26 September 2024

China-linked Salt Typhoon hackers reportedly infiltrate US ISPs

A recently identified Chinese government-backed hacker group, known as ‘Salt Typhoon,’ has reportedly infiltrated several US Internet service providers (ISPs) in an effort to steal sensitive information, according to a Wall Street Journal report. Sources familiar with the investigation said the group has been active for months and may have gained access to routers that carry core traffic for US ISPs.

The attackers are suspected of targeting core network infrastructure, specifically routers, to gain access to confidential data. Investigators are currently exploring the possibility that Salt Typhoon accessed Cisco Systems routers, which play a key role in directing traffic for many ISPs.

For its part, Cisco said it is conducting its own investigation into the matter and that there is no indication so far that Cisco routers were involved in Salt Typhoon activity.

Salt Typhoon, aka FamousSparrow and GhostEmperor, first attracted attention in October 2021, following the discovery of a sophisticated cyber espionage campaign targeting Southeast Asia.

GhostEmperor’s campaign involved a rootkit called Demodex, which allowed the hackers to remain undetected while infiltrating high-profile organizations in countries like Malaysia, Thailand, Vietnam, and Indonesia. The group also reportedly targeted organizations as far afield as Egypt, Ethiopia, and Afghanistan.

In July 2024, cybersecurity firm Sygnia disclosed that one of its clients had been compromised by Salt Typhoon in 2023, after the hackers breached a business partner's network. During its investigation, Sygnia found that several servers and workstations had been infiltrated, and that the attackers had deployed communication tools linked to command-and-control (C2) servers. One of the tools was identified as a variant of the Demodex rootkit.

The revelation of Salt Typhoon’s hacking campaign comes after the US authorities disrupted a 260,000-device botnet called ‘Raptor Train,’ which was operated by another Beijing-linked hacker group, Flax Typhoon.
