Chinese state-sponsored hackers operating under the name Salt Typhoon have breached the network infrastructure of multiple major U.S. telecommunications and internet service providers, prompting a coordinated federal response that now spans sanctions, public advisories, and an active FBI tip-seeking campaign. The intrusions, which first surfaced publicly in early October 2024, targeted the backbone routers that carry voice and data traffic for millions of Americans, with officials confirming that “a large number of Americans’ metadata was taken.” A joint advisory released by CISA and partner agencies on August 27, 2025, frames the operation as a global espionage system fed by persistent access to telecom networks, extending the threat well beyond U.S. borders.
How Salt Typhoon Exploited Backbone Routers
The campaign’s technical core lies in the exploitation of vulnerabilities in large backbone routers, specifically the provider edge and customer edge equipment that telecommunications companies use to route traffic between networks. According to a joint alert, Salt Typhoon leveraged these weaknesses to gain persistent access, meaning the hackers could maintain a foothold inside carrier networks even after initial discovery efforts. Provider edge routers sit at the boundary where a telecom’s internal network meets the broader internet, making them high-value targets. Compromising these devices gives an attacker visibility into traffic flows, call metadata, and potentially the content of communications passing through the network.
What makes this approach particularly alarming is the suspected targeting of lawful intercept systems. These are the mechanisms that carriers maintain so law enforcement agencies can execute court-ordered wiretaps. If Salt Typhoon gained access to those systems, the group could effectively piggyback on surveillance infrastructure designed for domestic law enforcement, turning it into a tool for foreign intelligence collection. Reporting in October 2024 described the hacks of AT&T, Verizon, and Lumen as a counterspy operation, with suspicion falling on lawful intercept access as a primary objective. Incident response involved both the FBI and the cybersecurity firm Mandiant.
Salt Typhoon’s tactics fit a broader pattern of Chinese cyber operations that focus on quietly embedding in critical infrastructure rather than launching noisy, disruptive attacks. By compromising routers instead of individual servers or user devices, the group can observe and harvest data at scale while remaining difficult to detect. Network operators often have limited visibility into the inner workings of these specialized devices, and patching them can require planned outages that carriers are reluctant to schedule, creating a window for long-term exploitation.
Named Victims and the Expanding Breach List
The confirmed victims now include some of the largest carriers in the United States. AT&T, Verizon, and Lumen were among the first companies publicly identified as compromised. But the breach list kept growing. By late December 2024, a ninth telecom company was added to the roster of firms hacked by the Salt Typhoon group. Officials stated that “a large number of Americans’ metadata was taken” as part of the campaign. Metadata in a telecom context typically includes call records, phone numbers dialed, call durations, and location information, data that intelligence agencies prize because it reveals patterns of communication and movement without requiring access to the content of conversations.
The scale of the operation raises a question that most coverage has glossed over: why did so many carriers fall to the same technique? One likely answer is that provider edge routers across the industry share common hardware and software platforms, meaning a single vulnerability can unlock access across multiple networks. This is not a case of nine separate, unrelated breaches. It is a single campaign that replicated its method across an industry that relies on a narrow set of infrastructure vendors.
Industry reporting has suggested that some carriers struggled to detect the intrusions because Salt Typhoon relied on valid credentials and subtle configuration changes rather than obvious malware signatures. An analysis in a national security-focused article noted that the hackers often used built-in router functions to move traffic or mirror data, blending their activity into normal administrative operations. That approach complicates forensic investigations and makes it harder for defenders to determine exactly what was accessed or exfiltrated.
Federal Response: Sanctions, Advisories, and a Public Appeal
The U.S. government’s response has unfolded across several agencies and months. The FBI established a public timeline of guidance, with statements and alerts issued on October 25, 2024, and a communications hardening guide released on December 3, 2024, according to an FBI cyber alert seeking tips about PRC targeting of U.S. telecommunications. That appeal for public assistance signals that investigators still have gaps in their understanding of the campaign’s full reach and are looking for network operators or individuals who may have additional evidence.
