Salt Typhoon: Inside the Worst Telecom Hack in U.S. History

In the fall of 2024, U.S. investigators discovered that Chinese state-sponsored hackers had burrowed deep into the networks of America's largest telecommunications companies. What followed was a series of revelations that grew worse with every disclosure: nine carriers compromised, lawful intercept wiretap systems breached, the personal communications of the President and Vice President accessed, call metadata for over a million Americans collected, and operations spanning more than 80 countries and 600 organizations. Sixteen months later, the hackers have not been confirmed removed from all affected networks. This is the story of Salt Typhoon — the most consequential cyber espionage campaign ever conducted against the United States.

Timeline: How the Campaign Unfolded

Understanding Salt Typhoon requires understanding its timeline. This was not a single intrusion — it was a multi-year campaign that predates its public discovery by at least five years.

~2019
Salt Typhoon begins operations against telecom targets. FBI Assistant Director Brett Leatherman later confirms the campaign has been active since at least this year.
October 2023
Cisco discloses CVE-2023-20198 (CVSS 10.0), a critical authentication bypass in IOS XE. Patches released October 22. Thousands of devices are already compromised before the patch arrives.
September 2024
Media reports first emerge that Chinese hackers have compromised major U.S. telecom networks. The full scope is not yet understood.
October 2024
U.S. officials confirm Salt Typhoon breached ISP systems used for CALEA lawful intercept wiretapping. The personal communications of Donald Trump and JD Vance were accessed.
Late 2024
Nine U.S. telecom companies confirmed compromised: Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, and two others. CISA and FBI issue joint encrypted messaging advisory.
January 2025
U.S. Treasury sanctions Sichuan Juxinhe Network Technology Co. for "direct involvement" with Salt Typhoon. Recorded Future identifies campaign exploiting 1,000+ Cisco devices across six continents.
February 2025
Cisco Talos confirms Salt Typhoon maintained access to one target environment for over three years. A Canadian telecom is confirmed breached. University targets identified at UCLA and others.
June 2025
Viasat, a U.S. satellite communications provider, named as a Salt Typhoon victim — marking escalation beyond terrestrial telecom targets.
August 2025
FBI confirms Salt Typhoon targeted over 200 U.S. organizations across 80+ countries. A multi-agency Joint Cybersecurity Advisory details full TTPs. 600 organizations notified of potential compromise.
November 2025
FCC votes to roll back post-Salt Typhoon cybersecurity rules. The FCC's own ruling concedes that vulnerabilities "are still being exploited."
February 2026
Norway discloses it was targeted by Salt Typhoon. Senator Cantwell demands AT&T and Verizon CEOs testify, stating both companies have refused to share security assessments proving the hackers have been removed. Reports indicate Salt Typhoon operators may still be inside U.S. networks.

Who Is Salt Typhoon?

Salt Typhoon is the Microsoft-assigned name for an advanced persistent threat group widely assessed to be operated by China's Ministry of State Security (MSS), the country's foreign intelligence and secret police agency. The group is tracked under multiple names across the cybersecurity industry: RedMike (Recorded Future), GhostEmperor (Kaspersky), FamousSparrow (ESET), Operator Panda, Earth Estries (Trend Micro), and UNC5807 (Mandiant/Google). The U.S. Treasury has directly linked the group to Sichuan Juxinhe Network Technology Co., a Sichuan-based cybersecurity company with documented ties to the MSS.

According to Trend Micro, Salt Typhoon operates as a "well-organized group with a clear division of labor," where distinct teams launch attacks targeting different regions and industries. The group's primary focus is counterintelligence — identifying who the U.S. government is surveilling and what intelligence it is collecting. This explains the targeting of CALEA wiretap systems, which represent the single richest source of insight into active U.S. law enforcement and intelligence operations.

Salt Typhoon is one of three publicly disclosed "Typhoon" groups associated with Chinese state sponsorship. Volt Typhoon focuses on pre-positioning for disruptive attacks against U.S. critical infrastructure (power grids, water systems, transportation). Flax Typhoon operates botnets using compromised IoT devices. Salt Typhoon's mission is pure espionage — long-term, quiet access to the communications backbone of its targets.

"Salt Typhoon is a component of China's 100 year strategy." — Terry Dunlap, former NSA analyst

The Technical Playbook

Salt Typhoon's operations are distinguished by their patience, their use of legitimate network features for persistence, and their deep understanding of telecom infrastructure. The August 2025 Joint Cybersecurity Advisory from CISA, NSA, FBI, and allied agencies provided the most comprehensive public accounting of the group's tactics, techniques, and procedures.

Initial Access: Edge Devices

Salt Typhoon gains access primarily through network edge devices — the routers, firewalls, and VPN appliances that sit at the boundary of enterprise networks. Confirmed exploited vulnerabilities include products from Cisco, Ivanti, and Palo Alto Networks. But the advisory explicitly warned that these were not exhaustive and that the group may target Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers, Sierra Wireless devices, and SonicWall firewalls.

# Confirmed Salt Typhoon CVEs (from Joint Advisory, August 2025)

Cisco IOS XE:
  CVE-2023-20198  (CVSS 10.0) - Authentication bypass in web UI
  CVE-2023-20273  (CVSS 7.2) - Post-auth command injection (chained)
  CVE-2018-0171   (CVSS 9.8) - Smart Install RCE (7 years unpatched)

Ivanti Connect Secure:
  CVE-2023-46805  (CVSS 8.2) - Authentication bypass
  CVE-2024-21887  (CVSS 9.1) - Command injection

Palo Alto PAN-OS:
  CVE-2024-3400   (CVSS 10.0) - GlobalProtect command injection

However, the most common initial access method was not vulnerability exploitation — it was stolen credentials. Cisco Talos confirmed that in all but one investigated incident, Salt Typhoon gained entry using valid login credentials. How these credentials were initially obtained remains unknown. Once inside, the attackers targeted local accounts with weak passwords and cracked hashed credentials extracted from device configurations. In multiple cases, devices were found using "cisco" as both the username and password.

Persistence: Living Off the Land

Salt Typhoon's persistence techniques are built around modifying the network infrastructure itself rather than deploying traditional malware. This makes detection extremely difficult because the changes look like legitimate network administration.

The group modifies Access Control Lists (ACLs) to whitelist their own IP addresses. They expose services like SSH, RDP, and FTP on both standard and non-standard ports. They add SSH keys to existing services for persistent authenticated access. On Cisco devices, they create GRE (Generic Routing Encapsulation) and IPsec tunnels that connect compromised routers directly to their infrastructure, enabling encrypted data exfiltration that blends with normal network traffic.

One of the most sophisticated techniques involves Cisco's Guest Shell feature. Salt Typhoon runs commands inside the on-box Linux container available on certain Cisco networking devices. This allows them to stage tools, process captured data, and move laterally through the network. Because activity inside the container is not typically monitored by network security tools, it provides an effective blind spot.

Three Years Undetected

Cisco Talos confirmed that Salt Typhoon maintained persistent access to one target environment for more than three years. The group's exclusive use of living-off-the-land techniques — native system tools and legitimate network features rather than custom malware — was key to this extended dwell time. There were no malicious binaries to trigger antivirus alerts, no anomalous processes to flag in endpoint detection, just configuration changes on devices that most organizations do not monitor at all.

Credential Harvesting: Capturing TACACS+ Traffic

Once inside the network, Salt Typhoon used compromised routers to capture authentication traffic. The Joint Advisory documented that the group collected packet captures (PCAPs) using native tools on compromised devices, with the primary objective being TACACS+ traffic on TCP port 49. TACACS+ is the protocol used to authenticate network administrators to infrastructure equipment. If the TACACS+ encryption key is known (and in at least one case, it was stored on the device using Cisco's weak Type 7 reversible encoding), every administrator credential passing through the network could be decrypted offline.

# Salt Typhoon TACACS+ credential harvesting (observed behavior)

# Step 1: Capture TACACS+ authentication traffic on compromised router
monitor capture MYCAP interface GigabitEthernet0/0/0 both
monitor capture MYCAP match ipv4 protocol tcp any any eq 49
monitor capture MYCAP start

# Step 2: Extract TACACS+ shared secret from device config
# (Type 7 encoding is trivially reversible)
show running-config | include tacacs
# Output: tacacs-server key 7 045802150C2E

# Step 3: Decrypt captured TACACS+ traffic offline using recovered key
# Every network admin login/password now compromised

This is particularly devastating in telecom environments. TACACS+ credentials often provide access to the full range of network infrastructure — core routers, edge devices, management planes, and the systems that handle lawful intercept.
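Monitoring the management plane for exactly these actions is the defender's counterpart to the sequence above. The following is an added example (not from the advisory or this article) that runs simple detection rules over constructed Cisco IOS XE syslog lines: %BUFCAP-6-ENABLE when an on-box packet capture is started, %PARSER-5-CFGLOG_LOGGEDCMD entries (emitted when configuration change logging is sent to syslog) for ACL, tunnel, SSH key, local user and Type 7 TACACS+ key changes, and %SYS-5-CONFIG_I for configuration sessions from hosts outside an assumed management allowlist. The allowlist, the rule set and the log lines are all assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical baseline: the only hosts allowed to push configuration changes.
AUTHORIZED_MGMT_HOSTS = {"203.0.113.7"}

# (category, severity, regex). The categories mirror the steps described above:
# on-box packet capture, ACL edits, GRE/IPsec tunnels, SSH keys, users, Type 7 keys.
RULES = [
    ("packet-capture-enabled", "high",
     re.compile(r"%BUFCAP-6-ENABLE: Capture Point \S+ enabled")),
    ("acl-modified", "medium",
     re.compile(r"logged command:(ip access-list|access-list|permit|deny)\b")),
    ("tunnel-created", "high",
     re.compile(r"logged command:(interface Tunnel\d+|tunnel mode (gre|ipsec)|crypto map)")),
    ("ssh-key-added", "high",
     re.compile(r"logged command:(ip ssh pubkey-chain|key-string|key-hash)")),
    ("local-user-changed", "high", re.compile(r"logged command:username \S+")),
    ("tacacs-key-type7", "high", re.compile(r"logged command:.*\bkey 7 \S+")),
]

# %SYS-5-CONFIG_I records who entered configuration mode and from which host.
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([\d.]+)\)")


@dataclass
class Finding:
    severity: str
    category: str
    detail: str


def analyze(lines):
    """Return one Finding per suspicious management-plane event."""
    findings = []
    for line in lines:
        m = CONFIG_I.search(line)
        if m:
            user, src = m.group(1), m.group(2)
            if src not in AUTHORIZED_MGMT_HOSTS:
                findings.append(Finding("high", "config-from-unknown-host", f"{user}@{src}"))
            continue
        for category, severity, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(severity, category, m.group(0)))
                break  # one category per line is enough for triage
    return findings


def summarize(findings):
    """Count findings per category for a quick triage view."""
    return dict(Counter(f.category for f in findings))


# Constructed IOS XE syslog excerpt (not a real capture); timestamps removed.
SAMPLE_SYSLOG = [
    "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.7)",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:ip access-list extended MGMT-IN",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:permit tcp host 198.51.100.44 any eq 22",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface Tunnel9",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:tunnel mode gre ip",
    "%BUFCAP-6-ENABLE: Capture Point MYCAP enabled.",
    "%SYS-5-CONFIG_I: Configured from console by svc-backup on vty1 (198.51.100.44)",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:ip ssh pubkey-chain",
    "%PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:tacacs-server key 7 0123456789ABCDEF",
    "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up",
]
```

On a real deployment the rule set would be tuned to the change windows and management hosts in the CMDB; the point is that each of the techniques above leaves a log line if the device is configured to emit one and something is reading it.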

What They Were After: CALEA and the Wiretap Systems

The most consequential aspect of the Salt Typhoon campaign was the compromise of CALEA (Communications Assistance for Law Enforcement Act) systems. Enacted in 1994, CALEA requires U.S. telecommunications companies to build lawful intercept capabilities into their networks, allowing law enforcement and intelligence agencies to conduct court-authorized wiretapping.

Salt Typhoon accessed these systems. The implications are severe and multilayered. By compromising the wiretap infrastructure, the group could determine who the U.S. government was surveilling, what investigations were active, which intelligence targets had been identified, and what evidence was being collected. This is counterintelligence at its most direct: knowing exactly what your adversary knows about you.

Beyond the wiretap systems, Salt Typhoon accessed call metadata — records of who called whom, when, for how long, from which locations — for over a million users, most of them in the Washington, D.C. metropolitan area. Senator Maria Cantwell stated that the operation enabled Chinese intelligence to "track millions of Americans' locations in real time, record phone calls at will, and read our text messages."

The hackers also accessed the personal communications of senior political figures, including then-candidate Donald Trump and JD Vance, along with other high-profile officials tied to the White House. The access to political communications during an election year raises questions that extend well beyond technical cybersecurity.

The CALEA Paradox

The wiretap systems that Salt Typhoon compromised exist because the U.S. government mandated them. CALEA requires that telecom providers build surveillance capability into their infrastructure. Security researchers and cryptographers warned for decades that mandated lawful intercept systems create inherent vulnerabilities. As Professor Matt Blaze testified to Congress in April 2025, the concern was proven correct: the infrastructure built to enable government surveillance was turned against the government itself. The encrypted messaging advisory that CISA and the FBI issued in response — telling Americans to use Signal and other end-to-end encrypted apps — was a tacit acknowledgment that the telecom infrastructure cannot be trusted.

The Victim List

The confirmed scope of Salt Typhoon's campaign continues to grow. Nine U.S. telecom companies have been publicly acknowledged as compromised: Verizon, AT&T, T-Mobile, Spectrum (Charter Communications), Lumen Technologies, Consolidated Communications, and Windstream, with two others unnamed. Beyond the U.S., Recorded Future identified compromised organizations on six continents, including a UK telecom affiliate, a South African provider, an Italian ISP, a Thai telecom, and Myanmar's Mytel network.

In June 2025, the victim list expanded beyond traditional terrestrial telecoms when Viasat, a U.S.-based satellite communications provider, was confirmed as a Salt Typhoon target. This escalation into satellite infrastructure signaled that the group's intelligence collection objectives extend to all forms of communications transport, not just ground-based networks.

Salt Typhoon also targeted universities with telecommunications research programs. Between December 2024 and January 2025, Recorded Future identified attempted compromises at UCLA, California State University, Loyola Marymount University, and Utah Tech University, along with institutions in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, and Vietnam. The targeting of academic research suggests interest in future telecom technologies, not just current infrastructure.

By August 2025, the FBI confirmed the full scale: over 200 targeted organizations across 80+ countries, with 600 entities notified of potential compromise. The Chinese campaign also reached into transportation and military infrastructure networks, extending beyond the telecom sector that initially defined it.

The Government Response — and Its Collapse

The U.S. government's initial response to Salt Typhoon included several significant actions. CISA and the FBI issued joint advisories urging Americans to use end-to-end encrypted communications. The Treasury Department sanctioned Sichuan Juxinhe Network Technology Co. in January 2025. The Department of Homeland Security's Cyber Safety Review Board (CSRB) launched a formal investigation. And in August 2025, a comprehensive Joint Cybersecurity Advisory was published by agencies from the U.S., Australia, Canada, New Zealand, and the United Kingdom.

Then the response began to unravel. The Trump administration dismissed the CSRB's members shortly after Inauguration Day, shutting down the board while it was deep into its Salt Typhoon investigation. It remains unclear where that investigation stands. Large rounds of job cuts, buyouts, and resignations followed at CISA, the agency leading the technical response. In November 2025, the FCC voted to roll back cybersecurity rules that had been implemented specifically in response to Salt Typhoon, replacing mandatory requirements with voluntary "collaboration" with the same carriers that failed to detect the intrusions.

At the RSAC Conference in April 2025, Dmitri Alperovitch — chairman of the Silverado Policy Accelerator and former CSRB member — called the Salt Typhoon campaign one of the most damaging cyberattacks ever conducted against the United States. He noted that the investigators themselves were caught off guard by the campaign's scope, which surprised him, given that adversary nations should be expected to target communications infrastructure.

Still Inside: The Unresolved Remediation Problem

As of February 2026, there is no public confirmation that Salt Typhoon has been fully eradicated from all affected networks. This is not speculation — it is the position of congressional leaders who have been briefed on the situation.

In June 2025, Senator Cantwell wrote to the CEOs of AT&T and Verizon requesting documentation proving that their networks had been secured. Both companies confirmed the existence of security assessments conducted by Mandiant but refused to share them with Congress. In February 2026, Cantwell sent a follow-up demanding that both CEOs testify, writing that "both AT&T and Verizon have chosen not to cooperate, which raises serious questions about the extent to which Americans who use these networks remain exposed to unacceptable risk."

Expert testimony has reinforced these concerns. Deb Jordan, former Chief of the FCC's Public Safety and Homeland Security Bureau, testified in December 2025: "I'm not convinced that providers will take sufficient and sustained actions in the wake of Volt and Salt Typhoon without a strong verification regime." The FCC's own November 2025 ruling — which weakened oversight — conceded that vulnerabilities "are still being exploited."

"Senior national security officials said the breach occurred in large part because telecommunications companies failed to implement rudimentary — rudimentary! — cybersecurity measures. Investigators found legacy equipment not updated in years, router vulnerabilities with patches available for seven years that were never applied, and hackers acquiring credentials through weak passwords." — Senator Maria Cantwell, Senate Commerce Committee hearing (December 2025)

The remediation challenge is fundamentally structural. Telecom networks are among the most complex architectures in existence. Core routing infrastructure was not designed to be rapidly rebuilt. The Cisco devices that Salt Typhoon targeted carry traffic for millions of users. Taking them offline for remediation has cascading impacts. And the group's use of legitimate credentials and native network features means there is no simple indicator of compromise to scan for — you have to audit every configuration change on every device and verify that every credential in the environment has been rotated. For networks of this scale, that is a multi-year undertaking.

Lessons and Defensive Takeaways

Salt Typhoon is not a novel zero-day attack chain requiring cutting-edge defenses. It is, overwhelmingly, a failure of fundamentals. The technical lessons are well-established; what Salt Typhoon reveals is the gap between knowing what to do and actually doing it at scale.

  1. Patch network infrastructure with the same urgency as endpoints. The most devastating CVE in the campaign, CVE-2023-20198, had a CVSS score of 10.0 and a patch available since October 2023. Two years later, Salt Typhoon was still finding unpatched devices. CVE-2018-0171 had a patch for seven years. Network devices live in a blind spot where they are neither managed by endpoint teams nor prioritized by vulnerability management programs. That blind spot is what Salt Typhoon exploited.
  2. Treat network device credentials as Tier 0 assets. TACACS+ shared secrets stored in reversible Type 7 encoding are equivalent to plaintext passwords. Every network authentication protocol should use strong, non-reversible secrets. Local accounts on network devices should use unique, complex passwords and be regularly rotated. The fact that devices were found with "cisco/cisco" credentials in a critical infrastructure environment is an organizational failure that no technology can compensate for.
  3. Monitor the management plane. Salt Typhoon's persistence relied entirely on configuration changes to network devices: ACL modifications, new user accounts, SSH key additions, GRE tunnel creation. These changes are logged if you are looking for them. Configuration management databases (CMDBs), network configuration monitoring tools, and change detection on running configurations should be treated as security-critical telemetry, not just operational convenience.
  4. Audit Guest Shell and container capabilities on network devices. Cisco's Guest Shell provides a full Linux container environment on the router itself. If you are not using it, disable it. If you are, monitor it. Salt Typhoon used this feature to stage tools and process data in a space that most network monitoring solutions do not inspect.
  5. Assume lawful intercept infrastructure is a target. Any system designed to provide access to communications content is inherently a high-value espionage target. Organizations required to implement CALEA capabilities should treat those systems with the highest level of security scrutiny, including dedicated monitoring, network segmentation, and access logging at every layer.
  6. Encrypt everything end-to-end. The CISA and FBI advisory telling Americans to use encrypted messaging was extraordinary — the U.S. government effectively admitted that the telecom transport layer cannot be trusted. For organizations, this means end-to-end encryption for all sensitive communications, including voice. Do not rely on the security of the network carrying your traffic, because Salt Typhoon demonstrated that the network itself can be compromised at the infrastructure level.

# Network device security audit - quick checks

# 1. Check for weak Cisco password types in configs
show running-config | include password|secret
# Look for "password 7" or "key 7" entries (Type 7 = trivially reversible)
# All secrets should be Type 8 (PBKDF2) or Type 9 (scrypt) minimum

# 2. Audit local user accounts
show running-config | include username
# Flag any account not on your authorized list
# Check for default/weak credentials

# 3. Review ACLs for unauthorized entries
show access-lists
# Compare against documented baseline - any unfamiliar IPs?

# 4. Check for unauthorized GRE/IPsec tunnels
show interfaces tunnel
show crypto session
# Any tunnels not in your network documentation?

# 5. Check Guest Shell status
show iox host list detail
guestshell run bash -c 'ps aux'
# If Guest Shell is enabled but unused, disable it

# 6. Look for unauthorized SSH keys
show running-config | section ip ssh pubkey-chain
# Verify every key against authorized personnel list
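The same checks can be run against an exported running-config instead of typed one at a time. This is an added example, not part of the article: a Python audit that compares a constructed running-config against an assumed baseline (authorized local accounts, documented tunnel interfaces, hosts permitted in management ACLs, and whether IOx/Guest Shell is allowed) and flags Type 0/7 secrets, unknown local and SSH-key users, undocumented tunnels, unfamiliar ACL hosts and IOx being enabled. The baseline values and the configuration text are both constructed.

```python
import re

# Hypothetical baseline of what this device is documented to contain; in
# practice it comes from the CMDB or the last approved configuration.
BASELINE = {
    "users": {"netops", "noc-ro"},                 # authorized local accounts
    "tunnels": {"Tunnel1"},                        # documented tunnel interfaces
    "mgmt_hosts": {"203.0.113.7", "203.0.113.8"},  # hosts allowed in mgmt ACLs
    "iox_allowed": False,                          # Guest Shell needs IOx
}

SECRET_TYPE = re.compile(r"\b(?:password|secret|key) (\d) \S+")
LOCAL_USER = re.compile(r"^username (\S+)")
PUBKEY_USER = re.compile(r"^\s+username (\S+)$")
TUNNEL_IF = re.compile(r"^interface (Tunnel\d+)")
ACL_HOST = re.compile(r"^\s+permit \S+ host ([\d.]+)")


def audit_config(config_text, baseline=BASELINE):
    """Return (category, detail) pairs for each line that deviates from baseline."""
    findings = []
    in_pubkey_chain = in_acl = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # a new top-level section starts here
            in_pubkey_chain = line.startswith("ip ssh pubkey-chain")
            in_acl = line.startswith("ip access-list")
        # 1. Secret storage: Type 0 is plaintext, Type 7 is reversible.
        m = SECRET_TYPE.search(line)
        if m and m.group(1) in ("0", "7"):
            findings.append(("weak-secret-type", line.strip()))
        # 2. Local accounts outside the authorized list.
        m = LOCAL_USER.match(line)
        if m and m.group(1) not in baseline["users"]:
            findings.append(("unknown-local-user", m.group(1)))
        # 3. SSH public keys bound to accounts outside the authorized list.
        m = PUBKEY_USER.match(line)
        if in_pubkey_chain and m and m.group(1) not in baseline["users"]:
            findings.append(("unknown-ssh-key-user", m.group(1)))
        # 4. Tunnel interfaces missing from the network documentation.
        m = TUNNEL_IF.match(line)
        if m and m.group(1) not in baseline["tunnels"]:
            findings.append(("undocumented-tunnel", m.group(1)))
        # 5. ACL permits for hosts outside the management allowlist.
        m = ACL_HOST.match(line)
        if in_acl and m and m.group(1) not in baseline["mgmt_hosts"]:
            findings.append(("unknown-acl-host", m.group(1)))
        # 6. IOx enabled when Guest Shell is not supposed to be available.
        if line == "iox" and not baseline["iox_allowed"]:
            findings.append(("iox-enabled", line))
    return findings


# Constructed running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
iox
username netops privilege 15 secret 9 $9$constructed.hash.value
username svc-backup privilege 15 password 7 0123456789ABCDEF
ip ssh pubkey-chain
  username netops
   key-hash ssh-rsa CONSTRUCTEDKEYHASH0001
  username svc-backup
   key-hash ssh-rsa CONSTRUCTEDKEYHASH0002
interface Tunnel9
 tunnel mode gre ip
ip access-list extended MGMT-IN
 permit tcp host 203.0.113.7 any eq 22
 permit tcp host 198.51.100.44 any eq 22
tacacs server TAC1
 key 7 0123456789ABCDEF
"""
```

Run it against a config pulled from each device on a schedule and diff the findings between runs; a finding that appears between two approved change windows is the signal the advisory says to look for.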

Salt Typhoon will be studied for decades. It is the case study for what happens when a patient, well-resourced adversary targets infrastructure that was never designed to withstand sustained espionage operations. The routers that carry America's communications traffic were built to be reliable, not secure. The lawful intercept systems were built because Congress mandated them, with less consideration for whether they could be defended. The credentials were weak because nobody expected a nation-state actor to be logging into telecom routers with "cisco/cisco."

Every one of those assumptions has been proven wrong. The question now is whether the organizations responsible for this infrastructure — and the government responsible for overseeing them — will treat this as the inflection point it demands. Sixteen months after the initial public disclosure, the answer is not yet clear.