Beijing’s Salt Typhoon cyberspies had been seen in US government networks before telcos discovered the same foreign intruders in their own systems, according to CISA boss Jen Easterly.
Speaking at a Foundation for Defense of Democracies (FDD) event on Wednesday, the agency director said her threat hunters detected the Chinese government goons in federal networks before the far-reaching espionage campaign against people’s telecommunications providers had been found and attributed to Salt Typhoon.
“We saw it as a separate campaign, called it another goofy cyber name, and we were able to, based on the visibility that we had within the federal networks, connect some dots,” and tie the first set of snoops to the same crew that burrowed into AT&T, Verizon, and other telecoms firms’ infrastructure, Easterly noted.
By compromising those telcos – specifically, the systems that allow the Feds to lawfully monitor criminal suspects – Salt Typhoon had the capability to geolocate millions of subscribers, access people’s internet traffic, and record phone calls at will.
This visibility into federal government networks, combined with private-industry tips coming into CISA, led to the FBI and other law enforcement agencies obtaining court-approved access to Salt-Typhoon-leased virtual private servers.
“That then led to cracking open the larger Salt Typhoon piece,” Easterly said.
Still, she cautioned, “what we have found is likely just the tip of the iceberg” when it comes to Chinese intrusions into American critical infrastructure.
“China is the most persistent and serious cyber threat to the nation and to our national critical infrastructure,” Easterly warned, adding that Salt Typhoon isn’t her biggest worry when it comes to Middle Kingdom cyberthreats.
“What I’ve been more concerned about are the efforts to burrow deeply into our most sensitive critical infrastructure, whether that’s water or transportation or power or communications, for the purposes of launching disruptive or destructive attacks in the event of a major crisis in the Taiwan Strait,” Easterly said, referring to the earlier Volt Typhoon break-ins across American critical facilities.
The Feds first sounded the alarm on Volt Typhoon in early 2024, after the FBI disrupted the gang’s botnet, which had been built to break into US critical infrastructure.
The public later learned that the same PRC-backed crew had compromised at least one large US city’s emergency services network, been conducting reconnaissance on “multiple” American electric companies, and was still lurking inside power, water, and comms systems, preparing to “wreak havoc” on American infrastructure and “cause societal chaos” in the US.
Despite America’s best efforts to boot the Chinese from its networks, “we don’t know what the size of that iceberg is, because we do think that they are intent on disruption,” said Easterly, who is stepping down from her role as the White House changes over in administration.
These types of destructive attacks are expected to coincide with a potential invasion of Taiwan as Chinese President Xi Jinping has repeatedly stated his intent for “reunification” with the island nation.
“Whether that’s militarily or peacefully, we know that analysts believe that this will happen sometime before the end of the decade, if not sooner,” Easterly said on Wednesday.
“We also know that there are moves afoot by the PRC to be able to hold our critical infrastructure at risk” in an effort to dissuade America from aiding Taiwan, she added. “This is a world where a crisis in Asia is accompanied with massive disruptions here in the US, whether that’s telcos or pipelines or water systems or power grids, all to induce societal panic by their doctrine and to deter our ability to marshal military might and citizen will.” ®