
In a significant escalation of global cyber-espionage activity, U.S. satellite communications provider Viasat was identified in mid-2025 as a victim of an intrusion attributed to Salt Typhoon, a Chinese state-sponsored group. The intrusion is reported to have occurred in 2024 and is part of a wider, long-running campaign against U.S. telecommunications infrastructure.
Who is Salt Typhoon?
Salt Typhoon, also tracked under names such as FamousSparrow or GhostEmperor, is a sophisticated Chinese advanced persistent threat (APT) group reportedly operating under the direction of China’s Ministry of State Security (MSS).
🛠️ Key Characteristics of Salt Typhoon:
- Focus on long-term, stealthy surveillance and espionage
- Skilled at living-off-the-land (LotL) tactics: abusing legitimate administrative tools and built-in device features rather than dropping malware, so that activity blends in with normal operations
- Targets include telecom carriers, satellite operators, government agencies, and organizations involved in political or military activity
- Known to exploit unpatched vulnerabilities in internet-facing edge devices, such as Cisco routers and Fortinet appliances
🛰️ Why Viasat Was Targeted
Viasat provides secure satellite communication services for:
- U.S. and allied military operations
- Aviation and maritime connectivity
- Emergency services and critical infrastructure
- Commercial and residential broadband
This makes Viasat a high-value target in any geopolitical cyber campaign aiming to gather intelligence, disrupt communications, or monitor strategic movements globally.
🔍 Details of the Intrusion
🔓 Entry Point
Salt Typhoon gained unauthorized access through a compromised device inside Viasat's infrastructure, potentially via a known but unpatched vulnerability, echoing the tactics used in prior breaches of major U.S. telecoms. Viasat has not publicly named the device or the initial access vector.
🧬 Tactics, Techniques, and Procedures (TTPs)
Viasat has released no technical account of the intrusion; the techniques below are those documented across Salt Typhoon's telecom intrusions generally:
- Used the initial foothold on an edge device to pivot into internal systems
- Employed covert tunnels out of compromised devices and fileless, memory-resident tooling to persist without leaving obvious artifacts on disk
- Prioritized call metadata, subscriber location data, and call-monitoring capabilities (including, at some carriers, the systems used for lawful intercept)
- Maintained a low operational profile, including tampering with device logging, to avoid detection over long periods
🛡️ Impact and Mitigation
Despite the breach, Viasat confirmed after a joint investigation with federal cybersecurity agencies (likely CISA, NSA, and FBI) that:
- No evidence of customer data or service impact was found
- No ongoing malicious activity is currently detected
- The compromised device was isolated and remediated
- They implemented enhanced monitoring and hardening of systems post-incident
Prompt containment and a clear public account of what happened are essential for a company trusted with secure communications across national and military domains.
🌐 Broader Context: A Coordinated Espionage Campaign
The attack on Viasat is not an isolated incident. Salt Typhoon is believed to be behind a systematic infiltration of at least nine major U.S. telecom companies, including:
- AT&T
- T-Mobile
- Verizon
- Lumen Technologies
- Charter Communications
These attacks aimed at collecting:
- Call records and location data
- SMS and VoIP content, for a limited number of targeted individuals
- Network telemetry for surveillance or disruption
The breach is believed to support Chinese strategic objectives, such as:
- Monitoring U.S. military and diplomatic communications
- Tracking political campaign activity, including phones used by both campaigns in the 2024 U.S. presidential election
- Building pre-positioning capability for potential future cyber conflict
💬 U.S. Government Response
- CISA, the NSA, and the FBI, with international partners, issued joint hardening guidance for communications infrastructure in December 2024 describing Salt Typhoon's tactics and the visibility operators need to detect them
- The U.S. State Department offered a reward of up to $10 million for information on the group
- Lawmakers have described the intrusions as among the most serious threats to U.S. national security in recent years
🔐 Takeaway for Cybersecurity Professionals
- Edge devices (routers, VPN appliances, firewalls) are high-value footholds: patch them promptly, restrict their management plane to known hosts, and treat any change to their configuration as a security event
- Defense-in-depth matters: continuous monitoring, off-device logging, and zero-trust segmentation limit what an attacker can reach and see after the first device falls
- Threat-intelligence sharing and international cooperation are key to mitigating state-sponsored APT activity that spans many carriers at once
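The following script is an added example, not code from Viasat, Cisco, or any of the agencies mentioned above. It shows what the continuous-monitoring advice in the TTP and Takeaway sections amounts to in practice on a Cisco-style edge router: pull the running configuration, compare it with the last audited baseline, and flag the kinds of drift (new tunnels, new privileged accounts, widened management ACLs, removed remote logging) that deserve an analyst's attention. Both configurations are constructed samples, and the indicator list is an illustrative assumption, not an official signature set.

```python
"""Configuration-drift check for an edge router (added example)."""
import re

# Constructed sample: the known-good configuration from the last audit.
BASELINE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
snmp-server community r0nly RO 10
!
logging host 10.0.0.50
!
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
!
"""

# Constructed sample: the configuration pulled from the device today.
CURRENT_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$abc
username support privilege 15 secret 9 $9$xyz
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback7
 ip address 198.51.100.7 255.255.255.255
!
interface Tunnel99
 ip address 192.0.2.1 255.255.255.252
 tunnel source Loopback7
 tunnel destination 198.51.100.200
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
!
snmp-server community r0nly RO 10
!
ip access-list extended MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.200 any eq 22
!
"""

# Illustrative indicators (an assumed list, not an official signature set).
# Each entry is a regex over a flattened statement plus the reason to look.
ADDED_RULES = [
    (re.compile(r"^interface Tunnel\d+$"), "new tunnel interface (possible exfiltration or C2 path)"),
    (re.compile(r"\| tunnel mode gre"), "GRE tunnel configured"),
    (re.compile(r"^interface Loopback\d+$"), "new loopback (commonly used as a tunnel source)"),
    (re.compile(r"^username \S+ privilege 15"), "new privileged local account"),
    (re.compile(r"^snmp-server community "), "new SNMP community string"),
    (re.compile(r"^ip http (secure-)?server$"), "web UI enabled on an edge device"),
    (re.compile(r"^ip access-list .* \| permit "), "ACL permit added (check for widened management access)"),
]
REMOVED_RULES = [
    (re.compile(r"^logging host "), "remote syslog destination removed"),
    (re.compile(r"^aaa "), "AAA statement removed"),
]


def parse_config(text):
    """Flatten an IOS-style config into a set of statements.

    A top-level line is a statement on its own; each indented line becomes
    "<parent> | <child>" so that a change inside an interface or ACL block
    is attributed to the block it lives in.  "!" separators reset the parent.
    """
    statements, parent = set(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            parent = None
            continue
        if raw[0].isspace():
            statements.add(f"{parent} | {raw.strip()}")
        else:
            parent = raw.strip()
            statements.add(parent)
    return statements


def diff_configs(baseline_text, current_text):
    """Return (added, removed) statements, each sorted for stable output."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    return sorted(cur - base), sorted(base - cur)


def flag_suspicious(added, removed):
    """Match drift against the indicator lists; returns (kind, statement, reason) tuples."""
    findings = []
    for stmt in added:
        findings += [("added", stmt, why) for pat, why in ADDED_RULES if pat.search(stmt)]
    for stmt in removed:
        findings += [("removed", stmt, why) for pat, why in REMOVED_RULES if pat.search(stmt)]
    return findings


def run_check(baseline_text=BASELINE_CONFIG, current_text=CURRENT_CONFIG):
    """Diff the two configs and return the suspicious findings."""
    added, removed = diff_configs(baseline_text, current_text)
    return flag_suspicious(added, removed)


if __name__ == "__main__":
    for kind, stmt, why in run_check():
        print(f"[{kind:7}] {stmt}  <-- {why}")
```

In production the two inputs would come from a configuration-management store and a scheduled `show running-config` pull; the point of the flattening step is that a single new `tunnel mode gre ip` line inside an interface block, or one extra `permit` in a management ACL, produces a distinct statement that a rule can name, rather than disappearing into a whole-file textual diff. Every finding should be treated as an incident lead until an authorized change ticket explains it.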



