FBI: Threats from Salt Typhoon are ‘still very much ongoing’
Salt Typhoon is still active. That’s the headline.
The same group that compromised parts of U.S. telecom wiretap infrastructure in 2024 is still operating. An FBI deputy assistant director for cyber intelligence confirmed that publicly and emphasized the need for stronger partnerships between government and telecom providers.
Did anyone think they stopped?
This was not a smash-and-grab campaign. This was a strategic compromise of sensitive infrastructure. You do not burn access like that and walk away after one press cycle.
The official messaging emphasized that cybersecurity leaders need to understand their own vulnerabilities and implement fundamentals like zero trust, least privilege, and secure-by-design principles. That’s fine; none of that is wrong. It’s also not new.
When you hear “implement zero trust” in 2026 after a telecom compromise of that magnitude, it lands differently. Most of the FBI guidance consists of things we’ve been talking about since 2009. Zero trust is not a novel idea. Least privilege is not an emerging concept. End-to-end encryption is not experimental. These are table stakes.
“Lock the Inside Doors” Is Not a Strategy
One of the analogies used was that we need to lock the inside doors, not just the front door. I get the metaphor: defense in depth, internal segmentation, lateral movement controls. But that analogy feels like something out of a 2009 security awareness slide deck.
We are talking about a campaign attributed to China’s intelligence apparatus targeting load-bearing infrastructure. Telecom systems, lawful intercept mechanisms and national-level targets. And the public takeaway is “do cybersecurity better.”
There are entire teams inside organizations whose job has historically been to sit in the room and raise their hand and say, “have we thought about the security implications?” That role existed because business units are incentivized to ship, monetize, and move fast. Security people were there to slow the train down when needed.
At this point, we shouldn’t need to remind leaders that security matters. Everyone knows it matters. The issue is execution at scale against a persistent, well-resourced adversary.
When the public-facing message is still centered on fundamentals, it highlights a gap. Either those fundamentals are still not being implemented in critical infrastructure environments, which is a serious governance problem, or the messaging is lagging the reality of the threat.
Neither option is comforting.
The Ongoing Threat Is Real. The Conversation Needs to Catch Up.
Salt Typhoon remaining active is not surprising. The Chinese intelligence apparatus does not treat cyber operations as a quarterly KPI. These are long-term campaigns aligned to strategic objectives. Telecommunications infrastructure is a high-value target. It provides insight, leverage, and potential disruption capability.
What I was hoping for was more detail about tradecraft evolution. More about how the campaign adapted and what specifically telecom providers and other critical infrastructure operators should be doing right now.
Best practices matter, but those are architectural baselines, not new defensive innovations tailored to a specific campaign.
If you are running critical infrastructure, you already know you need layered defenses and that your attack surface is expanding. The conversation needs to move beyond “remember to do security.”
It needs to address operational realities like detection gaps, supply chain dependencies and visibility into lawful intercept systems.
If the most visible takeaway after a telecom wiretap compromise is a reminder to lock internal doors, then we are still playing catch-up in how we talk about risk at the highest levels.