Decipher File · Discovery October 2024, dwell time months to years
Salt Typhoon 2024: Chinese State Actors Inside AT&T, Verizon, Lumen Wiretap Systems
Salt Typhoon is the intrusion campaign that gave Chinese state actors access to lawful-intercept and wiretap systems inside the largest US telecom carriers. The FBI and CISA publicly attributed the activity to a People's Republic of China-affiliated APT in joint statements on October 25 and November 13, 2024; press reporting and the carriers' own statements named AT&T, Verizon, and Lumen (formerly CenturyLink) among the affected carriers, and official briefings described dwell time of months to years. Targets included communications of senior US government officials and presidential campaign principals. The intrusion exposed the structural risk in the CALEA lawful-intercept architecture.
Incident summary
Salt Typhoon is the public name for an intrusion campaign by a People's Republic of China-affiliated APT against the largest US commercial telecom carriers. The campaign was disclosed publicly by the Wall Street Journal on October 5, 2024, acknowledged in a joint FBI-CISA statement on October 25, 2024, and characterized further in a second FBI-CISA joint statement on November 13, 2024. Technical hardening guidance followed on December 3, 2024 from CISA, NSA, and FBI together with partner agencies in Australia, Canada, and New Zealand. The government statements do not name victims; AT&T, Verizon, and Lumen Technologies (formerly CenturyLink) were identified through press reporting and the carriers' own statements. The November statement describes compromises at multiple telecommunications companies, and in late December 2024 the White House said at least nine US telecoms were affected.
The intrusion reached lawful-intercept infrastructure inside the affected carriers. Lawful-intercept systems implement the Communications Assistance for Law Enforcement Act (CALEA) requirement that US carriers maintain the technical capability to provide court-ordered wiretap access to law enforcement. The WSJ October 5, 2024 reporting described access to the systems carriers use to fulfil wiretap orders, and the November 13 FBI-CISA statement confirmed that the actors copied certain information that was subject to US law enforcement requests made pursuant to court orders. Access of that kind reveals which subscribers are under active US surveillance, and its intelligence value is independent of any communications content actually intercepted.
Per the November 13 statement and follow-up briefings, Salt Typhoon also collected call-record metadata for a large number of customers and the private communications of a limited number of individuals primarily involved in government or political activity, including senior US officials, members of presidential campaigns, and officials in allied governments. Dwell time inside affected carrier networks has been described in official briefings as months to years. The full duration is still under assessment as of the May 2026 lastVerified date on this article.
Attack technique
The publicly documented technique chain maps to valid-account access (MITRE ATT&CK T1078), exploitation of public-facing edge infrastructure (T1190), abuse of external remote services (T1133), and modification of authentication processes inside compromised carrier networks (T1556). Cisco Talos reported in February 2025 that, in the Cisco devices it investigated, initial access was predominantly through legitimate credentials, with one confirmed case of exploitation of the Smart Install vulnerability CVE-2018-0171; Recorded Future reported attempts in late 2024 and early 2025 to exploit unpatched Cisco IOS XE devices (CVE-2023-20198 and CVE-2023-20273) at telecoms. Stolen or reused credentials from earlier compromises, and per some reporting footholds at third-party service providers, account for initial access elsewhere.
The operationally distinctive technique is the post-compromise navigation from general carrier network access to CALEA lawful-intercept system access. Lawful-intercept systems are expected to be tightly controlled, but in practice the boundary between them and the rest of the carrier network is enforced through network policy (firewall rules, VLANs, access-control lists, and identity systems) rather than physical isolation. Salt Typhoon's lateral movement from initial foothold to lawful-intercept access exploited that policy-level segmentation. Per Cisco Talos, the actors harvested credentials from device configurations and from intercepted TACACS+ and RADIUS traffic, modified device configurations and ACLs, and built GRE tunnels between compromised devices, which let them cross the boundary with valid administrative credentials rather than exploits.
Dwell time of months to years matters analytically. The SolarWinds Sunburst intrusion, a common benchmark, ran roughly nine months from the first trojanized build in March 2020 to detection in December 2020; Salt Typhoon's dwell time, while not fully disclosed, exceeds that figure for at least some affected carriers. The combination of valid credentials, a foothold on edge infrastructure that runs no endpoint agent, and policy-level segmentation crossings produced a sustained-access posture that conventional EDR and NDR detection did not surface until external intelligence collection produced indicators.
Salt Typhoon is Microsoft's name for the group under its threat-actor naming convention; Volt Typhoon and Flax Typhoon are separate Microsoft designations for other PRC-affiliated groups and should not be conflated with it. Other vendors track overlapping activity under their own names, including Trend Micro's Earth Estries and Recorded Future's RedMike. The FBI-CISA statements and the December 2024 hardening guidance describe the activity as PRC-affiliated cyber actors without adopting any vendor name, so cross-vendor correlation has to be done on technique and infrastructure, not on the label.
Impact and consequences
The intelligence impact is the dominant consequence. Access to lawful-intercept systems told the PRC which US persons and organizations were under active US government surveillance, the legal process under which those wiretaps were authorized, and the communications channels being monitored. That information has substantial counterintelligence value to a hostile state regardless of whether any content was intercepted: it reveals which of its own assets have been identified and which have not. Reverse-engineering US counterintelligence priorities is the strategic outcome.
The targeted-collection impact on senior US officials and presidential campaigns produced political and operational consequences. Per the November 13 statement and follow-up briefings, the campaign collected communications of officials and campaign principals during the 2024 US presidential election cycle, and both major-party campaigns were reported as targets. The specific individuals affected have not been fully disclosed publicly, but congressional briefings and hearings in December 2024 confirmed the scope at a high level.
Carrier-side operational impact extended into 2025. AT&T and Verizon both stated in late December 2024 that they had contained the activity in their networks, Verizon adding that an independent security firm (reported to be Mandiant) had confirmed containment, and Lumen said it had evicted the actors. The December 3, 2024 hardening guidance describes the remediation work this class of intrusion requires: rotating credentials and shared secrets (including TACACS+ and RADIUS keys) across administrative tiers, reviewing and reverting device configurations, upgrading or replacing edge devices, and rebuilding the network policy boundaries that had been crossed. The cost of that work has not been publicly disclosed.
The regulatory and legislative consequences are the structural ones. FCC Chairwoman Rosenworcel circulated a proposal in December 2024 that the Commission adopted on January 16, 2025: a declaratory ruling that section 105 of CALEA obligates carriers to secure their networks against unlawful access and interception, paired with a notice of proposed rulemaking that would require carriers to maintain and annually certify cybersecurity risk-management plans. Senate and House committees held briefings and hearings on the intrusions in December 2024. CISA, NSA, and FBI with allied partners issued the December 3, 2024 Enhanced Visibility and Hardening Guidance for Communications Infrastructure, followed on December 18, 2024 by CISA mobile-communications guidance recommending end-to-end encrypted messaging for highly targeted individuals. CALEA's 1994 architecture, with its mandated intercept access points, came under direct FCC review as a result of the campaign.
Indicators of Compromise
The public government statements and guidance did not release atomic indicators (hashes, domains, IP addresses) for this campaign, so what defenders can hunt for are the behaviours below. Cross-reference them against existing detection coverage before acting on them.
- Persistent access to telecom provisioning and network-management systems, with configuration changes that were never raised through the change process (new GRE tunnels, altered ACLs, enabled guest shell, modified loopback interfaces on Cisco devices, per Cisco Talos)
- Valid administrator credentials used in sustained sessions that run outside change windows or far longer than an operator's task requires (T1078)
- Exploitation of edge routers and remote-access infrastructure, including the Cisco IOS XE web UI and Smart Install vulnerabilities flagged in Cisco advisories and related CISA bulletins
- Access to CALEA lawful-intercept mediation and retrieval interfaces from addresses outside the law-enforcement and mediation ranges those interfaces are provisioned for
- Queries against subscriber and call-detail records for high-profile accounts with no matching ticket or legal request; the campaign's targeted collection against senior officials and campaign principals, disclosed in the FBI-CISA statements, would have looked like this on the carrier side
- Lateral movement from provisioning and network-management hosts into lawful-intercept retrieval interfaces, including captured TACACS+ and RADIUS traffic used to harvest further credentials
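The hunting patterns above can be expressed as rules over authentication logs. The following Python script is an added example, not code from the page's sources or from any carrier or agency: the key=value log format, host names, IP ranges, change window and thresholds are constructed placeholders, and the sample events are fabricated to show one pivot from a provisioning host into a lawful-intercept retrieval host using a valid admin credential.

```python
"""Hunt for Salt-Typhoon-style access into lawful-intercept (LI) systems.

Added example; not code from the page's sources. Host names, IP ranges,
the change window and the log format are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed environment (hypothetical names and addresses).
LI_HOSTS = {"li-mediation-01", "li-retrieval-02"}               # CALEA mediation/retrieval
PROVISIONING_HOST_IPS = {"prov-01": "10.2.0.11", "prov-02": "10.2.0.12"}
ALLOWED_LI_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]    # LE mediation range (TEST-NET-3)
CHANGE_WINDOW_UTC = (2, 4)                     # admin changes approved 02:00-04:00 UTC
MAX_ADMIN_SESSION = timedelta(hours=4)
PIVOT_WINDOW = timedelta(hours=24)

# Constructed sample of AAA accounting events, one key=value record per line.
SAMPLE_LOG = """\
ts=2024-06-02T02:10:00Z event=login user=netops-admin role=admin src=10.1.1.5 dst=prov-01
ts=2024-06-02T02:55:00Z event=logout user=netops-admin role=admin src=10.1.1.5 dst=prov-01
ts=2024-06-02T03:00:00Z event=login user=le-mediation role=operator src=203.0.113.20 dst=li-mediation-01
ts=2024-06-02T03:30:00Z event=logout user=le-mediation role=operator src=203.0.113.20 dst=li-mediation-01
ts=2024-06-02T23:15:00Z event=login user=svc-backup role=admin src=10.1.1.9 dst=prov-02
ts=2024-06-03T06:20:00Z event=login user=svc-backup role=admin src=10.2.0.12 dst=li-retrieval-02
ts=2024-06-03T06:45:00Z event=logout user=svc-backup role=admin src=10.2.0.12 dst=li-retrieval-02
ts=2024-06-03T11:00:00Z event=logout user=svc-backup role=admin src=10.1.1.9 dst=prov-02
"""


def parse_log(text):
    """Parse key=value records; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def build_sessions(events):
    """Pair login/logout per (user, src, dst). A login with no logout is kept
    open until the last event seen, and the hunt flags it as still open."""
    last_ts = events[-1]["ts"]
    open_logins, sessions = {}, []
    for e in events:
        key = (e["user"], e["src"], e["dst"])
        if e["event"] == "login":
            open_logins[key] = e
        elif e["event"] == "logout" and key in open_logins:
            sessions.append({**open_logins.pop(key), "end": e["ts"], "closed": True})
    for start in open_logins.values():
        sessions.append({**start, "end": last_ts, "closed": False})
    return sessions


def in_allowed_li_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_LI_SOURCES)


def hunt(events):
    """Return (rule, user, detail) findings for the three behaviours."""
    findings = []
    prov_ip_to_host = {ip: host for host, ip in PROVISIONING_HOST_IPS.items()}
    prov_logins = defaultdict(list)  # provisioning host -> times someone logged into it
    for e in events:
        if e["event"] == "login" and e["dst"] in PROVISIONING_HOST_IPS:
            prov_logins[e["dst"]].append(e["ts"])

    for s in build_sessions(events):
        # Rule 1: LI interface reached from outside the LE mediation ranges.
        if s["dst"] in LI_HOSTS and not in_allowed_li_range(s["src"]):
            findings.append(("li_access_from_unexpected_source", s["user"], f"{s['src']}->{s['dst']}"))
        # Rule 2: admin session outside the change window, too long, or never closed.
        if s["role"] == "admin":
            lo, hi = CHANGE_WINDOW_UTC
            hours = (s["end"] - s["ts"]).total_seconds() / 3600
            if not (lo <= s["ts"].hour < hi) or hours > MAX_ADMIN_SESSION.total_seconds() / 3600 or not s["closed"]:
                findings.append(("admin_session_outside_policy", s["user"],
                                 f"{s['dst']} start={s['ts'].isoformat()} hours={hours:.1f}"))
        # Rule 3: LI host reached from a provisioning host that was logged into shortly before.
        if s["dst"] in LI_HOSTS and s["src"] in prov_ip_to_host:
            hop = prov_ip_to_host[s["src"]]
            if any(timedelta(0) <= s["ts"] - t <= PIVOT_WINDOW for t in prov_logins[hop]):
                findings.append(("provisioning_to_li_pivot", s["user"], f"{hop}->{s['dst']}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in hunt(parse_log(SAMPLE_LOG)):
        print(f"{rule:35} {user:14} {detail}")
```

Run as a script it prints four findings, all against svc-backup: the LI host reached from a non-mediation address, two admin sessions outside the change window (the one into prov-02 runs nearly twelve hours), and the pivot from prov-02 into li-retrieval-02. The routine netops-admin session inside the window and the mediation operator from the allowed range produce nothing. In a real deployment the inputs are TACACS+/RADIUS accounting and LI mediation audit logs rather than an inline string, and the change window and ranges come from the CMDB, but the three rules are the ones the list above describes.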
Lessons for defenders
Policy-level network segmentation is not equivalent to physical isolation. The carrier-internal boundary between general IT and network-management systems and CALEA lawful-intercept systems was implemented through firewall rules, VLANs, ACLs, and shared identity controls, and Salt Typhoon crossed it with valid credentials and configuration changes. For high-sensitivity systems, including any wiretap, lawful-intercept, or compliance-monitoring infrastructure, the structural defenses are physical isolation, an identity system that shares no credentials or trust with the general network, and out-of-band administrative access. The December 3, 2024 hardening guidance makes the same recommendations: an out-of-band management network, strict ACLs, and no shared authentication secrets across tiers.
Edge router and remote-access infrastructure patching cadence is a national security issue, not an IT issue. Where Salt Typhoon used exploits rather than stolen credentials, the vulnerabilities were known and patched at the time: CVE-2018-0171 had a fix for years, and the Cisco IOS XE web UI flaws (CVE-2023-20198 and CVE-2023-20273) had patches from October 2023. The lag between patch availability and deployment on edge infrastructure, and the continued operation of end-of-life devices, was the operational failure. The December 3, 2024 guidance includes timely patching and replacement of end-of-life edge devices among its hardening recommendations, and disabling Smart Install and the web UI where they are not needed removes the exposed surface entirely.
Data at rest on legacy telco infrastructure is a structural gap. Call detail records, provisioning data, and lawful-intercept records sit in carrier data stores that are readable to anyone holding valid administrative credentials, and once Salt Typhoon reached those stores the data was accessible with no further step. Encrypting those stores at rest only helps where the keys are held outside the compromised identity domain, which is why the practical short-term response from CISA and the White House was to push end-to-end encryption of the communications themselves: content that is encrypted between endpoints is not recoverable from the carrier at all. Modernizing at-rest protection of backbone data stores is a multi-year program, and the FCC's January 2025 proposal to require certified cybersecurity risk-management plans is the regulatory lever that would force carriers to schedule it.
Dwell-time-aware threat hunting is the practical defensive program. Conventional EDR and NDR detection in carrier networks did not catch Salt Typhoon for months to years, partly because the actor lived on routers and switches that run no endpoint agent; the detection that did fire came from external intelligence collection. Defensive programs that assume conventional detection will catch sophisticated nation-state actors are misaligned with the actual threat. Build threat hunting capability that operates on the assumption that the actor is already inside, holds valid credentials, and generates normal-looking telemetry: baseline which accounts reach which devices, alert on new account-to-device pairs that recur, and audit device configurations against a known-good copy. The December 3, 2024 hardening guidance and the February 2025 Cisco Talos and Recorded Future reports are the reference material for that posture.
Frequently asked questions
What is Salt Typhoon?
Salt Typhoon is the public name for an intrusion campaign by a People's Republic of China-affiliated APT against the largest US commercial telecom carriers, including AT&T, Verizon, and Lumen Technologies. Per the FBI-CISA joint statements of October 25 and November 13, 2024, the campaign copied information subject to court-ordered US law enforcement requests, that is, lawful-intercept (CALEA) data, inside affected carriers, and produced targeted collection on senior US officials and presidential campaign principals during the 2024 election cycle.
What is CALEA and why does it matter for Salt Typhoon?
The Communications Assistance for Law Enforcement Act (CALEA) is the 1994 US law that requires telecom carriers to maintain technical capability to provide court-ordered wiretap access to law enforcement. CALEA produces a category of carrier-internal infrastructure called lawful-intercept systems. Salt Typhoon's access to those systems told the PRC which US persons were under active US government surveillance and under what legal authority, which has substantial counterintelligence value independent of any content actually intercepted.
Which US telecom carriers were affected by Salt Typhoon?
Per public reporting and the carriers' own statements, named affected carriers include AT&T, Verizon, and Lumen Technologies (formerly CenturyLink). The FBI-CISA statements do not name victims. The White House said in late December 2024 that at least nine US telecoms were affected and that the campaign also reached carriers in other countries, which is why the December 3, 2024 hardening guidance was issued jointly with agencies in Australia, Canada, and New Zealand. Congressional briefings in December 2024 confirmed the scope at a high level but did not provide a complete victim list.
How long were Salt Typhoon actors inside US carrier networks?
Per official briefings and congressional testimony, dwell time inside affected carrier networks ranged from months to years. Full duration assessment was still in progress at the time of the public disclosures and remained under review through 2025. For comparison, the SolarWinds Sunburst intrusion, a common dwell-time benchmark, ran roughly nine months from the first trojanized build to detection, and Salt Typhoon exceeds that for at least some carriers.
How did Salt Typhoon get inside US telecom carriers?
The publicly documented technique chain maps to valid-account access (MITRE ATT&CK T1078), exploitation of public-facing edge infrastructure including Cisco devices (T1190), abuse of external remote services (T1133), and modification of authentication processes inside compromised carrier networks (T1556). Cisco Talos reported in February 2025 that initial access to the Cisco devices it investigated was predominantly through legitimate credentials, with one confirmed exploitation of CVE-2018-0171 (Smart Install); Recorded Future reported exploitation attempts against unpatched Cisco IOS XE devices (CVE-2023-20198 and CVE-2023-20273). Stolen or reused credentials from earlier compromises account for initial access elsewhere.
What can other organizations learn from Salt Typhoon?
The structural lessons apply beyond telecoms. Policy-level network segmentation is not equivalent to physical isolation, and high-sensitivity systems should be physically isolated with separate identity systems and out-of-band management. Edge router and remote-access infrastructure patching cadence is a primary control, not a secondary one. Data stores that are readable to anyone holding valid administrative credentials are a structural gap that takes multi-year programs to close, which is why end-to-end encryption of the communications themselves was the short-term mitigation officials recommended. Dwell-time-aware threat hunting that assumes the actor is already inside with valid credentials is the realistic defensive posture against sophisticated nation-state campaigns.
What regulatory changes followed Salt Typhoon?
The FCC circulated a proposal in December 2024 and adopted it on January 16, 2025: a declaratory ruling that CALEA section 105 obligates carriers to secure their networks, plus a notice of proposed rulemaking that would require annually certified cybersecurity risk-management plans. CISA, NSA, FBI and allied partners issued hardening guidance for communications infrastructure on December 3, 2024, and CISA issued mobile-communications guidance recommending end-to-end encryption on December 18, 2024. Senate and House committees held briefings and hearings in December 2024. The CALEA architecture itself, originally designed in 1994, came under direct FCC review as a result of the campaign.
Sources
- FBI and CISA: Joint Statement on PRC Activity Targeting Telecommunications (October 25, 2024) · Initial public acknowledgement and attribution of the campaign to PRC-affiliated actors
- FBI and CISA: Joint Statement on the PRC Targeting of Commercial Telecommunications Infrastructure (November 13, 2024) · Confirms theft of customer call records, private communications of government and political figures, and information subject to court-ordered law enforcement requests
- CISA, NSA, FBI with Australian, Canadian, and New Zealand partners: Enhanced Visibility and Hardening Guidance for Communications Infrastructure (December 3, 2024) · Hardening and visibility recommendations for carrier networks
- Wall Street Journal: U.S. Wiretap Systems Targeted in China-Linked Hack (October 5, 2024) · Reporting that broke the carrier-level scope and the wiretap-system access
- White House / National Security Council press briefings on the PRC telecom intrusion (November and December 2024) · Public briefings on the intelligence assessment of the intrusion and the number of affected carriers
- FCC: Declaratory Ruling and Notice of Proposed Rulemaking on communications network cybersecurity under CALEA (adopted January 16, 2025) · Regulatory response to the campaign
- Microsoft Threat Intelligence: Tracking Salt Typhoon · Microsoft's technique analysis and post-disclosure threat tracking
- Cisco Talos: Weathering the storm: In the midst of a Typhoon (February 20, 2025) · Investigation of Salt Typhoon activity on Cisco devices, credential harvesting, configuration changes, and CVE-2018-0171 exploitation
- Recorded Future Insikt Group: RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers (February 13, 2025) · Exploitation attempts against unpatched Cisco IOS XE devices
- Congressional hearings and briefings on the telecom intrusions (December 2024) · Testimony and briefings on Salt Typhoon impact and remediation status
DecipherU is not affiliated with, endorsed by, or sponsored by any company listed in this directory. Information compiled from publicly available sources for educational purposes.