Who is Salt Typhoon?
Salt Typhoon (also tracked as Earth Estries, GhostEmperor, and FamousSparrow by various threat intelligence vendors) is a sophisticated Chinese state-sponsored APT group assessed by Western intelligence agencies to operate under the direction of the Ministry of State Security (MSS). The group is distinguished by several characteristics that make it exceptionally dangerous:
- Long dwell times: Salt Typhoon routinely maintains persistent access inside victim networks for 6-18 months before any malicious activity is detected
- Living-off-the-land (LOTL) techniques: The group heavily leverages legitimate system tools and credentials to blend with normal network traffic, making detection extremely difficult
- Lawful intercept system targeting: Salt Typhoon specifically targets CALEA-equivalent wiretapping systems and carrier-grade network equipment — the same systems used by law enforcement for authorised surveillance
- Zero-day capability: The group has demonstrated the ability to weaponise zero-day vulnerabilities in network edge devices, particularly in Cisco and Fortinet equipment
The US Campaign: Setting the Context
Between 2024 and early 2025, Salt Typhoon conducted one of the most significant cyber espionage campaigns in US history. The group successfully compromised at least nine major US telecommunications carriers — including AT&T, Verizon, and T-Mobile — gaining persistent access to their network infrastructure. The objectives were multifaceted:
- Collection of call metadata and geolocation data on millions of Americans
- Real-time interception of communications belonging to high-value intelligence targets including US government officials and political figures
- Access to lawful intercept systems used by US law enforcement, potentially exposing active investigations
The scale and severity of the US campaign prompted an unprecedented joint statement from the FBI and CISA in November 2024, followed by formal attribution to the People's Republic of China.
The Australian Campaign: What We Know
According to the ASD-CISA joint advisory published on 29 April 2026, Salt Typhoon began probing Australian telecommunications infrastructure in Q4 2025, with confirmed intrusion activity detected in Q1 2026. Key findings from the advisory include:
- At least three Tier 1 Australian telecommunications carriers have been targeted, with confirmed unauthorised access in at least two cases
- Attack vectors have included exploitation of unpatched vulnerabilities in edge network devices (specifically Cisco IOS XE and Juniper Junos OS) and credential theft via spear-phishing campaigns targeting network operations staff
- Post-exploitation activity has focused on mapping network topology, identifying high-value communication links, and locating lawful intercept systems
- The group has demonstrated knowledge of Australian telecommunications regulatory requirements, suggesting prior intelligence collection on the Australian telecommunications sector
Indicators of Compromise (IOCs)
The joint advisory provides a comprehensive set of IOCs. Key indicators include:
- Anomalous SNMP polling activity from external IP ranges, particularly targeting network management interfaces
- Unusual CLI command sequences consistent with network topology enumeration on Cisco and Juniper devices
- Creation of new local accounts on network devices outside of change management windows
- Exfiltration of network configuration files via encrypted channels to known Salt Typhoon C2 infrastructure
- Use of legitimate remote management tools (including Cobalt Strike and custom tooling) loaded directly into memory
The full IOC list, including specific IP ranges, domain names, and file hashes, is available through ASD's ACSC portal and the CISA advisory AA26-119A.
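As an added example (not part of the advisory or this article), the following script turns three of the indicators listed above into detection logic and runs it over a handful of constructed syslog lines. The log format it assumes is `<ISO-8601 timestamp> <device hostname> <message>`; the `SNMP-3-AUTHFAIL` and `PARSER-5-CFGLOG_LOGGEDCMD` message bodies follow Cisco IOS syslog formats (the latter requires configuration change logging to be enabled), while the `CMD_ACCT` lines are a constructed stand-in for whatever command-accounting feed (for example TACACS+ accounting) a carrier actually has. The management network, change window, command list and all IP addresses are hypothetical values chosen for the example.

```python
"""Detection rules for three advisory IOCs, run over constructed syslog lines.

Added example, not code from the advisory. Assumed line format:
'<ISO-8601 timestamp> <device hostname> <message>'.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import time, datetime

# Hypothetical site values: the authorised management network and the approved
# change window, given as (weekday, start, end) with Monday == 0.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
CHANGE_WINDOWS = [(5, time(22, 0), time(23, 59, 59))]  # Saturday evening
# Commands that, issued together in a short burst, look like topology enumeration.
ENUM_COMMANDS = {"show ip route", "show cdp neighbors", "show ip bgp summary", "show running-config"}

SNMP_RE = re.compile(r"%SNMP-\d-AUTHFAIL: .* from host (\S+)")
ACCT_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+)\s+logged command:username (\S+) ")
CMD_RE = re.compile(r'CMD_ACCT: user=(\S+) cmd="([^"]+)"')  # constructed accounting shape

# Constructed sample log: 2026-03-14 is a Saturday, 2026-03-17 a Tuesday.
SAMPLE_LOG = """\
2026-03-14T02:13:05 core-rtr-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 203.0.113.45
2026-03-14T02:13:06 core-rtr-01 %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host 10.20.0.15
2026-03-14T22:30:00 edge-rtr-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username oncall privilege 15 secret ****
2026-03-17T03:41:10 core-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:username svc_backup privilege 15 secret ****
2026-03-17T03:42:01 core-rtr-01 CMD_ACCT: user=svc_backup cmd="show ip route"
2026-03-17T03:42:20 core-rtr-01 CMD_ACCT: user=svc_backup cmd="show cdp neighbors"
2026-03-17T03:43:05 core-rtr-01 CMD_ACCT: user=svc_backup cmd="show ip bgp summary"
2026-03-17T09:00:00 edge-rtr-02 CMD_ACCT: user=netops cmd="show ip route"
"""


def parse_line(line):
    """Split a log line into (timestamp, device hostname, message body)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg


def in_change_window(ts):
    """True if the timestamp falls inside an approved change window."""
    return any(ts.weekday() == wd and start <= ts.time() <= end
               for wd, start, end in CHANGE_WINDOWS)


def enumeration_bursts(cmd_log, window_s=300, min_distinct=3):
    """Flag a (device, user) pair that issued >= min_distinct distinct
    enumeration commands within window_s seconds of each other."""
    hits = []
    for (host, user), entries in cmd_log.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            seen = {cmd for t, cmd in entries[i:] if (t - t0).total_seconds() <= window_s}
            if len(seen) >= min_distinct:
                hits.append(("enumeration_burst", host, user))
                break
    return hits


def detect(log_text):
    """Return (rule, device, subject) alerts for the three IOC rules."""
    alerts = []
    cmd_log = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = parse_line(line)
        if m := SNMP_RE.search(msg):
            # SNMP requests from anything outside the management network
            src = ipaddress.ip_address(m.group(1))
            if not any(src in net for net in MGMT_NETS):
                alerts.append(("snmp_from_outside_management", host, str(src)))
        elif m := ACCT_RE.search(msg):
            # Local account creation outside an approved change window
            if not in_change_window(ts):
                alerts.append(("account_created_outside_window", host, m.group(2)))
        elif m := CMD_RE.search(msg):
            user, cmd = m.groups()
            if cmd in ENUM_COMMANDS:
                cmd_log[(host, user)].append((ts, cmd))
    return alerts + enumeration_bursts(cmd_log)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Run against the sample, the external SNMP source, the Tuesday-night `svc_backup` account and the three-command enumeration burst from that account are flagged, while the Saturday-window `oncall` account and the single `show ip route` from `netops` are not. In production the management ranges, change windows and command list would come from the carrier's own CMDB and change records rather than the constants above.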
Why Australian Telcos? Understanding the Strategic Motive
Australia's telecommunications infrastructure is strategically significant for several reasons that make it an attractive target for Chinese state-sponsored espionage:
- Five Eyes intelligence sharing: Australia's SIGINT capabilities through the ASD are deeply integrated with the Five Eyes alliance. Compromising Australian carrier infrastructure provides a potential window into Five Eyes communications
- Regional connectivity hub: Australian carriers operate submarine cable infrastructure connecting the Asia-Pacific region, making them a high-value target for traffic interception
- Defence and government communications: Australian government agencies and defence contractors rely on commercial telecommunications infrastructure, creating opportunities for intelligence collection
- Geopolitical timing: The campaign coincides with heightened Australia-China tensions over technology policy, Taiwan, and trade disputes
Recommended Actions: Different Advice for Different Audiences
Salt Typhoon is a threat to telecommunications carriers primarily, but the consequences extend well beyond the carriers themselves. Organisations whose communications traverse potentially compromised carrier infrastructure — which in practice means every large Australian enterprise — face a secondary threat that is different in character but real in consequence.
For Telecommunications Carriers: This Is an Active Incident
Carriers should not be reading this advisory as a future-risk management document. The ASD advisory is explicit that active intrusion activity has been confirmed against Australian networks. The first priority is a comprehensive audit of all network device credentials — every router, switch, and network management system should have its account lists reviewed against authorised configurations, and any unknown or unauthorised accounts removed immediately. Salt Typhoon's standard playbook includes creating persistent local accounts on network devices as a fallback access mechanism; these are specifically what you are looking for.
SNMP — the Simple Network Management Protocol used for device monitoring — has been a consistent Salt Typhoon exploitation vector. Community strings should be reviewed, default strings changed if any remain, and SNMP access restricted to known, authorised management hosts through access control lists. Simultaneously, edge device patching should be treated as emergency work rather than routine maintenance: Cisco IOS XE and Juniper Junos devices facing the internet need to be at current patch levels immediately, not in the next quarterly maintenance window.
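The account and SNMP review described in the two paragraphs above can be scripted against exported running configurations. The following is an added example, not tooling from ASD or the article's author: it parses a constructed Cisco IOS-style configuration and reports local usernames that are not on an authorised list, SNMP community strings that are vendor defaults, communities with no access list restricting the source, communities that reference an ACL the configuration does not define, and any read-write community. The authorised account set, the default-string list and the sample configuration are hypothetical; Junos uses a different syntax and would need its own parser.

```python
"""Audit a Cisco IOS-style running-config for local accounts and SNMP exposure.

Added example, not from the advisory or the article. The authorised account
list, default-string list and the sample configuration are hypothetical.
"""
import re

AUTHORISED_ACCOUNTS = {"netops", "oncall"}          # assumed: from change records
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}  # well-known defaults

USER_RE = re.compile(r"^username (\S+)")
SNMP_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?", re.IGNORECASE)
ACL_RE = re.compile(r"^(?:ip )?access-list (?:standard )?(\S+)")

# Constructed sample configuration with one rogue account and two weak communities.
SAMPLE_CONFIG = """\
hostname core-rtr-01
!
username netops privilege 15 secret 9 $9$PLACEHOLDER
username oncall privilege 15 secret 9 $9$PLACEHOLDER
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER
!
snmp-server community public RO
snmp-server community Xq7mgmt RO 10
snmp-server community private RW
!
access-list 10 permit 10.20.0.0 0.0.0.255
access-list 10 deny   any
"""


def parse_config(text):
    """Extract local usernames, SNMP communities and defined ACL names."""
    users, communities, acls = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users.append(m.group(1))
        elif m := SNMP_RE.match(line):
            # (community string, RO/RW, ACL name or None)
            communities.append((m.group(1), m.group(2).upper(), m.group(3)))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
    return users, communities, acls


def audit_config(text):
    """Return (finding, subject) pairs for the checks the advisory calls for."""
    users, communities, acls = parse_config(text)
    findings = []
    for user in users:
        if user not in AUTHORISED_ACCOUNTS:
            findings.append(("unauthorised_local_account", user))
    for name, mode, acl in communities:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("default_community_string", name))
        if acl is None:
            findings.append(("community_without_acl", name))
        elif acl not in acls:
            findings.append(("community_acl_undefined", name))
        if mode == "RW":
            findings.append(("write_community", name))
    return findings


if __name__ == "__main__":
    for finding, subject in audit_config(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```

On the sample, `svc_backup` is reported as an unauthorised account, `public` and `private` as default strings with no source ACL, and `private` additionally as a write community; `Xq7mgmt`, which is restricted to ACL 10, produces no finding. Findings are returned as data rather than only printed so the script can feed a ticketing or SIEM pipeline, and so that the expected result can be checked in a test.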
Perhaps most importantly: engage the ACSC directly. The ASD has threat hunting capability and access to classified IOCs that are not available through commercial channels. Given that the average Salt Typhoon dwell time in US carrier networks was 14 months, assuming your environment is clean without an active threat hunt is not a defensible position.
For Enterprise Customers: Assume the Carrier Layer Is Not Secure
The uncomfortable reality for enterprise organisations is that you cannot audit your carrier's security posture, and you cannot wait for carriers to confirm whether their infrastructure is clean before deciding how to protect your communications. The rational response is to treat the carrier layer as untrusted and implement end-to-end encryption for all communications where the content would be genuinely damaging if intercepted — which includes board and executive communications, M&A discussions, legal privilege communications, and anything relating to critical infrastructure operations.
This is not paranoia; it is sound security architecture applied to a specific known threat. End-to-end encrypted messaging platforms, encrypted voice communications, and encrypted email are all mature, deployable technologies. The question of which specific tools to use should be guided by your threat model and information classification framework. The question of whether to use them at all has been answered by the ASD advisory.
The Broader Geopolitical Context
Salt Typhoon's expansion to Australian targets is consistent with a broader pattern of Chinese cyber espionage campaigns targeting Five Eyes nations. In the same period, UK and Canadian intelligence agencies have reported similar intrusion attempts against their telecommunications infrastructure, suggesting a coordinated campaign designed to maximise intelligence collection across the alliance.
The campaign also underscores the growing convergence of telecommunications security and national security. As Australia progresses with its Critical Infrastructure legislation and the Cyber Security Act amendments, the Salt Typhoon campaign provides a stark real-world justification for the regulatory requirements being imposed on telecommunications providers.
CyberSec.au Assessment
Salt Typhoon represents one of the most capable and persistent threats operating in the Australian threat landscape. The group's demonstrated ability to maintain long-term, undetected access inside some of the world's most security-conscious telecommunications providers should serve as a sobering reminder that traditional security controls are insufficient against nation-state level adversaries.
Australian telecommunications carriers must treat this advisory as an urgent operational matter requiring immediate executive attention, not a routine security advisory to be processed through standard patch cycles. The window between initial intrusion and detection in previous Salt Typhoon campaigns has averaged 14 months — meaning some Australian carriers may already have persistent compromises that have yet to be discovered.
For enterprise customers, the key takeaway is that network-level encryption and communication security hygiene are no longer optional security controls — they are fundamental risk management requirements in an environment where carrier infrastructure can no longer be assumed to be uncompromised.