government to identify and seize virtual private servers being leased by the hackers, providing further insight into the scope of their campaign against telecommunications companies.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThis information, along with industry tippers, is what allowed our law enforcement partners to gain access to images of actor-leased virtual private servers,\u201d Easterly wrote. \u201cThis, in turn, gave us and our federal government partners visibility into the breadth of the campaign and allowed us to notify and provide technical assistance to known or suspected private sector victims.\u201d<\/p>\n<p>Salt Typhoon is the name given to a Chinese hacking group that has compromised at least nine U.S. telecommunications firms, reportedly <a href=\"https:\/\/cyberscoop.com\/report-chinese-hackers-used-telecom-access-to-go-after-phones-of-trump-vance\/\">hacked into the phones<\/a> of President-elect Donald Trump and Vice President-elect JD Vance and <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-telecom-cybersecurity-gaps-white-house-response\/\">collected geolocation data<\/a> for hundreds of phones based around Washington D.C. over the past year at least. <\/p>\n<p>The widespread compromise of U.S. telecommunications infrastructure, as well as the persistent challenges in purging Salt Typhoon hackers from affected networks, underscores the challenge U.S. policymakers and the private sector face in securing critical infrastructure from foreign adversaries like China, Russia and Iran.<\/p>\n<p>Salt Typhoon is one of at least three known hacking campaigns from China that U.S. officials have been grappling with over the past year.<\/p>\n<p>The FBI and other agencies have also warned about a years-long campaign by another group, <a href=\"https:\/\/cyberscoop.com\/tag\/volt-typhoon\/\">Volt Typhoo<\/a>n, to <a href=\"https:\/\/cyberscoop.com\/china-critical-infrastructure-volt-typhoon\/\">burrow into the networks of U.S. critical infrastructure<\/a> and pre-position for potential destructive cyberattacks in the future.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>More recently, the Department of the Treasury said Chinese hackers used a third-party cybersecurity vendor to <a href=\"https:\/\/cyberscoop.com\/treasury-workstations-hacked-china-beyondtrust-identity-access-management\/\">break into<\/a> an unspecified number of workstations and steal data. <\/p>\n<p>While Salt Typhoon\u2019s motive is believed to be espionage, U.S. officials \u2014 including Easterly \u2014 have alleged that other groups like Volt Typhoon may be preparing to execute destructive attacks on American critical infrastructure in the event of a Chinese invasion of Taiwan.<\/p>\n<p>CISA maintains a list of nearly 500 \u201csystemically important\u201d critical infrastructure entities that are given extra attention and resourcing from the federal government, including red-teaming and tools for vulnerability scanning, attack-surface management and threat detection. In her blog, Easterly claimed CISA red-teamers and incident responders have used these tools to boot out Chinese hackers in the energy, transportation, water and telecommunications sectors, but notes that \u201cwhat we have found is likely just the tip of the iceberg.\u201d<\/p>\n<p>Easterly noted that many telecommunications companies are reliant on outdated technologies and architectures that are more vulnerable to cyberattacks because they were built for \u201cefficiency and availability,\u201d not security. They also use a host of technologies outside their network, like edge devices, that can offer pathways to compromise and are increasingly being leveraged by Chinese and Russian hackers.<\/p>\n<p>\u201cThose are edge devices like routers and firewalls and switches, which, you know, would likely never be a part of a systematically important entities list, but are really the connective tissue and the soft underbelly for our adversaries,\u201d she said. \u201cAnd that\u2019s really the vector that we\u2019ve sort of made easy for the cyber invasion of entities like Volt Typhoon, Salt Typhoon.\u201d<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4\">\n<div class=\"author-card\" readability=\"13\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises-1.jpg?w=640&ssl=1\" alt=\"Derek B. Johnson\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Derek B. Johnson<\/h4>\n<p> Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor\u2019s degree in print journalism from Hofstra University in New York and a master\u2019s degree in public policy from George Mason University in Virginia. <\/p>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/salt-typhoon-us-government-jen-easterly-cisa\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CISA director says threat hunters spotted Salt Typhoon on federal<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[325],"class_list":["post-6937","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-uncategorized"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6937","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6937"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6937\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6937"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6937"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6937"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6937,"date":"2025-01-15T19:29:55","date_gmt":"2025-01-16T01:29:55","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83154"},"modified":"2025-01-15T19:29:55","modified_gmt":"2025-01-16T01:29:55","slug":"cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/15\/cisa-director-says-threat-hunters-spotted-salt-typhoon-on-federal-networks-before-telco-compromises\/","title":{"rendered":"CISA director says threat hunters spotted Salt Typhoon on federal networks before telco compromises\u00a0"},"content":{"rendered":"