FBI Warning: Salt Typhoon Has "Broken the Norms of Communication" — 200 Companies, 80 Countries: The "Silent Intruder" Chinese Salt Typhoon Outlines the Contours of Global Surveillance

August 29, 2025, 12:05

1) What Happened: From "9 Companies" to "200 Companies"

On August 27 (U.S. time), the head of the FBI's cyber division stated that Salt Typhoon intrusions had reached at least 200 companies in the U.S. Since breaches at nine major U.S. telecommunications and internet providers were discovered last year, the target set has expanded both across industries and deeper into each one. The statement, reported by TechCrunch, marks the shift in investigators' view of Salt Typhoon to a cross-sector threat. (TechCrunch)


The assessment is backed by a joint cyber advisory signed by 13 countries (U.S., UK, Australia, Canada, New Zealand, Germany, Italy, Japan, Netherlands, Finland, Czech Republic, Poland, Spain). The document is consistent with press reports of impact across 80 countries, in sectors ranging from telecommunications to government, transportation, hospitality and military-related organizations. (CISA, The Washington Post, The Wall Street Journal)


2) How Deep Was the Breach?

According to major U.S. newspapers, the operation has been running since around 2019 and may have reached call records, some location information, and even information about the systems used for lawful-intercept and other law enforcement communications. The FBI has notified about 600 companies and organizations and distributed technical information for detection and containment. (The Wall Street Journal)


Salt Typhoon is Microsoft's name for a cluster of espionage activity attributed to China. Other aliases, including OPERATOR PANDA, GhostEmperor, UNC5807/UNC2286 and FamousSparrow, appear in vendor and government reporting, and the observations of the various companies and agencies overlap. (CISA, Microsoft Learn, varonis.com, trustwave.com)


3) How Did They Get In: Key Points of TTP

Based on the joint advisory and the technical coverage in the press, the core of the TTPs (tactics, techniques and procedures) comes down to three points.

  • Exploitation of known vulnerabilities in boundary devices: initial access through unpatched routers, VPN gateways and firewalls, followed by lateral movement. Configuration changes are concealed and log forwarding is tampered with to prolong dwell time. (CISA, The Hacker News)

  • Credential theft and device persistence: extracting credentials stored on the devices, then adding virtual environments or network tunnels on them for covert connections to external C2. (CISA)

  • Targeting communication data: accessing call metadata and learning how the network is controlled in order to identify high-value surveillance targets. (The Wall Street Journal)

The advisory ships indicators of compromise (IOCs) and detection rules in machine-readable formats such as JSON, and urges that firmware integrity verification and configuration-difference audits be elevated to standard practice for continuous operation. (CISA)


4) Reactions on Social Media: The Gap Between the Field and Public Opinion



  • The official FBI account on X pointed readers to the joint advisory and called on network defenders to implement its specific measures, reaffirming that the threat is ongoing. (X, formerly Twitter)

  • Among security journalists, the scale of "200 companies, 80 countries" was the signal most emphasized, and it was widely shared on Mastodon; posts referencing The Washington Post's series of reports were prominent. (Mastodon, mastodon.social; The Washington Post)

  • Official accounts of industry media reported that "Salt Typhoon was positioned as the top threat in the international joint advisory" and recommended CVE management and retention of boundary device logs. (X, formerly Twitter)

Three practical themes trended on social media: promoting E2EE messaging, revising identity verification that relies on calls and SMS, and version control of device configurations. In the geopolitical exchanges, by contrast, denials of Chinese government involvement spread, showing the information-warfare side of the story. (Reuters)


5) Implications for Japan: Becoming a "Stakeholder" in the Joint Statement

Japan is a signatory to the joint advisory, so domestic critical infrastructure operators (communications, transportation, hospitality, public sector) are stakeholders in the countermeasures. In particular, the following have become baseline practices that should be normalized even at the cost of operational expense: (The Hacker News, CISA)

  • auditing boundary device configurations (unused tunnels, suspicious NAT/ACL entries)

  • preserving device logs off-box (SIEM forwarding plus tamper detection)

  • automatically visualizing on-device state (configuration differences and firmware integrity)


6) Specific Actions That Can Be Taken Now (For CISO/Operations Teams)

  1. Immediate tasking of the advisory: acquire and apply the IOCs and detection rules from AA25-239A, and hunt through the past 90 days of logs. (CISA)

  2. "Full SBOM plus version inventory" of boundary devices: inventory vulnerable versions on Cisco, Juniper, Palo Alto and other devices, and plan replacements for EoL/EoS hardware. (The Hacker News)

  3. Withdrawal from call/SMS-based authentication: high-risk departments should move to encrypted messaging or FIDO2, and confidential communication over voice lines should in general be prohibited. Internal guidelines should record the reporting that motivates the change. (The Wall Street Journal)

  4. Continuous audit of configuration differences: hash and compare device configurations daily, and look for traces of hidden tunnels or newly created virtual environments. (CISA)

  5. Revamping incident tabletop exercises: redesign them around cross-sector scenarios spanning telecommunications, hospitality and transportation. (The Washington Post)
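Step 4 above, the section 5 list (unused tunnels, suspicious NAT/ACL entries, off-box log preservation) and the log-forwarding tampering described in section 3 all reduce to the same daily check: hash the running configuration, compare it with an off-box baseline, and classify what was added or removed. The script below is an added example, not code from the article, the FBI or the joint advisory. The two configurations are constructed IOS-style snippets rather than captures from a real device, and the match patterns are assumptions that would need adjusting for Junos, PAN-OS or other syntaxes.

```python
"""Daily configuration-drift audit for boundary devices (added example).

Not code from the article or the joint advisory. The configs below are
constructed IOS-style snippets; in practice they would come from whatever
tooling already archives running-config off the device.
"""
import difflib
import hashlib
import re
from typing import Dict, List

# Constructed "golden" baseline, taken at the last reviewed change window.
BASELINE_CONFIG = """\
hostname edge-rtr-01
logging host 10.0.5.20
logging trap informational
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip access-group EDGE-IN in
ip access-list extended EDGE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any
"""

# Constructed "current" config showing the kinds of changes the article lists:
# a new GRE tunnel, a widened ACL, and the syslog forwarder removed.
CURRENT_CONFIG = """\
hostname edge-rtr-01
logging trap informational
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip access-group EDGE-IN in
interface Tunnel100
 ip address 192.0.2.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
ip access-list extended EDGE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit ip host 198.51.100.77 any
 deny ip any any
"""

# Assumption: IOS-style syntax. Categories follow the behaviours the article
# names: tunnels and guest containers appearing, NAT/ACL edits, log forwarding lost.
ADDED_PATTERNS = {
    "new_tunnel_interface": re.compile(r"^interface Tunnel\d+"),
    "gre_tunnel_mode": re.compile(r"^\s*tunnel mode gre"),
    "nat_rule_added": re.compile(r"^\s*ip nat "),
    "acl_entry_added": re.compile(r"^\s*(permit|deny) "),
    "guest_container": re.compile(r"^(guestshell|app-hosting)"),
}
REMOVED_PATTERNS = {
    "log_forwarding_removed": re.compile(r"^logging host "),
    "acl_entry_removed": re.compile(r"^\s*(permit|deny) "),
}


def config_hash(text: str) -> str:
    """SHA-256 of the whitespace-normalized config. Keep the reference hash
    off-box so an intruder who edits the device cannot also edit the baseline."""
    normalized = "\n".join(line.rstrip() for line in text.splitlines() if line.strip())
    return hashlib.sha256(normalized.encode()).hexdigest()


def config_diff(baseline: str, current: str) -> List[str]:
    """Unified diff, which is what an analyst wants attached to the ticket."""
    return list(difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                     fromfile="baseline", tofile="current", lineterm=""))


def classify_changes(diff_lines: List[str]) -> Dict[str, List[str]]:
    """Map each added or removed config line to the suspicious categories it matches."""
    findings: Dict[str, List[str]] = {}
    for line in diff_lines:
        if line.startswith(("+++", "---")):
            continue  # file headers, not config content
        if line.startswith("+"):
            body, patterns = line[1:], ADDED_PATTERNS
        elif line.startswith("-"):
            body, patterns = line[1:], REMOVED_PATTERNS
        else:
            continue  # context or hunk header
        for name, pattern in patterns.items():
            if pattern.search(body):
                findings.setdefault(name, []).append(body.strip())
    return findings


def audit(baseline: str, current: str) -> dict:
    """Daily check: cheap hash comparison first, then diff and classification."""
    if config_hash(baseline) == config_hash(current):
        return {"changed": False, "findings": {}, "diff": []}
    diff = config_diff(baseline, current)
    return {"changed": True, "findings": classify_changes(diff), "diff": diff}


if __name__ == "__main__":
    result = audit(BASELINE_CONFIG, CURRENT_CONFIG)
    print("changed:", result["changed"])
    for category, entries in result["findings"].items():
        print(f"[{category}]")
        for entry in entries:
            print("   ", entry)
```

Run as-is, the script reports a new tunnel interface, a GRE tunnel mode, one added ACL entry and the removed syslog forwarder. The hash is computed on normalized text so cosmetic re-saves do not page anyone, and the removed-forwarder category deserves the highest priority: once `logging host` is gone, the SIEM copy of the device's logs stops being a record of what happens next.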


7) The Context of a "Dual Structure" of "State x Private Sector"

The joint advisory and reports from various newspapers suggest that the activities of Salt Typhoon are supported by a "dual structure" of state agencies and outsourced private companies
