2025-05-08

FBI Tracks Persistent Chinese Espionage Threats Across Telecom and Government Networks

Level: Strategic | Source: The Record | Global

Chinese state-sponsored threat activity remains a central focus for U.S. cyber authorities, with the FBI continuing efforts to mitigate the risk to critical infrastructure posed by espionage-focused groups. Speaking with Recorded Future News at RSA Conference 2025, Brett Leatherman, FBI deputy assistant director of cyber operations, provided updates on Salt Typhoon’s ongoing activity, reaffirming that "The number is still nine, minimum, victims. We continue to work with a lot more telcos and companies where there may be suspected breaches." Salt Typhoon, which infiltrated major U.S. telecom networks, is still considered active, with containment underway but full eradication yet to be confirmed. The FBI remains engaged with impacted companies and is supporting efforts to eliminate persistence mechanisms while leveraging legal authorities to deter future breaches. Containment operations are complex due to the broad footprint of telecom infrastructure, and progress remains dependent on third-party remediation efforts and ongoing cooperation with the victims.

Leatherman also confirmed that Volt Typhoon remains operational and continues targeting legacy and end-of-life devices to build proxy networks that can be leveraged for access and obfuscation. While the FBI does not currently assess Volt Typhoon as having reached a new phase of large-scale disruption, the group’s tactics remain a concern. The bureau, alongside federal partners, is actively publishing guidance to reduce the likelihood of critical mass in future campaigns. Silk Typhoon, previously linked to breaches at the Treasury Department, is not currently believed to be active, but the FBI has not ruled out future operations. Meanwhile, Leatherman declined to confirm any link between Silk Typhoon and a separate incident involving the Office of the Comptroller of the Currency, stating only that the investigation into Treasury-related intrusions is ongoing.

In addition to direct cyber operations, the FBI continues to target entities supporting Chinese offensive cyber capabilities. Leatherman pointed to I-Soon, a contractor tied to China’s hacking efforts, as one such target. The agency views actions such as public indictments and intelligence sharing as critical tools for both disruption and deterrence, aiming to limit financial and operational resources available to groups like I-Soon. Overall, the FBI’s focus remains split between immediate containment, long-term eradication of persistent access, and building defenses to deter future state-sponsored intrusions.
