The Rapid7 Threat Focus: Salt Typhoon report profiles one of the most sophisticated and persistent state-sponsored threat actors operating today. Salt Typhoon, a Chinese espionage advanced persistent threat (APT) group linked to the Ministry of State Security (MSS), has spent years infiltrating global telecommunications and government networks, including U.S. infrastructure.
For federal, state, and local agencies, the Salt Typhoon campaign underscores an uncomfortable truth: Persistent nation-state threats are no longer limited to federal intelligence targets. They are probing every layer of U.S. governance – from military networks to state communications systems and the vendors that support them.
Why Salt Typhoon matters to the public sector
Salt Typhoon isn’t just another advanced persistent threat. It represents a deliberate, long-term effort to establish access across networks that form the backbone of U.S. government operations. According to the report, the group has compromised at least eight major U.S. telecom carriers and a state Army National Guard network. Beyond espionage, this type of activity suggests pre-positioning for disruption.
This “sleeper agent” approach means the adversary is already inside and quietly gathering intelligence, mapping networks, and waiting for the right moment to act. The lesson for the public sector is clear: Protecting sensitive data and systems can’t stop at the perimeter. Defenders must assume compromise and proactively design systems for containment, resilience, and recovery.
Key takeaways from the threat report
The Salt Typhoon threat report highlights several themes with direct implications for public sector security teams:
- Espionage with operational intent: While data theft is the primary goal, the group’s sustained presence in military and telecom environments points to potential for sabotage in a crisis scenario. 
- Supply chain and partner risk: Many intrusions began not with direct government access but through compromised service providers, contractors, and telecom vendors. 
- Deep persistence and stealth: The actor’s toolkit – including the Demodex rootkit and backdoors such as SparrowDoor and GhostSpider – allows it to maintain hidden access for years. 
- Global reach, local impact: Though Salt Typhoon targets critical infrastructure worldwide, the U.S. remains its primary focus. Federal, state, and local entities must consider themselves part of that target set. 
Top 5 defensive priorities for agencies
Adopt a zero trust mindset
Assume compromise. Every connection, device, and user must be continuously verified. Critical systems such as emergency communications, intelligence databases, or public safety platforms should be isolated so that no single intrusion can grant broad access. Network segmentation and strict identity controls are essential, even for internal traffic.
Tighten patch and vulnerability management
Salt Typhoon frequently exploits known vulnerabilities in VPNs, firewalls, and email servers. Agencies should prioritize high-impact systems for accelerated patching and adopt continuous vulnerability scanning. Rapid7 research found that even short delays in patch cycles can leave agencies exposed to exploitation windows measured in days, not weeks.
Strengthen identity and credential hygiene
Nearly every Salt Typhoon campaign leveraged stolen credentials. Federal and state agencies should enforce multi-factor authentication (MFA) universally (preferring phishing-resistant methods such as PIV/CAC or FIDO2 where possible, since one-time codes and push prompts can be phished or fatigued), deploy privileged access management (PAM) tools, and routinely audit accounts for privilege creep. Temporary credentials, monitored admin sessions, and “no standing privileges” policies help prevent escalation.
Enhance detection with extended visibility
The group’s hallmark is stealth. Agencies should deploy endpoint detection and response (EDR) or extended detection and response (XDR) solutions that can flag subtle behaviors such as lateral movement through built-in or dual-use tools like PsExec and WMIC, which blend in with legitimate administration and leave only faint traces (a PSEXESVC service installation, a shell spawned by the WMI provider host). Continuous monitoring of outbound traffic – particularly encrypted HTTPS and DNS channels – is vital to spotting command-and-control (C2) communications, where regularly timed connections to one destination are often the only visible signal.
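To make the detection logic concrete, the following Python is an added example written for this article, not code from Rapid7 or the report. It runs two checks over normalized Windows telemetry: flagging PsExec and WMIC lateral-movement patterns in process-creation and service-installation records, and flagging beacon-like outbound connections whose inter-connection gaps are suspiciously regular. All event records, hostnames, IP addresses and the field names (a simplified form of Sysmon Event ID 1/3 and System 7045 data) are constructed assumptions for the example.

```python
"""Added example: PsExec/WMIC lateral-movement and C2-beacon detection over
constructed Windows telemetry. Not Rapid7 code; all data below is made up."""
import re
import statistics
from collections import defaultdict

# Constructed, normalized records. "process" ~ Sysmon EID 1 / Security 4688,
# "service" ~ System EID 7045. Timestamps are seconds for readability.
EVENTS = [
    {"ts": 0, "host": "ws-001", "type": "process", "image": r"C:\Tools\PsExec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\fs-007 -u CORP\svc_backup -p ***** cmd.exe"},
    {"ts": 2, "host": "fs-007", "type": "service", "name": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": 3, "host": "fs-007", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\PSEXESVC.exe", "cmdline": "cmd.exe"},
    {"ts": 10, "host": "ws-001", "type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:"dc-01" process call create "powershell -enc SQBFAFgA"'},
    {"ts": 11, "host": "dc-01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "powershell -enc SQBFAFgA"},
    # Benign local WMIC query (no /node:), must not fire.
    {"ts": 12, "host": "ws-002", "type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "wmic os get caption"},
]

# Constructed outbound connections (~ Sysmon EID 3): ws-001 beacons every ~300 s,
# ws-002 makes irregular, user-driven connections.
CONNECTIONS = (
    [{"ts": t, "host": "ws-001", "dst": "203.0.113.10", "dport": 443}
     for t in (0, 300, 601, 899, 1200, 1502, 1800)]
    + [{"ts": t, "host": "ws-002", "dst": "198.51.100.5", "dport": 443}
       for t in (0, 15, 130, 131, 700, 702, 2000)]
)

# WMIC remote execution: "/node:<target> ... process call create ..."
WMIC_REMOTE = re.compile(r"/node:\S+.*\bprocess\b.*\bcall\b.*\bcreate\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_lateral_movement(events):
    """Return (host, rule) pairs for PsExec/WMIC lateral-movement indicators."""
    findings = []
    for e in events:
        if e["type"] == "service":
            # PsExec installs a service named PSEXESVC on the target.
            if e["name"].upper() == "PSEXESVC" or basename(e["image"]) == "psexesvc.exe":
                findings.append((e["host"], "psexec_service_install"))
        elif e["type"] == "process":
            img, parent, cmd = basename(e["image"]), basename(e["parent"]), e["cmdline"]
            if img.startswith("psexec") and "\\\\" in cmd:        # source side: PsExec \\target
                findings.append((e["host"], "psexec_remote_exec"))
            if parent == "psexesvc.exe" and img in SHELLS:        # target side: service spawns shell
                findings.append((e["host"], "psexec_spawned_shell"))
            if img == "wmic.exe" and WMIC_REMOTE.search(cmd):     # source side: remote process create
                findings.append((e["host"], "wmic_remote_process_create"))
            if parent == "wmiprvse.exe" and img in SHELLS:        # target side: WMI host spawns shell
                findings.append((e["host"], "wmi_spawned_shell"))
    return findings


def find_beacons(conns, min_count=6, max_cv=0.1):
    """Flag (host, dst, dport) tuples whose connection gaps are nearly constant.
    cv = stdev/mean of the gaps; real user traffic is bursty (cv >> 0.1)."""
    by_dst = defaultdict(list)
    for c in conns:
        by_dst[(c["host"], c["dst"], c["dport"])].append(c["ts"])
    beacons = []
    for key, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons.append((key, round(mean, 1)))
    return beacons


if __name__ == "__main__":
    for host, rule in detect_lateral_movement(EVENTS):
        print(f"[lateral movement] {host}: {rule}")
    for (host, dst, port), period in find_beacons(CONNECTIONS):
        print(f"[beacon] {host} -> {dst}:{port} every ~{period}s")
```

The two rules pair the source-side artifact with the target-side artifact (PsExec.exe with a UNC target on the operator's host, PSEXESVC and its child shell on the victim; WMIC with `/node:` on one side, a shell under WmiPrvSE.exe on the other), which is what lets an analyst confirm movement between two specific hosts rather than a lone suspicious process. The beacon heuristic is deliberately simple; production logic would add jitter tolerance and exclude known update and telemetry endpoints.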
Build resilience through collaboration
No single organization can manage this threat alone. Information sharing between agencies and trusted partners remains critical. Early sharing of indicators and tactics can expose coordinated campaigns faster and improve sector-wide readiness.
What this means for the public sector
Salt Typhoon’s long-term infiltration strategy is a reminder that modern cyber defense is as much about proactive endurance as innovation. For every exploit patched and alert investigated, these adversaries persist. The cost of a breach, however, can be astronomical compared to the cost of a solution like Rapid7’s vulnerability management (VM) capabilities, which help quickly prioritize the vulnerabilities most critical for remediation.
This means federal workers can more effectively meet the demanding requirements of mandates like those in the new executive order. Both Rapid7's VM and cloud security capabilities provide the continuous monitoring required for maintaining a strong security posture.
Both federal and state defenders should emphasize proactive threat hunting and cross-sector coordination. Those working in the state, local, and educational (SLED) sector, as well as non-criminal justice agencies (NCJAs), are becoming more frequent targets, often because of gaps in compliance and security controls. Several factors contribute:
- Government agencies are considered an easy target by malicious actors. 
- Small local agencies may inadvertently provide malicious actors with a portal into sensitive data in Criminal Justice Information Services (CJIS) databases. 
- Law enforcement and public safety agencies – as well as their third-party vendors – are increasingly using unauthorized mobile devices to transmit and store CJIS data. 
Compounding all of the above, state and local governments are typically less secure and less well funded than their federal counterparts. A solution like Rapid7’s automated workflow capabilities can provide the AI-powered automation needed to streamline security operations and enforce compliance standards across hybrid cloud environments.
The message is simple yet urgent: Long before conflict begins, sophisticated espionage campaigns attempt to shape the digital battlefield to the advantage of threat actors. Whether you manage a state network, a fusion center, or a federal communications platform, the same principles apply: visibility, verification, and vigilance.
Stay ahead of adversaries who plan years ahead. Read the full Rapid7 Threat Focus: Salt Typhoon report to understand how your agency can safeguard and strengthen the defenses of critical systems that keep the United States running.