Skip to main content
Request a Demo

Salt Typhoon Intelligence Dashboard Immediately Available for ThreatConnect

Salt Typhoon—also known in industry and U.S. government reporting as OPERATOR PANDA, RedMike, UNC5807, or GhostEmperor — is a sophisticated, state-sponsored Chinese cyber-espionage group expected to operate under the Ministry of State Security. Active since at least 2019, Salt Typhoon has executed one of the most expansive and consequential global hacking campaigns in modern history.

Salt Typhoon has exploited vulnerabilities in telecommunications infrastructure—particularly routers and core systems—to penetrate networks globally. According to a report in The Wall Street Journal on August 27, 2025, the campaign has affected over 80 countries and 600 organizations, including telecom operators, government agencies, and military infrastructure. Notably, it allowed access to over 1 million call records, including metadata and wiretap-related systems, raising profound national security concerns.

A Joint Cybersecurity Advisory issued by the FBI, CISA, NSA, and numerous international partners categorizes Salt Typhoon’s activity as unprecedented in scale and targeting. FBI Cyber Division Assistant Director Brett Leatherman underscored that Salt Typhoon’s “global indiscriminate targeting isn’t just espionage—it exceeds norms of cyberspace operations.”

The new Salt Typhoon Dashboard in ThreatConnect offers security teams powerful, centralized visibility into this critical threat.

Key Benefits:

  • Centralized Intelligence: Aggregates Salt Typhoon-related IOCs, TTPs, intrusion sets, and telemetry from open sources, commercial feeds, and internal data.
  • Continuous Threat Tracking: Monitors real-time updates on actor infrastructure, victimology, exploitation methods, and global trends.
  • Accelerated Incident Response: Provides contextualized, enriched intelligence to compress time from detection to response.
  • Visual Reporting & Executive Insights: Interactive charts, campaign timelines, and executive-tailored dashboards streamline communication and prioritization.
  • Automated Correlation: Leverages ThreatConnect’s automation engine to align Salt Typhoon indicators across adversary profiles, aiding triage and escalation.

With Salt Typhoon’s intrusion into critical networks, including those of major telecom carriers, adversaries now hold the capability to map communications, track movements, and infiltrate high-impact infrastructures.

The Salt Typhoon Dashboard equips defenders with the means to visualize these threats, integrate global context, and act decisively—right within the ThreatConnect platform.

Note: In order to realize the full value of this dashboard, customers may require integration with premium or commercial threat intelligence sources such as those provided by Mandiant, Recorded Future, or CrowdStrike. 

Lead Contributor – Andy Smith, Customer Success Engineer

To gain access to the Salt Typhoon Dashboard, please connect with your Customer Success team or reach out to us through our contact form.

Further Resources

For more detailed information and resources on Salt Typhoon, please refer to the following:

Resource Description Link
The Wall Street Journal Per their website, The Wall Street Journal was founded in July 1889. Ever since, the Journal has led the way in chronicling the rise of industries in America and around the world. WSJ Article
Reuters Reuters is a leading global news organization, recognized for its fast, accurate, and impartial reporting on international business, politics, technology, and current events. Reuters Article
Joint Cyber Security Advisory The National Security Agency (NSA) and other U.S. and foreign organizations have released a joint Cybersecurity Advisory to expose advanced persistent threat (APT) actors sponsored by the Chinese government targeting telecommunications, government, transportation, lodging, and military infrastructure networks globally and outline appropriate mitigation guidance. Cybersecurity Advisory

 

We urge all organizations to remain vigilant and proactive in their cybersecurity efforts. By implementing these recommendations, you can significantly reduce your risk and protect your critical assets.

About the Author

Andy Smith

Andy Smith is a Customer Success Engineer at ThreatConnect. He previously worked as an integrations analyst, technical enablement manager, and cloud support engineer across various industries, including academia, healthcare, and cybersecurity. Andy has a background in education and linguistics, as well as over 20 years in IT/IS. When not working on cybersecurity, Andy enjoys traveling, cooking with his wife, and playing guitar.