Global Cyber AllianceOur new report from Meghal Donde Pradhan, “Salt Typhoon Across the Internet: What AIDE Honeypots Reveal About a Persistent State-Linked Campaign,” uses AIDE data to demonstrate Salt Typhoon’s operational characteristics through observable attack patterns spanning 2+ years. Salt Typhoon has been publicly attributed to actors based in China and assessed as state-sponsored; AIDE’s findings focus only on behavioral evidence and do not directly attribute the activity to Chinese authorities.
Between August 2023 and August 2025, AIDE recorded more than 72 million China-origin attack attempts against decoy systems emulating telecommunications networks. Within this broader dataset, AIDE identified patterns consistent with Salt Typhoon’s tactics, techniques, and procedures (TTPs)—providing an empirical view of the campaign’s operational tempo and corroborating indicators described in public advisories by CISA, the FBI, and industry partners.
Salt Typhoon is an active, evolving campaign requiring immediate action from infrastructure operators. This report offers defensive measures provides concrete protection against documented attack vectors.
Read the blog post summary and download the report here: https://globalcyberalliance.org/new-report-salt-typhoon-across-the-internet/
New Report: Salt Typhoon Across the Internet - GCA | Global Cyber Alliance
In September 2024, the FBI and CISA disclosed one of the most significant cyber espionage campaigns targeting U.S. critical infrastructure: Salt Typhoon. This operation compromised major telecommunications providers, breached government wiretapping systems, and established persistent access across global networks. Unlike typical cyberattacks seeking to steal customer data, Salt Typhoon focused on controlling communications infrastructure that […]