FBI Reveals Salt Typhoon’s Multi-Year Campaign That Breached Telecom Carriers and Lawful Intercept Systems


Photo by Tony Webster

U.S. investigators say a long-running Chinese cyber campaign hit more than 80 countries and reached far beyond phone companies. Security teams traced the operation across telecommunications backbones and into government, transportation, lodging and military infrastructure.

Agencies briefed on the campaign describe quiet, patient access that enabled broad collection of metadata and other sensitive records across multiple regions. The attackers did not limit themselves to one sector or one geography, which complicates clean-up work for every operator touched by the activity.

Officials connect the intrusions to a group tracked as Salt Typhoon. The operation surfaced publicly last year, but activity stretches back at least to 2019.

Investigators now assess the reach as global and persistent, with footholds maintained inside core networks that deliver services directly to customers as well as internal enterprise systems. Several allied cyber agencies backed a joint technical advisory that maps the tradecraft used.

New details released in recent days show the campaign touched roughly 200 U.S. organizations and many more abroad. They include operators responsible for mobile voice, messaging and transit links between carriers.

FBI notifications and joint advisory with allied agencies

The FBI notified at least 600 entities about observed interest or compromise tied to Salt Typhoon. Those notifications came alongside a fresh hunt guide with indicators, queries and defensive steps for network teams. Partners in Europe and the Asia-Pacific signed onto the same advisory, emphasizing how the campaign crossed borders and legal jurisdictions.

Defense officials confirm the notice traffic prioritized owners of high-capacity interconnects and lawful access systems, since exposure there tends to cascade.

The advisory followed a coordinated public move by a broad coalition that called out three Chinese firms for supporting cyber operations. One of those firms now faces U.S. sanctions for ties to Salt Typhoon. 

Officials framed the step as a signal to vendors and integrators that provide services to carriers and data center operators. Procurement teams have already asked for assurances about code provenance and remote-management pathways, people familiar with recent bid requests say.

According to industry sources, network owners that run international cable landing stations and long-haul transport links received additional outreach. Those sites aggregate traffic from many countries. A foothold there grants visibility that extends far beyond a single carrier’s customers. Several operators quietly rotated credentials, isolated management planes, and audited lawful intercept equipment in response to the briefings.

Exploited 2018 router flaws and lawful intercept systems under CALEA

Investigators tie initial access in multiple cases to old but still present device flaws. One known entry point involves CVE-2018-0171, a Cisco Smart Install issue that remains common on edge and aggregation hardware.

The group also used valid credentials harvested from separate compromises. Once inside, they moved laterally into systems that orchestrate signaling, provisioning and traffic capture. Operators report difficulty evicting implants from devices with limited logging and patch windows.

Several intrusions reached systems that support court-authorized surveillance. In the United States, carriers must engineer networks to enable such access under the Communications Assistance for Law Enforcement Act of 1994.

Compromise of those “lawful intercept” functions risks exposure of requests and metadata linked to criminal and counterintelligence cases. Recent assessments indicate that Salt Typhoon obtained insight into parts of these workflows at multiple providers, which elevates the sensitivity of the breach.

Defense officials confirm the campaign harvested large volumes of call records and network configuration files.

National Guard breach, ongoing risk, and what operators should undertake now

A declassified memorandum described extensive compromise of a U.S. state’s Army National Guard network during 2024. The breach persisted for months and exposed administrative credentials and network diagrams, according to summaries of that document. Follow-on reviews linked parts of the access to the same Salt Typhoon cluster active inside telecom environments.

U.S. and allied agencies issued a joint advisory setting out actions for owners of telecom and infrastructure networks. It urges rapid containment of high-value management paths.

Based on the advisory and recent field reports, operators should prioritize the following:

  • Remove or disable Smart Install and similar autoconfiguration services on exposed devices. Where removal is not possible, restrict access to dedicated out-of-band networks.
  • Reimage network appliances from trusted gold images, then rotate all credentials tied to orchestration, lawful intercept, and mediation devices.
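To make the first item concrete, the following script is an added example written for this article; it is not code from the FBI, CISA or any vendor. It audits constructed Cisco IOS running-config excerpts for two conditions a network team would check after the briefings: whether Smart Install is still enabled (it stays on unless `no vstack` is set globally) and whether the vty lines are restricted by an access-class that permits only the out-of-band management network. It also scans constructed flow records for connections to TCP/4786, the port the Smart Install service listens on, from sources outside that management network. The management prefix 10.250.0.0/24, the device names, the config text and the flow records are all constructed sample data, and the function names are this example's own.

```python
"""Audit IOS config excerpts for Smart Install exposure and flag Smart Install
traffic from outside the OOB management network (constructed sample data)."""
import ipaddress
import re
from dataclasses import dataclass

SMART_INSTALL_PORT = 4786  # TCP port the Smart Install (vstack) service listens on

# Constructed OOB management prefix for this example (assumption, not from the article).
OOB_MGMT = [ipaddress.ip_network("10.250.0.0/24")]


@dataclass
class Finding:
    device: str
    issue: str
    detail: str


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (assumes a contiguous wildcard)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False)


def parse_standard_acls(raw_lines):
    """Return {acl_name: [permitted networks]} from 'ip access-list standard' blocks."""
    acls, current = {}, None
    for line in raw_lines:
        m = re.match(r"ip access-list standard (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the ACL block
            continue
        parts = line.split()
        if current and parts and parts[0] == "permit":
            if parts[1] == "host":
                acls[current].append(ipaddress.ip_network(parts[2] + "/32"))
            elif len(parts) >= 3:
                acls[current].append(_wildcard_to_network(parts[1], parts[2]))
            else:
                acls[current].append(ipaddress.ip_network(parts[1] + "/32"))
    return acls


def audit_config(device: str, config: str, oob_nets) -> list:
    """Flag Smart Install left enabled and vty access broader than the OOB network."""
    findings = []
    raw = config.splitlines()
    if "no vstack" not in [l.strip() for l in raw]:
        findings.append(Finding(device, "smart-install-enabled",
                                "add 'no vstack' in global configuration"))
    acls = parse_standard_acls(raw)
    vty_acl, in_vty = None, False
    for line in raw:
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not line.startswith(" "):
            in_vty = False
        elif in_vty:
            m = re.match(r"\s+access-class (\S+) in", line)
            if m:
                vty_acl = m.group(1)
    if vty_acl is None:
        findings.append(Finding(device, "vty-unrestricted",
                                "no inbound access-class on vty lines"))
    else:
        for net in acls.get(vty_acl, []):
            if not any(net.subnet_of(oob) for oob in oob_nets):
                findings.append(Finding(device, "vty-acl-too-broad",
                                        f"{vty_acl} permits {net}"))
    return findings


def flag_smart_install_flows(flows, oob_nets):
    """Return flows to TCP/4786 whose source lies outside the OOB management network."""
    hits = []
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == SMART_INSTALL_PORT:
            src = ipaddress.ip_address(f["src"])
            if not any(src in net for net in oob_nets):
                hits.append(f)
    return hits


# Constructed running-config excerpts; not taken from any real device.
CONFIG_EXPOSED = """\
hostname agg-edge-01
ip access-list standard MGMT
 permit 10.250.0.0 0.0.0.255
 permit 198.51.100.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

CONFIG_HARDENED = """\
hostname agg-edge-02
no vstack
ip access-list standard MGMT
 permit 10.250.0.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

# Constructed flow records (source, destination, protocol, destination port).
FLOWS = [
    {"src": "10.250.0.7", "dst": "10.1.1.1", "proto": "tcp", "dport": 4786},
    {"src": "203.0.113.9", "dst": "10.1.1.1", "proto": "tcp", "dport": 4786},
    {"src": "203.0.113.9", "dst": "10.1.1.1", "proto": "tcp", "dport": 22},
]

if __name__ == "__main__":
    for name, cfg in (("agg-edge-01", CONFIG_EXPOSED), ("agg-edge-02", CONFIG_HARDENED)):
        for f in audit_config(name, cfg, OOB_MGMT):
            print(f"{f.device}: {f.issue} ({f.detail})")
    for f in flag_smart_install_flows(FLOWS, OOB_MGMT):
        print(f"Smart Install traffic from outside OOB: {f['src']} -> {f['dst']}")
```

Against the constructed data, the exposed device is reported twice (Smart Install still on, and an ACL entry outside the management prefix), the hardened device is clean, and only the flow from 203.0.113.9 to port 4786 is flagged. The config parser handles only standard ACLs with contiguous wildcards; extended ACLs or `ip access-list` entries on other platforms would need their own handling.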

Officials advise reviews of peering and transit contracts that grant third-party remote access. Many carriers permit vendor tunnels for maintenance. Those tunnels often bypass enterprise security stacks and can linger long after a project ends. 

Contract riders that require logging, credential rotation and incident-response duties for vendors have shifted from “nice to have” to standard on large projects, several procurement teams told us.

Network owners continue to find gaps where patches existed for years. Old flaws reside on boxes that handle live customer traffic and cannot be rebooted during business hours.

According to industry sources, operators are mapping windows for rolling replacement of hardware most exposed to internet-facing probes. In parallel, they are shifting lawful intercept platforms onto segmented management domains with separate authentication and audit trails to reduce spillover risk from IT compromises.

The investigation now spans activity from at least 2019, through public discovery last year, to the present. Analysts tracking Chinese state-backed activity say the tradecraft matches a broader push for access and persistence inside essential service providers. The same operators already fight criminal DDoS and fraud rings, so staffing and tooling demands keep climbing. Our analysis shows teams that rebuild from clean firmware images and enforce strict separation of duties recover faster than those relying on piecemeal fixes.

Leadership teams should plan for multi-quarter work to evict entrenched access. Teams that succeed appoint a single executive owner for backbone security, provide procurement authority to replace aged hardware, and lock vendor access into monitored time-bound sessions.

Defense officials confirm that carriers that adopted those practices close more findings on subsequent re-scans and report fewer repeat incidents tied to the same actor set.
