Salt Typhoon
Threat Intelligence
Definition
A Chinese state-sponsored advanced persistent threat (APT) group that conducted widespread intrusions into major US telecommunications providers in 2024-2025, compromising lawful intercept systems and intercepting communications of senior US government officials and political figures.
Technical Details
Salt Typhoon (also tracked as Earth Estries, FamousSparrow, and GhostEmperor by various threat intelligence vendors) is assessed by the US government to be affiliated with China's Ministry of State Security. The group's most significant known campaign involved the compromise of at least nine major US telecommunications carriers including AT&T, Verizon, T-Mobile, and Lumen Technologies between roughly 2022 and 2024. The intrusions gave the group persistent access to network infrastructure that handles CALEA (Communications Assistance for Law Enforcement Act) lawful intercept systems — the same backdoor infrastructure that carriers are legally required to maintain for law enforcement use.

The technical methodology involved exploiting vulnerabilities in edge network devices — particularly Cisco IOS XE routers and Fortinet appliances — to establish initial footholds. From there, attackers moved laterally through carrier networks using living-off-the-land techniques, abusing legitimate network management tools to avoid detection. The group deployed custom implants including a backdoor called GhostSpider and a Linux-targeting rootkit called Masol RAT.

Critically, the attackers accessed systems used to fulfill court-ordered surveillance requests, potentially revealing which individuals are under US law enforcement surveillance. Beyond lawful intercept systems, Salt Typhoon intercepted the private communications of senior political figures including individuals associated with the 2024 US presidential campaigns. The group demonstrated deep familiarity with telecom network architecture, suggesting either insider knowledge or extended reconnaissance. Their access persisted for months to years before detection, in part because the compromised infrastructure was not subject to the same endpoint detection controls as enterprise IT environments.
The campaign prompted emergency action by CISA and the FCC, including new guidance on hardening telecom infrastructure and a joint advisory with international partners. The Senate held classified briefings, and the incident renewed debate about whether CALEA-mandated backdoors create systemic national security risks by creating a single high-value target that foreign adversaries are highly motivated to compromise.
Practical Usage
For security teams at telecommunications companies and critical infrastructure operators, Salt Typhoon illustrates the acute risk posed by internet-facing edge devices running outdated or unpatched firmware. The campaign underscores that threat actors operating at nation-state level will specifically seek out legally mandated access infrastructure because it provides the highest-value intelligence yield. Telecom security teams should treat their CALEA systems as crown-jewel assets requiring the strictest segmentation, logging, and access controls — not as peripheral compliance infrastructure.

From a detection standpoint, Salt Typhoon's use of living-off-the-land techniques means traditional signature-based detection is insufficient. Network-level monitoring for anomalous data flows from core routing infrastructure, combined with robust NetFlow analysis and zero-trust network segmentation, provides better detection opportunities. Security teams should implement continuous configuration integrity monitoring on all edge devices and establish baselines for normal administrative access patterns so that lateral movement attempts trigger alerts.

For enterprise organizations (not just telecoms), this campaign is a reminder that supply chain and carrier-level compromises can affect private communications even when internal security posture is strong. Organizations handling sensitive communications — law firms, political campaigns, government contractors — should consider encrypted communications channels that remain secure even if carrier infrastructure is compromised, such as end-to-end encrypted messaging apps that do not rely on PSTN infrastructure.
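The two detection controls recommended above, configuration integrity monitoring on edge devices and baselining of administrative access, as an added example that is not part of the original entry: it hashes each device's running-config against an approved baseline and flags logins that originate outside the jump-host range or use an unexpected account. Device names, subnets, accounts, and log lines are constructed for illustration, with the log lines modeled on Cisco IOS-style login-success syslog messages.

```python
import hashlib
import ipaddress
import re

# Constructed baseline: SHA-256 of each edge device's last approved running-config.
BASELINE_CONFIG_HASHES = {
    "edge-rtr-01": hashlib.sha256(b"hostname edge-rtr-01\nip ssh version 2\n").hexdigest(),
    "edge-rtr-02": hashlib.sha256(b"hostname edge-rtr-02\nip ssh version 2\n").hexdigest(),
}
# Constructed baseline: jump-host range and accounts that normally perform admin logins.
APPROVED_ADMIN_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]
APPROVED_ADMIN_USERS = {"netops", "svc-backup"}

# Matches IOS-style login-success syslog messages; the constructed sample lines follow this shape.
LOGIN_RE = re.compile(r"(?P<device>\S+) .*LOGIN_SUCCESS: Login Success "
                      r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]")


def config_drift(current_configs: dict) -> list:
    """Return devices whose running-config hash differs from the approved baseline."""
    # A device absent from the baseline is also reported: an unknown edge device is itself a finding.
    return sorted(dev for dev, cfg in current_configs.items()
                  if hashlib.sha256(cfg).hexdigest() != BASELINE_CONFIG_HASHES.get(dev))


def anomalous_admin_logins(log_lines: list) -> list:
    """Flag admin logins from outside the approved jump-host range or by unexpected accounts."""
    findings = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login event; other syslog messages are ignored here
        src = ipaddress.ip_address(m["src"])
        reasons = []
        if not any(src in net for net in APPROVED_ADMIN_SOURCES):
            reasons.append("source outside admin baseline")
        if m["user"] not in APPROVED_ADMIN_USERS:
            reasons.append("unexpected admin account")
        if reasons:
            findings.append((m["device"], m["user"], str(src), reasons))
    return findings


# Constructed sample data: edge-rtr-02's config gained a line, and two logins deviate from baseline.
SAMPLE_CONFIGS = {
    "edge-rtr-01": b"hostname edge-rtr-01\nip ssh version 2\n",
    "edge-rtr-02": b"hostname edge-rtr-02\nip ssh version 2\nip http server\n",
}
SAMPLE_LOGS = [
    "edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.0.5]",
    "edge-rtr-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 203.0.113.7]",
    "edge-rtr-02 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin2] [Source: 10.10.0.9]",
]
```

In practice the baseline hashes would be taken from a change-controlled config repository and the login lines from the device syslog feed, so that a drifted edge device and an out-of-baseline administrative login raise the same alert in the SIEM.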
Examples
- Salt Typhoon compromised AT&T and Verizon networks and accessed lawful intercept systems used to fulfill FBI surveillance requests, potentially revealing the identities of individuals under federal investigation.
- The group intercepted communications of senior officials associated with both the Trump and Harris presidential campaigns in 2024, representing one of the most significant intelligence breaches of a US election cycle.
- Salt Typhoon maintained persistent access inside a major US carrier for over a year before detection, using compromised Cisco edge routers as footholds and moving laterally without deploying detectable malware payloads on most systems.