Salt Typhoon Hits 200 Companies: NC SMB Edge Defense 2026

China's Salt Typhoon breached 200+ telecoms and infrastructure firms via edge routers. FBI says threat is ongoing. NC SMB defense plan. Call (336) 886-3282.


TL;DR: Per the August 2025 joint CISA/NSA/FBI advisory AA25-239A and March 2026 reporting from TechCrunch, China's "Salt Typhoon" advanced persistent threat (linked to the PRC Ministry of State Security) has compromised at least 200 companies globally, including major telecoms, government networks, transportation, lodging, military infrastructure, and confirmed small internet providers in Europe. The FBI's Cyber Talks confirmed in 2026 that "the threat posed by Salt Typhoon actors is still very, very much ongoing". The tradecraft is the part that matters for NC SMBs: persistence on edge routers, customer-edge (CE) and provider-edge (PE) devices, and unpatched perimeter appliances that smaller businesses often run for 5-10 years without firmware updates.

Key takeaway: Salt Typhoon does not need to target your business directly to harm it. The group's confirmed playbook is to compromise edge devices, sit quietly for months, and use them as pivot points into adjacent networks. Any NC SMB running an unpatched router, firewall, or VPN appliance at the perimeter is a potential pivot - not a target, but a stepping stone.

Need an edge device hardening sprint? Preferred Data Corporation runs perimeter audits and managed firewall services for NC small businesses. Call (336) 886-3282 or request an edge defense review.

Who is Salt Typhoon and what have they done in 2026?

Salt Typhoon is an advanced persistent threat group attributed by CISA, NSA, and FBI to the Chinese Ministry of State Security (MSS). Per reporting from SecurityWeek, TechCrunch, and the Congressional Research Service brief:

  • At least 200 organizations globally confirmed compromised, per FBI officials.
  • Target sectors: Telecommunications backbone, internet providers, government networks, transportation, lodging, military, and increasingly small commercial ISPs in the Netherlands, Italy, and Poland.
  • Persistence strategy: Modify routers and edge appliances to maintain long-term access, then pivot into adjacent customer and partner networks via trusted connections.
  • Status: FBI confirmed in 2026 that the threat is "still very much ongoing" and has not been remediated globally.

The group's Wikipedia entry and the companion analysis of Volt Typhoon place this campaign among the most consequential nation-state cyber operations of the decade.

Why does a campaign against telecoms matter for an NC SMB?

Because Salt Typhoon's tradecraft does not stop at the original target. Per the CISA advisory AA25-239A, the group "leverage[s] compromised devices and trusted connections to pivot into other networks." Three implications for NC small businesses:

  1. Your ISP's edge equipment may be compromised even if you are not the target. A compromised provider-edge router can capture, redirect, or inspect traffic for every downstream customer.
  2. Your own edge devices are a known target class. Per SC Media's analysis, Typhoon-class groups specifically prefer end-of-life and lightly patched edge devices (Cisco, Fortinet, Palo Alto, Sophos, SonicWall, Ivanti, Citrix) because the firmware patch cadence is slower than the operating system patch cadence on the same network.
  3. A supplier or customer on your VPN may already be a pivot point. Trusted connections (site-to-site VPN, IPsec tunnels, partner VPN concentrators, hosted service provider links) are how Salt Typhoon expands laterally after the initial edge compromise.

For an NC manufacturer with site-to-site VPN to a logistics provider, a professional services firm with a customer extranet, or a distributor with a partner integration over IPsec, the threat model now includes "what happens if a peer of mine is compromised."

What does the Salt Typhoon attack chain look like on a small business edge?

Three stages, each of which is observable if the right controls are in place but invisible otherwise.

| Stage | Activity | NC SMB Detection Surface |
| --- | --- | --- |
| Initial access | Exploit unpatched CVE on edge router, firewall, or VPN appliance | Firmware version drift, missed CVE patch SLA |
| Persistence | Install rogue firmware, add hidden admin account, modify route tables | Configuration drift, unexpected admin accounts on appliances |
| Pivot | Use trusted VPN tunnel or PE router to reach downstream networks | Unexpected east-west traffic, atypical outbound to hosted ASNs |

Per the CISA advisory and Help Net Security's coverage of the 2026 DBIR, vulnerability exploitation has overtaken stolen credentials as the top breach entry point in 2026 (31% of breaches), and edge devices are the most common exploited asset class.

Is my NC SMB exposed to Salt Typhoon-class tradecraft?

Use this six-question screen. If any answer is "yes" or "I am not sure," the perimeter is exposed.

| Screen question | Why it matters |
| --- | --- |
| Is your edge firewall or router running firmware older than 12 months? | Typhoon-class groups specifically target slow-patched edge devices |
| Do you have any end-of-life network appliances still in production? | EOL means no security updates, period |
| Is your IPsec or SSL VPN appliance from a vendor with KEV-listed CVEs in 2025-2026? | Cisco ASA, Fortinet, Ivanti, SonicWall, Sophos all have recent KEV entries |
| Do you have site-to-site VPN to vendors, customers, or partners? | Trusted connections are the documented pivot path |
| Do you log inbound and outbound firewall traffic centrally? | Without logs, persistence is invisible |
| Do you have an inventory of every admin account on every edge appliance? | Hidden admin accounts are the Typhoon group's signature |

A fast self-check: open the management UI of every edge appliance, compare the firmware version to the vendor's current stable release, and review the admin account list against your documented inventory. If the firmware is more than two minor versions behind or any admin account is unrecognized, escalate immediately.
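A scripted version of this self-check, added here as an example and not part of the original article or PDC's tooling. It assumes the inventory is kept as a list of appliances with the running firmware, the vendor's current stable release and the admin accounts present; device names and versions are constructed, and the minor-version comparison assumes a dotted major.minor.patch scheme.

```python
"""Edge appliance drift screen: firmware lag and unrecognized admin accounts."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Appliance:
    name: str
    running_fw: str               # version read from the management UI
    vendor_stable: str            # vendor's current stable release
    admin_accounts: List[str]     # accounts actually present on the device
    documented_admins: List[str]  # accounts in the SMB's written inventory

def parse_version(v: str) -> Tuple[int, ...]:
    """'7.2.10' -> (7, 2, 10); a trailing build tag such as '-b1' is ignored,
    and short versions like '7.2' are padded with zeros."""
    parts = [int(p) for p in v.split("-")[0].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def minor_versions_behind(running: str, stable: str) -> int:
    """Minor releases between running and stable within one major train.
    A different major train is reported as 99 so it is always escalated."""
    r, s = parse_version(running), parse_version(stable)
    if r[0] != s[0]:
        return 99
    return max(0, s[1] - r[1])

def screen(a: Appliance) -> List[str]:
    """Escalation findings per the self-check: more than two minor versions
    behind, or any admin account missing from the documented inventory."""
    findings = []
    lag = minor_versions_behind(a.running_fw, a.vendor_stable)
    if lag > 2:
        findings.append(f"{a.name}: firmware {a.running_fw} is {lag} minor "
                        f"versions behind vendor stable {a.vendor_stable}")
    for acct in sorted(set(a.admin_accounts) - set(a.documented_admins)):
        findings.append(f"{a.name}: unrecognized admin account '{acct}'")
    return findings

# Constructed sample inventory: hypothetical device names and versions.
SAMPLE = [
    Appliance("hq-fw-1", "7.0.3", "7.4.2", ["admin", "netops", "svc_backup"], ["admin", "netops"]),
    Appliance("branch-vpn", "7.4.1", "7.4.2", ["admin"], ["admin"]),
]

def run_screen(appliances=SAMPLE) -> List[str]:
    return [f for a in appliances for f in screen(a)]

if __name__ == "__main__":
    for line in run_screen():
        print("ESCALATE:", line)
```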

What is the right edge defense playbook for an NC SMB?

Five controls. Each is achievable inside 30 days for the typical NC SMB perimeter.

  1. Edge firmware patch SLA. Establish a documented 30-day patch SLA for firewalls, routers, VPN concentrators, and wireless controllers. Confirm CISA Known Exploited Vulnerabilities (KEV) entries are patched within 14 days. Subscribe to vendor PSIRT bulletins.
  2. Decommission end-of-life appliances. Any device past the vendor's last support date is a permanent exposure. Replace with current-generation hardware on a 6-12 month schedule.
  3. Privileged access management on appliances. Centralize admin credentials in a PAM solution. Rotate device passwords quarterly. Enable MFA on management interfaces. Restrict management plane access to a dedicated administrative VLAN.
  4. Centralized logging and network detection. Forward firewall, router, and VPN logs to a SIEM or MDR platform. Alert on configuration changes, new admin accounts, firmware modifications, and anomalous outbound traffic to hosted ASNs.
  5. Segmentation and trust review. Audit every site-to-site VPN and partner extranet. Apply least-privilege firewall rules between you and every peer. Treat any peer as potentially compromised - that is the lesson of Salt Typhoon.

Quotable definition: An edge device is any network appliance (router, firewall, VPN concentrator, wireless controller, gateway) that sits at the boundary between an internal network and an external network. Edge devices are high-value targets because compromise yields persistent positioning that is invisible to endpoint-focused security tools.

Why is the standard SMB antivirus + firewall stack blind to this?

Because the standard SMB stack monitors workstations and servers, not the appliances themselves. Three architectural blind spots:

  • Endpoint Detection and Response (EDR) does not run on a firewall. EDR runs on Windows and Mac endpoints; the firewall is opaque to it.
  • Generic firewall logs go to local storage and rotate out. Without centralized SIEM or MDR, evidence of compromise is overwritten in days.
  • Most SMBs do not have a firmware patch SLA. Per Verizon DBIR 2026, the median patch delay on edge devices is 60+ days, well inside the Typhoon-class attacker's persistence window.

What does cyber insurance say about edge device compromise?

In the 2026 SMB cyber insurance market, most carriers' questionnaires now ask about edge appliance patch SLA, end-of-life device inventory, and MFA on management interfaces. A documented, unpatched KEV-listed CVE on a perimeter device after a known-exploitation alert is increasingly a path to:

  • Reduced payout on the breach claim.
  • Exclusion of nation-state losses (most policies now have a "war exclusion" or "hostile nation-state exclusion" that carriers are testing against Typhoon-class incidents).
  • Non-renewal or substantial premium increase at the next cycle.

Need a perimeter audit and managed firewall service? Call (336) 886-3282 or request an edge defense review.

How does Preferred Data Corporation help?

PDC supports NC small businesses with the three layers that close the edge gap:

  • Network services with managed firewall and managed router service, documented firmware patch SLA, centralized logging to PDC's SIEM, and quarterly perimeter audit.
  • Managed cybersecurity with 24/7 SOC monitoring of edge appliance logs, identity threat detection on management interfaces, and incident response retainer for nation-state-class events.
  • Managed IT services with asset inventory, end-of-life appliance replacement planning, PAM rollout for admin credentials, and segmentation reviews on every site-to-site VPN.

PDC has served NC small businesses, manufacturers, and distributors for over 37 years with on-site coverage within 200 miles of High Point. The combination of local presence, manufacturing and OT depth, and national-grade network engineering is what closes the gap between a Salt Typhoon-class threat model and an NC SMB perimeter that was last hardened in 2019.

Frequently Asked Questions

Is Salt Typhoon still active in 2026?

Yes. Per FBI testimony at Cyber Talks 2026, the threat is "still very, very much ongoing," and the group has not been fully evicted from compromised networks globally. The campaign has been active for multiple years and continues to expand.

Does Salt Typhoon target small businesses directly?

Not usually. The group's confirmed targets are telecoms, government networks, transportation, lodging, military infrastructure, and increasingly small ISPs. However, the tradecraft is to pivot from any compromised edge into adjacent networks via trusted connections, which makes SMBs that connect to compromised peers a downstream exposure.

What CVEs has Salt Typhoon exploited?

Per the CISA advisory AA25-239A, the group has exploited multiple CVEs in Cisco IOS XE, Cisco ASA, Ivanti Connect Secure, Fortinet FortiOS, and other edge appliances. The CISA Known Exploited Vulnerabilities catalog is the canonical list, and edge appliance CVEs in 2025-2026 are the priority patch class.

What is the difference between Salt Typhoon and Volt Typhoon?

Per CISA's analysis and the Abhishek Gautam comparative brief, Salt Typhoon focuses on espionage and intelligence collection from telecoms and infrastructure. Volt Typhoon focuses on pre-positioning for disruption against US critical infrastructure (water, power, gas). Both are attributed to PRC state actors but with different operational objectives.

How do I know if my edge device has been compromised?

Engage an MDR or incident response partner for an appliance forensic review. Indicators include unexpected admin accounts, firmware checksum mismatches, unusual configuration changes, anomalous outbound traffic to hosted ASNs (DigitalOcean, OVH, Hetzner, Vultr, Linode), and inbound connections from cloud provider IPs to management interfaces.
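Detection logic for control 4 of the playbook above (alerting on configuration changes, new admin accounts, firmware modifications and anomalous outbound traffic) and for the indicators listed in this answer, added here as an example and not part of the original article or PDC's SOC tooling. It assumes a simple key=value log format; the watch lists are constructed, with RFC 5737 test ranges standing in for real hosted-provider prefixes, which would come from the providers' published ranges or ASN data.

```python
"""Edge appliance log triage for the indicators named in the text."""
import ipaddress
import re
from typing import Dict, List

# Constructed watch lists: TEST-NET blocks stand in for real hosted-provider prefixes.
HOSTED_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
ADMIN_VLAN = ipaddress.ip_network("10.0.99.0/24")  # assumed dedicated management VLAN
APPLIANCE_IPS = {"203.0.113.1", "10.0.0.1"}         # assumed appliance interface addresses
MGMT_PORTS = {22, 443, 8443}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line: str) -> Dict[str, str]:
    """Parse 'ts host key=value ...' into a dict; quoted values lose their quotes."""
    ts, host, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields.update(ts=ts, host=host)
    return fields

def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def triage(line: str) -> List[str]:
    """Return one alert string per matched rule for a single log line."""
    e, alerts = parse(line), []
    if e.get("event") == "conn":
        to_appliance = e["dst"] in APPLIANCE_IPS and int(e.get("dport", 0)) in MGMT_PORTS
        # Rule 1: the appliance itself talking out to a hosted-provider prefix
        if e["dir"] == "out" and e["src"] in APPLIANCE_IPS and in_any(e["dst"], HOSTED_PREFIXES):
            alerts.append("appliance-originated outbound to hosted-provider prefix")
        # Rule 2: management plane reached from outside the admin VLAN
        if e["dir"] == "in" and to_appliance and not in_any(e["src"], [ADMIN_VLAN]):
            alerts.append("management-plane access from outside the admin VLAN")
    # Rule 3: any change to configuration, accounts or firmware is always reviewed
    elif e.get("event") in {"config_change", "user_add", "firmware_update"}:
        alerts.append(f"{e['event']} by {e.get('user', 'unknown')}")
    return [f"{e['ts']} {e['host']}: {a}" for a in alerts]

# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    "2026-03-12T02:14:07Z hq-fw-1 event=conn dir=out src=10.0.50.23 dst=192.0.2.44 dport=443",
    "2026-03-12T02:15:11Z hq-fw-1 event=conn dir=in src=198.51.100.5 dst=10.0.0.1 dport=443",
    '2026-03-12T02:16:30Z hq-fw-1 event=user_add user=svc_backup change="role=admin"',
    "2026-03-12T02:17:02Z hq-fw-1 event=conn dir=out src=10.0.0.1 dst=192.0.2.44 dport=443",
    "2026-03-12T02:18:40Z hq-fw-1 event=conn dir=in src=10.0.99.7 dst=10.0.0.1 dport=443",
]
def run(lines=SAMPLE_LOG) -> List[str]:
    return [a for ln in lines for a in triage(ln)]
```

Workstation traffic to a hosted prefix (the first sample line) is deliberately not flagged; the rule is about the appliance as the source, which is the persistence-and-pivot pattern the article describes.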
