US telecoms — Salt Typhoon espionage campaign
Salt Typhoon, a Chinese state-sponsored group, compromised lawful-intercept systems at nine US telecom carriers, reading wiretap lists and senior officials' communications for months before detection.
- Target: US telecoms — Salt Typhoon espionage campaign
- Date public: 25 September 2024
- Sector: Telecoms
- Attack type: Nation State
- Threat actor: Salt Typhoon (Chinese state-sponsored)
- Severity: Critical
- Region: United States
Every major US phone company is legally required to maintain a system that allows law enforcement to conduct wiretaps — a capability called CALEA, after the law that mandates it. In 2024 it emerged that Chinese government hackers had been inside those systems. Not just one carrier's systems. At least nine of them, including AT&T, Verizon, T-Mobile, and Lumen. The hackers, called Salt Typhoon, had been reading the list of people under FBI surveillance — in other words, they could see who the US government was wiretapping. They also accessed actual communications of senior US political figures, including people connected to the presidential campaigns of both Donald Trump and Kamala Harris. US officials called it one of the worst intelligence breaches of the decade. The access lasted for months before being detected. The entry points were primarily outdated network equipment — routers and switches running old firmware — and poorly secured administrative credentials. The incident prompted CISA and the FBI to issue an unprecedented advisory encouraging Americans to use encrypted messaging apps rather than regular phone calls for sensitive communications — an admission that the telecom infrastructure itself cannot be trusted for private conversations.
What happened
In September 2024 US officials confirmed that a Chinese state-sponsored threat group designated Salt Typhoon had achieved persistent access to the internal networks of major US telecommunications providers. The FBI and CISA issued a joint statement on 13 November 2024 confirming Chinese state-affiliated actors had compromised the networks of multiple telecoms companies, and subsequent reporting and official statements identified at least nine carriers including AT&T, Verizon, T-Mobile, and Lumen.
The access was of an unusually sensitive category. Salt Typhoon had penetrated the carriers’ lawful-intercept infrastructure — the systems maintained by US telecoms companies under the Communications Assistance for Law Enforcement Act (CALEA) to facilitate court-ordered wiretaps by law enforcement. By accessing these systems, Salt Typhoon could read the list of individuals currently subject to US government surveillance, including FBI counterintelligence targets. The intelligence value of knowing who the US government is wiretapping is profound: it reveals the identities of suspected Chinese intelligence assets under surveillance, the scope of ongoing investigations, and the technical capabilities of US law enforcement.
Beyond the CALEA systems, Salt Typhoon accessed the communications metadata of large numbers of subscribers and — in a smaller, more targeted set of cases — the actual content of communications by senior US political figures, including individuals associated with the presidential campaigns of both Donald Trump and Kamala Harris during the 2024 election cycle.
The intrusion was assessed to have been ongoing for months before detection. CISA and the FBI advised Americans — in an extraordinary public recommendation — to use end-to-end encrypted messaging applications rather than conventional phone calls and SMS for sensitive communications, effectively acknowledging that the US telecom infrastructure could not be assumed secure.
How it worked
Salt Typhoon’s access to US telecom networks was achieved through a combination of exploiting vulnerabilities in network-edge equipment and abusing legitimate administrative credentials.
The primary technical entry points were routers, switches, and other network infrastructure devices running outdated firmware with known vulnerabilities. Telecom carrier backbone equipment is a category of infrastructure that is particularly difficult to patch: the devices carry live traffic for millions of subscribers, and downtime for patching can cause significant service disruption, creating institutional reluctance to apply firmware updates on the same cycle as corporate IT systems. Salt Typhoon exploited this gap systematically, identifying carriers whose core network equipment was running vulnerable firmware versions and using those vulnerabilities to gain persistent access deep inside the carrier backbone.
From positions inside the carrier network, Salt Typhoon used legitimate network management protocols and administrative interfaces to move through the infrastructure and identify the CALEA intercept systems. CALEA systems are, by design, integrated into the carrier’s network so that they can receive and record traffic for targeted subscribers; this integration means they are reachable from within the carrier’s network by an attacker who has already achieved backbone access.
CISA’s technical guidance published in December 2024 identified the specific control failures contributing to the intrusion: insufficient network device patching and hardening, weak or default administrative credentials on network management systems, inadequate monitoring of administrative access to core infrastructure, and a general absence of the zero-trust network segmentation that would have limited lateral movement from an initial device compromise to the CALEA infrastructure.
Salt Typhoon is assessed by US intelligence as a signals-intelligence collection unit — its mission is foreign intelligence gathering, specifically targeting communications and network infrastructure of strategic value to Chinese intelligence. The group’s operations are consistent with the PRC’s documented strategic interest in understanding US law enforcement and intelligence activities targeting Chinese government interests.
Timeline
- 2023 – mid-2024 — Salt Typhoon operators gain initial access to US carrier networks through exploitation of vulnerable network-edge devices; conduct extended reconnaissance and lateral movement.
- Mid-2024 — Access to CALEA lawful-intercept systems achieved at multiple carriers; collection of metadata and targeted content interception begins.
- Summer–September 2024 — Communications of individuals associated with Trump and Harris presidential campaigns intercepted; CALEA system data accessed.
- September 2024 — US government detects the breaches; investigation and attribution work begins.
- 13 November 2024 — FBI and CISA publish joint statement confirming Chinese state-sponsored access to US telecom infrastructure.
- December 2024 — CISA publishes detailed guidance on hardening communications infrastructure; FBI and CISA publicly advise use of end-to-end encrypted messaging. Nine carriers confirmed affected.
- Late 2024 – 2025 — Remediation efforts ongoing; CISA states that not all carriers have fully removed Salt Typhoon from their networks. Congressional hearings convened; legislation proposed requiring minimum cybersecurity standards for US telecoms.
What defenders should learn
The Salt Typhoon campaign illustrates, at national-infrastructure scale, the consequence of failing to patch network devices that are difficult, but not impossible, to patch. Internet-facing and backbone network infrastructure — routers, switches, load balancers, firewalls — is the boundary between external attackers and internal networks. Vulnerabilities in these devices are structurally different from vulnerabilities in endpoint software: a compromised network device is inside the perimeter, has visibility into all traffic it handles, and provides persistent access that is very difficult to detect because it operates at infrastructure level. The operational cost of patching these devices is real; the cost of not patching them can be measured in what Salt Typhoon achieved.
The CALEA irony is worth stating as a policy lesson. CALEA was designed to ensure that the US government could conduct lawful surveillance; it required telecoms to build and maintain interception capability. That capability became an intelligence target. Any backdoor or privileged access capability built into a system — whether mandated by law or implemented for operational convenience — is also a vulnerability. The CALEA systems did not fail because they were built poorly; they failed because the networks they lived in were accessible to sophisticated adversaries. But the existence of CALEA centralised and documented the most sensitive surveillance information in a reachable form. The policy debate about whether the security costs of mandated backdoors exceed their law-enforcement benefits has new empirical data from Salt Typhoon.
The credential and monitoring failures are the operational lessons. CISA’s guidance identified default and weak administrative credentials as a contributing factor. Network management infrastructure should use phishing-resistant MFA and principle-of-least-privilege access control, with all administrative access logged and anomaly-monitored. The standard of care for administering the backbone of a national communications network should not be less than the standard of care for administering a corporate server.
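The control gaps named in CISA's guidance (section "How it worked") and the operational lessons in the paragraph above translate directly into checks a carrier's security team can run over its own telemetry. The following is an added example, not code from the original page or from CISA: it takes a constructed device inventory and constructed TACACS+-style accounting records and flags firmware below a baseline, use of default or shared administrative accounts, administrative sessions originating outside the management network, and sessions that reach the lawful-intercept segment from another network device rather than from a management host. All subnets, account names, device models, version strings and the log field format are assumptions made for the example.

```python
"""Added detection example: audit admin access to carrier network-management
infrastructure and check firmware against a baseline.

Everything below (subnets, accounts, device models, versions, log format) is
constructed for illustration and does not describe any real carrier.
"""
import ipaddress
import re

# Constructed network layout: where admin sessions are allowed to originate
# and where the CALEA mediation devices live.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # jump hosts / NOC
INTERCEPT_NET = ipaddress.ip_network("10.50.0.0/24")       # lawful-intercept segment
# Constructed: shared/default accounts that should be disabled entirely.
DEFAULT_ACCOUNTS = {"admin", "root", "operator"}
# Constructed minimum firmware per hypothetical device model.
FIRMWARE_BASELINE = {"EdgeRouter-X1": "4.2.1", "CoreSwitch-Z9": "12.0.3"}

# Constructed TACACS+-style accounting records; the field layout is assumed.
SAMPLE_LOG = """\
2024-07-02T03:14:07Z src=10.10.0.15 user=jsmith dst=10.20.1.1 cmd="show version" result=ok
2024-07-02T03:15:21Z src=203.0.113.77 user=admin dst=10.20.1.1 cmd="show running-config" result=ok
2024-07-02T03:16:02Z src=10.20.1.1 user=admin dst=10.50.0.9 cmd="show interfaces" result=ok
2024-07-02T09:00:00Z src=10.10.0.15 user=jsmith dst=10.20.1.2 cmd="show version" result=ok
"""

# Constructed inventory: device name -> (model, running firmware).
SAMPLE_INVENTORY = {
    "edge-01": ("EdgeRouter-X1", "3.9.0"),
    "edge-02": ("EdgeRouter-X1", "4.2.1"),
    "core-01": ("CoreSwitch-Z9", "12.0.3"),
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) '
    r'cmd="(?P<cmd>[^"]*)" result=(?P<result>\S+)$'
)


def parse_log(text):
    """Parse accounting lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def audit_admin_access(records):
    """Return (timestamp, rule, detail) findings for risky administrative sessions."""
    findings = []
    for r in records:
        src, dst, user = r["src"], r["dst"], r["user"]
        if user in DEFAULT_ACCOUNTS:
            findings.append((r["ts"], "default_account", f"{user} -> {dst}"))
        if not in_any(src, MANAGEMENT_NETS):
            findings.append((r["ts"], "admin_outside_management_net", f"{src} -> {dst}"))
        # A session into the intercept segment that does not come from a
        # management host is the device-to-device hop that segmentation and
        # access policy should make impossible.
        if ipaddress.ip_address(dst) in INTERCEPT_NET and not in_any(src, MANAGEMENT_NETS):
            findings.append((r["ts"], "device_to_intercept_hop", f"{src} -> {dst}"))
    return findings


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def audit_firmware(inventory):
    """Return names of devices running firmware below the baseline for their model
    (or whose model has no baseline at all, which is itself a finding)."""
    out = []
    for name, (model, running) in inventory.items():
        minimum = FIRMWARE_BASELINE.get(model)
        if minimum is None or version_tuple(running) < version_tuple(minimum):
            out.append(name)
    return out


if __name__ == "__main__":
    for f in audit_admin_access(parse_log(SAMPLE_LOG)):
        print(*f)
    print("below baseline:", audit_firmware(SAMPLE_INVENTORY))
```

On the constructed data the audit flags the two `admin` sessions (default account, origin outside the management network) and the hop from the backbone router into the intercept segment, and reports `edge-01` as below baseline. In a real deployment the same rules would be fed from the AAA server's accounting export and the network inventory system, and the findings would be routed to the SOC rather than printed.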
The public advisory to use encrypted messaging is the final and most striking lesson — not because end-to-end encryption is new advice, but because it came from US federal law enforcement and intelligence agencies that have historically opposed or sought to limit strong encryption. The Salt Typhoon campaign produced a public posture shift: the US government now recommends that its citizens use Signal-class encrypted communications for sensitive conversations, because the alternative — the legacy PSTN telephone network — cannot be assumed secure against nation-state collection. That recommendation is worth internalising not just for individual users but for any organisation whose employees use phone calls or SMS for communications that should be private.
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
Sources
- FBI / CISA joint statement on PRC targeting of commercial telecommunications // primary
- CISA — Enhanced Visibility and Hardening Guidance for Communications Infrastructure // primary
- Salt Typhoon — Wikipedia // reporting
- Wall Street Journal — China Hacked Verizon, AT&T, Lumen in Major Breach of US Telecom Systems // reporting
- Washington Post — US officials urge public to use encrypted apps after China hacks telecom networks // reporting
- Wired — The Salt Typhoon Hack Officially Has No End in Sight // analysis