Who is Salt Typhoon Really? Unraveling the Attribution Challenge
How overlapping APT groups and Chinese companies complicate attribution in state cyber operations
Our previous post about Salt Typhoon provided an initial commentary on the Joint Cybersecurity Advisory on Salt Typhoon issued on August 27, 2025. The advisory identified three Chinese companies as suppliers of products and services to Salt Typhoon and other overlapping groups such as OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor: Sichuan Juxinhe Network Technology Co. Ltd. (四川聚信和网络科技有限公司), Beijing Huanyu Tianqiong Information Technology Co., Ltd. (北京寰宇天穹信息技术有限公司), and Sichuan Zhixin Ruijie Network Technology Co., Ltd. (四川智信锐捷网络科技有限公司). After examining these three companies and their possible roles in Salt Typhoon-related cyber operations, we posed a few questions worth further exploration. In this post, we address questions about the involvement of Chinese companies in state-sponsored cyber operations and share some observations on threat attribution from the joint advisory.
First, an Update: The Company Webpage of Sichuan Zhixin Ruijie Has Been Found
Previously, the Natto Team could not locate a company website for Sichuan Zhixin Ruijie, even though the company appeared to operate as a legitimate business. Public business registration records contained no website information. We concluded, “it is likely the company has chosen to keep its website private—if one exists—or does not require an online presence due to its dedicated government and military clientele, as described in company materials.” However, after our previous post appeared, Dakota Cary, a China-focused consultant at SentinelOne, shared the webpage of Sichuan Zhixin Ruijie, which he and his team managed to locate. We are grateful for the community we are in and the collaboration and help we have received since launching Natto Thoughts.
Why is it so difficult to locate the website of Sichuan Zhixin Ruijie? It appears the company decided to keep its website private or hidden. We discovered that the website of Sichuan Zhixin Ruijie has had no website filing record since at least mid-November 2023.
According to Chinese laws and regulations, website record filing (网站备案) is mandatory. Two types of filings must be completed before a website goes live: ICP (Internet Content Provider) filing and Public Security Network Filing (or Computer Information System International Network Filing). Both filing numbers must be displayed at the bottom of a website. The ICP filing is managed by the Ministry of Industry and Information Technology (MIIT), while the Ministry of Public Security oversees the public security network filing. All websites operating within China must complete ICP filing first; otherwise, they cannot be accessed. After completing ICP filing, website owners must also submit required documents to public security authorities, such as website content, domain name, and owner information. The purposes of website record filing are stated as “ensuring content legality and security” and “preventing the dissemination of harmful content.”
The Natto Team discovered that an ICP filing record for the domain name of Sichuan Zhixin Ruijie—“0eye[.]com”— existed from June 12, 2019, to November 16, 2023. The filing number was “Shu ICP Filing 19017979-1” (蜀ICP备19017979号-1). The character “蜀” (shú) indicates that the filing number was issued by the Sichuan Communications Administration (SCCA), the provincial bureau of MIIT. However, the most recent website filing information shows that the domain “0eye[.]com” has had no filing record since May 22, 2025.
Additionally, the Natto Team tracked down a series of official announcements from the Sichuan Communications Administration’s list of Sichuan Province Shell Websites Data. The SCCA defines “shell websites” as websites whose filing information lacks the names of their website service providers. It appears likely that “0eye[.]com” fell into this list. If the company did not provide information about its service providers, the SCCA could have deregistered its website.
Finally, checking cached copies of the Sichuan Zhixin Ruijie website on the Wayback Machine suggests that the website likely went dark around 2023. The Wayback Machine has 20 captures of “0eye[.]com” from July 6, 2002, to June 27, 2022. The website displaying information about Sichuan Zhixin Ruijie first appeared in the captures on August 7, 2018, shortly after the company’s business registration date of July 25, 2018. The last capture was on June 27, 2022.
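The capture-history check described above can be made repeatable. The following is an added example written for this post, not code from the Natto Team: it parses the JSON form of the Wayback Machine CDX API (a header row followed by one row per capture, with 14-digit `YYYYMMDDhhmmss` timestamps), then reports the first and last capture, the longest silent gap, and whether the site looks to have gone dark relative to a chosen date. The `SAMPLE_CDX` rows are constructed for illustration and use `example.com`, not any real capture history; `fetch_cdx()` performs the live query and needs network access, so the offline demo does not call it.

```python
"""Summarise a Wayback Machine capture history to estimate when a site went dark.

Added example (not from the Natto Thoughts post). Parses the JSON output of the
Wayback CDX API and derives a capture timeline. The sample rows at the bottom are
constructed for illustration and refer to example.com.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from urllib.parse import urlencode
from urllib.request import urlopen

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


@dataclass(frozen=True)
class Capture:
    when: datetime
    url: str
    status: str


def parse_cdx_json(payload: str) -> list[Capture]:
    """Parse CDX output requested with output=json&fl=timestamp,original,statuscode.

    The first row is the header; every later row is one capture. Rows are
    returned sorted by capture time so gap analysis can assume order.
    """
    rows = json.loads(payload)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    idx = {name: i for i, name in enumerate(header)}
    captures = []
    for row in body:
        ts = datetime.strptime(row[idx["timestamp"]], "%Y%m%d%H%M%S")
        captures.append(Capture(ts, row[idx["original"]], row[idx["statuscode"]]))
    return sorted(captures, key=lambda c: c.when)


def fetch_cdx(domain: str) -> list[Capture]:
    """Live lookup against the CDX API (network required); not used by demo()."""
    query = urlencode({"url": domain, "output": "json",
                       "fl": "timestamp,original,statuscode",
                       "collapse": "timestamp:8"})  # at most one row per day
    with urlopen(f"{CDX_ENDPOINT}?{query}", timeout=30) as resp:
        return parse_cdx_json(resp.read().decode())


def summarize(captures: list[Capture], as_of: date, dark_after_days: int = 365) -> dict:
    """Return first/last capture dates, the longest gap, and a went-dark estimate.

    went_dark is True when the newest capture is older than dark_after_days as
    of the given date; dark_since is then the last capture date. Captures are
    only a lower bound on a site's activity, so this is an estimate, not proof.
    """
    if not captures:
        return {"captures": 0, "went_dark": None}
    dates = [c.when.date() for c in captures]
    longest_gap, gap_start = timedelta(0), dates[0]
    for earlier, later in zip(dates, dates[1:]):
        if later - earlier > longest_gap:
            longest_gap, gap_start = later - earlier, earlier
    silent_days = (as_of - dates[-1]).days
    went_dark = silent_days > dark_after_days
    return {
        "captures": len(captures),
        "first": dates[0].isoformat(),
        "last": dates[-1].isoformat(),
        "longest_gap_days": longest_gap.days,
        "longest_gap_starts": gap_start.isoformat(),
        "went_dark": went_dark,
        "dark_since": dates[-1].isoformat() if went_dark else None,
        # non-2xx captures (redirects, errors) often mark a site being wound down
        "error_captures": sum(1 for c in captures if not c.status.startswith("2")),
    }


# Constructed sample: a domain first captured in 2002, active captures 2018-2022,
# then nothing. Rows are deliberately unsorted to exercise the sort in the parser.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20180807120000", "http://example.com/", "200"],
    ["20020706031500", "http://example.com/", "200"],
    ["20190512080000", "http://example.com/", "200"],
    ["20220627101010", "http://example.com/", "200"],
    ["20210101000000", "http://example.com/", "301"],
])


def demo() -> dict:
    """Offline run over the constructed sample, judged as of 2025-09-01."""
    return summarize(parse_cdx_json(SAMPLE_CDX), as_of=date(2025, 9, 1))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `collapse=timestamp:8` parameter keeps one row per day, which is enough for a timeline and keeps the response small for long-lived domains. When reading the output, treat a long silent gap after a steady run of captures as a lead to corroborate against business registration and filing records, as the post does, rather than as evidence on its own.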
Why would a legitimate business hide its website from the public? Evidently, as of this writing, Sichuan Zhixin Ruijie is still in operation, having submitted its 2024 annual report in April 2025. However, as we noted in our previous post, the company’s dedicated government and military clientele, as described in company materials, may prefer that the company avoid unnecessary attention. It is also possible that the relevant public security authorities directed Sichuan Zhixin Ruijie’s website to go dark. The Sichuan Communications Administration might not have been informed and, during routine website management, added the domain to the shell website data list.
Lastly, the timing of the website’s disappearance aligns with public revelations of the activities of Salt Typhoon and other overlapping groups. According to the advisory, Sichuan Zhixin Ruijie appears to have been heavily involved in providing products and services to Salt Typhoon-related threat activities during 2021–2023. After cybersecurity researchers around the world reported on threat activities conducted by Salt Typhoon and overlapping groups in the same period, the threat actors might have adjusted their operations and asked supporting companies such as Sichuan Zhixin Ruijie to keep a low profile.
The bottom line is that Sichuan Zhixin Ruijie has been a dedicated government contractor.
Who is Really Salt Typhoon?
Threat attribution is often complicated. The Joint Cybersecurity Advisory on Salt Typhoon and other overlapping groups issued on August 27, 2025, appears to take a thoughtful approach, with careful language to communicate the complexity of these threat actor networks and the limited consensus among the government authors of the advisory.
No Exact Correlation to Particular Named Threat Groupings
The Joint Cybersecurity Advisory did not attribute the described threat activity—mainly targeting telecommunications providers and edge routers—to a particular threat group. Although “this activity partially overlaps with cyber threat actor reporting by the cybersecurity industry—commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others,” as stated in the advisory, the authoring agencies chose not to adopt a particular naming convention. Instead, they used “Advanced Persistent Threat (APT) actors” to refer to those responsible for the cyber threat activity.
The most likely reason for this approach, as the advisory states, is that cybersecurity companies use different methods to track and attribute cyber actors, and the authoring agencies may not have a complete view of each company’s methods; thus, they cannot make a 1:1 correlation. Alternatively, the authoring agencies may not agree on which named threat group is most representative of the cluster of cyber threat activity. It is also possible that each agency has its own perspective on the threat activity, which may overlap with or differ from others.
The Natto Team believes the authoring agencies’ approach is a step forward in avoiding further confusion around threat attribution related to Salt Typhoon and other overlapping groups. It highlights the importance of seeking common ground to mitigate Chinese state-sponsored cyber activity: we may not agree on which threat group name to use, but we can share what we have seen in common in terms of threat activity clusters and help network defenders mitigate and evict these threats.
Salt Typhoon, OPERATOR PANDA, etc., and Three Chinese Companies: Linked in Various Ways
In our previous post, the Natto Team asked: How were the three Chinese companies named in the advisory involved in supporting threat activities conducted by Salt Typhoon and other overlapping groups, beyond supplying products and services? This question leads to a follow-up: Who is behind Salt Typhoon and other overlapping groups if these companies were only suppliers?
As many may recall, several U.S. Department of Justice indictments have directly attributed entities and associated personnel to cyber threat groups in the past. For example, in August 2020, a U.S. court indicted three alleged hackers, Qian Chuan (钱川), Jiang Lizhi (蒋立志), and Fu Qiang (付强), who operated the company Chengdu 404, as part of the threat group APT41 (note: for the Natto Team’s reporting on APT41 and Chengdu 404, see here, here and here).
Another example: in May 2017, threat intelligence analysts identified three members of Boyusec, a China-based infosec company, as being behind APT3, acting as a contractor for the Chinese Ministry of State Security. Six months later, in November 2017, the U.S. Department of Justice indicted these three members for compromising the networks of three U.S. companies.
However, the August joint advisory may be the first official advisory to identify Chinese companies as linked to APT threat activity by providing “cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army (PLA) and Ministry of State Security (MSS),” without stating that these companies were themselves behind the APT actors. This means that uniformed personnel of China’s intelligence services may have conducted the threat activity directly using these companies’ products, or they could have hired these companies and directed them to perform services such as network intrusions. In either scenario, China’s intelligence services—such as units in the PLA and MSS—could be the direct operators of the threat activities.
All things considered, the August joint advisory highlights the complexity of Salt Typhoon and other overlapping threat groups, leading the authoring agencies to move away from industry threat actor designations and naming conventions, instead referring to them as “APT actors.” The joint advisory also illustrates the difficulty of attributing intrusions to those behind the keyboard or the entities responsible. However, one thing is clear: Chinese threat campaigns will likely continue to take advantage of China’s growing cybersecurity industry.
For those who may have missed them, Natto Thoughts posts such as “Flax Typhoon-Linked Company Integrity Technology: a Competitor, Business Partner and Client of i-SOON” and “Sichuan Silence Information Technology: Great Sounds are Often Inaudible” have explored the complex role of China’s cybersecurity industry in state-associated threat activities.

People switch jobs, projects recruit, and orgs have their own cultures. My point is the nationality is the major concern…. Not so much who. Buuuuuuttt Bob MSS, MPS, Mil Cyber and whatever else isn’t listed all have their own authorities and agendas…. Yeah but they share one - ALL YOUR BASE ARE BELONG TO US.