Salt Typhoon 2024–2025: China's 8-Month Infiltration of US Telecom Wiretap Infrastructure

2024-08-01
BREACH INTELLIGENCE
breach date

2024-08-01

Industry

Telecommunications

Severity

Critical

Scope

At least nine US carriers breached; lawful-intercept target lists and the communications of selected surveillance targets accessed

Financial Impact

Not quantified (an espionage campaign: no ransom demand and no financial-data theft)

Breach Summary

Salt Typhoon, a Chinese state-sponsored APT group, infiltrated the systems of at least nine major US telecommunications carriers over a period of eight months or more, gaining access to the lawful intercept infrastructure that US law enforcement uses to conduct court-authorized wiretaps. The attackers did not steal financial data or encrypt systems for ransom. They reached the list of individuals under federal surveillance, and the intercepted communications of some of them, giving Chinese intelligence a near-real-time view of who the US government was watching.

The Salt Typhoon breach is arguably the most consequential intelligence compromise in a decade. It was not detected by any of the carriers' own security operations; the FBI brought it to them.

What Happened

Salt Typhoon was inside US telecom networks by August 2024 at the latest, and had been there for eight months or more before the intrusion was detected; the true start date has not been established publicly. The campaign targeted the lawful intercept systems, specifically the CALEA (Communications Assistance for Law Enforcement Act) infrastructure, that carriers maintain to comply with federal wiretap orders. These systems, by design, deliver call content and metadata for court-authorized surveillance targets to law enforcement. By compromising this infrastructure, Salt Typhoon gained access both to the target list itself and to the communications of specific high-value targets the US government was actively surveilling, including individuals connected to the presidential campaigns of both major parties in 2024.

The FBI and CISA publicly confirmed the breach in a joint statement in November 2024. By early 2025 the confirmed victim set included AT&T, Verizon, T-Mobile, Lumen, and at least five additional carriers. The Senate was briefed in a classified session. Officials characterized the campaign as espionage aimed at long-term collection rather than disruption; the public warnings about China demonstrating the ability to disrupt US communications and other critical infrastructure at will concern the separate Volt Typhoon pre-positioning campaign, not Salt Typhoon. Remediation was described as incomplete as of early 2025, with officials unable to confirm that the intruders had been fully evicted.

Attack Vector Detail

Salt Typhoon entered carrier administrative systems through a combination of compromised credentials and known, unpatched vulnerabilities in network edge devices, including Cisco routers and network management systems. Cisco Talos later reported that valid stolen credentials were the primary vector, with exploitation of a known Cisco IOS XE vulnerability (CVE-2023-20198) observed in at least one case; once on a router the operators relied on built-in features such as configuration changes and GRE tunnels rather than custom malware, which is why endpoint-style tooling had nothing to see. Once inside, the attackers moved laterally to identify and reach the CALEA lawful intercept systems, which sit in network segments that are isolated from production traffic but still reachable from carrier management networks. The persistence of the intrusion, eight or more months across nine carriers without internal detection, reflects both disciplined operational security and a monitoring gap in carrier security operations: administrative logins and configuration changes made with legitimate but compromised accounts looked like routine work. The attackers showed the patience of long-term intelligence collection rather than rapid exploitation: they observed without disrupting, collected without triggering alerts, and exfiltrated selectively rather than in bulk.
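The monitoring gap described above is concrete enough to show in code. The detector below is an added illustration written for this page, not tooling from any affected carrier or from the original reporting. It scans constructed Cisco IOS-style syslog and AAA lines for three access patterns a lawful-intercept SOC would want to alert on: a login to an LI mediation host from outside the approved management subnet or by an account not in the LI operator baseline, a configuration change on an edge router by an account outside the change-authorized set, and a new tunnel interface coming up on an edge router. The hostnames, subnets, account names and sample log lines are all assumptions.

```python
import ipaddress
import re

# Hypothetical carrier policy (assumed values, not taken from the Salt Typhoon reporting).
LI_MGMT_SUBNET = ipaddress.ip_network("10.250.0.0/24")  # only jump hosts here may reach LI hosts
LI_HOSTS = {"li-mediation-01", "li-mediation-02"}       # lawful-intercept mediation hosts
BASELINE_LI_USERS = {"li-oper-1", "li-oper-2"}          # accounts expected to log in to LI hosts
EDGE_ROUTERS = {"edge-rtr-01", "edge-rtr-02"}           # internet-facing routers
APPROVED_CONFIG_USERS = {"netops-a", "netops-b"}        # accounts allowed to change edge config

# "<Mon dd hh:mm:ss> <host> <message>", as a syslog relay would store each line.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[^)]+)\)")
TUNNEL_RE = re.compile(r"%LINK-3-UPDOWN: Interface (?P<ifname>Tunnel\d+), changed state to up")

# Constructed sample approximating Cisco IOS message formats; these are not real carrier logs.
SAMPLE_LOGS = [
    "Mar 12 02:01:17 li-mediation-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: li-oper-1] [Source: 10.250.0.15] [localport: 22]",
    "Mar 12 03:14:05 li-mediation-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-backup] [Source: 10.44.9.201] [localport: 22]",
    "Mar 12 03:16:40 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by svc-backup on vty2 (198.51.100.23)",
    "Mar 12 03:17:02 edge-rtr-01 %LINK-3-UPDOWN: Interface Tunnel100, changed state to up",
    "Mar 12 09:30:11 edge-rtr-02 %SYS-5-CONFIG_I: Configured from console by netops-a on vty0 (10.250.0.15)",
    "Mar 12 09:31:00 edge-rtr-02 %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up",
]


def parse(line):
    """Split a relayed syslog line into timestamp, reporting host and message (None if malformed)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return one finding dict per policy violation.

    Every rule is a who / from-where / on-which-host comparison against the inventory above:
    none of these events is suspicious as a bare signature, which is exactly why a
    credential-based intrusion passes unnoticed when the inventory is not enforced.
    """
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        host, msg, ts = rec["host"], rec["msg"], rec["ts"]

        m = LOGIN_RE.search(msg)
        if m and host in LI_HOSTS:
            src = ipaddress.ip_address(m["src"])
            if src not in LI_MGMT_SUBNET:
                findings.append({"rule": "li_login_outside_mgmt", "host": host,
                                 "user": m["user"], "src": str(src), "ts": ts})
            if m["user"] not in BASELINE_LI_USERS:
                findings.append({"rule": "li_login_unknown_user", "host": host,
                                 "user": m["user"], "src": str(src), "ts": ts})

        m = CONFIG_RE.search(msg)
        if m and host in EDGE_ROUTERS and m["user"] not in APPROVED_CONFIG_USERS:
            findings.append({"rule": "edge_config_unapproved_user", "host": host,
                             "user": m["user"], "src": m["src"], "ts": ts})

        m = TUNNEL_RE.search(msg)
        if m and host in EDGE_ROUTERS:
            findings.append({"rule": "edge_new_tunnel", "host": host,
                             "iface": m["ifname"], "ts": ts})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Run against the sample, the first line (an LI operator from the management subnet) produces nothing, while the 03:14 to 03:17 sequence yields four findings: an unknown service account reaching an LI host from an unexpected subnet, the same account rewriting an edge router's configuration, and a new tunnel interface on that router. The rules are only as good as the inventories behind them; keeping an authoritative list of LI hosts and the accounts entitled to touch them is the prerequisite, and the compromised-credential case is why "valid login" can never be the whole check.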

Executive Lessons

Salt Typhoon produced four executive-level lessons. First, lawful intercept infrastructure is now a confirmed nation-state target: the very systems designed to enable government surveillance became the channel for foreign intelligence collection. Second, nine carriers were compromised over eight months or more without internal detection; the FBI, not the carriers, found the breach. That establishes that telecom security operations were not monitoring CALEA infrastructure with sufficient rigor. Third, the attackers' priority target was not consumer data but surveillance lists, that is, the individuals and organizations the US government was watching. This is strategic intelligence of the highest value. Fourth, remediation was still incomplete months after disclosure, which indicates the attackers had achieved a depth of access, on network devices rather than endpoints, that made full eviction technically difficult.

Private Equity Implications

For PE sponsors with telecom, cable, or internet service portfolio companies, Salt Typhoon establishes that lawful intercept infrastructure requires its own security tier: isolated, heavily monitored, and subject to continuous integrity verification of the devices and configurations that make it up. Any carrier-class portfolio company operating CALEA infrastructure should treat it as the highest-priority security investment in its environment. Beyond telecom, Salt Typhoon signals that nation-state actors now routinely target the administrative systems adjacent to sensitive data rather than the data stores themselves, a targeting model that extends to any organization managing regulated access to sensitive communications.
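Continuous integrity verification of the devices in that tier can start with something simple. The following is an added example for this page, not Cloudskope's or any carrier's tooling: it normalises a Cisco IOS-style running configuration by dropping volatile lines, hashes the result against a stored baseline, and when the hash changes reports the exact lines added or removed. The configurations are constructed, and the set of line patterns treated as volatile is an assumption to be extended per platform.

```python
import difflib
import hashlib
import re

# Lines that legitimately change between config pulls and must not count as drift
# (assumed set; extend per platform).
VOLATILE = re.compile(
    r"^(!\s*(Last configuration change|NVRAM config last updated|Time:).*|ntp clock-period .*)$"
)

# Constructed IOS-style configuration for an edge router; secrets replaced with REDACTED.
BASELINE = """!
! Last configuration change at 09:12:44 UTC Mon Mar 11 2024 by netops-a
!
hostname edge-rtr-01
!
username netops-a privilege 15 secret REDACTED
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

# Same device pulled a day later: only the volatile comment differs, so this must NOT alert.
UNCHANGED_LATER = BASELINE.replace("09:12:44 UTC Mon Mar 11 2024", "09:12:44 UTC Tue Mar 12 2024")

# Same device with an extra privileged account and a GRE tunnel to an outside host added.
TAMPERED = BASELINE.replace(
    "username netops-a privilege 15 secret REDACTED\n",
    "username netops-a privilege 15 secret REDACTED\nusername svc-backup privilege 15 secret REDACTED\n",
).replace(
    "line vty 0 4\n",
    "interface Tunnel100\n tunnel source GigabitEthernet0/0/0\n tunnel destination 203.0.113.50\n!\nline vty 0 4\n",
)


def normalize(config):
    """Drop blank and volatile lines so the hash tracks operator-meaningful content only."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    return "\n".join(ln for ln in lines if ln and not VOLATILE.match(ln)) + "\n"


def fingerprint(config):
    """SHA-256 of the normalised configuration; store this per device as the baseline."""
    return hashlib.sha256(normalize(config).encode("utf-8")).hexdigest()


def verify(baseline, current):
    """Return [] when the normalised configs match, otherwise the added ('+') and removed ('-') lines."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    diff = difflib.unified_diff(
        normalize(baseline).splitlines(), normalize(current).splitlines(),
        fromfile="baseline", tofile="current", lineterm="", n=0,
    )
    return [ln for ln in diff if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


if __name__ == "__main__":
    print("unchanged:", verify(BASELINE, UNCHANGED_LATER))
    print("tampered:")
    for change in verify(BASELINE, TAMPERED):
        print(" ", change)
```

The value of the check is in what it surfaces, not the hash itself: on the tampered configuration it reports the new privilege-15 account and the Tunnel100 block, which are exactly the kinds of changes a credentialed intruder makes with no malware involved. To be meaningful the baseline must be pulled over an authenticated channel, stored outside the device, and re-verified on a schedule and on every configuration-change syslog event, so that a change made by a compromised operator account is reviewed by someone other than that account.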

How Cloudskope Can Help

Cloudskope's telecom security assessments evaluate lawful intercept infrastructure security, access controls on carrier network administrative systems and edge devices, and monitoring coverage for the credential-based, living-off-the-land TTPs used in the Salt Typhoon campaign.