Dutch Intelligence Exposes Salt Typhoon: China-Linked APT Targets Critical Infrastructure in the Netherlands

TL;DR

Dutch intelligence agencies MIVD and AIVD have confirmed that the China-linked APT group Salt Typhoon (also known as RedMike) targeted critical infrastructure in the Netherlands. Unlike previous attacks on major telecom providers, this campaign focused on smaller internet service and hosting providers, compromising routers without penetrating deeper into internal networks. The operation is part of a global cyberespionage campaign linked to Chinese state-sponsored actors, raising concerns about national cyber resilience and the need for constant monitoring.

---

Dutch Intelligence Warns of China-Linked Cyberespionage Campaign Targeting Critical Infrastructure

Dutch intelligence and security services, MIVD (Military Intelligence and Security Service) and AIVD (General Intelligence and Security Service), have issued a warning about a large-scale cyberespionage campaign conducted by the China-linked APT group Salt Typhoon (also referred to as RedMike). This campaign targeted the Netherlands, focusing on smaller internet service and hosting providers, rather than major telecom companies.

The revelation aligns with findings from U.S. intelligence agencies, which exposed a global cyberespionage operation in late 2024. According to reports, Salt Typhoon breached telecommunications companies in dozens of countries, including at least eight U.S. firms¹. The campaign, active for 1–2 years, highlights the strategic risks posed by state-sponsored cyber threats.

---

Global Scope of the Salt Typhoon Campaign

The Salt Typhoon campaign is not limited to the Netherlands or the United States. Intelligence agencies worldwide, including Germany’s BND, Finland’s SUPO, the UK’s NCSC, and Italy’s AISE, have endorsed warnings from the NSA, CISA, and FBI, emphasizing the campaign’s global reach and strategic implications².

In December 2024, Anne Neuberger, Deputy National Security Adviser to U.S. President Biden, confirmed that Salt Typhoon had compromised telecommunications providers in multiple countries³. The Wall Street Journal reported that the campaign targeted dozens of nations, underscoring its scale and sophistication⁴.

---

Focus on Smaller Providers in the Netherlands

Unlike previous attacks that targeted major telecom operators, the Dutch investigation revealed that Salt Typhoon focused on smaller internet service and hosting providers. According to the Ministry of Defence advisory:

“An investigation by the MIVD and AIVD has revealed that the Chinese hacking organization had access to routers belonging to the Dutch targets. As far as we know, the hackers did not penetrate any further into their internal networks.”⁵

Dutch authorities have emphasized that while advanced cyber operations require constant monitoring, the risks can only be reduced, not entirely eliminated. This poses a significant challenge to national cyber resilience.

---

Link to Chinese Tech Firms and State Actors

A joint Cybersecurity Advisory (CSA) issued by the NSA, NCSC, and allied agencies linked the malicious activities to three Chinese tech firms:

1. Sichuan Juxinhe Network Technology Co. Ltd.
2. Beijing Huanyu Tianqiong Information Technology Co., Ltd.
3. Sichuan Zhixin Ruijie Network Technology Co., Ltd.

These firms are alleged to provide cyber products and services to China’s Ministry of State Security and People’s Liberation Army⁶. The advisory outlines the tactics, techniques, and procedures (TTPs) used by these actors, providing guidance for mitigation.

---

Mitigation and Global Response

The joint advisory from the NSA and its allies offers detailed mitigation strategies to counter the threats posed by Salt Typhoon and other Chinese state-sponsored actors. Key recommendations include:

• Enhancing network monitoring to detect unusual activity.
• Strengthening router security to prevent unauthorized access.
• Sharing threat intelligence with relevant stakeholders.

Dutch intelligence has already shared critical threat intelligence with affected providers and other relevant parties to bolster defenses.

---

Why This Matters

The Salt Typhoon campaign underscores the growing threat of state-sponsored cyberespionage targeting critical infrastructure. As nations become increasingly reliant on digital networks, the risk of disruption and espionage poses a significant challenge to global security. This incident serves as a reminder of the importance of cyber resilience and international cooperation in countering advanced persistent threats.

---

Conclusion

The exposure of Salt Typhoon’s cyberespionage campaign in the Netherlands highlights the persistent and evolving threat posed by state-sponsored actors. While Dutch authorities and their allies have taken steps to mitigate risks, the incident underscores the need for continuous vigilance, robust cybersecurity measures, and global collaboration. As cyber threats grow in sophistication, nations must adapt and strengthen their defenses to protect critical infrastructure and national security.

---

Additional Resources

For further insights, check:

• NSA Joint Cybersecurity Advisory on Chinese State-Sponsored Actors
• Dutch Ministry of Defence Advisory on Salt Typhoon
• Wall Street Journal: Dozens of Countries Hit in Chinese Telecom Hacking Campaign

---

References

1. U.S. National Security Adviser (2024). “Dozens of Countries Hit in Chinese Telecom Hacking Campaign”. The Wall Street Journal. Retrieved 2025-08-29. ↩︎

2. NSA, CISA, FBI (2025). “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System”. U.S. Department of Defense. Retrieved 2025-08-29. ↩︎

3. Security Affairs (2024). “China-linked APT group Salt Typhoon breached telecommunications companies in dozens of countries”. Security Affairs. Retrieved 2025-08-29. ↩︎

4. The Wall Street Journal (2024). “Dozens of Countries Hit in Chinese Telecom Hacking Campaign”. The Wall Street Journal. Retrieved 2025-08-29. ↩︎

5. Dutch Ministry of Defence (2025). “Dutch Providers Targeted by Salt Typhoon”. Dutch Ministry of Defence. Retrieved 2025-08-29. ↩︎

6. NSA (2025). “NSA and Others Provide Guidance to Counter China State-Sponsored Actors Targeting Global Infrastructure”. National Security Agency. Retrieved 2025-08-29. ↩︎