Threat Intelligence

Salt Typhoon: The Telecom Phantom — China's Deep Penetration of Global Telecommunications Backbone Infrastructure

> threat_actor Salt Typhoon — origin: China (PRC / MSS-linked) — alias: GhostEmperor / FamousSparrow — signature: telecom backbone infrastructure compromise

Hedgehog Security 5 January 2026 20 min read
salt-typhoon china telecommunications espionage lawful-intercept threat-intelligence telecom cyber-espionage

Inside the wires that carry every call.

Salt Typhoon — also tracked as GhostEmperor, FamousSparrow, Earth Estries, and UNC2286 — is a Chinese state-sponsored cyber espionage cluster that has been conducting operations since at least 2020, with a singular and devastating focus: the deep compromise of telecommunications infrastructure worldwide. What sets Salt Typhoon apart from the crowded landscape of Chinese threat groups is not the sophistication of any single malware implant or exploit, but the strategic target — the backbone infrastructure that carries the phone calls, text messages, and internet traffic of entire nations. By embedding themselves inside telecommunications providers at the network infrastructure level — core routers, switches, and the systems that execute lawful intercept orders — Salt Typhoon achieved something no firewall or endpoint agent can detect: persistent, silent access to the communications of millions of people, including senior US government officials, political figures, and individuals subject to court-authorised surveillance.

The scale of Salt Typhoon's compromise, publicly disclosed through FBI and CISA warnings in late 2024, represents what senior US intelligence officials have described as one of the most significant intelligence compromises in American history. At least nine US telecommunications companies — including AT&T, Verizon, T-Mobile, and Lumen Technologies — were confirmed to have been infiltrated. The intrusions were not smash-and-grab operations; they were patient, methodical campaigns that penetrated deep into network infrastructure, persisting for months or years before detection. Salt Typhoon did not merely steal data — they positioned themselves inside the systems that the US government itself relies upon to conduct lawful surveillance, potentially gaining visibility into who the FBI and intelligence agencies are investigating, what communications are being intercepted, and which Foreign Intelligence Surveillance Act (FISA) court orders are active.

The implications are staggering. A foreign intelligence service embedded inside the lawful intercept infrastructure of a target nation can do more than eavesdrop — it can map the counterintelligence landscape, identify covert operatives, understand collection priorities, and neutralise ongoing investigations. Salt Typhoon's access to call detail records (CDRs) — the metadata that records who called whom, when, for how long, and from where — provided a comprehensive map of communication patterns across millions of Americans. For targeted individuals — including senior government officials and political campaign figures during the 2024 US presidential election — Salt Typhoon is assessed to have accessed not just metadata but actual call and message content. This is intelligence collection at industrial scale, executed from inside the infrastructure that the targets trust implicitly.


Tracing Salt Typhoon to the People's Republic of China.

Tracked Names: Salt Typhoon (Microsoft), GhostEmperor (Kaspersky), FamousSparrow (ESET), Earth Estries (Trend Micro), UNC2286 (Mandiant/Google). The proliferation of names reflects the independent discovery of overlapping activity clusters by multiple threat intelligence vendors, each applying their own naming taxonomy. Microsoft's adoption of the 'Typhoon' designation places Salt Typhoon within their naming convention for Chinese state-sponsored threat groups — alongside Volt Typhoon, Flax Typhoon, and Brass Typhoon (APT41).

Country of Origin: People's Republic of China — Salt Typhoon's operations are assessed with high confidence by the FBI, CISA, NSA, and allied intelligence agencies to be conducted on behalf of the Chinese state. The group's targeting profile — telecommunications infrastructure in countries of strategic interest to the PRC, with particular focus on communications of government officials and political figures — aligns precisely with the intelligence collection priorities of the Ministry of State Security (MSS). The operational tradecraft, working hours patterns, infrastructure choices, and tooling overlaps all point to a PRC nexus.

Suspected Affiliation: Ministry of State Security (MSS) — China's primary civilian intelligence agency. While the specific MSS bureau or contractor entity behind Salt Typhoon has not been publicly attributed with the same granularity as APT41's link to Chengdu 404, the operational profile is consistent with MSS-directed espionage rather than PLA military intelligence. The focus on civilian telecommunications infrastructure, political intelligence collection, and counterintelligence mapping aligns with MSS collection mandates rather than the PLA's military-technical intelligence focus.

First Observed: At least 2020, with some threat intelligence vendors tracing related activity clusters back to 2019. Kaspersky's initial reporting on GhostEmperor in 2021 documented campaigns targeting Southeast Asian telecommunications providers and government entities. The group's presence inside US telecommunications infrastructure is assessed to predate its public discovery by a significant margin — some compromises may have persisted for one to two years before detection in 2024.

Primary Motivation: Strategic intelligence collection — specifically, signals intelligence (SIGINT) obtained through the compromise of telecommunications infrastructure. Salt Typhoon's operations serve multiple intelligence objectives: bulk collection of communications metadata (CDRs) for pattern-of-life analysis, targeted interception of communications content for individuals of intelligence interest, counterintelligence mapping through access to lawful intercept systems, and geopolitical intelligence through surveillance of government officials and political figures. There is no evidence of financially motivated activity — Salt Typhoon is assessed to be a pure espionage operation.