On the financial enforcement side, the Treasury Department’s Office of Foreign Assets Control sanctioned Sichuan Juxinhe Network Technology Co., LTD., a China-based company that OFAC said has direct involvement with the Salt Typhoon cyber group. The sanctions action is significant because it ties a specific corporate entity to the hacking campaign, moving beyond the usual pattern of attributing attacks to a nation-state without naming the commercial infrastructure behind them. Sanctioning a company creates legal consequences for any person or entity worldwide that does business with Sichuan Juxinhe, effectively cutting it off from the U.S. financial system and raising the compliance stakes for banks and technology vendors.
Congressional overseers have also taken notice. A briefing from legislative analysts confirmed that media outlets first reported PRC state-sponsored hackers infiltrating U.S. telecommunications in early October 2024, establishing the public timeline that triggered the broader government response. That report situates Salt Typhoon alongside other Chinese-linked operations, underscoring lawmakers’ concern that telecom networks have become a favored avenue for long-term espionage.
The executive branch has simultaneously been warning that cybersecurity funding constraints could undermine efforts to respond to and prevent such intrusions. The Department of Homeland Security has cautioned that a lapse in appropriations would disrupt some cyber operations, with official guidance on contingency plans outlining potential impacts on agency services. While critical threat response would continue, any slowdown in modernization or threat hunting could leave telecom infrastructure more exposed just as adversaries demonstrate their ability to exploit it.
A Global Operation, Not Just a U.S. Problem
While the named victims are American carriers, the threat extends far beyond U.S. borders. The NSA has emphasized that the joint advisory covers not only telecommunications but also government, transportation, lodging, and military infrastructure, and that the activity of China state-sponsored actors is global in scope. Salt Typhoon’s access to U.S. backbone routers potentially gives it insight into international traffic that transits American networks, including communications involving foreign governments and multinational corporations.
Allies have begun to frame the incident as a shared challenge rather than a purely domestic matter. Intelligence-sharing arrangements mean that indicators of compromise discovered in U.S. networks can help partners hunt for similar activity in their own infrastructure. At the same time, the cross-border nature of telecom traffic raises complex legal and diplomatic questions about how to coordinate defenses and share sensitive data without violating privacy laws or sovereignty concerns.
Policy debates in Washington are reflecting that tension. A December 2024 newsletter from a national security outlet argued that Salt Typhoon should be treated as a wake-up call about the fragility of global network infrastructure, not just another headline-grabbing breach. The piece highlighted worries that many countries still lack clear rules for securing lawful intercept systems or for notifying affected users when foreign intelligence services may have accessed their metadata.
What Comes Next for Telecom Security
For carriers, the immediate priority is hardening backbone infrastructure. That means auditing router configurations, segmenting management networks, and ensuring that lawful intercept systems are isolated and rigorously monitored. The CISA-led advisory urges operators to deploy multi-factor authentication for all administrative access, apply vendor security updates promptly, and log router activity at a level detailed enough to detect subtle configuration changes that could indicate compromise.
Longer term, regulators may push for mandatory security baselines for critical telecom equipment, akin to safety standards in other infrastructure sectors. Such rules could require carriers to demonstrate that they can rapidly patch routers, rotate credentials, and recover from a breach without prolonged outages. They might also demand greater transparency about how lawful intercept capabilities are implemented and audited, given their appeal as a target for foreign intelligence services.
Salt Typhoon’s campaign has exposed how a small number of vulnerabilities in specialized devices can ripple across an entire communications ecosystem. As investigators continue to trace the full scope of the intrusions, the episode is likely to shape how governments and industry think about securing the invisible machinery that keeps global networks running, and how they confront the reality that those same networks have become prime terrain for state-backed espionage.
*This article was researched with the help of AI, with human editors creating the final content.