Salt Typhoon: When State-Sponsored Hackers Infiltrate Telecom Infrastructure 📡

The Largest Telecommunications Breach in U.S. History
In what cybersecurity experts are calling the most significant cyber espionage campaign in history, a Chinese state-sponsored hacking group known as Salt Typhoon successfully infiltrated America’s telecommunications backbone, compromising at least nine major U.S. telecom providers and affecting potentially every American citizen. This sophisticated attack, which remained undetected for up to two years, represents a watershed moment in cyber warfare and raises critical questions about the security of our nation’s critical infrastructure.
What Is Salt Typhoon?
Salt Typhoon is an advanced persistent threat (APT) actor widely believed to be operated by China’s Ministry of State Security (MSS), the country’s foreign intelligence service and secret police. The group, which goes by multiple names including GhostEmperor, FamousSparrow, Earth Estries, and RedMike depending on which security vendor is tracking them, has been active since at least 2019, though some forensic evidence suggests their operations may have begun even earlier.
According to research, Salt Typhoon has infiltrated over 200 targets in over 80 countries, making this a truly global espionage operation. Former NSA analyst Terry Dunlap has characterized the group as part of China’s long-term strategic objectives, describing them as a component of the nation’s comprehensive geopolitical strategy.
The group demonstrates remarkable sophistication and organization. Security researchers have found that Salt Typhoon consists of multiple distinct operating teams, each responsible for different victim sectors and operational responsibilities. This level of organization indicates not just technical prowess, but also significant institutional backing and resources.
The Anatomy of the Breach: How They Got In
The Salt Typhoon campaign represents a masterclass in patient, methodical cyber espionage. Rather than launching a single massive attack, the hackers employed a multi-phase approach that allowed them to maintain persistent, undetected access to critical telecommunications infrastructure.
Initial Access and Exploitation
The attackers exploited vulnerabilities in Cisco network devices, specifically CVE-2023-20198 and CVE-2023-20273, both of which were disclosed as zero-day flaws in October 2023. These vulnerabilities, despite having available patches, remained unpatched in thousands of devices, creating an easy entry point for the sophisticated hackers.
The first vulnerability allowed attackers to create local user accounts with administrative privileges, while the second enabled them to gain root access to the devices. By chaining these exploits together, Salt Typhoon operatives could take complete control of core network infrastructure.
Persistence and Stealth Tactics
Once inside, Salt Typhoon employed numerous sophisticated techniques to maintain access and avoid detection:
Network Device Manipulation: The group modified access control lists to add their own IP addresses, essentially giving themselves permanent backdoor access. They also exposed services like SSH, RDP, and FTP on both standard and non-standard ports, making their activities harder to detect.
Container-Based Operations: Perhaps most ingeniously, the hackers ran commands inside Linux containers on Cisco networking devices using a feature called Guest Shell. This allowed them to stage tools, process data, and move laterally through networks completely undetected, as activities inside these containers are typically not monitored by security teams.
Advanced Rootkit Deployment: Salt Typhoon deployed a Windows kernel-mode rootkit called Demodex, which gave them remote control over targeted servers while using anti-forensic and anti-analysis techniques to evade detection.
Multi-Hop Pivoting: The group used open-source multi-hop pivoting tools to relay commands from their command and control servers, making it extremely difficult for security teams to trace their activities back to the source.
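The persistence tactics above all leave traces in the device configuration itself: an extra privilege-15 account, an access-list entry admitting a new host, the web UI turned back on, SSH moved to a non-standard port, or the IOx framework that Guest Shell runs on. The following script is an added example, not code from the article, from Cisco, or from any of the agencies cited; it diffs a known-good baseline against the current running configuration and classifies each change. Both configurations are constructed samples in IOS-style syntax, the management subnet and account names are invented, and the assumption that Guest Shell depends on the `iox` configuration line is the author's, not something the article states.

```python
"""Baseline diff for Cisco IOS-style configurations.

Added example (not from the article, Cisco, or CISA). Compares a known-good
baseline against the current running config and reports the classes of change
the article attributes to Salt Typhoon. Both configs below are CONSTRUCTED
samples; hashes, hostnames and addresses are placeholders.
"""
import re
from dataclasses import dataclass

# Constructed known-good baseline: one admin account, web UI off, SSH on 22,
# management ACL restricted to a single (assumed) management subnet.
BASELINE = """\
hostname edge-rtr-1
username netops privilege 15 secret 9 $9$placeholder
no ip http server
no ip http secure-server
ip access-list standard MGMT
 permit 10.20.0.0 0.0.0.255
 deny   any
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Constructed "current" config showing the tampering described in the text.
CURRENT = """\
hostname edge-rtr-1
iox
username netops privilege 15 secret 9 $9$placeholder
username cisco_support privilege 15 secret 9 $9$placeholder2
ip http server
ip http secure-server
ip ssh port 2222 rotary 1
ip access-list standard MGMT
 permit 10.20.0.0 0.0.0.255
 permit 203.0.113.77
 deny   any
line vty 0 4
 access-class MGMT in
 transport input ssh
 rotary 1
"""

ADMIN_USER = re.compile(r"^username (\S+) privilege 15\b")
ACL_PERMIT = re.compile(r"^ip access-list \S+ (\S+) / permit (.+)$")
EXPOSED_SERVICE = re.compile(r"^ip http (secure-)?server$")
SSH_PORT = re.compile(r"^ip ssh port (\d+)")


@dataclass
class Finding:
    severity: str
    detail: str


def parse_config(text: str) -> set:
    """Normalise a config into a set of lines; indented children are prefixed
    with their parent so 'permit ...' lines stay tied to the right ACL."""
    lines, parent = set(), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and parent is not None:
            lines.add(f"{parent} / {raw.strip()}")
        else:
            parent = raw.strip()
            lines.add(parent)
    return lines


def audit(baseline_text: str, current_text: str) -> list:
    """Classify every line added to or removed from the baseline."""
    base, cur = parse_config(baseline_text), parse_config(current_text)
    added, removed = sorted(cur - base), sorted(base - cur)
    findings = []
    for line in added:
        if m := ADMIN_USER.match(line):
            findings.append(Finding("high", f"new privilege-15 account '{m.group(1)}'"))
        elif m := ACL_PERMIT.match(line):
            findings.append(Finding("high", f"ACL {m.group(1)} now permits {m.group(2).strip()}"))
        elif EXPOSED_SERVICE.match(line):
            findings.append(Finding("high", f"management web UI enabled: '{line}'"))
        elif m := SSH_PORT.match(line):
            findings.append(Finding("medium", f"SSH moved to non-standard port {m.group(1)}"))
        elif line == "iox":
            # Assumption: Guest Shell runs on the IOx framework, so 'iox' appearing
            # where it was not before is worth a look.
            findings.append(Finding("medium", "IOx framework enabled (Guest Shell prerequisite)"))
        else:
            findings.append(Finding("info", f"added: {line}"))
    for line in removed:
        # 'no ip http server' vanishing is already reported via the positive form.
        if line.startswith("no ") and line[3:] in cur:
            continue
        findings.append(Finding("info", f"removed: {line}"))
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, CURRENT):
        print(f"[{f.severity:6}] {f.detail}")
```

Run against a real estate, the baseline would be the last reviewed configuration archived by the change-control process, and anything above `info` should open a ticket rather than be silently re-baselined.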
The Staggering Scope of Compromise
Nine Major U.S. Telecom Providers Breached
The confirmed victims include Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream, along with two additional unnamed providers. These companies collectively serve hundreds of millions of Americans, making this breach unprecedented in its potential impact.
AT&T, Verizon, and Lumen have publicly confirmed the intrusions, though the full extent of the compromise across all affected companies remains under investigation. White House officials have indicated that even as of late 2024, authorities had not been able to fully ascertain the scope and severity of the attack or completely remove the attackers from compromised systems.
Metadata and Geolocation Tracking of Millions
The hackers accessed metadata from over a million users’ calls and text messages, including timestamps, source and destination IP addresses, and phone numbers, with most targets located in the Washington D.C. metro area. This metadata provides an incredibly detailed picture of communication patterns, social networks, and daily routines.
White House officials stated that the Chinese operatives had the capability to geolocate millions of individuals and record phone calls at will. This geolocation capability is particularly concerning because it could allow foreign intelligence services to track the movements of government officials, military personnel, intelligence assets, and other high-value targets in real-time.
High-Profile Political Targets
The breach specifically targeted individuals involved in government or political activities. In some cases, hackers obtained audio recordings of telephone calls from high-profile individuals, including staff from the Kamala Harris 2024 presidential campaign, as well as phones belonging to Donald Trump and JD Vance.
Deputy National Security Advisor Anne Neuberger revealed that a significant number of the individuals whose data was directly accessed were classified as government targets of interest. The FBI estimated that fewer than 100 individuals had their actual call content and text messages directly intercepted, though the number affected by metadata collection and geolocation tracking was far higher.
The Most Dangerous Element: Compromised Lawful Intercept Systems
Perhaps the most alarming aspect of the Salt Typhoon campaign was the group’s ability to compromise lawful intercept systems—the private portals that telecommunications companies provide to law enforcement and intelligence agencies for court-authorized wiretapping.
By accessing these systems, Salt Typhoon may have obtained information about which Chinese spies and informants U.S. counterintelligence agencies were monitoring. This represents a catastrophic counterintelligence failure, as it could allow China to identify and protect its intelligence assets operating within the United States, or potentially silence dissidents and journalists who communicate with U.S. contacts.
These lawful intercept systems were designed with security in mind, but they fundamentally created a single point of failure—a centralized repository of surveillance data that, once compromised, provides attackers with unprecedented visibility into government intelligence operations. The Salt Typhoon breach validates decades of warnings from cybersecurity experts about the inherent risks of mandated backdoors, even those designed for legitimate law enforcement purposes.
The Two-Year Campaign That Went Undetected
Timeline of Discovery
The Salt Typhoon campaign represents a failure of detection on a massive scale. U.S. officials stated that the campaign was likely underway for one to two years prior to its discovery in September 2024, though some intelligence sources suggest the group may have had access to telecommunications networks since as early as 2022 or even earlier.
The first public reports of the breach emerged in September 2024, when media outlets began reporting on a severe cyberattack that had compromised U.S. telecommunications systems. However, forensic analysis revealed that Salt Typhoon had been operating with impunity for an extended period before detection.
Sources have placed Salt Typhoon’s formation as far back as 2019, with broad agreement that the group had been present in telecom networks since at least mid-2023. This means the hackers likely enjoyed no less than a year of unrestricted access to these systems before any public disclosure.
Why Detection Took So Long
Several factors contributed to the extended period of undetected access:
Segmented Security Oversight: Lawful intercept systems are often managed separately from customer-facing platforms, meaning they fall outside the more mature cybersecurity governance frameworks used to protect subscriber data. This segmentation created blind spots that Salt Typhoon expertly exploited.
Living Off the Land Techniques: The attackers used legitimate administrative tools and standard system utilities to conduct their operations, making their activities blend seamlessly with normal network traffic. This approach, known as “living off the land,” is extremely difficult to detect because the tools themselves are authorized and expected on the network.
Distributed Attack Infrastructure: By spreading their operations across multiple access points and using multi-hop pivoting techniques, Salt Typhoon made it nearly impossible for security teams to identify the full scope of the compromise. Even when one intrusion point was discovered and closed, others remained active.
Sophistication and Patience: Unlike typical cybercriminals seeking quick financial gains, Salt Typhoon demonstrated remarkable patience and operational security. They collected data in small, hard-to-detect batches over extended periods, avoiding the kind of mass data exfiltration that might trigger security alerts.
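Living-off-the-land activity on network devices still produces ordinary logs: a successful login and a configuration-change message per device. What distinguishes it is who is logging in, from where, on which port, and across how many devices. The script below is an added example, not code from the article or from any vendor or agency it cites. It runs over constructed syslog lines that approximate the IOS `%SEC_LOGIN-5-LOGIN_SUCCESS` and `%SYS-5-CONFIG_I` message formats and flags logins or config changes from outside an assumed management subnet, activity by accounts not on an assumed known list, logins on a non-standard SSH port, and one source fanning out configuration changes across several devices; the hostnames, addresses, usernames and thresholds are all invented.

```python
"""Detection over Cisco IOS-style syslog for quiet administrative abuse.

Added example, not from the article. The log lines are CONSTRUCTED to
approximate real IOS message formats; allowlists and thresholds are assumed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed allowlists for this example.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
KNOWN_USERS = {"netops"}

# Constructed sample log: a normal change, then an unknown account working
# through three devices from one internal host late at night, then a known
# account logging in from an address outside the management subnet.
LOG = """\
edge-rtr-1: Mar  4 09:12:01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15] [localport: 22] at 09:12:01 UTC Mon Mar 4 2024
edge-rtr-1: Mar  4 09:14:37: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)
edge-rtr-2: Mar  4 23:41:10: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: cisco_support] [Source: 10.20.0.91] [localport: 2222] at 23:41:10 UTC Mon Mar 4 2024
edge-rtr-2: Mar  4 23:42:05: %SYS-5-CONFIG_I: Configured from console by cisco_support on vty1 (10.20.0.91)
edge-rtr-3: Mar  4 23:45:18: %SYS-5-CONFIG_I: Configured from console by cisco_support on vty1 (10.20.0.91)
core-rtr-1: Mar  4 23:49:52: %SYS-5-CONFIG_I: Configured from console by cisco_support on vty1 (10.20.0.91)
edge-rtr-4: Mar  5 02:03:44: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 203.0.113.77] [localport: 22] at 02:03:44 UTC Tue Mar 5 2024
"""

HOST = re.compile(r"^(\S+): ")
LOGIN = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (\S+)\] "
    r"\[Source: ([\d.]+)\] \[localport: (\d+)\]"
)
CONFIG = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([\d.]+)\)")


@dataclass
class Event:
    host: str
    kind: str            # "login" or "config"
    user: str
    src: str
    port: Optional[int]  # local port for logins, None for config changes


def parse(log_text: str) -> list:
    """Turn the two message types we care about into Event records."""
    events = []
    for line in log_text.splitlines():
        h = HOST.match(line)
        if not h:
            continue
        if m := LOGIN.search(line):
            events.append(Event(h.group(1), "login", m.group(1), m.group(2), int(m.group(3))))
        elif m := CONFIG.search(line):
            events.append(Event(h.group(1), "config", m.group(1), m.group(2), None))
    return events


def analyse(log_text: str, known_users=KNOWN_USERS, mgmt_nets=MGMT_NETS, fanout=3) -> list:
    """Return (severity, message) findings for the log."""
    findings = []
    config_hosts_by_source = defaultdict(set)
    for e in parse(log_text):
        src = ipaddress.ip_address(e.src)
        if not any(src in net for net in mgmt_nets):
            findings.append(("high", f"{e.host}: {e.kind} by {e.user} from non-management source {e.src}"))
        if e.user not in known_users:
            findings.append(("high", f"{e.host}: {e.kind} by unknown account '{e.user}'"))
        if e.port is not None and e.port != 22:
            findings.append(("medium", f"{e.host}: login on non-standard SSH port {e.port}"))
        if e.kind == "config":
            config_hosts_by_source[e.src].add(e.host)
    # One source reconfiguring many devices in the window is the fan-out that
    # multi-hop pivoting through a compromised internal host produces.
    for src, hosts in config_hosts_by_source.items():
        if len(hosts) >= fanout:
            findings.append(("medium", f"{src} changed configuration on {len(hosts)} devices: {sorted(hosts)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in analyse(LOG):
        print(f"[{sev:6}] {msg}")
```

The account allowlist is the important input: every privilege-15 user a device will accept should be known to the defenders before the attacker adds one, which is why this check pairs naturally with a configuration baseline.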
Beyond Telecommunications: The Full Scope of Compromise
Army National Guard Network Breach
The Salt Typhoon threat extends far beyond civilian telecommunications infrastructure. Between March and December 2024, Salt Typhoon extensively compromised a U.S. state’s Army National Guard network, exfiltrating administrator credentials, network traffic diagrams, geographic location maps, and personally identifiable information of service members.
This nine-month undetected breach of military networks represents a serious escalation. The stolen network diagrams and administrator credentials could facilitate follow-on attacks against National Guard units in all 50 states and at least four U.S. territories. Since National Guard units in 14 states are integrated with state fusion centers responsible for sharing threat information, this compromise could undermine local cybersecurity efforts to protect critical infrastructure nationwide.
Additional Government and Infrastructure Targets
The scope of Salt Typhoon’s operations extended well beyond telecommunications and military networks. Between January and March 2024, the group exfiltrated configuration files from at least two U.S. state government agencies and multiple critical infrastructure entities. At least one of these stolen configuration files later revealed the compromise of a vulnerable device on another government agency’s network, demonstrating how each successful intrusion enabled additional attacks.
Recent research has identified that Salt Typhoon possibly targeted universities including UCLA, California State University, Loyola Marymount University, and Utah Tech University, likely seeking access to telecommunications and engineering research.
Global Reach
The campaign wasn’t limited to the United States. Reports confirm that Salt Typhoon compromised telecommunications and critical infrastructure in several dozen countries, including targets in Canada, Australia, New Zealand, the United Kingdom, and nations across Europe and the Indo-Pacific region. An unnamed Canadian telecommunications company was breached in February 2025, and Viasat, a U.S. telecommunications provider, was named as a victim in June 2025.
The Government Response and Ongoing Threat
Federal Agency Actions
In December 2024, a coalition of U.S. and international cybersecurity agencies, including CISA, the NSA, the FBI, and their counterparts in Australia, New Zealand, and Canada, released comprehensive guidance titled “Enhanced Visibility and Hardening Guidance for Communications Infrastructure.” This document outlines best cybersecurity practices for organizations and includes specific recommendations for protecting Cisco products targeted in the attack.
On January 17, 2025, the U.S. Treasury Department’s Office of Foreign Assets Control sanctioned Yin Kecheng and Sichuan Juxinhe Network Technology Co. Ltd. for having direct involvement in Salt Typhoon operations. These sanctions aim to cut off financial and operational resources for the hacking collective.
Regulatory Response
The Federal Communications Commission has proposed new regulations requiring telecommunications carriers to adhere to mandatory cybersecurity requirements and conduct annual vulnerability testing. Senator Ron Wyden released a draft of the Secure American Communications Act, which would formalize these requirements into law.
The FCC is expected to vote on mandatory cybersecurity rules by January 2025, marking a significant shift from the previous voluntary compliance approach. FCC officials have acknowledged that voluntary measures proved inadequate against nation-state threat actors with the resources and sophistication of Salt Typhoon.
The $3 Billion Infrastructure Challenge
The Salt Typhoon breach has accelerated efforts to address a critical vulnerability in U.S. telecommunications infrastructure: the presence of Chinese-manufactured equipment in American networks. The FCC’s “Rip and Replace” program, designed to remove insecure equipment from companies like Huawei and ZTE, faces an estimated cost of $4.98 billion but has a funding shortfall of $3.08 billion.
Bipartisan support is building for a defense bill that would secure $3 billion for the program, with additional funding potentially coming from spectrum auctions. However, the timeline for complete remediation remains uncertain, and some security experts warn that replacing equipment alone won’t address the fundamental security vulnerabilities that Salt Typhoon exploited.
The Continuing Threat
Still Active and Expanding
Despite the public disclosure and government response, Salt Typhoon remains an active threat. Research published in February 2025 revealed that Salt Typhoon conducted a campaign between December 2024 and January 2025 targeting more than 1,000 unpatched Cisco edge devices globally, resulting in the compromise of devices at five additional organizations, including U.S. telecommunications providers.
Security researchers have noted that more than half of the targeted Cisco devices were located in the United States, South America, and India, with researchers identifying over 12,000 Cisco devices with web user interfaces exposed to the internet—potential targets for future attacks.
Persistent Presence Concerns
One of the most troubling aspects of advanced persistent threats like Salt Typhoon is the difficulty of complete eradication. Cybersecurity experts have expressed concerns that Chinese operatives may maintain active access to American systems even as investigations and remediation efforts continue.
In one documented case, Salt Typhoon hackers remained in an affected environment for up to three years before being discovered. Both AT&T and Verizon, while announcing they had “contained” the incident, stopped short of guaranteeing that the hackers couldn’t return.
What This Means for National Security
Counterintelligence Implications
The Salt Typhoon breach represents one of the most significant counterintelligence failures in modern U.S. history. By compromising lawful intercept systems, Chinese intelligence operatives gained visibility into which of their agents and informants were under U.S. surveillance. This knowledge could allow them to protect valuable assets, adjust their operations, or even feed disinformation to U.S. intelligence agencies.
The ability to monitor the communications of high-ranking government officials, military leaders, and political candidates provides China with unprecedented insight into U.S. policy deliberations, strategic planning, and diplomatic negotiations. This intelligence advantage could persist for years, as decisions made based on stolen information continue to shape policy outcomes.
Pre-Positioning for Future Conflict
Cybersecurity analysts believe that Salt Typhoon’s operations go beyond traditional espionage. The comprehensive access to telecommunications infrastructure could enable China to cause massive disruption to American communications networks in the event of a military conflict. This “pre-positioning” strategy has been observed in other Chinese cyber operations and represents a form of strategic deterrence.
By mapping the architecture of U.S. telecommunications networks, identifying critical chokepoints, and maintaining persistent backdoor access, Salt Typhoon has essentially laid the groundwork for potential sabotage operations that could be activated in a crisis scenario.
The Erosion of Trust
Perhaps the most lasting damage from the Salt Typhoon campaign is the erosion of trust in telecommunications security. If the backbone of American communications infrastructure can be comprehensively compromised for years without detection, what other critical systems might be similarly vulnerable?
This breach has forced government agencies, corporations, and individuals to reevaluate their assumptions about communication security and has accelerated the adoption of end-to-end encrypted messaging services as a necessary defense against nation-state surveillance.
Protecting Yourself: What Individuals Can Do
While the Salt Typhoon breach primarily targeted high-value government and political figures, the comprehensive nature of the compromise means that ordinary Americans’ communications may also have been exposed. Cybersecurity experts recommend several measures to enhance personal security:
Use End-to-End Encrypted Communications
CISA has specifically recommended that highly targeted individuals—including senior officials, journalists, and political leaders—use end-to-end encrypted tools like Signal, FaceTime, or Messages. However, this advice is equally applicable to ordinary citizens concerned about privacy.
End-to-end encryption ensures that even if network infrastructure is compromised, attackers cannot access the content of communications—only metadata like timestamps and participant information.
Basic Security Hygiene
Additional protective measures include:
- Keep all devices updated: Regularly patch phones, laptops, routers, and connected devices to address known vulnerabilities
- Enable multi-factor authentication: Add a second layer of defense for all critical accounts
- Avoid default passwords: Change default or easily guessed passwords on all devices, including home routers
- Use strong, unique passwords: Employ a password manager to create and store complex passwords for each account
Realistic Expectations
It’s important to note that for most Americans, the threat from Salt Typhoon remains relatively low. Chinese intelligence services are primarily interested in government officials, political figures, military personnel, corporate executives with access to valuable intellectual property, and individuals with access to classified information.
However, the breach serves as a reminder that communications security should not be taken for granted, and that adopting strong security practices benefits everyone in an increasingly connected world.
The Broader Implications: A Wake-Up Call for Critical Infrastructure Security
The Backdoor Dilemma
The Salt Typhoon breach has reignited a longstanding debate in the cybersecurity community about the inherent risks of mandated backdoors for law enforcement access. Security experts have long warned that any secret access to technology products is unlikely to remain undiscovered or used only by “the good guys.”
The breach proves that decades of warnings by the internet security community were correct—efforts to require backdoor access are likely to backfire. When telecommunications companies create lawful intercept capabilities for legitimate law enforcement purposes, they simultaneously create a high-value target for sophisticated adversaries.
Voluntary Compliance Has Failed
The Salt Typhoon campaign demonstrates that voluntary cybersecurity measures are inadequate to protect critical infrastructure against well-resourced nation-state adversaries. Despite years of government guidance and industry best practices, major telecommunications providers failed to adequately secure their networks or even detect the compromise in a timely manner.
Senator Ron Wyden noted that the breach was inevitable once the FCC decided to let phone companies write their own cybersecurity rules. The move toward mandatory security standards with regular audits and penalties for non-compliance represents a necessary evolution in the regulatory approach to critical infrastructure protection.
The Supply Chain Challenge
The Salt Typhoon breach highlights the vulnerability of relying on equipment and software from potentially adversarial nations. While the hackers exploited vulnerabilities in Cisco devices—an American company—the broader challenge of Chinese-manufactured telecommunications equipment in U.S. networks remains a significant concern.
The difficulty and expense of the “Rip and Replace” program demonstrates how deeply embedded foreign technology has become in American critical infrastructure, and the strategic vulnerability this creates.
Looking Forward: The Future of Telecommunications Security
A New Threat Landscape
Salt Typhoon represents a new evolution in state-sponsored cyber operations—not a quick smash-and-grab data theft, but a patient, methodical establishment of persistent access to critical infrastructure with the goal of long-term intelligence collection and potential future disruption.
This shift requires a fundamental change in how we approach cybersecurity for critical infrastructure. Traditional perimeter defenses and reactive security measures are insufficient against adversaries who are willing to invest years in maintaining undetected access.
The Need for Zero Trust Architecture
The telecommunications sector must rapidly adopt zero trust security architectures that assume breach and continuously verify every access request, rather than relying on perimeter defenses. This includes:
- Continuous monitoring and behavioral analysis to detect anomalies
- Microsegmentation to limit lateral movement within networks
- Mandatory multi-factor authentication for all administrative access
- Regular security audits by independent third parties
- Incident response plans that assume persistent adversary presence
International Cooperation
Given the global nature of telecommunications networks and the international scope of Salt Typhoon’s operations, effective defense requires unprecedented cooperation between allied nations. The joint cybersecurity advisory issued by the United States, Australia, New Zealand, and Canada represents an important step, but sustained cooperation and information sharing will be essential to countering sophisticated nation-state threats.
Conclusion: The Lasting Impact of Salt Typhoon
The Salt Typhoon cyber espionage campaign represents a watershed moment in the ongoing struggle to secure critical infrastructure against nation-state adversaries. The two-year undetected breach of at least nine major U.S. telecommunications providers, the compromise of lawful intercept systems, and the potential exposure of millions of Americans’ communications data marks this as one of the most significant cybersecurity incidents in history.
The breach has exposed fundamental vulnerabilities in how we secure telecommunications infrastructure, the inherent risks of mandated backdoors for law enforcement, and the inadequacy of voluntary compliance measures in the face of sophisticated, patient adversaries.
As investigations continue and the full scope of the compromise becomes clear, one thing is certain: the Salt Typhoon campaign has forever changed how we must think about telecommunications security, national security, and the protection of critical infrastructure in an era of intensifying geopolitical competition and sophisticated cyber warfare.
The response to Salt Typhoon—including mandatory security standards, significant infrastructure investments, and the widespread adoption of end-to-end encryption—will shape the future of telecommunications security for decades to come. The question now is whether these measures will be implemented quickly and comprehensively enough to prevent the next Salt Typhoon before it begins its own multi-year campaign of undetected espionage.