In the summer of 2024, U.S. intelligence analysts noticed something they had never seen before: a pattern of network access that mirrored lawful surveillance requests — but wasn’t coming from law enforcement.
The culprit was Salt Typhoon, a Chinese Ministry of State Security (MSS)-linked advanced persistent threat (APT) group. By late 2024, they’d gained access to systems used by AT&T, Verizon, Lumen, T-Mobile, and at least six other U.S. carriers to comply with CALEA (Communications Assistance for Law Enforcement Act) lawful-intercept obligations. In plain terms: the wiretap infrastructure the U.S. government mandated carriers build became the precise entry point China used to wiretap America.
FBI Director Christopher Wray testified in December 2024 that Salt Typhoon had “the ability to locate within the United States, essentially, millions of individuals — and in some cases, record phone calls at will.” The implications are staggering. CALEA requires U.S. telecom carriers to build real-time intercept capabilities into their networks. Those same systems — designed to be always-on, deeply integrated, and privileged — were now in Chinese hands.
This isn’t just a telecom breach. It’s a structural compromise of the legal architecture governing American communications.
Threat Actor Profile: Salt Typhoon
Attribution
Salt Typhoon is assessed with high confidence to operate under the MSS, specifically linked to the espionage cluster that also includes Earth Estries and GhostEmperor. Overlap with Volt Typhoon — another Chinese state-sponsored group focused on pre-positioning in critical infrastructure — is significant.
While Volt Typhoon’s primary mission is disruption, Salt Typhoon’s mission is intelligence collection: espionage, counterintelligence, and strategic surveillance.
Also tracked as: Earth Estries, GhostEmperor cluster, UFG-5338 (Mandiant), UNC4892.
Strategic Objectives
- Intelligence collection on U.S. government officials, political figures, and their staff
- Counterintelligence — mapping U.S. surveillance capabilities and methods
- Pre-positioning for potential future disruptive operations against telecom infrastructure
- Long-term access via living-off-the-land techniques designed to persist undetected for years
Key TTPs
Initial Access:
- Exploitation of internet-facing devices (Cisco IOS XE, edge routers, firewalls). CVE-2023-20198 — a Cisco IOS XE auth bypass with patches available since 2023 — was heavily used
- Supply chain compromise of network equipment vendors
- Credential harvesting via spear-phishing and credential-stuffing
Persistence and Lateral Movement:
- Living-off-the-land binaries (LOLBins) to avoid detection
- Custom implants: Snake malware (Turla/COZYBEAR lineage); iox proxy tool for command-and-control tunneling
- Winnti/Doufl_lo malware family for persistent access
- Abuse of TACACS servers and RADIUS infrastructure
- Exploitation of CALEA lawful-intercept management interfaces
Exfiltration:
- Data compressed and staged in network-accessible directories
- HTTPS and DNS tunneling to blend with normal traffic
- Targeting of CDRs, call content, and subscriber metadata
Volt Typhoon Overlap
Salt Typhoon and Volt Typhoon share infrastructure, tools, and operational patterns. Volt Typhoon — documented by CISA, NSA, and FBI in a joint advisory (March 2024) — uses “living off the land” techniques. Both groups use the same TACACS exploitation approach. The distinction is strategic: Volt Typhoon prepares for destructive operations; Salt Typhoon harvests intelligence. They are the same ecosystem, divided by mission.
Kill Chain Breakdown: Four Carrier Case Studies
AT&T
- Initial compromise: Late 2022–2023 (dwell time potentially 2+ years before full detection in 2024)
- Entry vector: CVE-2023-20198 on Cisco IOS XE internet-facing management interfaces; CALEA system exploitation
- What was accessed: CALEA lawful-intercept systems; Call Detail Records; call content for Trump and Harris campaign staff; law enforcement intercept access credentials
- Dwell time: 12–24 months estimated
Verizon
- Initial compromise: Mid-to-late 2023, full campaign awareness by late 2024
- Entry vector: Cisco IOS XE exploitation; management plane credential compromise on core routing infrastructure
- What was accessed: CALEA lawful-intercept access systems; CDR databases; enterprise voice services; network topology data
- Dwell time: 12–18 months estimated
Lumen (CenturyLink/Level 3)
Lumen’s position as one of the largest U.S. backbone providers means compromise at this level extends beyond Lumen’s own customer base to any organization whose traffic transits Lumen’s network — a significant portion of U.S. internet traffic.
- What was accessed: Backbone routing infrastructure; transit traffic metadata; enterprise customer traffic; national fiber management interfaces
- Strategic value: Network topology data enabling further targeting of peering and transit relationships
T-Mobile
T-Mobile disclosed in 2024 that it had been compromised by the same campaign, with detection occurring earlier than at AT&T or Verizon.
- Faster detection: Estimated 6–9 months dwell time — suggests better security monitoring or smaller initial foothold
- What was accessed: Cloud infrastructure and customer data
Viasat — Satellite Extension
Bloomberg reported in 2025 that Viasat was also compromised by Salt Typhoon — extending the campaign’s reach into satellite communications infrastructure. Satellite comms are critical for government and military connectivity; compromise here amplifies the intelligence value of the entire campaign.
Carrier Comparison
| Carrier | Entry Vector | Dwell Time (Est.) | Primary Target |
|---|---|---|---|
| AT&T | Cisco IOS XE CVE-2023-20198 + CALEA system exploitation | 12–24 months | CALEA wiretap data, campaign call content |
| Verizon | Cisco IOS XE exploitation, management plane compromise | 12–18 months | CDR metadata, enterprise voice services |
| Lumen | Backbone infrastructure targeting | ~12 months | Network topology, transit metadata |
| T-Mobile | Cloud infrastructure + credential compromise | ~6–9 months | Customer data, cloud infrastructure |
| Viasat | Satellite comms infrastructure | ~12 months | Government/military satellite connectivity |
The CALEA Architecture Problem
This is the most important section for CISOs to understand — because it reframes the entire attack.
What CALEA Requires
CALEA (Communications Assistance for Law Enforcement Act, 1994) mandates that telecom carriers build and maintain real-time intercept capability into their networks. The architecture involves:
- Lawful Intercept Access Points (LIAPs) — designated network points where authorized surveillance data can be extracted
- Management interfaces — systems carriers use to configure and monitor intercept capabilities, accessible to law enforcement via court order
- Always-on infrastructure — intercept capabilities designed to be operational 24/7, meaning they cannot be easily taken offline
- Deep network integration — LI systems sit at core network points with access to call content, metadata, and network topology
Why This Became a High-Value Target
The irony: the characteristics that make CALEA lawful-intercept infrastructure valuable for law enforcement are exactly what make it valuable for a nation-state adversary.
- Deep network access = rich intelligence source
- Always-on availability = persistent presence without detection risk
- High privilege access = ability to pivot deeper into the network
- A smaller attack surface? No: CALEA management interfaces are often internet-facing or reachable from carrier management networks
CISA’s analysis found that some carriers’ CALEA management systems “were protected with a basic numeric password” — a shocking admission for infrastructure handling court-ordered surveillance.
What Other Carriers Should Assume
If you’re a U.S. telecom carrier today, assume the following:
- CALEA management interfaces may have been accessed or will be targeted
- Any unpatched Cisco IOS XE devices in your network were potentially compromised
- If you haven’t audited your lawful-intercept access logs for anomalous access in the past 24 months, assume a breach occurred
- Nation-state actors may have knowledge of your network topology from this campaign that extends beyond direct compromise
Detection: What Carriers Missed and What Finally Tripped It
Why Detection Failed
Living-off-the-land techniques: Salt Typhoon avoided custom malware that would trip AV or EDR signatures. Detection requires behavioral analytics, not signature matching.
Long dwell time: The group operated for 12–24 months. Security teams relying on 30–90 day log retention may have overwritten evidence of initial access.
Trust in management networks: CALEA management interfaces were treated as “internal” and not subjected to the same external threat monitoring.
Lack of supply chain visibility: Cisco IOS XE exploitation was well-documented. Organizations without asset inventory showing device count and patch status missed this entirely.
What Finally Tripped Detection
Joint CISA/FBI investigation identified Salt Typhoon’s infrastructure. The breakthrough came when:
- CISA’s Joint Defense team identified anomalous patterns correlating with known Chinese APT infrastructure
- Microsoft’s threat intelligence team identified shared TTPs between Earth Estries/GhostEmperor cluster and the telecom campaign
- FBI counterintelligence operations identified communications metadata anomalies pointing back to CALEA system compromise
MTTD (Mean Time to Detect): 12–24 months for AT&T; ~6–9 months for T-Mobile.
MTTR (Mean Time to Remediate): Once detected, eviction of a nation-state actor from deeply embedded infrastructure is measured in months, not days.
Control Mapping: FCC, CISA, NIST CSF 2.0
FCC CPNI Rules
The FCC’s CPNI rules (47 CFR § 64.2001 et seq.) require carriers to protect customer call detail records from unauthorized disclosure. Unauthorized access to CDR databases is an FCC-reportable event — carriers must notify within 5 business days.
Post-Salt Typhoon FCC action (PS Docket No. 22-329, 2025): proposed new cybersecurity rules for carriers. The FCC issued an Order requiring network security plans, supply chain risk management, and breach notification within 72 hours for cybersecurity incidents affecting communications.
CALEA Compliance Obligations
Carriers must maintain “capable” intercept systems under 47 U.S.C. § 1002. Compromised CALEA systems meant China could conduct warrantless interception — undermining the entire legal framework. Post-breach, carriers face dual pressure: securing CALEA systems AND demonstrating ongoing compliance.
CISA Cross-Sector CPGs
| CPG Goal | Salt Typhoon Gap | Status |
|---|---|---|
| CPG 1.1 — Asset inventory | Cisco IOS XE unpatched; unknown asset count | FAIL |
| CPG 1.4 — MFA on privileged access | Management interfaces with numeric passwords only | FAIL |
| CPG 1.5 — MFA on all accounts | TACACS/RADIUS servers compromised | FAIL |
| CPG 1.10 — Security updates within 30 days | CVE-2023-20198 patches available since 2023 | FAIL |
| CPG 2.3 — Network segmentation | CALEA systems not segmented from broader network | FAIL |
NIST CSF 2.0 Mapping
NIST CSF 2.0 (February 2024) provides six functions. Salt Typhoon maps to every one:
Govern (GV) — New in CSF 2.0: GV.OC-01 (organizational risk management); GV.RM-02 (supply chain risk management for telecom equipment vendors); GV.SE-01 (security and resilience not aligned with nation-state threat model).
Identify (ID): ID.AM-01 (incomplete asset inventory); ID.AM-02 (unknown firmware versions/patch status); ID.RA-02 (Cisco IOS XE vulnerability in supply chain not addressed).
Protect (PR): PR.AA-01 (privileged access to CALEA systems not properly segmented or MFA’d); PR.PS-01 (inadequate firmware patching program); PR.DS-02 (insufficient protection for CDR databases).
Detect (DE): DE.CM-01 (CALEA management interface traffic not monitored); DE.CM-03 (admin access to LI systems not logged); DE.CM-07 (Cisco IOS XE vulnerability undetected for months).
Respond (RS): RS.AN-03 (dwell time of 12–24 months shows insufficient forensic capability).
Recover (RC): RC.RP-01 (nation-state actor eviction requires coordinated federal response).
Case Study Sidebars
Case Study 1: Optus 2022 (Australia)
In September 2022, Optus — Australia’s second-largest carrier — suffered a breach affecting 10 million customers. The attack exposed passport numbers, driver’s licence numbers, and Medicare IDs. The attacker demanded $1M in XRP cryptocurrency, then listed the data for sale.
Lesson: Telecom networks are high-value targets precisely because they touch everyone. Optus’s consumer data exposure contrasts with Salt Typhoon’s network-level focus — different objectives, same carrier risk.
Case Study 2: T-Mobile 2021 (U.S.)
T-Mobile disclosed in August 2021 that a threat actor accessed data on approximately 76.6 million U.S. customers — SSNs, driver’s license numbers, dates of birth. The breach was traced to the LAPSUS$ ransomware group using stolen credentials and SIM-swapping.
Lesson: T-Mobile’s 2021 breach and 2024 Salt Typhoon compromise show a pattern: T-Mobile’s security is improving (faster detection in 2024) but the carrier remains an ongoing target of both criminal and nation-state actors.
Case Study 3: SolarWinds Telecom Impact (2020)
The SolarWinds supply chain compromise (December 2020) — attributed to Russian SVR — affected approximately 18,000 SolarWinds Orion customers, including multiple U.S. telecom carriers.
Lesson: Supply chain compromise of network management software gives attackers the same privileged access as direct CALEA system compromise. Salt Typhoon’s use of Cisco IOS XE exploitation mirrors the SolarWinds playbook.
Case Study 4: Lazarus Group Crypto-Telecom Intersections
North Korea’s Lazarus Group (HIDDEN COBRA) has systematically targeted telecom operators for cryptocurrency exchange heists. The group uses telecom infrastructure as a pivot point to reach crypto exchange networks.
Lesson: Telecom infrastructure is not only an intelligence target — it’s a conduit for financial crime. The telecommunications sector’s unique position makes it a priority for both espionage and criminal actors.
Case Study 5: AT&T 2023 Consumer Data Exposure
In March 2023, AT&T disclosed that data from approximately 73 million customers was found on a hacking forum — SSNs, account details, passcodes. The breach traced to an AT&T vendor.
Lesson: The 2023 consumer breach and the 2024 Salt Typhoon campaign targeted different AT&T assets but exploited the same underlying weakness: inadequate segmentation between operational systems and sensitive data stores.
Case Study 6: Japanese Telecom Targeting (2019–2021)
Chinese state-sponsored actors targeted Japanese telecom operators (NTT Docomo, KDDI, SoftBank) across multiple campaigns from 2019–2021, using similar TACACS exploitation techniques to those later seen in Salt Typhoon. Japan is a Five Eyes partner.
Lesson: Salt Typhoon’s U.S. campaign mirrors Japanese targeting — same techniques, same MSS ecosystem. The Japan campaigns were earlier warning shots that went underreported in U.S. media.
Case Study 7: WhatsApp/NSO Group (2019)
In May 2019, WhatsApp was exploited using CVE-2019-3568 to install Pegasus spyware from NSO Group, targeting lawyers, journalists, and activists.
Lesson: Salt Typhoon’s scale — compromising nine U.S. carriers simultaneously — is the nation-state equivalent of Pegasus at carrier scale.
Case Study 8: Syniverse 2021 Breach
Syniverse — a telecom infrastructure company providing text message routing for carriers worldwide — disclosed in 2021 that an intruder had been inside its systems since 2016, accessing telecom records for hundreds of millions of messages.
Lesson: Syniverse’s five-year undetected compromise mirrors Salt Typhoon’s dwell time. Critical infrastructure providers that sit between carriers are high-value, low-visibility targets — and once compromised, they provide persistent access to the entire ecosystem.
Hardening Checklist for Telecom CISOs
Immediate Actions (90 days)
Network Infrastructure:
- Audit all Cisco IOS XE deployments for CVE-2023-20198 and CVE-2024-20353 patches; apply immediately
- Enforce MFA on all management interfaces — no exceptions for CALEA management systems (coordinate with legal counsel)
- Segment CALEA lawful-intercept systems from general network infrastructure; treat as Tier 0 assets
- Review all internet-facing management interfaces — disable if not needed, implement jump servers for required access
- Audit TACACS and RADIUS server configurations — Salt Typhoon specifically targeted these for credential harvesting
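A static check for the Network Infrastructure items above, written as an added example (not the article's, Cisco's or any carrier's tooling): it parses running-config text and flags an unrestricted web UI (the surface CVE-2023-20198 exploited), privilege-15 accounts nobody has on record, missing AAA, TACACS servers without a key, and VTY lines without an access-class. Both config excerpts and the approved-admin list are constructed.

```python
# Static audit of IOS XE running-config text for the management-plane weaknesses
# the checklist targets. Added example; config excerpts and admin list are constructed.
import re

# Constructed 'show running-config' excerpt of an internet-facing edge router.
WEAK_CONFIG = """\
ip http server
ip http secure-server
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
tacacs server isa-tac-01
 address ipv4 10.0.0.10
line vty 0 4
"""
# Constructed hardened form of the same device.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
no ip http server
no ip http secure-server
username netops privilege 15 secret 9 $9$placeholder
tacacs server isa-tac-01
 address ipv4 10.0.0.10
 key 7 placeholder
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""
APPROVED_ADMINS = {"netops"}  # assumed: the local admin accounts on record


def sections(config):
    """Return [(top-level line, [indented child lines])] for each config block."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    return blocks


def audit_ios_xe_config(config, approved_admins):
    """Return finding codes; an empty list means no checked weakness was found."""
    blocks = sections(config)
    top = [h for h, _ in blocks]
    findings = []
    # Web UI enabled with no access-class: the surface CVE-2023-20198 exploited;
    # 'no ip http server' / 'no ip http secure-server' removes it entirely.
    web_ui = any(h in ("ip http server", "ip http secure-server") for h in top)
    if web_ui and not any(h.startswith("ip http access-class") for h in top):
        findings.append("WEBUI_UNRESTRICTED")
    # Privilege-15 local users not on record: exploitation of CVE-2023-20198
    # created accounts of exactly this kind, so each extra one needs an owner.
    for h in top:
        m = re.match(r"username (\S+) privilege 15\b", h)
        if m and m.group(1) not in approved_admins:
            findings.append("UNKNOWN_PRIV15_USER:" + m.group(1))
    if "aaa new-model" not in top:
        findings.append("AAA_NOT_ENABLED")  # device authenticates locally only
    for h, kids in blocks:
        if h.startswith("tacacs server") and not any(k.startswith("key ") for k in kids):
            findings.append("TACACS_NO_KEY:" + h.split()[-1])
        if h.startswith("line vty") and not any(k.startswith("access-class") for k in kids):
            findings.append("VTY_NO_ACCESS_CLASS:" + h[5:])
    return findings
```

Run it over the output of `show running-config` collected from each device in the asset inventory; a non-empty list is a ticket for Network Engineering.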
Asset Inventory:
- Complete inventory of all network devices with firmware/software version tracking
- Implement automated patch management for all network infrastructure
- Conduct penetration testing focused on network management plane
Monitoring:
- Enable logging on all CALEA management interfaces; retain logs minimum 12 months
- Implement behavioral analytics on lawful-intercept system access — flag access outside known law enforcement court order patterns
- Deploy network traffic analysis to detect C2 beaconing
- Implement EDR on all servers with access to CDR databases and call content
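A rule-based review of lawful-intercept management access against the court orders on record, the behavioral control the Monitoring items call for and the Detection section says management networks lacked. This is an added example, not the article's or any carrier's code; the log format, field names, order register, operator list and management network are all constructed assumptions.

```python
# Review LI management access events against the orders on record.
# Added example: log format, order register and all values are constructed.
import ipaddress
import re
from datetime import datetime

# Actions that must cite a live court order covering the target.
PROVISIONING = {"intercept_create", "intercept_modify", "content_export"}

# Constructed order register; a real system reads this from the LI
# provisioning database, here it is inline so the example runs offline.
ORDERS = {
    "ORD-2024-0117": {
        "valid_from": "2024-03-01T00:00:00Z",
        "valid_to": "2024-04-14T23:59:59Z",
        "targets": {"+12025550143"},
    },
}
APPROVED_OPERATORS = {"li_ops1", "li_ops2"}  # assumed enrolled LI staff
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed LI management VLAN

# Constructed syslog-style audit lines from a hypothetical LI management host.
SAMPLE_LOG = """\
2024-03-14T15:02:10Z li-mgmt-01 user=li_ops1 src=10.20.0.15 action=intercept_create order=ORD-2024-0117 target=+12025550143
2024-03-14T02:13:55Z li-mgmt-01 user=svc_backup src=198.51.100.23 action=content_export order=ORD-2024-0117 target=+12025550143
2024-03-15T09:40:02Z li-mgmt-01 user=li_ops1 src=10.20.0.15 action=intercept_create target=+12025550199
2024-05-02T11:12:44Z li-mgmt-01 user=li_ops2 src=10.20.0.16 action=intercept_modify order=ORD-2024-0117 target=+12025550143
2024-03-20T10:00:00Z li-mgmt-01 user=li_ops1 src=10.20.0.15 action=intercept_create order=ORD-2024-0117 target=+12025550999
"""


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_li_access(log, orders, approved_operators, mgmt_net):
    """Return {line_number: [reasons]} for every event that breaks a rule."""
    flagged = {}
    for n, line in enumerate(log.strip().splitlines(), start=1):
        ts_text, _host, rest = line.split(" ", 2)
        ev = dict(re.findall(r"(\w+)=(\S+)", rest))
        when = _ts(ts_text)
        reasons = []
        # Who: only enrolled LI operators may touch the system at all.
        if ev.get("user") not in approved_operators:
            reasons.append("UNKNOWN_OPERATOR")
        # Where from: the LI management plane is reachable only from its VLAN.
        if ipaddress.ip_address(ev["src"]) not in mgmt_net:
            reasons.append("SOURCE_OUTSIDE_MGMT_NET")
        # Why: provisioning and content access must cite a live order that
        # covers this target; anything else is interception without authority.
        if ev.get("action") in PROVISIONING:
            order = orders.get(ev.get("order"))
            if "order" not in ev:
                reasons.append("NO_ORDER_REFERENCE")
            elif order is None:
                reasons.append("ORDER_NOT_FOUND")
            else:
                if not _ts(order["valid_from"]) <= when <= _ts(order["valid_to"]):
                    reasons.append("OUTSIDE_ORDER_WINDOW")
                if ev.get("target") not in order["targets"]:
                    reasons.append("TARGET_OUT_OF_SCOPE")
        if reasons:
            flagged[n] = reasons
    return flagged
```

Only the first sample line passes; the second line, an unknown account exporting call content from outside the management network at 02:13, is the pattern this campaign relied on going unnoticed.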
Supply Chain:
- Audit all network equipment vendor relationships; require SBOM from Cisco, Juniper, Ciena, and other vendors
- Implement Zero Trust for all network management access
- Conduct supply chain risk assessment on all third-party telecom interconnection partners
CISO Hardening Checklist — Quick Reference
| Action | Owner | Deadline | Priority |
|---|---|---|---|
| Patch Cisco IOS XE CVE-2023-20198 / CVE-2024-20353 | Network Engineering | 72 hours | CRITICAL |
| MFA on all management interfaces (CALEA included) | IAM / Legal | 1 week | CRITICAL |
| Segment CALEA/LI systems from general network | Network Architecture | 2 weeks | HIGH |
| Disable unused internet-facing management interfaces | Network Engineering | 1 week | HIGH |
| Audit TACACS/RADIUS for weak configs | Security Engineering | 2 weeks | HIGH |
| Deploy behavioral analytics on LI system access | SOC / Security Engineering | 1 month | HIGH |
| Complete asset inventory with firmware tracking | IT Operations | 30 days | HIGH |
| EDR on CDR/call content servers | SOC | 30 days | HIGH |
| BGP security (RPKI + MANRS) | Network Engineering | 90 days | MEDIUM |
| NIST CSF 2.0 self-assessment | CISO | 6 months | MEDIUM |
MITRE ATT&CK Framework Mapping
| Technique ID | Technique | Observed Use |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Cisco IOS XE CVE-2023-20198 |
| T1078 | Valid Accounts | Compromised admin credentials for LI system access |
| T1548 | Abuse Elevation Control Mechanism | Privilege escalation via CALEA management interfaces |
| T1005 | Data from Local System | CDR database harvesting |
| T1048 | Exfiltration Over Alternative Protocol | HTTPS and DNS tunneling for data exfil |
| T1027 | Obfuscated Files or Information | Custom malware obfuscation via LOLBins |
| T1071 | Application Layer Protocol | C2 via legitimate HTTPS traffic |
| T1219 | Remote Access Software | iox proxy tool for persistent C2 |
| T1556 | Modify Authentication Process | TACACS/RADIUS credential harvesting |
| T1021 | Remote Services | Lateral movement via management interfaces |
Conclusion
Salt Typhoon represents a structural compromise of U.S. telecommunications infrastructure, not just a breach. China didn’t just steal data — they compromised the legal architecture that governs authorized surveillance in the U.S. The implications for privacy, law enforcement operations, and national security are still unfolding.
Key facts:
- 9+ U.S. carriers compromised: AT&T, Verizon, Lumen, T-Mobile, Viasat, and others
- CALEA lawful-intercept systems targeted — infrastructure built for legal surveillance became China’s espionage platform
- Dwell time: 12–24 months at major carriers before detection
- Attack vector: primarily unpatched Cisco IOS XE and weak/no MFA on management interfaces
- Global scope: 80+ countries targeted, per FBI testimony (August 2025)
Every U.S. telecom carrier should assume they have been or will be targeted by Salt Typhoon or a similar Chinese state-sponsored actor. The playbook is documented. The vulnerabilities are known. The question is whether your organization will address them before the next campaign begins.
Need a Trusted Partner to Navigate the New Telecom Threat Landscape?
SecurEveryone offers specialized telecom-focused cybersecurity coaching for CISOs and security teams. We cover:
- CALEA system security architecture redesign
- NIST CSF 2.0 and CISA CPG alignment
- Nation-state threat hunting and incident response planning
- Vendor risk management for telecom equipment supply chains
All figures current as of June 13, 2026. FBI Director Wray testimony, December 2024; CISA/FBI Joint Advisory AA25-239A; FCC PS Docket No. 22-329.