FBI offers $10 million for information about Salt Typhoon members
HAVE YOU SEEN US?
FBI accepts tips by TOR in likely attempt to woo China-based informants.
Dan Goodin, Apr 25, 2025 4:38 pm
Credit: Aurich Lawson
The FBI is offering $10 million for information about the China-state hacking group tracked as Salt Typhoon and its intrusion last year into sensitive networks belonging to multiple US telecommunications companies.
Salt Typhoon is one of a half-dozen or more hacking groups that work on behalf of the People’s Republic of China. Intelligence agencies and private security companies have concluded the group has been behind a string of espionage attacks designed to collect vital information, in part for use in any military conflicts that may arise in the future.
A broad and significant cyber campaign
The agency on Thursday published a statement offering up to $10 million, relocation assistance, and other compensation for information about Salt Typhoon. The announcement specifically sought information about the members of Salt Typhoon and the group's compromise of multiple US telecommunications companies last year.
“Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale,” FBI officials wrote. “This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests.”
Salt Typhoon is one of several names the government and private researchers use to track the group, which they say has been active since at least 2019. Other tracking names include RedMike, Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286. Over the years, Salt Typhoon has been behind multiple compromises of telecommunications companies around the world, including many in the US. About a year ago, the group stepped up those activities.
One of the most damaging attacks attributed to Salt Typhoon was detailed last October by The Wall Street Journal. The news outlet, citing people familiar with the matter, reported that group members breached networks belonging to Verizon, AT&T, and Lumen/CenturyLink in a campaign of “vast collection of Internet traffic from ISPs that served businesses and millions of their American customers.”
As part of those incursions, The Washington Post said, Salt Typhoon may have gained access to systems used for court-authorized wiretaps of communications networks. The sources had no positive proof, but said evidence suggested US wiretapping systems had been penetrated. The FBI's reward announcement seems to confirm the access.
In December, officials in the Biden administration told reporters Salt Typhoon had breached telecom companies in dozens of countries, including eight US telecom providers, doubling the previously known number. The attacks, the officials said, had likely been underway for one to two years. The officials said they didn’t know if the hackers had been fully evicted from the breached networks.
Researchers at Recorded Future’s Insikt Group said in February that Salt Typhoon’s campaigns had continued through the new year, with a string of attacks targeting Internet-facing Cisco network devices used by telecom operators. The two primary vulnerabilities exploited in that campaign were CVE-2023-20198 and CVE-2023-20273, both of which had received patches more than a year before Salt Typhoon exploited them.
The FBI has created a site on the dark web (he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion) and established a Signal number (+1-202-702-7843) that can receive tips, a likely attempt to make things easier for people in the heavily Internet-censored PRC to submit them. Tipsters can also contact the agency here.
Dan Goodin
Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.