PRC MSS-linked threat actors breached 9+ US carriers — AT&T, Verizon, T-Mobile, Lumen, Charter/Spectrum, and more — accessing CALEA wiretap infrastructure and FBI surveillance request logs. Call records for 110M customers exposed. $4.73M average telecom breach cost. Live expert training that closes the human layer before the next nation-state actor does.
Defining incidents in the telecom threat landscape
Telecom carriers face a unique threat profile: nation-state actors actively target their infrastructure for strategic intelligence value, not just financial gain. Salt Typhoon proved how high the stakes are. Here's where your exposure lives.
CALEA-mandated wiretap systems give carriers access to all law enforcement surveillance requests in the US. Salt Typhoon accessed exactly this — FBI surveillance request logs, call records tied to law enforcement investigations, and subscriber metadata. Nation-state actors treat CALEA infrastructure as strategic intelligence assets. Every carrier that has CALEA compliance obligations is a potential target for PRC/Russia/Iran intelligence services.
SS7 (Signaling System 7) and its modern successor Diameter were designed in the 1970s–80s with trust-based assumptions that have no place in a hostile internet. Nation-state actors actively exploit SS7 to track mobile device locations globally, intercept SMS two-factor authentication, and conduct fraud. There is no technical fix for SS7 in legacy networks — only monitoring, alerting, and SBC-based filtering provide defense. CISA AA25-239A covers this specifically.
Salt Typhoon's primary initial access vector was third-party vendor access — contractors and edge device management firms with privileged access to carrier infrastructure. The AT&T Snowflake breach also leveraged contractor machine compromise. Every managed service provider, MES vendor, and contractor with access to your network is a potential pivot point. Vendor risk is your risk under FCC CPNI rules.
Your CPNI databases are unmatched intelligence assets — phone numbers, call patterns, cell-site location history, and subscriber metadata for millions of people. This data enables identity theft, corporate espionage, tracking of law enforcement officers, and foreign intelligence operations. The FCC levies up to $2.16M per CPNI violation. The strategic intelligence value of CPNI is why nation-states specifically target telecom carriers over other sectors.
Telecom carriers face a regulatory stack unmatched by any other sector: FCC CPNI rules (47 CFR §64.2001–2011), 7-day FCC breach notification (47 CFR §64.2009), state AG enforcement across all 50 states, and post-Salt Typhoon Congressional scrutiny. The Snowflake breach triggered an FCC investigation into carrier SaaS security practices. Every incident multiplies regulatory exposure exponentially.
PRC MSS-linked threat actors compromised 9+ US telecommunications carriers by leveraging third-party vendor access and edge device management systems. CALEA wiretap infrastructure was accessed, FBI surveillance request logs were extracted, and call records for millions of Americans were confirmed exfiltrated. FBI Director Wray testified in January 2025 that the intrusion was 'still live.' Trump/Vance communications were reportedly accessed. CISA and FBI jointly attributed the campaign and issued emergency directives (AA25-239A, Aug 2025).
9+ Carriers · FBI surveillance metadata extracted · Ongoing since Nov 2024
Infostealer malware on contractor machines harvested Snowflake tenant credentials. No MFA on Snowflake accounts. ShinyHunters/UNC5537 exfiltrated 110M customers' call and SMS metadata (call times, durations, cell-site locations) from May–Oct 2022 and Jan 2, 2023. AT&T paid a $370K Bitcoin ransom to ShinyHunters. The FBI delayed customer notification for national security reasons. A $177M class settlement was approved. The same credential-reuse pattern hit 160+ Snowflake tenants including Ticketmaster, Santander, and Advance Auto Parts.
110M Customers · $370K ransom · $177M settlement
Lapsus$ group used stolen credentials to access a misconfigured internal API tool, exfiltrating SSN, driver's license numbers, and DOB for 76.6 million customers. T-Mobile's ninth breach since 2018 — prior incidents included a 2019 prepaid account breach, a 2020 MNO portal breach, and multiple others. The breach repetition drove a $350M class settlement (then second-largest in US history) and a $150M mandatory security investment requirement. Customer payouts began May 2025.
$350M Settlement · 76.6M customers · 9th breach since 2018
Optus (Singtel subsidiary) exposed 9.8 million customer records via an unauthenticated API on an internet-facing system. Firewall misconfigurations allowed direct API access without credentials. Exposed data included names, DOB, email addresses, phone numbers, passport numbers, and driver's license numbers. Optus reserved AUD $140M for notification costs. The OAIC filed civil penalty proceedings. Class action litigation followed. US carriers using similar unauthenticated API patterns face identical exposure under FCC CPNI access control requirements.
AUD $140M Notification reserves · 9.8M customers · OAIC penalty
Telecom carriers face a uniquely layered regulatory environment: FCC CPNI rules, CALEA obligations, CISA sector advisories, and state breach notification laws all apply simultaneously. Here's what matters and what's at stake.
FCC Customer Proprietary Network Information rules require carriers to protect CPNI with strict access controls, employee training programs, and explicit justification for any CPNI disclosure. Violations carry up to $2.16M per incident in FCC fines. Post-Salt Typhoon, carriers with CALEA systems face heightened scrutiny on access controls and breach notification. Note: while the January 2025 FCC CALEA declaratory ruling (mandatory backdoor) was reversed by Chair Carr in late 2025, the underlying CPNI obligations and access control requirements remain in full force.
Up to $2.16M per violation · 7-day FCC breach notification required
The Communications Assistance for Law Enforcement Act requires carriers to build mandatory surveillance capability into their networks. The January 2025 FCC declaratory ruling interpreting CALEA to require mandatory backdoor access was reversed by FCC Chair Carr in late 2025 — but CALEA's underlying mandatory surveillance capability requirements remain. The strategic intelligence value of CALEA-accessible data is why Salt Typhoon specifically targeted carriers with these systems.
Mandatory surveillance capability · Nation-state target
CISA, the FBI, the NSA, and 22 other agencies co-sealed advisory AA25-239A in August 2025, detailing Salt Typhoon TTPs (tactics, techniques, and procedures) and providing the CISA Shield framework for telecom sector defense. CISA also issued specific guidance on SS7/Diameter signaling threats and SS7 monitoring requirements. AA25-239A provides a concrete framework for carrier security programs that CISA expects carriers to implement.
25-agency co-sealed advisory · CISA Shield framework required
NIST CSF 2.0 provides GV/PR/DE mappings specifically applicable to telecom: asset management (GV.AN), platform security (PR.PS), and data security (PR.DS) map directly to CPNI protection. The FCC's 7-day breach notification rule (47 CFR §64.2009) is the most aggressive federal notification timeline for any sector. State AG notification obligations layer on top — California, New York, Texas, and 47 other states have independent breach notification requirements with separate timelines.
NIST CSF 2.0 mapping · 7-day FCC clock · 50-state notification
Generic security awareness training doesn't address the nation-state threat actors, SS7 vulnerabilities, and regulatory obligations unique to telecom. These three drills cover the specific attack patterns and compliance requirements your teams actually face.
Walk your NOC and network engineering teams through a live SS7/Diameter signaling attack — nation-state location tracking via SS7 probes, SMS two-factor interception, and fraud exploitation via signaling network exploitation. Covers SbD (Signaling-based Detection) monitoring tools, SS7 firewall/SBC configuration, and the CISA AA25-239A SS7 monitoring guidance. Scenario: a foreign intelligence service is tracking a senior executive's device via SS7 probes — how does your NOC detect and respond?
Salt Typhoon's primary initial access vector was third-party vendor access — managed service providers, MES vendors, and edge device management firms with privileged access to carrier infrastructure. This drill walks your vendor management and security teams through the exact Salt Typhoon TTP chain: initial compromise via vendor credential theft, lateral movement through carrier networks, and CALEA system access. Covers out-of-band verification for vendor access requests, least-privilege vendor accounts, and third-party access monitoring.
When a CPNI breach occurs, the FCC 7-business-day notification clock starts immediately. This drill walks your legal, compliance, and executive teams through the full breach notification workflow: what must be reported to the FCC within 7 days, what must be communicated to affected customers 'as soon as practicable,' what documentation must be preserved for the inevitable regulatory investigation, and how state AG notifications layer on top. Scenario: your CPNI database has been accessed — the FCC notification is due in 6 days, Congress is asking questions, and the state AGs are already watching.
These free resources cover the specific attack patterns and regulatory requirements telecom carriers face. Download them and put them to work today.
No per-seat licensing. No annual contracts. Book a session, train your NOC and compliance teams, satisfy your FCC CPNI training requirements.
Telecom carriers are nation-state targets for two reasons: their CALEA wiretap infrastructure gives access to all law enforcement surveillance requests in the US (making them strategically invaluable to adversaries like the PRC's MSS), and their CPNI databases — containing call detail records, cell-site location data, and subscriber metadata — are unmatched intelligence assets for espionage, influence operations, and targeting. Salt Typhoon demonstrated this: PRC-linked actors accessed AT&T, Verizon, T-Mobile, Lumen, Charter/Spectrum, and 4+ other carriers' CALEA systems, extracting call records and surveillance metadata tied to US law enforcement investigations. No other sector offers that combination of strategic intelligence value and access.
CPNI — Customer Proprietary Network Information — is the carrier's record of who you called, when, for how long, and from where (cell-site location). Under FCC rules (47 CFR §64.2001–2011), carriers must protect CPNI with strict access controls, employee training, and explicit justification for disclosure. The FCC can levy up to $2.16M per violation, and unauthorized CPNI access triggers mandatory 7-day breach notification to the FCC and affected customers. The enforcement logic: CPNI enables identity theft, stalking, corporate espionage, and foreign intelligence collection — one rogue employee or one vendor breach can expose millions of Americans' communication patterns.
The AT&T Snowflake breach (April–July 2024) exposed call and SMS metadata for approximately 110 million customers — phone numbers, call times, call duration, and some cell-site locations — from a period spanning May 1 to October 31, 2022 plus January 2, 2023. AT&T paid a $370K Bitcoin ransom to the ShinyHunters group (attributed to UNC5537), which had also hit Ticketmaster, Santander, and 160+ other Snowflake tenants. The root cause: no MFA on Snowflake tenant admin accounts, combined with infostealer-harvested credentials from contractor machines. This is absolutely reproducible — any carrier with a SaaS vendor that lacks enforced MFA is exposed to the same attack pattern. The fix is operator-controlled: enforce MFA on every SaaS tenant, restrict vendor credential access, and monitor for anomalous data exfiltration.
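As an added, defensive example that is not from the original page or from AT&T's or Snowflake's own tooling: a Snowflake SQL check for the weak setting described above (accounts that can log in with a password and no second factor), a detection query over the login history, and the account-level authentication policy that enforces MFA enrollment. It assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE views (ACCOUNTADMIN or one granted IMPORTED PRIVILEGES on the SNOWFLAKE database); the database and policy names are placeholders.

```sql
-- Added example (not from the page). Assumes ACCOUNTADMIN or equivalent.
-- Database and policy names below are placeholders.

-- 1. Inventory the weak setting: active users not enrolled in MFA.
SELECT name, login_name, has_mfa, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled::boolean = FALSE
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Detection: successful password-only logins in the last 7 days.
--    A login made with infostealer-harvested credentials and no
--    second factor looks exactly like one of these rows.
SELECT user_name, client_ip, reported_client_type, event_timestamp
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 3. Corrected setting: require MFA enrollment for password logins
--    from every client type, applied to the whole account.
CREATE DATABASE IF NOT EXISTS security_policies;   -- placeholder
CREATE OR REPLACE AUTHENTICATION POLICY security_policies.public.require_mfa
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES = ('SNOWFLAKE_UI', 'DRIVERS', 'SNOWSQL')
  COMMENT = 'Require MFA enrollment for all password-based logins';
ALTER ACCOUNT SET AUTHENTICATION POLICY security_policies.public.require_mfa;
```

Run query 2 on a schedule and alert on any row; once the policy in step 3 is applied and users have enrolled, that query should return nothing for human accounts.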
T-Mobile's January 2021 breach (Lapsus$ group, credential stuffing via an API) exposed SSN, driver's license numbers, and DOB for 76.6 million customers. T-Mobile settled for $350M (the second-largest data breach settlement in US history at the time) plus $150M in mandatory security investment. The breach was T-Mobile's ninth since 2018 — the carrier had been repeatedly compromised through 2019 (prepaid accounts), 2020 (MNO portal), and 2021, each time triggering new regulatory scrutiny and customer litigation. The pattern: credential-based attacks against insufficiently protected web applications and API endpoints. T-Mobile's repeated exposure increases regulatory scrutiny and class action exposure substantially with each incident.
In September 2022, Australian carrier Optus (Singtel subsidiary) suffered a breach exposing 9.8 million customer records — names, dates of birth, email addresses, phone numbers, passport and driver's license numbers — via an unauthenticated API on an internet-facing system. The attacker exploited a firewall misconfiguration that allowed direct access to an API that should have required authentication. Optus reserved AUD $140M for notification costs alone, faced the Office of the Australian Information Commissioner civil penalty proceedings, and was hit with class action litigation. The lesson for US carriers: unauthenticated APIs are an existential risk. FCC CPNI rules require access controls — but an unauthenticated API is a compliance violation and a breach trigger simultaneously. Every API handling subscriber data needs authentication, rate limiting, and regular security review.
Under 47 CFR §64.2009, carriers must notify the FCC within 7 business days of discovering a CPNI breach — and notify affected customers 'as soon as practicable.' The notification must describe the nature of the breach, the types of CPNI affected, and the steps the carrier is taking to protect customers. Beyond the FCC 7-day clock, state breach notification laws (all 50 states) add separate notification obligations with their own timelines (typically 30–72 hours for medical/financial data, 30–45 days for general personal information). Post-Salt Typhoon, the FCC under Chair Carr (2025) reversed the January 2025 CALEA mandatory backdoor ruling, but the underlying CPNI obligations and breach notification requirements remain fully in force. Carriers that experienced Salt Typhoon-related notification obligations in 2024–2025 learned this the hard way.
Book a live session today. Sessions are 60–120 minutes, held over Zoom, and built around your carrier's specific infrastructure — CALEA systems, SS7/Diameter signaling, Snowflake and SaaS vendor stacks, and FCC CPNI compliance. Walk away with regulatory evidence, a CPNI breach response plan, and a team that knows what nation-state TTP chains look like in the wild.