Decipher Files: Salt Typhoon and the Telecom Backbone Compromise the US Government Said Was the Worst in History
PRC state-sponsored actor Salt Typhoon (also tracked as Earth Estries, GhostEmperor) compromised at least nine major US telecommunications carriers including AT&T, Verizon, T-Mobile, Lumen, and Charter, accessing wiretap-court-order metadata, call records, and in some cases real-time call audio for senior US officials including President-elect Donald Trump and Vice-President-elect JD Vance. Senate Intelligence Committee Chairman Mark Warner described the campaign in November 2024 as 'the worst telecom hack in our nation's history.'
Founder, DecipherU. Ed.D. Learning Sciences (University of Miami), MBA Marketing, M.S. OLL (Barry University), M.S. Applied AI in progress (Northeastern University).
The Wall Street Journal first reported on October 5, 2024 that Salt Typhoon had compromised major US telecommunications carriers and accessed systems used to comply with court-ordered wiretap requests. CISA, FBI, and the National Security Agency confirmed the compromise in joint statements through October-November 2024 (CISA-FBI joint statement, October 25, 2024; subsequent NSA confirmations). The disclosed scope expanded across the next 60 days: by December 2024, at least nine carriers were confirmed affected and the actor was assessed to retain access to multiple environments despite mitigation efforts.
CISA-FBI-NSA-CSE published joint advisory AA24-352A on December 17, 2024 ("Enhanced Visibility and Hardening Guidance for Communications Infrastructure") providing technical hardening prescriptions for telecom carriers. The advisory's framing was unusual for a CISA output: rather than incident-response guidance for affected operators, it was a structural hardening posture for the entire US telecom sector, treating the Salt Typhoon compromise as a baseline threat the sector must defend against persistently.
The technical anatomy is incompletely public. Public reporting (WSJ, Reuters, NYT, Microsoft Threat Intelligence "Salt Typhoon" advisory November 2024) and the December 2024 CISA advisory establish:
1. Initial access through enterprise edge devices: vulnerable Cisco IOS XE devices (CVE-2023-20198 + CVE-2023-20273, the October 2023 chain), Fortinet FortiGate appliances with unpatched FortiOS vulnerabilities, and similar internet-facing enterprise infrastructure.
2. Living-off-the-land tradecraft inside the telecom environments: similar to Volt Typhoon, the actor avoided custom malware in favor of built-in administrative tools. Detection signatures from the Volt Typhoon advisory series proved partially applicable.
3. Lateral movement to lawful-intercept systems: the highest-impact disclosed access was to systems used by US carriers to comply with court-authorized wiretap orders under the Communications Assistance for Law Enforcement Act (CALEA). Access to these systems gave the actor visibility into which US persons were under FBI or other law-enforcement surveillance, plus, in some confirmed cases, real-time access to call audio and text content.
4. Targeted exfiltration: the actor's operational priority was metadata about high-value individuals (senior US officials, federal-employee call records, court-order subjects) rather than bulk extraction. The discriminating tradecraft is consistent with espionage objectives.
5. Persistence through credential rotation: when carriers attempted to evict the actor through password rotation, Salt Typhoon retained access via persistence mechanisms (scheduled tasks, modified service configurations, alternate authentication paths) established before mitigation.
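Item 5 above (and the third lesson further down, that mitigation is not eviction) turns on one fact: rotating passwords invalidates secrets, but it leaves every artifact the intruder planted before the rotation in place, and anything that appears afterwards is evidence the foothold survived. The following Python audit is an added example, not code from the article, CISA, or any carrier; it buckets a persistence-artifact inventory by what a rotation does to each item. The hostnames, artifact names, dates and the inventory itself are constructed sample data; in practice the records would be exported from EDR, configuration management, or device backups.

```python
"""Persistence audit: which artifacts does a credential rotation NOT neutralize?

Added example, not from the page or any vendor tooling. The inventory below is
constructed sample data; in practice it comes from EDR/config-management exports.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

UTC = timezone.utc


@dataclass(frozen=True)
class Artifact:
    host: str
    kind: str            # e.g. "scheduled_task", "service", "ssh_key", "local_account"
    name: str
    created: datetime    # when the artifact first appeared (UTC)
    modified: datetime   # last change to its definition (UTC)


# Constructed timeline and inventory. Hostnames and artifact names are hypothetical.
INTRUSION_START = datetime(2024, 6, 1, tzinfo=UTC)    # earliest confirmed actor activity
ROTATION = datetime(2024, 11, 15, tzinfo=UTC)          # when passwords/secrets were rotated

SAMPLE_INVENTORY: List[Artifact] = [
    # long-standing service, untouched: expected baseline
    Artifact("li-gw-02", "service", "telemetryd",
             datetime(2023, 2, 1, tzinfo=UTC), datetime(2023, 2, 1, tzinfo=UTC)),
    # SSH key added during the intrusion window: a password rotation does nothing to it
    Artifact("core-rtr-01", "ssh_key", "ops-backup",
             datetime(2024, 8, 3, tzinfo=UTC), datetime(2024, 8, 3, tzinfo=UTC)),
    # task created during the window: attacker-introduced, remove regardless of credential
    Artifact("li-gw-02", "scheduled_task", "ReportSync",
             datetime(2024, 9, 12, tzinfo=UTC), datetime(2024, 9, 12, tzinfo=UTC)),
    # legitimate pre-existing service whose definition changed during the window
    Artifact("jump-01", "service", "sshd",
             datetime(2022, 5, 10, tzinfo=UTC), datetime(2024, 10, 20, tzinfo=UTC)),
    # task appearing after rotation: evidence that the actor still has a foothold
    Artifact("nms-01", "scheduled_task", "CleanupLogs",
             datetime(2024, 11, 20, tzinfo=UTC), datetime(2024, 11, 20, tzinfo=UTC)),
]


def classify(artifacts, intrusion_start, rotation) -> Dict[str, List[str]]:
    """Bucket artifacts by what a credential rotation does (or does not) do to them.

    remove        : created inside the intrusion window; rotation leaves it in place
    review        : predates the window but its definition changed inside it
    post_rotation : created or changed after rotation; rotation did not evict the actor
    baseline      : no activity in or after the window
    """
    buckets = {"remove": [], "review": [], "post_rotation": [], "baseline": []}
    for a in artifacts:
        label = f"{a.host}:{a.kind}:{a.name}"
        if a.created >= rotation or a.modified >= rotation:
            buckets["post_rotation"].append(label)
        elif intrusion_start <= a.created < rotation:
            buckets["remove"].append(label)
        elif intrusion_start <= a.modified < rotation:
            buckets["review"].append(label)
        else:
            buckets["baseline"].append(label)
    return buckets


def eviction_incomplete(buckets) -> bool:
    """True if anything appeared after rotation or survives untouched from the window."""
    return bool(buckets["post_rotation"] or buckets["remove"])


if __name__ == "__main__":
    result = classify(SAMPLE_INVENTORY, INTRUSION_START, ROTATION)
    for bucket, items in result.items():
        print(bucket, items)
    print("eviction complete:", not eviction_incomplete(result))
```

The "remove" bucket is the operational point: none of those items authenticate with the rotated secret, so the rotation runbook never touches them. An empty "post_rotation" bucket on one inventory pass is not proof of eviction either; the check has to be re-run on every subsequent export, which is why the function takes the rotation timestamp as an argument rather than hard-coding it.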
US Senate Intelligence Committee Chairman Mark Warner stated publicly on November 21, 2024 (Washington Post) that the Salt Typhoon compromise was "the worst telecom hack in our nation's history" and that "many" of the affected carriers had not been able to fully evict the actor as of that date. The bipartisan Senate Cybersecurity Caucus's subsequent November 2024 letter to FCC Chairman Jessica Rosenworcel called for emergency rulemaking on telecom-sector cybersecurity baselines.
Six lessons that compound for cybersecurity practitioners:
First, lawful-intercept systems are now confirmed high-value adversary targets. CALEA-required systems, by design, give carrier-internal access to information about US persons under surveillance. The cybersecurity-policy implication is that the FCC's CALEA implementation rules, drafted in the 1990s, did not contemplate the threat model under which a hostile state actor reads US-intelligence-community surveillance lists. Reform of CALEA implementation rules is now a live policy conversation.
Second, edge-device security at the enterprise perimeter remains the dominant initial-access vector for state actors against critical infrastructure. The same Cisco IOS XE and FortiGate vulnerabilities that enabled Salt Typhoon also enabled Volt Typhoon, multiple ransomware campaigns, and miscellaneous opportunistic exploitation. CISA's December 2024 hardening advisory and the FCC's parallel rulemaking work both point at the same conclusion: edge-device patching cadence and configuration baselines are now national-security-relevant controls, not vendor-specific operational concerns.
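A configuration baseline is only a control if it is checked mechanically. As an added example (not from the article, Cisco, or CISA), the Python audit below reads a Cisco IOS XE style running-config and reports two things a perimeter baseline should enforce: the HTTP/HTTPS server feature, which is the attack surface of the CVE-2023-20198/CVE-2023-20273 chain named above, either disabled or restricted with an access-class, and no privilege-15 local accounts outside an approved list. The two sample configs, the `APPROVED_ADMINS` allow-list and the hostname are constructed; the `ip http server`, `ip http secure-server` and `ip http access-class` commands are real IOS XE syntax.

```python
"""Running-config audit for the edge-device exposures discussed in the article.

Added example, not from the page, Cisco, or CISA. APPROVED_ADMINS and both
sample configs are constructed.
"""
import re
from typing import List, Set

APPROVED_ADMINS: Set[str] = {"netops"}   # constructed allow-list of expected admin accounts

# Constructed sample: web UI on, no source restriction, one unexpected admin account
WEAK_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username support_tmp privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

# Constructed sample: web UI off (shows as 'no ip http ...' in the running-config)
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
!
no ip http server
no ip http secure-server
!
"""

# Matches 'username <name> privilege <n> ...' lines
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\b")


def audit_config(config: str, approved_admins: Set[str] = APPROVED_ADMINS) -> List[str]:
    """Return a list of findings; an empty list means the baseline checks pass."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings: List[str] = []

    # Exact matches: 'no ip http server' must not count as enabled
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    # 'ip http access-class ...' limits which sources can reach the web UI at all
    access_class = any(ln.startswith("ip http access-class") for ln in lines)

    for feature, enabled in (("ip http server", http_on),
                             ("ip http secure-server", https_on)):
        if enabled and access_class:
            findings.append(f"{feature} enabled (restricted by access-class; "
                            "confirm the ACL is management-only)")
        elif enabled:
            findings.append(f"{feature} enabled with no access-class restriction")

    # Any privilege-15 local user not on the allow-list needs explanation
    for ln in lines:
        m = USER_RE.match(ln)
        if m and int(m.group(2)) == 15 and m.group(1) not in approved_admins:
            findings.append(f"unapproved privilege-15 user: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["no findings"])
```

Run against a fleet's backed-up configs on a schedule, the two checks give a cadence metric the article's conclusion asks for: how many internet-facing devices still expose the web UI, and how many carry admin accounts nobody can account for. Patching closes the known CVEs; the configuration check closes the feature that the next one will target.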
Third, persistent access against well-resourced telecom operators demonstrated that mitigation is not eviction. Multiple US carriers spent November-December 2024 attempting to evict Salt Typhoon and reportedly remained partially compromised through early 2025. The cybersecurity-program implication for incident-response leaders is that traditional containment-and-eradication runbooks underestimate the persistence sophistication of state-actor adversaries; eviction may require infrastructure-level rebuild rather than credential rotation.
Fourth, the SEC cybersecurity-rule materiality framework is being tested in real time on a sector-wide cross-issuer basis. AT&T (8-K November 12, 2024), Verizon (subsequent disclosure), T-Mobile (subsequent disclosure), and Lumen each made cybersecurity-incident disclosures referencing Salt Typhoon. The disclosure-language coordination across competitors, the timing-of-materiality-determination question, and the FBI's request for delayed disclosure under the SEC rule's national-security carve-out all surfaced in the same compressed window. The cybersecurity-disclosure-practitioner lesson is that cross-issuer coordination on materiality determinations is now operationally common; the SEC's interpretive guidance has not caught up.
Fifth, the federal government's response to a private-sector compromise of national-security significance now includes direct executive-branch engagement. President Biden's December 18, 2024 EO 14117 amendment specifically addressed Salt Typhoon, and the subsequent Trump administration's January 2025 cybersecurity priorities (per the Department of Homeland Security's January 22, 2025 announcement) explicitly preserved the Salt Typhoon response posture. The cybersecurity-policy lesson is that major-incident response is increasingly bipartisan and executive-driven rather than agency-led.
Sixth, telecom-sector cybersecurity is now a fundamental national-security concern, not a regulatory-compliance concern. The FCC's CALEA-implementation rules, the proposed Federal Acquisition Regulation telecom-procurement clauses, and CISA's binding-operational-directive authority over federal-civilian-executive-branch agencies all converge on the same conclusion: the cybersecurity baseline for telecom carriers is now a national-security floor, not a competitive differentiator.
For careers: threat hunters specializing in long-dwell adversary tradecraft against telecom environments, incident responders working on multi-organization coordinated response, threat-intelligence analysts focused on China-aligned APT groups, OT-IT security engineers at critical-infrastructure operators, cybersecurity consultants advising on telecom-sector regulatory posture, and any cybersecurity practitioner working at or with US telecommunications carriers all reference Salt Typhoon as the canonical 2024-2025 case.
Verifiable Predictions
The FCC will issue an emergency rulemaking on telecom-sector cybersecurity baselines within 18 months of the December 2024 CISA advisory.
At least one US telecom carrier will publicly acknowledge incomplete eviction of Salt Typhoon in subsequent SEC filings or congressional testimony before end of 2026.
CALEA implementation rules will be substantially revised by FCC rulemaking before end of 2027, with cybersecurity-baseline requirements added to the lawful-intercept compliance framework.
References
- Cybersecurity and Infrastructure Security Agency (2024). AA24-352A: Enhanced Visibility and Hardening Guidance for Communications Infrastructure. CISA Cybersecurity Advisory.
- Microsoft Threat Intelligence (2024). Salt Typhoon and the long-dwell tradecraft against US telecommunications infrastructure. Microsoft Security Blog.
- AT&T Inc. (2024). Form 8-K filed November 12, 2024, Salt Typhoon-related cybersecurity disclosure. US Securities and Exchange Commission.
- United States Senate Select Committee on Intelligence (2024). Public statements regarding Salt Typhoon (Chairman Mark Warner, November 21, 2024). United States Senate.
- The White House (2024). Executive Order 14117 amendment (December 18, 2024) on bulk-data foreign-adversary access. Federal Register.
This trend analysis represents original research and interpretation by DecipherU. Predictions are based on publicly available data and cited academic sources. Actual outcomes may differ. This content is for educational purposes and does not constitute investment, career, or financial advice.