Salt Typhoon Is Turning Telecom Networks Into a Global Intelligence Problem

A rewritten, data-backed look at how the Salt Typhoon campaign spread well beyond a U.S. telco story and into a broader telecom and router espionage issue.

Posted Mar 7, 2026
Author Bryce Whitney

Salt Typhoon is easy to misunderstand if you only look at the early U.S. headlines. The story is bigger than “China hacked a few American phone companies,” and it is more serious than a conventional corporate breach roundup. What the public record now shows is a long-running espionage campaign that has repeatedly targeted telecommunications providers, internet infrastructure, and edge devices in multiple regions. That matters because telecom networks are not ordinary enterprise networks. If you get deep enough into them, you are not just inside a company. You are inside a system that moves and stores other people’s communications.

TechCrunch’s March 9, 2026 overview makes the scope hard to ignore. It reports that FBI officials said Salt Typhoon hacked at least 200 companies worldwide. The same article ties the campaign to compromises at major U.S. telecom and internet providers including AT&T, Verizon, CenturyLink, Viasat, Charter, Windstream, and Consolidated Communications, while also describing activity or attribution in countries across Europe, Asia, Oceania, Africa, and the Americas. At that point, it stops looking like an isolated espionage success and starts looking like a durable access strategy aimed at communications infrastructure as a class of target.

Illustration showing the telecom, router, and interception systems targeted in the campaign

The technical shape of the campaign is just as important as the victim list. TechCrunch’s earlier February 13, 2025 reporting on Recorded Future’s findings said the group had attempted to compromise more than 1,000 Cisco devices globally, focusing especially on telecom-related infrastructure. That tells you something important about how this operation scales. Telecom breaches do not always begin with some dramatic zero-click story. Sometimes they begin with old network equipment, uneven patching, and devices sitting in strategic locations. If an actor can repeatedly get footholds on edge infrastructure, it gains a staging ground that can support broader collection and persistence.

The U.S. government’s own language backs up the seriousness of the campaign. In a joint statement released on November 13, 2024, the FBI and CISA described the PRC targeting of commercial telecommunications infrastructure as a “broad and significant cyber espionage campaign.” They said the operation enabled theft of customer call-record data, compromise of private communications of a limited number of people involved mainly in government or political activity, and copying of information subject to U.S. law-enforcement requests. That is not a normal post-breach disclosure. It points to access with intelligence value.

Treasury’s January 17, 2025 sanctions announcement pushed the timeline and severity further. OFAC said Salt Typhoon had been active since at least 2019 and had compromised the infrastructure of multiple major U.S. telecommunication and internet service provider companies. That date matters because it frames Salt Typhoon as a persistent campaign rather than a quick smash-and-grab. The sanctions release also said the activity marked a dramatic escalation in Chinese cyber operations against U.S. critical infrastructure targets. That is stronger language than agencies usually use unless they are trying to make clear that the campaign crossed an important line.

What makes the March 2026 picture more alarming is how international the evidence has become. TechCrunch’s country-by-country roundup says governments or researchers have linked Salt Typhoon activity to the United Kingdom, Norway, the Netherlands, Italy, Poland, Finland, Japan, Australia, and New Zealand, among others. The article also notes targeting of university routers in Bangladesh, Indonesia, Malaysia, and Thailand. Even if each case does not involve the same depth of compromise, the pattern is consistent: communications-adjacent networks, network edge equipment, and organizations that can expand visibility or provide onward access.

Illustration showing why wide geographic spread changes the meaning of the campaign

That spread changes the defensive question. The old model was to ask whether your telecom provider had been compromised. The current model has to be wider: do you rely on telecom or internet infrastructure that may itself rely on brittle routing, interception, or identity systems that are difficult to monitor end to end? CISA’s December 4, 2024 hardening guidance for communications infrastructure makes the same shift. It warns that PRC-affiliated actors compromised major global telecommunications providers as part of a broad espionage campaign and focuses on strengthening visibility and hardening network devices. In other words, the response is not just “patch a box.” It is “improve visibility into the part of the network that was previously assumed to be trustworthy.”

There is also a policy consequence here. Telecom compromises hit a special category of risk because so much government, executive, legal, and business activity still assumes the underlying carrier layer is stable enough to support sensitive communications. The Salt Typhoon reporting undercuts that assumption. If a foreign espionage actor can move through providers, edge routers, and lawful-access systems, then the blast radius reaches far beyond one vendor or one carrier. It affects how officials communicate, how providers segment administrative access, and how much confidence users should place in network-level trust.

That is why the TechCrunch framing is useful. The article is not just a list of hacked names. It shows a campaign that kept widening as more countries and sectors disclosed activity. Once a story crosses from “major U.S. telcos were hit” to “hundreds of firms across multiple continents appear in the same orbit,” the correct frame is not scandal. It is infrastructure risk.

Summary

Salt Typhoon is no longer just a U.S. telecom breach story. Public reporting and government statements now point to a multi-year espionage campaign aimed at communications providers, routers, and related infrastructure across many countries. The scale matters, the target class matters, and the timeline matters. If there is one takeaway, it is that telecom security should be treated as a strategic trust problem, not a routine vendor incident.

References