The backbone of global communications.

Salt Typhoon's targeting is narrow by design but catastrophic in impact. Unlike broadly targeted threat groups that compromise organisations across dozens of industry verticals, Salt Typhoon concentrates almost exclusively on telecommunications providers and the adjacent infrastructure that supports them. This focus is not a limitation — it is a force multiplier. A single compromised telecommunications provider yields access to the communications of millions of subscribers, the network routing infrastructure of an entire region, and the lawful intercept systems that reveal the surveillance activities of the host nation's intelligence agencies. Salt Typhoon's geographic targeting spans the United States, Southeast Asia, Europe, and other regions of strategic interest to the PRC.

Telecommunications Providers
Strategic value: Direct access to call detail records, SMS content, voice communications, internet traffic flows, and subscriber databases for millions of users. Telecom networks serve as the central nervous system of modern communications — compromising them yields intelligence that would otherwise require thousands of individual device compromises.
Observed targeting: Confirmed compromise of at least nine US telecommunications companies including AT&T, Verizon, T-Mobile, and Lumen Technologies. Additional targeting of telecommunications providers in Southeast Asia (particularly the Philippines, Vietnam, Thailand, Malaysia, and Indonesia), Europe, and other regions. Compromises targeted core network infrastructure — routers, switches, and management planes — rather than peripheral IT systems.

Lawful Intercept Infrastructure
Strategic value: Access to CALEA (Communications Assistance for Law Enforcement Act) systems reveals which individuals are under court-authorised surveillance, what communications are being intercepted, and which law enforcement or intelligence investigations are active. This is counterintelligence gold — it maps the adversary's intelligence posture.
Observed targeting: Salt Typhoon is assessed to have accessed lawful intercept systems at compromised US telecommunications providers, potentially gaining visibility into FISA court orders and law enforcement wiretap requests. This access would reveal the targets, scope, and duration of US government surveillance operations — allowing Chinese intelligence to identify which of their operatives, assets, or operations may be under investigation.

Internet Service Providers
Strategic value: ISP infrastructure provides access to internet traffic flows, DNS query data, and routing information that enables broad surveillance of online activity patterns across entire subscriber populations.
Observed targeting: Lumen Technologies (formerly CenturyLink), a major US ISP and internet backbone provider, was among the confirmed compromised organisations. Compromise of backbone providers yields visibility into internet traffic routing at a national or international scale, far beyond the reach of individual endpoint compromise.

Government & Political Targets
Strategic value: Communications of government officials, political figures, and campaign staff provide diplomatic intelligence, policy insights, negotiating positions, and political intelligence of direct value to foreign policy decision-making.
Observed targeting: Through telecom infrastructure access, Salt Typhoon targeted the communications of senior US government officials and individuals associated with the 2024 presidential election campaigns. Targets reportedly included individuals affiliated with both the Trump and Harris campaigns, as well as officials in the State Department and other agencies. The targeting was conducted through the telecommunications infrastructure rather than direct endpoint compromise.

Network Equipment Vendors
Strategic value: Understanding the architecture, vulnerabilities, and configuration of networking equipment enables more effective targeting of the telecommunications providers that deploy it.
Observed targeting: Salt Typhoon has exploited vulnerabilities in Cisco IOS XE and other network equipment. While direct compromise of equipment vendors has not been publicly confirmed, the group demonstrates deep knowledge of network equipment internals — suggesting either independent research, access to vulnerability databases, or intelligence sharing from other PRC-affiliated groups.

Government Agencies (Southeast Asia)
Strategic value: Diplomatic and political intelligence from Southeast Asian nations aligned with PRC interests in the South China Sea and broader Indo-Pacific regional competition.
Observed targeting: Kaspersky's GhostEmperor reporting and Trend Micro's Earth Estries analysis documented targeting of government entities in Southeast Asia, including foreign ministries and defence establishments. These campaigns often ran in parallel with telecommunications targeting in the same countries, suggesting a coordinated intelligence collection strategy.

Living inside the network fabric.

Salt Typhoon's defining technique is the deep compromise of network infrastructure itself — not the servers, workstations, or endpoints that sit atop the network, but the routers, switches, and management systems that are the network. This distinction is critical. Most threat groups — even sophisticated state-sponsored APTs — operate at the application layer, compromising operating systems, deploying malware on endpoints, and using standard C2 channels over the network. Salt Typhoon operates at the infrastructure layer, embedding themselves in the devices that route, switch, and manage network traffic. From this position, they can intercept communications passively, without generating the endpoint telemetry or anomalous network traffic that defenders rely upon for detection.

The exploitation of Cisco IOS XE vulnerabilities — particularly CVE-2023-20198 and CVE-2023-20273 — exemplifies this approach. These vulnerabilities in Cisco's network operating system allowed Salt Typhoon to gain privileged access to core routing and switching infrastructure. Once inside a Cisco device, the group could modify routing configurations, mirror traffic to collection points, create covert accounts for persistent access, and monitor all data flowing through the compromised device — all without touching a single endpoint. Traditional endpoint detection and response (EDR) tools are blind to this activity because the compromise exists below the layer where they operate. Network monitoring tools may detect anomalies, but only if defenders know what to look for in the management plane of network devices — a capability that many organisations lack.

