The Wiretap They Walked Into: Salt Typhoon and the Compromise of American Telecommunications


The first sign was not an alarm. It was a curiosity in a routing table.

In late 2024, network engineers at one of the largest telecommunications companies in the United States noticed traffic patterns that did not match the configurations they had authorized. Packets were moving through infrastructure segments in ways that made sense only if someone, or something, had persistent, privileged access to the network fabric itself. The investigation that followed would take months. What it uncovered would move Senator Mark Warner of Virginia, then chairman of the Senate Intelligence Committee, to call it publicly the worst telecom hack in the nation’s history, one that made earlier incidents such as SolarWinds and Colonial Pipeline look like “child’s play,” and it forced a reckoning with a question American security planners had spent years avoiding: what happens when the adversary finds the door your own government asked you to leave unlocked?

Salt Typhoon had been inside at least eight major US telecommunications carriers simultaneously. They had been there, in some cases, for one to two years.

The Landscape: What American Telecoms Are Required to Build

To understand why Salt Typhoon’s intrusion was uniquely dangerous, you have to understand the Communications Assistance for Law Enforcement Act (CALEA), enacted by Congress in 1994.

CALEA was passed in response to law enforcement’s concern that the digitization of telephone networks would outpace its ability to execute court-authorized wiretaps. The law required every US telecommunications carrier to design and maintain within its network the technical capability for lawful intercept; in 2005 the FCC extended that obligation to facilities-based broadband and interconnected VoIP providers. In practical terms: when a court issues a wiretap order, the carrier must be able to isolate the targeted subscriber’s communications and call-identifying information and deliver them to law enforcement in real time.

To comply with CALEA, every major US carrier has built and maintained lawful intercept infrastructure — dedicated systems, interfaces, and access pathways that allow authorized government agencies to pull call content and call detail records. These systems are, by design, highly privileged. They have access to traffic across the entire network. They exist specifically to be a centralized collection point.

They are also, necessarily, an attack surface.

This had been acknowledged in security research for more than a decade. In the Athens Affair of 2004–2005, unknown actors subverted the lawful intercept subsystem built into Vodafone Greece’s Ericsson switches to wiretap the Greek prime minister and dozens of senior officials; the rogue taps were invisible to the operator because the attackers’ code bypassed the audit and billing functions that would normally have recorded an activated intercept. It was an early proof that lawful intercept systems were themselves a target. American policymakers noted it and moved on. The US carriers’ CALEA infrastructure remained largely unaudited from a security perspective, treated as a compliance obligation rather than a security risk.

Salt Typhoon treated it as a target.

Threat Actor Profile: Salt Typhoon

Designation: Salt Typhoon; also tracked as GhostEmperor (Kaspersky), FamousSparrow (ESET), Earth Estries (Trend Micro), and UNC2286 (Mandiant)
Attribution: People’s Republic of China Ministry of State Security (MSS); attributed by the US, UK, Canada, Australia, and New Zealand
Primary Mission: Strategic intelligence collection against Western government officials, political figures, and sensitive communications infrastructure; assessed as a long-running counterintelligence and geopolitical signals collection operation
Known Tradecraft: Exploitation of internet-exposed edge network devices (Cisco routers, Fortinet VPN appliances, Juniper switches) and use of stolen legitimate credentials; deployment of custom implants including SparrowDoor and GhostSpider; long dwell times with minimal footprint; specific interest in CALEA-adjacent infrastructure; abuse of vendor access and third-party maintenance pathways

Notorious Operations:

  • US Telecom Compromise (2023–2025): Salt Typhoon’s largest known operation — persistent access to at least eight major US carriers including AT&T, Verizon, T-Mobile, Lumen Technologies, Charter, Consolidated Communications, and Windstream, with access to CALEA lawful intercept infrastructure and call detail records for tens of millions of Americans.
  • Related actor, Volt Typhoon: a separate PRC state-sponsored actor, not part of Salt Typhoon, that has pre-positioned inside US power, water, and transportation networks. Western agencies assess the two as complementary arms of Chinese cyber strategy: Volt Typhoon for disruptive attacks on critical infrastructure in a crisis, Salt Typhoon for continuous intelligence collection.

How They Got In: The Edge of the Network

Salt Typhoon’s entry vectors followed a pattern that should, by now, be familiar to anyone who has studied post-2020 nation-state intrusions: the perimeter.

Organizations have invested enormously in hardening their interior networks — endpoint detection, SIEM platforms, behavioral analytics, zero-trust segmentation. The attackers adapted. The exterior of the network — the Cisco network edge routers, the Fortinet VPN appliances, the Juniper switches that handle traffic before it enters the monitored interior — is often less scrutinized, less consistently patched, and runs software that network teams treat as infrastructure rather than computing systems to be secured.

Salt Typhoon exploited vulnerabilities in internet-exposed Cisco IOS XE and Fortinet FortiGate devices, and in other cases simply logged in with stolen administrative credentials, to gain initial footholds in carrier networks. Once established on an edge device, the operators bent its configuration to their needs (Cisco’s incident responders later reported added tunnel interfaces, modified access lists, and altered logging on compromised routers) and conducted a patient expansion: mapping the internal network, identifying the segments that housed CALEA compliance infrastructure, and ultimately obtaining privileged credentials sufficient to reach the lawful intercept systems directly.

In some carriers, Salt Typhoon operators also used legitimate third-party vendor access: maintenance pathways kept open for hardware support and software updates that ran with elevated privileges into the carrier’s management network. The trusted third party is a recurring weakness. SolarWinds SUNBURST abused a trusted software update channel; here the trusted channel was remote maintenance access, but the dynamic is the same: a path that enters the network with privilege precisely because it was built to be trusted.
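The investigation in this story began with configuration and routing that no one had authorized. The script below is an added example, not anything from the article or from the carriers involved: it diffs an authorized baseline against the running configuration of an edge router and flags the classes of change an intruder on such a device tends to make (new local accounts, new tunnel interfaces and endpoints, new static routes, web management switched on, syslog or AAA lines removed). The two configurations are constructed samples in Cisco IOS style; the hostnames, addresses and account names are hypothetical.

```python
"""Configuration-drift check for a network edge device (added example).

Compares an authorized baseline configuration with the running
configuration pulled from the device and flags the kinds of change an
intruder on an edge router tends to make. Both configurations below are
constructed samples written in Cisco IOS style, not real carrier configs.
"""
import re
from dataclasses import dataclass

# Lines whose *addition* to the running config deserves a look on an edge device.
SUSPICIOUS_ADDITIONS = {
    "tunnel_interface": re.compile(r"^interface Tunnel\d+"),
    "tunnel_endpoint": re.compile(r"^\s*tunnel destination "),
    "static_route": re.compile(r"^ip route "),
    "local_account": re.compile(r"^username "),
    "http_mgmt": re.compile(r"^ip http (secure-)?server"),
}
# Lines whose *removal* from the running config deserves a look.
SUSPICIOUS_REMOVALS = {
    "logging_host": re.compile(r"^logging host "),
    "aaa": re.compile(r"^aaa "),
}


@dataclass(frozen=True)
class Finding:
    kind: str    # category key from the tables above
    change: str  # "added" or "removed"
    line: str    # the configuration line that triggered the finding


def normalize(config: str) -> set[str]:
    """Drop blank and comment lines; return the remaining lines as a set."""
    return {
        raw.rstrip()
        for raw in config.splitlines()
        if raw.strip() and not raw.lstrip().startswith("!")
    }


def config_drift(baseline: str, running: str) -> list[Finding]:
    """Return findings for suspicious lines added to or removed from the baseline."""
    base, run = normalize(baseline), normalize(running)
    findings = []
    for line in sorted(run - base):
        for kind, pattern in SUSPICIOUS_ADDITIONS.items():
            if pattern.search(line):
                findings.append(Finding(kind, "added", line.strip()))
    for line in sorted(base - run):
        for kind, pattern in SUSPICIOUS_REMOVALS.items():
            if pattern.search(line):
                findings.append(Finding(kind, "removed", line.strip()))
    return findings


# Constructed baseline: what the network team authorized.
BASELINE_CONFIG = """\
! edge-rtr-01 authorized baseline (constructed sample)
hostname edge-rtr-01
aaa new-model
username netops privilege 15 secret 5 HASH_REDACTED
logging host 10.20.0.5
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

# Constructed running config after a hypothetical intrusion: a new local
# account, a tunnel to an outside host, a route steering an internal prefix
# into that tunnel, web management switched on, and the syslog destination gone.
RUNNING_CONFIG = """\
hostname edge-rtr-01
aaa new-model
username netops privilege 15 secret 5 HASH_REDACTED
username svc_backup privilege 15 secret 5 HASH_REDACTED
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.0
interface Tunnel9
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.50.0.0 255.255.0.0 Tunnel9
ip http server
"""

if __name__ == "__main__":
    for f in config_drift(BASELINE_CONFIG, RUNNING_CONFIG):
        print(f"[{f.change:7}] {f.kind:16} {f.line}")
```

Run against the samples it reports six findings: the new account, the tunnel interface and its destination, the route into the tunnel, the web server, and the missing syslog host. The set-based diff is deliberately order-insensitive, since devices reorder configuration on save; in production the baseline would come from version control and the running config from a scheduled pull, and the categories would be tuned to what the platform actually exposes.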

What Salt Typhoon Accessed

The intelligence haul was dual-layered, and each layer was damaging in different ways.

Layer one — Call Detail Records: Salt Typhoon obtained call detail records (CDRs) for a very large number of Americans: not the content of calls, but the metadata of who called whom, when, from where, and for how long. CDR metadata is extraordinarily powerful intelligence. Analyzing calling patterns can reveal the structure of organizations, identify the circle of trust around a specific individual, map relationships between political figures, attorneys, journalists, and their sources, and reconstruct the operational rhythms of targets of interest. The US intelligence community has known this for decades; its own bulk telephony metadata program under Section 215 of the PATRIOT Act, exposed by Edward Snowden in 2013, relied on CDR collection for precisely this reason.
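To make the point concrete, here is an added example (not from the article, and not any agency’s tooling) of three analyses that need nothing but CDR metadata: the circle of trust around a target ranked by talk time, the contacts two people share (the hidden go-between), and the target’s hour-of-day rhythm. The records are constructed sample data using reserved 555 numbers, and the roles assigned to them (advisor, chief of staff, attorney, reporter, unknown third party) are a hypothetical scenario.

```python
"""What call detail records alone reveal (added example).

Runs three analyses an adversary holding only CDR metadata can perform:
the circle of trust around a target, the hidden link between two people,
and the target's operational rhythm. The records are constructed sample
data using reserved 555 numbers; no call content is involved.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed CDRs: (caller, callee, ISO start time, duration in seconds).
# Hypothetical roles: +15550100 a campaign advisor, +15550200 a chief of staff,
# +15550300 an attorney, +15550400 a reporter, +15550500 an unknown third party.
SAMPLE_CDRS = [
    ("+15550100", "+15550200", "2024-10-02T07:15:00", 420),
    ("+15550200", "+15550100", "2024-10-02T12:40:00", 180),
    ("+15550100", "+15550200", "2024-10-03T07:10:00", 600),
    ("+15550100", "+15550300", "2024-10-03T09:30:00", 900),
    ("+15550400", "+15550100", "2024-10-03T22:05:00", 300),
    ("+15550100", "+15550400", "2024-10-04T22:30:00", 1200),
    ("+15550400", "+15550500", "2024-10-05T21:50:00", 600),
    ("+15550100", "+15550500", "2024-10-05T08:00:00", 240),
    ("+15550200", "+15550300", "2024-10-06T10:00:00", 300),
    ("+15550100", "+15550200", "2024-10-06T07:05:00", 360),
    ("+15550500", "+15550100", "2024-10-07T08:10:00", 120),
    ("+15550300", "+15550100", "2024-10-07T15:00:00", 480),
]


def parse_cdrs(rows):
    """Turn raw tuples into (caller, callee, datetime, seconds)."""
    return [(a, b, datetime.fromisoformat(ts), dur) for a, b, ts, dur in rows]


def circle_of_trust(cdrs, target, top_n=3):
    """Counterparties of `target` ranked by total talk time: (number, calls, seconds)."""
    seconds, calls = Counter(), Counter()
    for a, b, _, dur in cdrs:
        if target in (a, b):
            other = b if a == target else a
            seconds[other] += dur
            calls[other] += 1
    return [(n, calls[n], seconds[n]) for n, _ in seconds.most_common(top_n)]


def shared_contacts(cdrs, x, y):
    """Numbers both x and y have spoken with, i.e. a possible go-between."""
    contacts = defaultdict(set)
    for a, b, _, _ in cdrs:
        contacts[a].add(b)
        contacts[b].add(a)
    return sorted(contacts[x] & contacts[y])


def activity_profile(cdrs, target):
    """Hour-of-day -> call count for the target: when they are active and reachable."""
    hours = Counter(ts.hour for a, b, ts, _ in cdrs if target in (a, b))
    return dict(sorted(hours.items()))


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDRS)
    advisor, reporter = "+15550100", "+15550400"
    print("circle of trust:", circle_of_trust(cdrs, advisor))
    print("shared with reporter:", shared_contacts(cdrs, advisor, reporter))
    print("hourly profile:", activity_profile(cdrs, advisor))
```

On this small sample the advisor’s top counterparties are the chief of staff, the reporter and the attorney; the only number the advisor and the reporter both talk to is the unknown third party, which is how a source gets identified without anyone reading a word; and the late-evening calls with the reporter stand out against an otherwise early-morning pattern. Scale the same three queries to a carrier’s full CDR store and they describe a country.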

Layer two — Real-time call and text content: For a much smaller but far more sensitive set of individuals, Salt Typhoon achieved something more alarming: access to the actual content of calls and text messages as they traversed carrier networks in real time. This access ran through the CALEA infrastructure — the legally mandated wiretap portal — providing a mechanism that carriers had built specifically to allow high-fidelity communications intercept.

Among the individuals whose communications were reportedly accessed: staff and advisors to both the Trump and Harris presidential campaigns, as well as a small number of senior US government officials. The communications of individuals already under authorized government surveillance — people whose communications the carriers were already routing to law enforcement via CALEA — were simultaneously accessible to Chinese intelligence.

In the aftermath of the disclosure, FBI and CISA officials gave unusually direct advice, aimed first at senior officials and others likely to be targeted but applicable to anyone: stop using ordinary voice calls and unencrypted text messages for sensitive communications, and use end-to-end encrypted applications such as Signal, WhatsApp, or iMessage instead. These encrypt the message on the user’s device before it ever reaches the carrier, so a carrier’s intercept systems, and anyone who has compromised them, see only ciphertext. Two caveats matter in practice: encrypted messaging protects what is said, not the records of ordinary phone calls already sitting in the carrier’s CDRs, and iMessage is end-to-end encrypted only between Apple devices; a message to an Android phone falls back to SMS or carrier RCS, which is not end-to-end encrypted.

A federal law enforcement agency telling the American public that the communications infrastructure the government had required carriers to build for surveillance was being used against Americans by a foreign adversary is not a sentence that appears often in policy guidance documents. It appeared in December 2024.

The Congressional Response

The closed briefings for Senate and House members in late November and early December 2024 produced a rare bipartisan convergence. Senator Warner, then chairman of the Senate Intelligence Committee, described the breach in terms that other senators echoed: the scale of access, the duration, and the specific targeting of CALEA infrastructure represented a qualitatively different threat from previous Chinese operations.

The FCC moved to treat CALEA as a security mandate, not only a capability mandate. In December 2024 the Commission proposed, and in January 2025 adopted, a declaratory ruling that section 105 of CALEA, which requires carriers to ensure that interceptions within their networks can be activated only with lawful authorization, obliges carriers to secure their networks against unauthorized access, alongside a proposed rule that carriers maintain cybersecurity risk-management plans. It was the first time since 1994 that the agency had formally read a security obligation, rather than a capability obligation, into the statute.

What the inquiry and the carriers’ own disclosures made plain was that carriers had treated CALEA systems as compliance infrastructure, not cybersecurity infrastructure. Security controls, patching cadences, and access logging for the lawful intercept systems had not been subject to the rigor applied to, say, customer-facing platforms. That is the same gap the Athens Affair had exposed two decades earlier: a tap that is never reconciled against a court order is a tap no one will notice.
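The control a carrier most needs here is a reconciliation of what the intercept platform is actually doing against what it is authorized to do. The audit below is an added example written for this article, not a real carrier’s or vendor’s tooling: every provisioning event must map to a current court order for the same target, be placed by an authorized intercept operator, and originate from an allow-listed administrative host. The order register, operator and host allow-lists, and the pipe-separated log format are all constructed assumptions, as are the intercept IDs and addresses in the sample log.

```python
"""Reconciling lawful-intercept provisioning with court orders (added example).

Flags any intercept provisioned on the mediation platform that has no
matching court order, targets a different number than its order, falls
outside the order's validity window, was placed by an unauthorized
operator, or came from a host that is not an intercept admin station.
Orders, operators, hosts and the log format are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed register of authorized orders: id -> (target, first day, last day).
ORDERS = {
    "ORD-2024-0417": ("+15550100", "2024-09-01", "2024-11-30"),
    "ORD-2024-0522": ("+15550777", "2024-10-01", "2024-10-15"),
}
AUTHORIZED_OPERATORS = {"li_ops_alice", "li_ops_bob"}
ADMIN_HOSTS = {"10.20.30.5", "10.20.30.6"}

# Constructed provisioning log, pipe-separated:
# timestamp|event|intercept_id|target|order_id|operator|source_host
PROVISIONING_LOG = """\
2024-10-03T09:00:00|PROVISION|LI-1001|+15550100|ORD-2024-0417|li_ops_alice|10.20.30.5
2024-10-03T09:05:00|PROVISION|LI-1002|+15550777|ORD-2024-0522|li_ops_bob|10.20.30.6
2024-10-20T02:13:00|PROVISION|LI-1003|+15550200|ORD-2024-0417|li_ops_bob|10.20.30.6
2024-10-21T03:40:00|PROVISION|LI-1004|+15550300|ORD-2024-0900|svc_vendor|198.51.100.77
2024-10-21T03:41:00|PROVISION|LI-1005|+15550400||netadm|10.20.30.5
2024-10-30T10:00:00|PROVISION|LI-1006|+15550777|ORD-2024-0522|li_ops_alice|10.20.30.5
"""


@dataclass
class Event:
    ts: datetime
    event: str
    intercept_id: str
    target: str
    order_id: str
    operator: str
    src_host: str


def parse_log(text):
    """Parse the constructed pipe-separated log into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ev, iid, tgt, order_id, op, host = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), ev, iid, tgt, order_id, op, host))
    return events


def audit(events, orders=ORDERS, operators=AUTHORIZED_OPERATORS, hosts=ADMIN_HOSTS):
    """Return {intercept_id: [reasons]} for each provisioning event that fails a check."""
    problems = {}
    for e in events:
        if e.event != "PROVISION":
            continue
        reasons = []
        order = orders.get(e.order_id)
        if order is None:
            reasons.append("no matching court order")
        else:
            target, first_day, last_day = order
            if e.target != target:
                reasons.append("target does not match order")
            if not date.fromisoformat(first_day) <= e.ts.date() <= date.fromisoformat(last_day):
                reasons.append("provisioned outside order validity window")
        if e.operator not in operators:
            reasons.append(f"unauthorized operator {e.operator}")
        if e.src_host not in hosts:
            reasons.append(f"provisioned from non-admin host {e.src_host}")
        if reasons:
            problems[e.intercept_id] = reasons
    return problems


if __name__ == "__main__":
    for iid, reasons in audit(parse_log(PROVISIONING_LOG)).items():
        print(iid, "->", "; ".join(reasons))
```

The two clean events pass. LI-1003 reuses a genuine order number to tap a different subscriber, the quiet piggyback that makes a rogue tap look authorized to anyone who only checks that an order ID is present. LI-1004 is provisioned under an order that does not exist, by a vendor service account, from an address outside the admin network. LI-1005 carries no order at all, and LI-1006 is placed two weeks after its order expired. The check only works if the platform’s provisioning events are logged somewhere the platform administrators cannot edit, which is exactly the property the Athens attackers defeated.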

The Encryption Moment

The most remarkable legacy of Salt Typhoon may be that it converted the FBI — the agency that has spent more than a decade fighting end-to-end encryption in court, before Congress, and in public advocacy — into a reluctant public advocate for encrypted communications.

The Going Dark problem is what the FBI calls the challenge of encrypted communications: when suspects use Signal or iMessage, the FBI cannot intercept those communications even with a valid court order. The bureau has repeatedly called for legislation or technical mandates that would provide law enforcement access to encrypted communications.

Salt Typhoon made that argument dramatically harder to make. If the infrastructure built to give law enforcement access had been used by Chinese intelligence for a year or more, the claim that surveillance access points can be kept safe from adversaries became extraordinarily difficult to sustain in public. CISA and FBI officials explicitly recommending end-to-end encryption in their December 2024 briefings, followed by CISA’s written mobile-communications guidance saying the same, was a moment of considerable internal irony for the bureau.

Legacy: Thirty Years of CALEA, Exposed

The carriers began the remediation process — rotating credentials, replacing compromised edge devices, auditing CALEA-adjacent systems — but the scale of the intrusion meant remediation was measured in months, not days. The FBI confirmed in January 2025 that it could not guarantee Salt Typhoon’s complete removal from all affected carrier networks.

T-Mobile disclosed in November 2024 that it had detected and blocked an intrusion “in recent weeks” and that customer data had not been accessed. The company’s statement, which was notably more confident than those of AT&T and Verizon, reflected either genuinely faster remediation or a different depth of intrusion.

The CALEA debate the Salt Typhoon intrusion catalyzed is structural. Every argument for mandated communications access backdoors — whether for law enforcement or national security — must now address the demonstrated reality that the Athens Affair was not an anomaly. By 2024, China had walked through the door American law required carriers to keep open. The question of whether that door should have been built in the first place — and what the answer means for encryption policy — is no longer theoretical.

Salt Typhoon continued operating after the public disclosures. New intrusions in non-US telecoms were confirmed through early 2025. No operators have been publicly charged, though in January 2025 the US Treasury sanctioned a Sichuan-based network technology company it linked to the campaign. The CALEA infrastructure has not been redesigned. The conversation about what mandatory surveillance access costs in terms of security continues.


Attack Chain: Salt Typhoon US Telecommunications Compromise

graph TD
    A["Initial Reconnaissance\nIdentify carrier edge devices:\nCisco IOS XE, Fortinet FortiGate,\nJuniper switches exposed to internet"] --> B["Initial Access\nExploit known CVEs in edge routers\nand VPN appliances — or compromise\nthird-party vendor access pathways"]
    B --> C["Persistent Implant\nDeploy SparrowDoor / GhostSpider\ncustom implants on network infrastructure\nMaintain covert C2 channel"]
    C --> D["Internal Mapping\nEnumerate carrier network topology\nIdentify management segments\nLocate CALEA infrastructure systems"]
    D --> E["Credential Escalation\nHarvest privileged network admin\ncredentials via internal pivoting\nTarget CALEA system access"]
    E --> F["CALEA System Access\nGain access to lawful intercept\ninfrastructure — the court-ordered\nwiretap portal maintained for FBI/DOJ"]
    F --> G["CDR Bulk Collection\nExfiltrate call detail records\nfor tens of millions of Americans:\nwho called whom, when, from where"]
    G --> H["Targeted Content Intercept\nReal-time interception of calls\nand texts for high-value targets:\npresidential campaign staff,\nsenior US government officials"]
    H --> I["1–2 Year Dwell Period\nContinuous intelligence collection\nacross 8+ major US carriers\nMinimal detection footprint"]
    I --> J["Detection & Disclosure\nNetwork anomaly detected — late 2024\nFBI/CISA notified Congress\nCarriers begin remediation"]
    J --> K["CISA/FBI Guidance\nDec 2024: Agencies recommend\nAmericans use end-to-end\nencrypted messaging apps"]
    K --> L["Legacy\nFCC CALEA security inquiry\nEncryption policy debate reopened\nSenator Warner: 'worst telecom\nhack in US history'"]

    style A fill:#1a1a2e,color:#e0e0e0
    style B fill:#0d3b6e,color:#7ec8e3
    style F fill:#c0392b,color:#fff
    style H fill:#c0392b,color:#fff
    style I fill:#8e44ad,color:#fff
    style L fill:#2c3e50,color:#e0e0e0