In the ever-shifting arena of cyber threats, state-sponsored groups like China's Salt Typhoon are not just executing bold intrusions—they're setting trends that ripple across the hacker community. According to AT&T's chief information security officer, Rich Baich, the techniques the group used to breach major telecom networks are inspiring other cybercriminals to adopt similar "unconventional" methods. Speaking at the Google Cloud Cyber Defense Summit on September 23, 2025, Baich detailed how Salt Typhoon's playbook is reshaping attack strategies and forcing defenders to rethink their approaches. This comes amid ongoing revelations about Salt Typhoon's global espionage campaign, which has targeted telecom providers in over 80 countries, including the U.S., UK, and Australia. Understanding these tactics is crucial for bolstering defenses against an increasingly creative threat landscape.
Who is Salt Typhoon? A Quick Primer
Salt Typhoon is a Chinese advanced persistent threat (APT) group linked to state-sponsored espionage that has made headlines for its sweeping hacks into telecommunications infrastructure. Since at least 2024, the group has exploited vulnerabilities in carrier networks to steal vast amounts of data, potentially affecting millions of users worldwide. Its operations have hit firms like AT&T, Verizon, and international counterparts, enabling surveillance of calls, texts, and internet traffic. The FBI has confirmed the group's reach extends to over 80 nations, underscoring its role in China's broader intelligence-gathering efforts. Despite evictions from some networks, including AT&T's, the group's persistence highlights the difficulty of countering state-backed actors.
The Unconventional Techniques Fueling Imitation
Baich outlined three core strategies that set Salt Typhoon apart and are now being emulated by other hackers:
- Targeting Platforms Without EDR: Instead of attacking heavily fortified systems, Salt Typhoon focuses on platforms that lack endpoint detection and response (EDR) tooling, many of which cannot host an agent at all. As Baich explained, “Salt Typhoon’s approach was a little bit different. They said, ‘Well, what about all the other platforms that traditionally don’t have an EDR?’ And those platforms then can be utilized in many fashions, carrying out different types of actions.” Those overlooked platforms give the group a foothold where defenders have little visibility, enabling stealthy persistence.
- Exploiting Log-Free Zones: Hackers are gravitating toward network segments without logging, minimizing their digital footprint. Baich noted, “They’re going to the areas of least resistance and not spending time trying to combat traditional security controls.” By avoiding logged activities, attackers evade forensics and prolong undetected access.
- Living Off the Land (LotL): Salt Typhoon leverages legitimate administrative tools already present in the environment for malicious purposes. Baich emphasized, “Third thing that they are doing is using the actual administrative tools that we use to perform those functions, so [a lesson for potential victims is] making sure that those are locked down and you understand all the administrative tools that you have in your environment.” This technique blends malicious actions with normal operations, making detection arduous.
These methods, combined with efforts to erase tracks, represent a departure from brute-force attacks, inspiring non-state actors to refine their own operations for greater efficiency.
Expert Perspectives: Evolution Through Adversity
Former NSA cybersecurity director Rob Joyce, also speaking at the summit, attributed this evolution to defensive advancements. He observed that strong protections in common technologies have "evolved the attackers," pushing them toward novel exploits: “At the same time, we’ve evolved the attackers through that activity. I think by calling out some of the bad behavior, by highlighting the things that have worked or not worked, we’ve pushed people into new exploit methodology.” This cat-and-mouse dynamic means that as defenses improve, threats become more inventive— a cycle that's accelerating with groups like Salt Typhoon leading the charge.
Baich urged a proactive mindset: “We have to think outside the box. It’s not just about just having the technology; it’s understanding how to use the technology and understanding how your technology can be used against us.” This call to action resonates amid reports of Salt Typhoon's infrastructure, including over 45 unreported domains used for command-and-control.
Implications and Defensive Strategies
The inspiration drawn from Salt Typhoon could lead to a surge in sophisticated, low-detection attacks across sectors beyond telecoms. For organizations, this means traditional tools alone won't suffice: visibility has to reach the platforms, network segments, and administrative tools that attackers now prefer.
To counter these trends:
- Expand EDR Coverage: Extend protections to all platforms, including non-traditional ones like IoT or legacy systems. Where a platform cannot run an EDR agent, compensate with network-level telemetry and configuration-change monitoring so it does not become a blind spot.
- Enhance Logging: Implement comprehensive logging across the network, forward it to a central store that the logging device itself cannot alter, and alert when an inventoried device stops reporting, since silence is itself a signal. Anomaly detection over the centralized logs can then flag unusual administrative activity.
- Secure Administrative Tools: Inventory the built-in tools present in the environment and restrict who can invoke them; apply least-privilege principles and monitor for misuse, especially commands that disable logging or add privileged accounts.
- Foster Threat Intelligence Sharing: Collaborate via forums like CISA or industry groups to stay ahead of evolving tactics.
- Train for Innovation: Encourage security teams to simulate unconventional attacks in red-team exercises.
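As an added example (not code from the page, from AT&T, or from the summit), the following Python script applies the logging and administrative-tool lessons above to network-device logs. It parses syslog-style lines written in the style of Cisco IOS configuration-change logging, flags any inventoried device that emitted nothing (a logging gap of the kind the article describes), and flags configuration commands issued by accounts outside an allowed administrator list or that disable logging or accounting or create a privilege-15 user. The inventory, account list, hostnames, and log lines are all constructed for illustration and do not come from any real network.

```python
"""Triage constructed network-device logs for coverage gaps and admin-tool misuse.

All inventory entries, account names, and log lines below are constructed
sample data for this example; they are not taken from any real environment.
"""
import re

# Constructed asset inventory: every device expected to emit command accounting.
INVENTORY = {"edge-rtr-01", "edge-rtr-02", "core-sw-01", "oob-mgmt-01"}

# Constructed list of accounts permitted to change device configuration.
ALLOWED_ADMINS = {"netadmin", "neteng2"}

# Constructed syslog lines in the style of Cisco IOS configuration-change logging.
# Note that oob-mgmt-01 never appears: that is the coverage gap we want to surface.
SAMPLE_LOGS = [
    "2025-09-23T10:00:01Z edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin logged command:interface GigabitEthernet0/1",
    "2025-09-23T10:00:05Z edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netadmin logged command:description uplink-to-core",
    "2025-09-23T10:05:40Z edge-rtr-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:no logging host 10.0.0.50",
    "2025-09-23T10:05:42Z edge-rtr-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:username support privilege 15 secret *****",
    "2025-09-23T10:05:50Z edge-rtr-02 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup logged command:no aaa accounting commands 15 default",
    "2025-09-23T10:30:00Z core-sw-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:neteng2 logged command:ip access-list extended MGMT-ACL",
    "2025-09-23T10:31:00Z core-sw-01 %SYS-5-CONFIG_I: Configured from console by neteng2 on vty1 (10.0.0.5)",
]

# "<timestamp> <host> %<MNEMONIC>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+%(?P<mnemonic>[A-Z0-9_-]+):\s+(?P<msg>.*)$")
# Only configuration-change messages carry a user and a command.
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$")

# Commands that are legitimate administrative tooling but shrink the evidence
# trail or add a full administrator, so they always warrant review.
HIGH_RISK_CMDS = [
    ("disables_logging", re.compile(r"^no\s+(logging|aaa\s+accounting|archive)\b")),
    ("creates_privileged_user", re.compile(r"^username\s+\S+\s+.*privilege\s+15\b")),
]


def parse_line(line):
    """Return a dict with ts/host/mnemonic/msg (+ user/cmd when present), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["user"] = ev["cmd"] = None
    c = CMD_RE.match(ev["msg"])
    if c:
        ev["user"] = c.group("user")
        ev["cmd"] = c.group("cmd").strip()
    return ev


def find_silent_devices(events, inventory):
    """Inventoried devices that produced no log lines at all: logging gaps."""
    seen = {e["host"] for e in events}
    return sorted(inventory - seen)


def find_suspicious_commands(events, allowed_admins):
    """Config commands from non-admin accounts or matching a high-risk pattern."""
    findings = []
    for e in events:
        if e["cmd"] is None:
            continue
        reasons = []
        if e["user"] not in allowed_admins:
            reasons.append("config_change_by_non_admin_account")
        for name, pattern in HIGH_RISK_CMDS:
            if pattern.match(e["cmd"]):
                reasons.append(name)
        if reasons:
            findings.append({"host": e["host"], "user": e["user"], "cmd": e["cmd"], "reasons": reasons})
    return findings


def triage(lines, inventory=INVENTORY, allowed_admins=ALLOWED_ADMINS):
    """Run both checks over raw log lines and return a report dict."""
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return {
        "silent_devices": find_silent_devices(events, inventory),
        "suspicious": find_suspicious_commands(events, allowed_admins),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS)
    for host in report["silent_devices"]:
        print(f"GAP  {host}: inventoried device sent no logs")
    for f in report["suspicious"]:
        print(f"WARN {f['host']} user={f['user']} cmd={f['cmd']!r} reasons={','.join(f['reasons'])}")
```

The two checks are deliberately separate: the silence check needs only an asset inventory and catches the log-free zone before anything is exploited there, while the command check assumes logging is already reaching a collector the device cannot edit. In production the allowed-admin set would come from the AAA server and the pattern list would be tuned per platform, but the structure stays the same.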
As Salt Typhoon's influence spreads, the cybersecurity community must adapt swiftly. By learning from these intrusions, we can turn inspiration for attackers into innovation for defenders.