Aviatrix Blog

Surviving Typhoon Season in Cybersecurity: Protect Your Environment with Better Encryption

Learn best practices for building resilient cloud network security to defend against state-sponsored advanced persistent threat (APT) groups like Salt Typhoon.

The recent Salt Typhoon and Silk Typhoon cyber campaigns have raised significant alarms across the cybersecurity community. As Aviatrix Chief Product Officer Chris McHenry recently wrote in Forbes, these sophisticated operations, attributed to nation-state actors, have demonstrated advanced techniques to compromise enterprise networks and maintain persistent access.

The U.S. government has responded forcefully: the FBI recently placed a $10 million bounty on members of Salt Typhoon, treating it as one of the most consequential cyber campaigns ever conducted against U.S. critical infrastructure.

As organizations continue their migration to cloud environments, understanding best practices of cloud network security, such as zero trust architecture and robust encryption, is more crucial than ever.


Understanding the Threat Landscape

Salt Typhoon and Silk Typhoon represent the new generation of advanced persistent threats (APTs). These campaigns targeted critical infrastructure and high-value enterprises across multiple sectors, using a combination of methods to establish footholds in victim networks:

  • Supply chain vulnerabilities
  • Credential theft
  • Sophisticated lateral movement techniques


Salt Typhoon, in particular, was noted for gaining initial access through compromised edge infrastructure such as routers, VPN appliances, and firewalls in telecom environments—many of which support the operational backbone of cloud and internet traffic.

What makes these attacks particularly concerning is their exploitation of cloud-connected systems, identity infrastructure, and remote management pathways to maintain persistent access across hybrid environments. These threat actors are leveraging some of the very features that make the cloud powerful—global access, federated identity, and always-on connectivity—to hide in plain sight.

Salt Typhoon’s compromise of U.S. telecom firms has prompted an ongoing containment operation by federal agencies.

According to FBI Deputy Assistant Director Brett Leatherman, the agency is still awaiting clear signals that the group has been fully removed from compromised networks.

Beyond direct enterprise targeting, Salt Typhoon highlights a deeper systemic risk: telecom and ISP infrastructure—frequently the routing backbone for cloud service providers—has become a critical attack surface. By compromising routers, firewalls, and edge devices at these providers, attackers can gain visibility into CSP traffic paths, enabling traffic observation, manipulation, or disruption without directly breaching the CSP.

These compromises introduce systemic risk, as many CSP inter-region and hybrid connections depend on trusted telecom carriers. An attacker embedded in this infrastructure can intercept metadata, manipulate BGP routes, or enable man-in-the-middle attacks on traffic between cloud regions, customers, and services, creating exposure through the broader ecosystem of trust even when CSP-native services and controls remain technically uncompromised.

Security leaders now warn that cloud-connected and hybrid infrastructure has become the front line of modern cyber conflict, and collaboration across public and private sectors is essential to reduce exposure.

These operations highlight critical gaps in how enterprise environments spanning cloud and on-prem systems are traditionally secured.


Key Vulnerabilities Exploited

The success of these campaigns highlights several critical vulnerabilities in enterprise environments:

  • Inadequate network segmentation — allowing attackers to move laterally once inside the perimeter
  • Insufficient authentication controls — particularly between cloud environments and on-premises systems
  • Over-privileged service accounts — providing attackers with extensive access once compromised
  • Poorly secured API gateways — offering entry points between different cloud environments
  • Weak or unmonitored egress controls — enabling persistent command-and-control communications and data exfiltration
  • Third-party infrastructure risk — cloud traffic that traverses compromised telecom routes can be intercepted or redirected, introducing risk even when CSP-native services remain uncompromised


Building Resilient Cloud Security

In my experience analyzing these threats, I’ve found that modern cloud security requires a fundamentally different approach than traditional network security. The lessons from Salt Typhoon and Silk Typhoon emphasize several core principles that should guide your security strategy:


1. Implement Zero Trust Network Architecture

Zero trust principles must be the foundation of your security strategy. This means implementing least-privilege access controls, continuous verification, and microsegmentation across all environments.

The Zero Trust Maturity Model (ZTMM) 2.0 further recommends that encryption be centrally visible, automated, and policy-driven—only achievable through software-defined enforcement models.


2. Secure Multicloud Connectivity

As organizations operate across multiple cloud providers, securing the connections between these environments becomes critical. Implementing consistent security policies and visibility across all cloud and hybrid environments helps prevent attackers from exploiting gaps between different providers.


3. Prioritize Identity-Based Security

Both attack campaigns leveraged compromised credentials to gain and maintain access. Implementing strong identity verification, multi-factor authentication, and just-in-time access provisioning can significantly reduce these risks.

Salt Typhoon’s exploitation of federated identity and SSO pathways underscores the need to harden IAM configurations and monitor lateral movement across identity trust boundaries.


4. Maintain Comprehensive Visibility

You can’t protect what you can’t see. Comprehensive visibility across all cloud environments is essential for detecting suspicious activities and potential compromises before they expand.

Monitoring egress and east-west traffic is especially important, as both attack campaigns leveraged outbound connections to maintain persistence and evade detection.


Aviatrix: Fortifying Cloud Networking Security Against Threats like Salt Typhoon and Silk Typhoon

The Salt Typhoon attack demonstrated a fundamental truth about network security – traditional perimeter defenses are ineffective against sophisticated adversaries operating within hybrid and cloud-connected environments. Aviatrix’s Cloud Network Platform directly addresses these vulnerabilities by:

  • Implementing network segmentation and micro-segmentation that follows zero trust principles.
  • Providing comprehensive east-west traffic inspection and control, unlike conventional solutions that focus primarily on north-south traffic. This type of inspection is crucial for preventing lateral movement techniques used in both the Salt and Silk Typhoon attacks.
  • Using distributed firewalling with centralized policy management to enable organizations to maintain consistent security controls across multicloud environments.


Filtering Egress Traffic: Protecting the Weak Point of Many Security Architectures

Another critical insight from the Silk Typhoon campaign was the exploitation of egress security gaps – the “backdoor” of many network security architectures. Traditional security solutions often focus on ingress traffic while neglecting egress security, allowing attackers to maintain persistent access and exfiltrate data undetected.

Aviatrix addresses this vulnerability through its Cloud Firewall solution, which uses a comprehensive approach to secure connectivity and a patented IPSec solution for securing and monitoring cloud connections. Unlike basic cloud provider tools, Aviatrix’s solution provides enhanced visibility into egress traffic patterns, allowing security teams to identify command-and-control communications and data exfiltration attempts before they succeed. This capability is particularly valuable for GRC (governance, risk, and compliance) teams who need to demonstrate compliance with increasingly stringent regulatory requirements for cloud security.

For sectors like telecom, healthcare, and critical infrastructure—where Salt Typhoon has already made an impact—egress inspection is no longer optional.
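The egress monitoring described above and in principle 4 (flagging traffic a default-deny egress policy would block, periodic check-ins to unknown hosts, and bulk outbound transfers) can be sketched as follows. This is an added example, not Aviatrix code; the flow records, the allowlist ranges (RFC 5737 documentation addresses) and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (timestamp_s, src, dst, dst_port, bytes_out);
# all external addresses are RFC 5737 documentation ranges, not real hosts.
FLOWS = [
    (0,   "10.0.1.5", "192.0.2.10",   443, 1200),       # allowlisted SaaS range
    (60,  "10.0.1.5", "203.0.113.7",  443, 900),        # unknown host, every 60 s
    (120, "10.0.1.5", "203.0.113.7",  443, 910),
    (180, "10.0.1.5", "203.0.113.7",  443, 905),
    (240, "10.0.1.5", "203.0.113.7",  443, 898),
    (300, "10.0.1.5", "203.0.113.7",  443, 902),
    (75,  "10.0.2.9", "198.51.100.3", 22,  5_000_000),  # bulk push to unknown host
    (400, "10.0.2.9", "192.0.2.11",   443, 3000),
]
# Assumed egress allowlist: internal space plus one approved external range.
ALLOWED = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

def is_allowed(dst):
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in ALLOWED)

def unallowed_flows(flows):
    """Flows a default-deny egress policy would have blocked."""
    return [f for f in flows if not is_allowed(f[2])]

def beacon_candidates(flows, min_hits=4, max_jitter=0.2):
    """(src, dst) pairs hitting a non-allowlisted host at near-constant intervals."""
    times = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        if not is_allowed(dst):
            times[(src, dst)].append(ts)
    hits = []
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_hits:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Low coefficient of variation in the gaps = regular check-in pattern.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return hits

def bulk_egress(flows, threshold=1_000_000):
    """(src, dst) pairs pushing more than threshold bytes to non-allowlisted hosts."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if not is_allowed(dst):
            totals[(src, dst)] += nbytes
    return [pair for pair, total in totals.items() if total > threshold]
```

In practice the allowlist and thresholds would be driven by the egress policy, and the records would come from flow logs rather than an inline list.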


Moving Forward: Reducing Risk Exposure

The cybersecurity landscape will continue to evolve, with attackers constantly developing new techniques to bypass defenses. However, by implementing the right security architecture and practices, organizations can significantly reduce their risk exposure.


The recent FBI reward signals that cloud-targeted APTs are no longer isolated incidents—they are part of a sustained and strategic campaign. Organizations must assume compromise and design defensible architectures.