Salt Typhoon is hacking the world’s phone and internet giants. Here’s everywhere that’s been hit.

Salt Typhoon is behind one of the broadest hacking campaigns in recent years, targeting some of the world’s largest phone and internet companies and stealing tens of millions of phone records about senior government officials.

The hacking group, attributed to China, is part of a wider cluster of hackers with the collective aim of helping China prepare for an eventual war with Taiwan, according to researchers. U.S. officials have called China’s potential invasion of Taiwan an “epoch-defining threat.” Much of the group’s efforts have focused on hacking Cisco routers at the edge of a company’s network to break in, and taking control of surveillance devices that U.S. telecom companies are legally required to install to allow law enforcement to monitor calls and messages.

While Salt Typhoon is focused on hacking telecom infrastructure, other China-backed groups like Volt Typhoon are prepositioning for destructive cyberattacks capable of causing widespread disruption, and Flax Typhoon runs a botnet of hijacked internet-connected devices for hiding the hackers’ malicious internet traffic.

But Salt Typhoon is by far one of the most prolific hacking groups in recent years, including targeting some of the top American phone companies.

The hacks allowed China to obtain call records, text messages, and captured phone audio from senior U.S. officials, many of whom were considered government targets of interest. This prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing that their communications could be eavesdropped on by a foreign adversary.

Salt Typhoon went even further, hacking at least 200 companies around the world, according to FBI officials. The list of affected countries keeps growing.

Here are the countries that have attributed hacks to Salt Typhoon.

United States

Some of the top U.S. phone companies, including AT&T and Verizon, were confirmed hacked by Salt Typhoon, as was internet provider CenturyLink (now Lumen). T-Mobile said it was targeted but that the hackers had no access to its customers’ calls, text messages, or voicemails.

Satellite communications giant Viasat was also compromised, allowing hackers to gain access to tools used by law enforcement to access the communications of others. 

Internet and data providers Charter Communications (Spectrum) and Windstream were also named as Salt Typhoon victims. Fiber network giant Consolidated Communications was reportedly hacked as part of the campaign.

The hackers didn’t just target phone and internet providers. Per several reports, Salt Typhoon compromised the networks of a U.S. state’s National Guard, allowing them to steal data and access to other networks in every other U.S. state and several territories.

North and South America

According to security firm Recorded Future, its researchers have seen Salt Typhoon target Cisco devices associated with universities in Argentina and Mexico and elsewhere. 

Meanwhile, the Canadian government confirmed that its top telecommunications firms were hacked by China as part of Salt Typhoon’s extended espionage campaign. Canada also confirmed several Cisco routers at one telecom giant were hacked to steal data from the company. 

The government in Ottawa warned it saw targeting of companies that were “broader than just the telecommunications sector.”

Trend Micro said it saw Salt Typhoon activity in Brazil, the most populous country in South America. 

Asia, Africa, and Oceania

Recorded Future said it’s seen Salt Typhoon targeting at least one Myanmar-based telecoms provider, Mytel, by way of hacked Cisco routers, as well as a South African telecommunications provider. It’s also seen attacks targeting routers of universities across Bangladesh, Indonesia, Malaysia, and Thailand.

Japan has also warned of the threat of Salt Typhoon to its networks. 

Both the governments of Australia and New Zealand say they’ve seen Salt Typhoon activity in their telecom and critical infrastructure sectors. New Zealand said it also saw Salt Typhoon hackers across the government sector, as well as transportation, lodging, and military infrastructure networks.

Trend Micro also said it found at least 20 compromised organizations across the telecoms, consulting, chemical, and transportation industries, as well as government agencies and non-profits in various countries, including Afghanistan, Eswatini, India, Taiwan, and the Philippines.

Europe

The British government has confirmed that a “cluster of activity” from Salt Typhoon was seen across the United Kingdom. While the activity wasn’t specified, news reporting suggests that senior U.K. government staff may have had their phone records tapped and text messages read.

Norway has also confirmed Salt Typhoon hacked several organizations in the country. 

Dutch authorities in the Netherlands say that several smaller internet providers and web hosts were targeted and that the hackers had access to routers, but their internal networks were not compromised.

An Italian internet provider was hacked, per Recorded Future.

And, according to Czech cybersecurity officials, incidents related to Salt Typhoon hacks have been witnessed in Finland and Poland.
