A Chinese state-sponsored hacking group designated Salt Typhoon conducted what US officials have called the “worst telecom hack in our nation’s history” throughout 2024, compromising at least nine major US telecommunications carriers and accessing sensitive wiretapping infrastructure used by law enforcement.
## Scope of compromise

| Metric | Impact |
|---|---|
| Carriers breached | 9 confirmed (AT&T, Verizon, T-Mobile, Lumen, and others) |
| Users affected | Metadata accessed for 1+ million users |
| Geographic focus | Washington D.C. area heavily targeted |
| High-value targets | Presidential campaign staff communications accessed |
| Duration | Months of undetected access |
## Confirmed victims

| Carrier | Status |
|---|---|
| AT&T | Confirmed breach, evicted December 2024 |
| Verizon | Confirmed breach, evicted December 2024 |
| T-Mobile | Confirmed breach |
| Lumen Technologies | Confirmed breach |
| Consolidated Communications | Confirmed breach |
| Windstream | Confirmed breach |
| Spectrum (Charter) | Confirmed breach |
| Additional carriers | Under investigation |
## What was accessed

### CALEA wiretapping systems

The most alarming aspect of the breach was Salt Typhoon’s access to systems implementing the Communications Assistance for Law Enforcement Act (CALEA)—the infrastructure US carriers use to comply with court-ordered wiretaps.

| Access type | Implication |
|---|---|
| Wiretap target lists | Knowledge of who law enforcement is monitoring |
| Intercept capabilities | Potential to eavesdrop on targets |
| Historical requests | Understanding of investigation priorities |
### Call detail records

| Data type | Details |
|---|---|
| Call metadata | Who called whom, when, duration |
| Location data | Cell tower records enabling geolocation |
| Text message metadata | SMS routing information |
| Volume | Over 1 million users affected |
### Political targeting

Salt Typhoon accessed communications of individuals associated with both the Trump and Harris presidential campaigns during the 2024 election:

| Target | Access |
|---|---|
| Donald Trump | Phone communications |
| JD Vance | Phone communications |
| Harris campaign staff | Multiple individuals |
## Attack methodology

### Initial access

Salt Typhoon exploited vulnerabilities in internet-facing network equipment to gain initial footholds:

| Vector | Details |
|---|---|
| Network appliances | Exploited vulnerabilities in routers and switches |
| Zero-days | Some previously unknown vulnerabilities used |
| Credential theft | Compromised administrator accounts |
### Custom malware

| Malware | Function |
|---|---|
| GhostSpider | Backdoor for persistent access |
| Demodex | Rootkit for stealth |
| SnappyBee | Credential harvesting |
| Additional tools | Custom implants for specific environments |
### Persistence

| Technique | Description |
|---|---|
| Deep network access | Compromised core routing infrastructure |
| Multiple footholds | Redundant access paths |
| Legitimate credentials | Used stolen admin accounts |
| Living off the land | Minimized custom malware use |
## Attribution

### US government assessment

| Agency | Assessment |
|---|---|
| FBI | High confidence: PRC state-sponsored |
| CISA | Assesses Salt Typhoon as Chinese MSS-affiliated |
| NSA | Consistent with PRC cyber operations |
### Treasury sanctions

On January 17, 2025, the US Treasury Department sanctioned Sichuan Juxinhe Network Technology Co., Ltd. for providing infrastructure support to Salt Typhoon operations.

### FBI bounty

In April 2025, the FBI announced a $10 million reward for information leading to the identification or location of individuals behind Salt Typhoon.
## Geopolitical context

### Taiwan connection

Intelligence assessments indicate Salt Typhoon’s telecom targeting serves strategic objectives related to potential Taiwan Strait conflict:

| Objective | Purpose |
|---|---|
| Intelligence collection | Understanding US government communications |
| Pre-positioning | Establishing access for potential future disruption |
| Counter-intelligence | Identifying surveillance targets |
### Comparison to Volt Typhoon

| Aspect | Salt Typhoon | Volt Typhoon |
|---|---|---|
| Primary targets | Telecommunications | Critical infrastructure |
| Primary mission | Intelligence collection | Pre-positioning for disruption |
| Sectors | Telecom carriers, ISPs | Water, energy, transportation |
| Geographic focus | Communications infrastructure | Operational technology |
Both groups are assessed as Chinese state-sponsored but serve different strategic objectives.
## Carrier response

| Carrier | Actions |
|---|---|
| AT&T | Evicted Salt Typhoon December 2024, enhanced monitoring |
| Verizon | Evicted December 2024, third-party verification |
| T-Mobile | Investigation and remediation ongoing |
## Government response

| Action | Details |
|---|---|
| FBI/CISA joint investigation | Ongoing |
| Congressional briefings | Multiple classified sessions |
| Sanctions | Treasury action against support infrastructure |
| CISA guidance | Enhanced security recommendations for telecoms |
### Legislative proposals

| Proposal | Description |
|---|---|
| Enhanced telecom security requirements | Mandatory security standards |
| CALEA modernization | Updated wiretapping infrastructure requirements |
| Breach notification | Faster disclosure requirements |
| Funding | Increased cybersecurity investment |
## Encryption implications

The breach has reignited debate over encryption:

| Perspective | Argument |
|---|---|
| Security advocates | End-to-end encryption would have protected communications |
| Law enforcement | Encryption complicates lawful access |
| Privacy groups | Centralized wiretap systems create attack surface |
### Recommended user actions

| Action | Benefit |
|---|---|
| Use encrypted messaging (Signal, iMessage) | Content protection |
| VPN usage | Additional traffic encryption |
| Assume SMS is not secure | Avoid sensitive information via text |
## Ongoing concerns

### Undetected access

US officials have indicated that additional compromises likely remain undiscovered:

| Concern | Status |
|---|---|
| Other carriers | Investigation ongoing |
| Duration of access | Full timeline unclear |
| Data exfiltration | Full scope unknown |
### FBI warning

The FBI has warned 200+ US organizations and 80 countries that they may have been targeted by Salt Typhoon operations.
## Context

Salt Typhoon represents an unprecedented breach of US telecommunications infrastructure. The access to CALEA wiretapping systems is particularly significant—it means Chinese intelligence potentially gained visibility into who US law enforcement was monitoring and may have been able to conduct their own surveillance through the same infrastructure.
The breach highlights fundamental tensions in telecommunications security:
| Tension | Challenge |
|---|---|
| Lawful access vs. security | CALEA infrastructure creates attack surface |
| Speed vs. verification | Real-time communications hard to secure |
| Scale vs. monitoring | Massive networks difficult to defend |
For organizations and individuals, the primary lesson is that telecommunications metadata and unencrypted communications should be assumed vulnerable to sophisticated nation-state adversaries. End-to-end encrypted communications remain the most reliable protection against this class of threat.
The full impact of Salt Typhoon will likely take years to assess as investigations continue and additional compromises are discovered.