Shaarli Daily

All links from one day on a single page.

March 15, 2026

Salt Typhoon is hacking the world's phone and internet giants — here's everywhere that's been hit

TechCrunch
techcrunch.com
Zack Whittaker
8:50 AM PDT · March 9, 2026

Salt Typhoon is by far one of the most prolific hacking groups in recent years, breaching some of the top American phone companies. Here are all the countries that have been targeted.

Salt Typhoon is behind one of the broadest hacking campaigns in recent years, targeting some of the world’s largest phone and internet companies and stealing tens of millions of phone records about senior government officials.

The hacking group, attributed to China, is part of a wider cluster of hackers with the collective aim of helping China prepare for an eventual war with Taiwan, according to researchers. U.S. officials have called China’s potential invasion of Taiwan an “epoch-defining threat.” Much of the group’s efforts have focused on hacking Cisco routers at the edge of a company’s network to break in and taking control of surveillance devices that U.S. telecom companies are legally required to install to allow law enforcement to monitor calls and messages.

While Salt Typhoon is focused on hacking telecom infrastructure, other China-backed groups like Volt Typhoon are prepositioning for destructive cyberattacks capable of causing widespread disruption, and Flax Typhoon runs a botnet of hijacked internet-connected devices for hiding the hackers’ malicious internet traffic.

But Salt Typhoon is by far one of the most prolific hacking groups in recent years, including targeting some of the top American phone companies.

The hacks allowed China to obtain call records, text messages, and captured phone audio from senior U.S. officials, many of whom were considered government targets of interest. This prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing that a foreign adversary could eavesdrop on their communications.

Salt Typhoon went even further, hacking at least 200 companies around the world, according to FBI officials. The list of affected countries keeps growing.

Here are the countries that have attributed hacks to Salt Typhoon.

United States
Some of the top U.S. phone companies, including AT&T and Verizon, were confirmed hacked by Salt Typhoon, as was internet provider CenturyLink (now Lumen). T-Mobile said it was targeted but that the hackers had no access to its customers’ calls, text messages, or voicemails.

Satellite communications giant Viasat was also compromised, allowing hackers to gain access to tools used by law enforcement to access the communications of others.

Internet and data providers Charter Communications (Spectrum) and Windstream were also named as Salt Typhoon victims. Fiber network giant Consolidated Communications was reportedly hacked as part of the campaign.

The hackers didn’t just target phone and internet providers. Per several reports, Salt Typhoon compromised the networks of a U.S. state’s National Guard, allowing them to steal data and access to other networks in every other U.S. state and several territories.

North and South America
According to security firm Recorded Future, its researchers have seen Salt Typhoon target Cisco devices associated with universities in Argentina and Mexico and elsewhere.

Meanwhile, the Canadian government confirmed that its top telecommunications firms were hacked by China as part of Salt Typhoon’s extended espionage campaign. Canada also confirmed several Cisco routers at one telecom giant were hacked to steal data from the company.

The government in Ottawa warned it saw targeting of companies that were “broader than just the telecommunications sector.”

Trend Micro said it saw Salt Typhoon activity in Brazil, the most populous country in South America.

Asia, Africa, and Oceania
Recorded Future said it’s seen Salt Typhoon targeting at least one Myanmar-based telecoms provider, Mytel, by way of hacked Cisco routers, as well as a South African telecommunications provider. It’s also seen attacks targeting routers of universities across Bangladesh, Indonesia, Malaysia, and Thailand.

Japan has also warned of the threat of Salt Typhoon to its networks.

Both the governments of Australia and New Zealand say they’ve seen Salt Typhoon activity in their telecom and critical infrastructure sectors. New Zealand said it also saw Salt Typhoon hackers across the government sector, as well as transportation, lodging, and military infrastructure networks.

Trend Micro also said it found at least 20 compromised organizations across the telecoms, consulting, chemical, and transportation industries, as well as government agencies and nonprofits in various countries, including Afghanistan, Eswatini, India, Taiwan, and the Philippines.

Europe
The British government has confirmed that a “cluster of activity” from Salt Typhoon was seen across the United Kingdom. While the activity wasn’t specified, news reporting suggests that senior U.K. government staff may have had their phone records tapped and text messages read.

Norway has also confirmed Salt Typhoon hacked several organizations in the country.

Dutch authorities in the Netherlands say that several smaller internet providers and web hosts were targeted and that the hackers had access to routers, but the providers' internal networks were not compromised.

An Italian internet provider was hacked, per Recorded Future.

And, according to Czech cybersecurity officials, incidents related to Salt Typhoon hacks have been witnessed in Finland and Poland.

Ericsson US discloses data breach after service provider hack

bleepingcomputer.com
By Sergiu Gatlan
March 9, 2026

Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to over 15,000 employees and customers after hacking one of its service providers.

