Salt Typhoon

Also known as: UNC2286
Affiliation: China (PRC state-sponsored)
Motivation: Espionage
Status: Active
Country: China
First Seen: 2022
Last Seen: 2025
Target Geographies: United States, Global

Executive Summary

Salt Typhoon is a PRC state-sponsored threat actor focused on telecommunications infrastructure and communications intelligence collection. Active since at least 2022, the group gained public attention in late 2024 when U.S. officials disclosed that Salt Typhoon had compromised the networks of at least nine major U.S. telecommunications providers, including AT&T, Verizon, T-Mobile, and Lumen Technologies.

The group’s intrusions into U.S. telecom infrastructure enabled access to call metadata, text messages, and audio intercepts of targeted individuals, including senior U.S. government officials and presidential campaign staff. Salt Typhoon also accessed lawful intercept (wiretapping) systems used by U.S. law enforcement, raising concerns about the compromise of sensitive surveillance operations. The incident has been described by U.S. officials as one of the most consequential espionage campaigns against the United States.

Notable Campaigns

2024 — U.S. Telecommunications Infrastructure Compromise

Salt Typhoon penetrated the networks of at least nine U.S. telecommunications providers. The group accessed call detail records (metadata) for a broad population of U.S. customers and obtained actual communications content (calls and texts) for a smaller number of targeted individuals associated with government and political activities.

2024 — Lawful Intercept System Access

The group gained access to lawful intercept systems used by U.S. law enforcement agencies to conduct court-authorized wiretaps. This access potentially compromised ongoing investigations and revealed intelligence collection priorities.

Technical Capabilities

Salt Typhoon demonstrates advanced capabilities in compromising telecommunications infrastructure. The group exploits vulnerabilities in network edge devices, routers, and telecom-specific systems. Public reporting and incident write-ups have associated the activity with kernel-level rootkits such as Demodex, but the more consistently documented pattern is the group’s access to telecom backbone systems, lawful-intercept environments, and subscriber-management infrastructure.

The group’s deep access to telecom infrastructure enables interception of communications traffic at scale, access to billing and subscriber data, and monitoring of lawful intercept systems. This level of access requires a sophisticated understanding of telecom network architecture and protocols.

Attribution

The FBI and CISA issued a joint statement in November 2024 attributing the telecom intrusions to PRC-affiliated actors associated with Salt Typhoon. CISA published advisory AA24-347A providing technical guidance for telecom network hardening. Public reporting and allied threat assessments subsequently linked the activity to broader Chinese state-sponsored telecom espionage. The campaign triggered bipartisan Congressional hearings and legislative proposals for mandatory telecom cybersecurity standards.

MITRE ATT&CK Profile

Initial Access: Exploitation of public-facing telecommunications equipment (T1190) and zero-day vulnerabilities in network devices.

Persistence: Kernel-level rootkits (T1014) and firmware-level implants on network infrastructure.

Collection: Adversary-in-the-middle interception (T1557), collection of call detail records, and access to lawful intercept systems.

Defense Evasion: Rootkit deployment (T1014), living-off-the-land techniques, and use of legitimate telecom management protocols.

Sources & References