Still Inside: Why the Senate Says Salt Typhoon Was Never Fully Evicted

In 1994, Congress required every American telecom company to build a wiretapping capability into its network so that law enforcement, with a court order, could listen in. Thirty years later, a Chinese state-sponsored group called Salt Typhoon used that very system, the one built for lawful surveillance, to surveil America instead. It reached the wiretap infrastructure at AT&T, Verizon, and at least seven other carriers, obtained the list of phone numbers the FBI was monitoring, and went on to spend nine months inside a state's Army National Guard. More than a year later, the Senate says the telecoms still cannot prove the hackers are gone. This is what happened, and why the uncertainty is the most important part.
The Door Was Built on Purpose
In 1994, Congress passed the Communications Assistance for Law Enforcement Act, known as CALEA. It requires every major US telecommunications company to build surveillance capability directly into its network, so that law enforcement, presented with a court order, can intercept a target's communications. The intent was legitimate: lawful, court-supervised wiretapping. The consequence, three decades later, was a door.
In 2024, a Chinese state-sponsored group that Microsoft tracks as Salt Typhoon walked through it. Rather than defeating the telecoms' security from the outside, the group compromised the lawful-intercept systems themselves, the CALEA infrastructure that exists specifically to allow surveillance. The Electronic Frontier Foundation had warned for years that this was inevitable: there is no backdoor that only lets in the good guys and keeps out the bad guys. Salt Typhoon proved the point at national scale.
The breach gave Chinese intelligence access to call metadata, in some cases the audio of calls, and, most alarmingly, a nearly complete list of the phone numbers US law enforcement was actively wiretapping. Read that again. China obtained the list of the people America was surveilling, which is functionally a list of which Chinese operatives the United States had identified. Reports indicated that the targets included the phones of senior political figures and campaign staff during the 2024 election cycle.
The Scale of It
On December 4, 2024, the White House confirmed a campaign targeting roughly 80 telecom providers across dozens of countries, prompting a joint NSA, Pentagon, and CISA task force. In the United States, the Senate Commerce Committee has stated the group deeply penetrated at least nine US telecom companies, including AT&T, Verizon, and Lumen.
The intrusion was not brief. By independent accounts, some implants were live for more than a year. And the group did not stop at telecom. Between 2023 and 2024 it exfiltrated more than 1,400 network configuration files from roughly 70 US government and critical-infrastructure organizations across 12 sectors, including energy, transportation, and water. Configuration files are not glamorous loot, but they are arguably worse than data: they are the blueprints that tell an attacker exactly how a network is built and where its weak points are.
Then the campaign crossed a line that defense officials consider strategic. According to a DHS memo obtained and reported in 2025, Salt Typhoon compromised a US state's Army National Guard network for nine months, from March to December 2024, exfiltrating administrator credentials, network diagrams, the geographic locations of facilities, and the personal information of service members, with data traffic reaching all 50 states and at least four territories. A telecom espionage campaign had become a military one.
Salt Typhoon did not defeat American telecom security. It walked through the surveillance door the government required the telecoms to build. There is no backdoor that only lets in the good guys.
The Reason This Story Matters Now: They May Still Be There
The single most important fact about Salt Typhoon is not in the past tense. As of the most recent congressional findings, the intruders have not been confirmed gone.
In December 2025, the Senate Commerce Committee concluded that the breached telecom companies “have failed to prove the Chinese hackers have been eradicated from their networks.” Note the precise wording. Not “the hackers are still there,” which would be a claim requiring proof, but “the companies have failed to prove they are gone,” which is a statement about the absence of evidence either way, more than a year after the breach was made public. Against an adversary this sophisticated, that uncertainty is itself the finding.
The committee's ranking Democrat, Senator Maria Cantwell, has been blunt about why the breach succeeded in the first place: the carriers “failed to implement rudimentary, rudimentary! cybersecurity measures”: legacy equipment left unpatched for years, known router vulnerabilities, passwords never changed. And she has alleged the carriers' conduct after the breach was worse than negligent. In a February 2026 letter demanding that the CEOs of AT&T and Verizon testify, Cantwell wrote that for months she had sought documentation to corroborate the companies' claims that their networks were now secure, and that both companies had chosen not to cooperate. She has separately alleged the carriers blocked the security firm Mandiant from releasing its forensic reports.
This is the same disclosure reflex documented across the other infrastructure stories of the season. The company at the center of Salt Typhoon, AT&T, is also the defendant in a newly unsealed whistleblower suit alleging it concealed years of foreign intrusions into a federal network and was told to dodge the NSA. The pattern is not coincidence. That case is examined in full here, and it should be read alongside this one, because the two describe the same instinct in the same company: when a foreign intrusion is found, make it sound smaller and more contained than the evidence supports, and resist the outside scrutiny that would test the claim.
The Investigation That Was Killed
There is one more fact that belongs in any honest account, and it is the kind of detail that should trouble people across the political spectrum. The Cyber Safety Review Board, the body modeled on the National Transportation Safety Board and tasked with producing the authoritative post-mortem of major cyber incidents, had opened an investigation into Salt Typhoon. In January 2025, the second Trump administration removed all of its members before the investigation could be completed.
This analysis takes no position on the politics of that decision. The operational consequence is simply stated: the most authoritative public account of how the worst telecom breach in American history happened, and whether it has truly ended, was never finished. The country is operating without the after-action report on its own most serious infrastructure intrusion. When the Senate says the telecoms cannot prove the hackers are gone, that uncertainty is compounded by the fact that the dedicated investigative body was disbanded mid-inquiry.
What This Means for Boards and Acquirers
Salt Typhoon looks, at first, like a story about telecom giants and national intelligence, a world away from a mid-market boardroom. The operative lessons are closer to home than that.
The first is about the nature of mandated access points. CALEA created a required door, and a required door is a permanent, high-value target, because attackers know it exists and know it cannot be removed. Most organizations have their own versions: the remote-access system a vendor requires, the privileged account a software platform needs, the integration that cannot be turned off without breaking operations. Every one of those is a standing door. The Salt Typhoon lesson is that the access you are required to maintain deserves more monitoring than the access you choose, not less, because the adversary already knows it is there.
The second is about what remediation claims are worth. The Senate's central finding is not that the telecoms were breached. It is that, more than a year later, they cannot prove they are clean, and have resisted the scrutiny that would establish it. For an acquirer, this is the entire game. A target's assurance that a past incident was “fully remediated” is a claim, not a fact, and the difference between the two is independent verification. If a US senator with subpoena power cannot get AT&T to prove its network is clean, a private-equity diligence team should be deeply skeptical of a far smaller company's unverified assurance that its own past incident is behind it.
The third is the simplest and the hardest. “We removed them” is not the same as “they are gone.” Eviction from the intrusions you found tells you nothing about the intrusions you did not. The only way to narrow that gap is active, independent threat hunting by someone whose incentive is to find the adversary rather than to declare victory, applied specifically to the privileged-access systems an attacker would most want. Most organizations have never done this even once. The ones that have are usually the ones that found something.
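The two lessons above, the standing door that deserves more monitoring than discretionary access, and the hunt that looks for the adversary rather than declaring victory, reduce to one operational question: is the mandated account being used only in the way the policy that justifies it says it will be? The script below is an added example written for this page, not code from the page's author, the carriers, or any investigator. The account name, hosts, policy and log lines are all constructed (addresses from the RFC 5737 documentation ranges), and the key=value log format is made up for the example. It walks auth events for a hypothetical vendor-required router account and flags every successful login that comes from a source outside the allowlist, uses an authentication method the policy forbids, falls outside an approved change window, or follows a run of failures from the same source.

```python
"""Hunt for misuse of a standing (mandated) access account.

Added example with constructed data. The account `vendor_svc`, the hosts,
the change window and the log lines are all hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

# Constructed auth events from a hypothetical core router fleet.
SAMPLE_LOG = """\
2024-04-02T02:14:07Z host=core-rtr-01 user=vendor_svc src=203.0.113.7 method=publickey result=success
2024-04-02T02:31:55Z host=core-rtr-01 user=vendor_svc src=203.0.113.7 method=publickey result=success
2024-04-09T14:05:19Z host=core-rtr-02 user=vendor_svc src=203.0.113.7 method=publickey result=success
2024-04-11T03:40:02Z host=core-rtr-03 user=vendor_svc src=198.51.100.44 method=password result=failure
2024-04-11T03:40:09Z host=core-rtr-03 user=vendor_svc src=198.51.100.44 method=password result=failure
2024-04-11T03:40:21Z host=core-rtr-03 user=vendor_svc src=198.51.100.44 method=password result=success
2024-04-12T10:22:48Z host=core-rtr-02 user=netops_alice src=10.20.0.15 method=publickey result=success
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) method=(?P<method>\S+) result=(?P<result>\S+)"
)


def _utc(stamp: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


@dataclass(frozen=True)
class StandingAccount:
    """Policy for an account that must exist: where, how and when it may log in."""
    allowed_sources: tuple[str, ...]                    # CIDR allowlist
    allowed_methods: tuple[str, ...]                    # e.g. publickey only
    windows: tuple[tuple[datetime, datetime], ...]      # approved change windows (UTC)


# Hypothetical policy: the vendor-required account may only log in from the
# vendor's jump-host range, with a key, during an approved change window.
POLICY = {
    "vendor_svc": StandingAccount(
        allowed_sources=("203.0.113.0/24",),
        allowed_methods=("publickey",),
        windows=((_utc("2024-04-02T02:00:00Z"), _utc("2024-04-02T04:00:00Z")),),
    ),
}


def parse(log: str) -> list[dict]:
    """Turn the key=value log text into event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = _utc(ev["ts"])
            events.append(ev)
    return events


def hunt(events: list[dict], policy: dict, fail_threshold: int = 2) -> list[dict]:
    """Return every successful login by a standing account that breaks its policy.

    Failures are counted per (host, user, src) so a success that follows a
    burst of failures from the same source is flagged even when the source is
    otherwise allowed.
    """
    findings = []
    fails: dict[tuple, int] = {}
    for ev in events:
        acct = policy.get(ev["user"])
        if acct is None:
            continue                    # not a standing account; out of scope here
        key = (ev["host"], ev["user"], ev["src"])
        if ev["result"] != "success":
            fails[key] = fails.get(key, 0) + 1
            continue
        reasons = []
        src = ip_address(ev["src"])
        if not any(src in ip_network(net) for net in acct.allowed_sources):
            reasons.append("source not allowlisted")
        if ev["method"] not in acct.allowed_methods:
            reasons.append(f"method {ev['method']} not allowed")
        if not any(start <= ev["ts"] <= end for start, end in acct.windows):
            reasons.append("outside approved change window")
        if fails.get(key, 0) >= fail_threshold:
            reasons.append(f"success after {fails[key]} failures")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "host": ev["host"],
                             "user": ev["user"], "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(parse(SAMPLE_LOG), POLICY):
        print(f["ts"], f["host"], f["user"], f["src"], "; ".join(f["reasons"]))
```

On the constructed data the two logins inside the April 2 window pass, the April 9 login from the vendor's own range is flagged only because no change window covers it, and the April 11 login is flagged on every count: unknown source, password instead of key, no window, and a success right after repeated failures. The point of the design is that the policy object is the justification for the account's existence written down as a check; any successful use the policy cannot explain is a hunt lead, whether or not a prior remediation declared the network clean.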
Read This With the Rest
This is one of five connected stories from a single sixty-day window in 2026. The cover analysis, Five Warnings in Sixty Days: The Keys to America's Infrastructure Are Not Being Held, connects all five and links to each of the detailed investigations.
The worst telecom breach in American history exploited not a flaw the companies missed, but a door the government required them to build. More than a year later, the Senate says the carriers cannot prove the intruders are gone, the companies have resisted the scrutiny that would settle it, and the federal board meant to investigate was disbanded mid-inquiry. The lesson for anyone responsible for a network is the one the telecoms are still resisting: the absence of proof that an adversary is gone is not the same as proof of safety, and the only way to tell the difference is to go looking.
Cloudskope advises private equity firms, boards, and portfolio-company operators on the exposure this breach illustrates: that lawful-intercept and privileged-access systems are high-value targets, that vendor assurances of remediation require independent verification, and that 'we removed them' is not the same as 'they are gone.'