Headquartered in Stockholm and founded in 1876, the parent company is a communications tech leader with nearly 90,000 employees worldwide.

In data breach notification letters sent to affected individuals and filed with the California Attorney General on Monday, Ericsson said that a service provider who was storing personal data for employees and customers discovered a breach on April 28, 2025.

After detecting the incident, the third-party vendor notified the FBI and hired external cybersecurity experts to assess the extent of the breach and its impact.

The investigation, which was completed last month, found that a total of 15,661 individuals had their data exposed in the incident. However, Ericsson noted that the compromised provider has yet to find evidence that the data has been misused since the breach.

"Based on the investigation, our service provider determined that a limited subset of files may have been accessed or acquired without authorization between April 17, 2025 and April 22, 2025," Ericsson said.

"As part of its investigation, it retained external data specialists to conduct a comprehensive review of the potential affected files to identify any personal information. That review was completed on February 23, 2026 at which time we determined that some of your personal information was contained within the affected files."

According to a separate filing with the Texas Attorney General, the exposed information includes affected individuals' names, addresses, Social Security numbers, driver’s license numbers, government-issued ID numbers (e.g., passport, state ID cards), financial information (e.g., account numbers, credit or debit card numbers), medical information, and dates of birth.

Ericsson is now providing free IDX identity protection services, including credit monitoring, dark web monitoring, identity theft recovery, and a $1 million identity fraud loss reimbursement policy to affected people who enroll by June 9, 2026.

Although the company flagged this incident as a data theft attack, no cybercrime group has taken responsibility for the breach. This raises the possibility that either the third-party vendor paid the ransom demanded by the attackers or that the threat actors were unable to connect the breach to Ericsson.

When BleepingComputer reached out for more details on the breach, including the total number of affected individuals, an Ericsson spokesperson said they didn't have "anything to share beyond the letter."

Update March 10, 06:39 EDT: In a filing with Maine's Attorney General, Ericsson says the breach affects a total of 15,661 individuals.

Tel Aviv train station hit by cyberattack with fake missile alerts | Ctech

calcalistech.com
Hofit Cohen Azulay
12:55, 12.03.26

Cyberattack affects platform advertising screens; national cybersecurity authorities investigate.

A cyberattack targeted advertising signs in the passenger halls at Herzliya Station and Shalom Train Station in Tel Aviv on Wednesday. It is estimated that Iranian hackers took control of the signs and posted messages claiming that the stations were expected to be attacked by Iranian missiles and instructing the public to evacuate immediately.

Israel Railways clarified that these signs are not connected to the railway infrastructure and are located on platforms as part of a private provider’s advertising and information system. Shortly after the incident, the screens were taken offline. The National Cyber Directorate, in cooperation with Israel Railways, began investigating the source of the malfunction. Railways officials emphasized that the affected screens are part of an external network unrelated to essential railway infrastructure. Therefore, there was no risk to critical systems or the railway's passenger information system (PIS).

Earlier, Iran’s Fars News Agency falsely claimed that Israel’s entire railway system had been hacked and disabled. The agency stated:

"Israel’s railways have been hacked. As a result of a cyberattack, the enemy’s railway system has been disabled. All [Israeli railway] stations are not safe until further notice."

Following the incident, Israel Railways announced on Thursday that, in accordance with Home Front Command guidelines, it is continuing efforts to resume service on travel routes, increase train frequency, and reopen additional stations.

China issues second warning on OpenClaw risks amid adoption frenzy

South China Morning Post
scmp.com
Ben Jiang in Beijing
Published: 10:14pm, 10 Mar 2026

Cybersecurity agency cautions that improper installation and use of the AI agent carry severe security and data risks.

China’s cybersecurity agency on Tuesday issued a second warning about security and data risks tied to OpenClaw, despite a rush among local governments and tech companies to adopt the artificial intelligence agent amid a nationwide frenzy.

At a time when major Chinese cloud service providers were touting easy deployment of OpenClaw to capitalise on its popularity, improper installation and use of the agent had also led to severe security risks, said the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), a non-governmental and non-profit cybersecurity technical platform, in a notice published on its WeChat account.

Released by Austrian developer Peter Steinberger late last year, OpenClaw is software that is taking the world by storm for its ability to perform tasks on a user’s behalf, organising and responding to emails, drafting work reports and preparing slide decks.

CNCERT partly blamed OpenClaw’s security challenges on its ability to perform tasks autonomously, which required high-level permissions that heightened exposure to breaches.

The agency said OpenClaw was vulnerable to threats including “prompt injection”, in which attackers embed hidden malicious instructions in webpages which, when read by the software, could trick it into leaking a user’s system keys.

It was also prone to “operational errors”, in which the agent may misinterpret user commands and unintentionally delete critical information, including emails and important files, potentially causing significant data loss.