On September 4, the New York Times revealed details of Salt Typhoon — a Chinese state-sponsored hacking campaign that quietly infiltrated US enterprise software used by millions of people. The methods will sound familiar to anyone in tech, security, or government: compromised routers, stolen metadata, unpatched vulnerabilities. But the scope is what makes Salt Typhoon different.

The attack is an ongoing systematic takedown of the infrastructure our digital world runs on. But more than that, it is an alarm bell reminding us that stockpiles of scraped data, routine surveillance practices, and government pressure across the globe to weaken encryption are putting more and more of our information at risk.

A global espionage system hiding in plain sight

Salt Typhoon is part of a broader operation led by China’s Ministry of State Security. These actors have quietly gained access to telecoms, government networks, transportation, lodging, and military systems, not just in the US, but across more than 80 countries, including the UK, Canada, Germany, Japan, and others.

Salt Typhoon was linked to the AT&T hack in late 2024, in which it was disclosed that Chinese state actors could geolocate and record the calls and texts of tens of millions of people in the US.

This latest report suggests that Salt Typhoon now affects so many systems that officials suspect it may have stolen information from nearly every American.

The Cybersecurity Advisory (CSA) — made up of multiple security agencies, including the NSA, CISA, FBI, and international partners — has confirmed that Salt Typhoon is not a one-off event. Instead, it’s an enduring, coordinated espionage campaign targeting critical infrastructure globally, feeding what the advisory describes as a “global espionage system.”

What is Salt Typhoon?

Salt Typhoon is a hacking campaign that began in 2021 and has been linked to entities with ties to the Chinese intelligence services. It attacks internet infrastructure: the backbone routers, edge devices, and VPNs that telecoms depend on. It takes advantage of known bugs in common equipment from Cisco, Ivanti, and Palo Alto that have gone unpatched.

Once inside, Salt Typhoon targets tools that already exist within the hardware, essentially turning ordinary network management operations into tools of covert surveillance.

By hiding within core infrastructure, Salt Typhoon has been able to quietly copy credentials, records, and metadata for months without drawing any attention. The CSA noted that Salt Typhoon stayed hidden for over 18 months, maintaining control of the system while collecting data in hard-to-detect batches.

What you can do to stay safe

Much of the damage from Salt Typhoon has already been done, but there are steps you can take to reduce your risk and protect your communications. These apply whether you’re an individual, a business, or a larger enterprise:

End-to-end encryption is essential to security

Salt Typhoon proves that any network vulnerability is just an open door waiting to be found.

End-to-end encryption ensures that even if a network is compromised, the attacker might be able to collect some metadata, but they cannot access a file or message’s content. Without E2EE, an attacker who infiltrates telecommunications infrastructure, like Salt Typhoon, can monitor conversations and texts in real time.

The Cybersecurity and Infrastructure Security Agency (CISA) has even urged highly targeted individuals — senior officials, journalists, political leaders — to use end-to-end encrypted tools like Signal to protect themselves. The same logic applies to everyone.

Everyday people face constant threats, too, including identity theft, financial fraud, corporate surveillance, and garden-variety hackers looking to exploit weak links. If the most powerful people in government need end-to-end encryption, so do the rest of us.

And this is why ongoing efforts to undermine encryption — from the UK’s Investigatory Powers Act to Australia’s Assistance and Access Act to proposed laws in the EU — are so dangerously misguided. Salt Typhoon shows us exactly what happens when backdoors exist: adversaries find them. Encryption either protects everyone, or it protects no one.

Encryption must hold

Security will always be difficult in a world built on surveillance. Like the recent Salesloft Drift breach, this attack shows how fragile our infrastructure is when companies collect too much information and fail to adequately secure it. But systems that are private by design are also more secure by design, and that’s the model we need to move toward.

Proton was founded on the principle that privacy is a fundamental human right. That’s why we offer services — email, VPN, calendar, file storage — all secured with end-to-end encryption. And that’s why we’ll continue to fight every attempt to weaken it.