The compromise of lawful intercept infrastructure represents the most strategically significant aspect of Salt Typhoon's technique. In the United States, the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications providers to build interception capabilities into their networks, enabling law enforcement and intelligence agencies to conduct court-authorised surveillance. These systems are, by design, capable of intercepting any communication that traverses the network. By gaining access to CALEA infrastructure, Salt Typhoon effectively co-opted the surveillance apparatus that the US government built for its own use — turning a lawful intercept capability into an espionage platform. This is not a theoretical risk; FBI and CISA have confirmed that Salt Typhoon accessed these systems and used them to collect communications data.

Salt Typhoon — Telecom Infrastructure Compromise Model
Phase 1 — Network Infrastructure Access
✓ Identify internet-facing network management interfaces
✓ Exploit vulnerability in network OS (e.g., Cisco IOS XE CVE-2023-20198)
✓ Gain privileged access to router/switch management plane
✓ Create covert administrative accounts for persistent access

Phase 2 — Network Fabric Persistence
✓ Modify device configurations to survive reboots
✓ Implant firmware-level or configuration-level backdoors
✓ Disable or modify logging to conceal operator activity
✓ Establish covert tunnels through network infrastructure for C2

Phase 3 — Lateral Movement to Core Systems
✓ Pivot from edge devices to core routing infrastructure
✓ Access network management systems (NMS) and provisioning platforms
✓ Identify and access lawful intercept (CALEA) infrastructure
✓ Locate call detail record (CDR) databases and subscriber systems

Phase 4 — Intelligence Collection
✓ Bulk collection of call detail records (CDRs) — metadata:
— Source/destination numbers, call duration, timestamps
— Cell tower location data, device identifiers (IMSI/IMEI)
✓ Targeted interception of communications content for priority targets
✓ Access to lawful intercept requests → counterintelligence mapping:
— Which individuals are under surveillance?
— What investigations are active?
— Which FISA court orders are in effect?
✓ Exfiltrate collected data via covert channels through compromised infrastructure
✓ Maintain persistent access for continuous collection over months/years

Purpose-built implants for infrastructure-level access.

Demodex Rootkit
Type: Kernel-Level Rootkit (Custom)
Capabilities: The signature implant of the GhostEmperor cluster. Demodex is a sophisticated Windows kernel-mode rootkit that provides deep system-level concealment for Salt Typhoon's operations. It uses a multi-stage loading chain involving legitimate vulnerable drivers (bring-your-own-vulnerable-driver / BYOVD technique) to load unsigned kernel code, bypassing Driver Signature Enforcement. Once loaded, Demodex hides processes, files, registry keys, and network connections from both user-mode tools and many kernel-level security products. The rootkit is designed for long-term persistence and stealth on compromised management servers within telecommunications environments.

SparrowDoor
Type: Backdoor (Custom)
Capabilities: ESET's reporting on FamousSparrow documented SparrowDoor, a custom backdoor deployed on internet-facing servers. SparrowDoor provides remote command execution, file management, process manipulation, and interactive shell access. It communicates with C2 infrastructure using encrypted channels and supports proxy configurations. Variants have been observed with modular architectures that allow operators to load additional functionality post-deployment. Used primarily for initial access and persistent command-and-control on compromised server infrastructure within target organisations.

GhostRAT / Gh0st RAT Variants
Type: RAT (Modified Open-Source)
Capabilities: Salt Typhoon has been observed using heavily customised variants of Gh0st RAT — an open-source remote access trojan originally developed by Chinese hackers and widely used across PRC-affiliated threat groups. Salt Typhoon's variants include significant modifications to evade detection, custom encryption for C2 communications, and additional capabilities tailored for operations within telecommunications environments. The use of modified Gh0st RAT provides a baseline of remote access capability while complicating attribution due to the tool's widespread use.

TrillClient
Type: Data Harvester / Browser Stealer (Custom)
Capabilities: A custom information-stealing tool documented by Trend Micro in Earth Estries campaigns. TrillClient is designed to harvest browser data, credentials, and session tokens from compromised systems. It targets stored passwords, cookies, and browsing history from multiple browser families. In telecommunications environments, harvested credentials provide access to network management consoles, provisioning systems, and internal portals that control network infrastructure configuration.

HemiGate
Type: Backdoor (Custom)
Capabilities: A multi-component backdoor observed in Earth Estries campaigns. HemiGate functions as a full-featured remote access platform with capabilities including file transfer, command shell access, keylogging, and screen capture. It employs sideloading techniques — using legitimate signed executables to load malicious DLLs — to evade application whitelisting and endpoint detection. HemiGate's modular design allows operators to selectively deploy capabilities based on the target environment.

Cobalt Strike BEACON
Type: Commercial C2 Framework
Capabilities: Salt Typhoon uses Cobalt Strike alongside their custom tooling, particularly during lateral movement and post-exploitation phases. Cobalt Strike provides a flexible and well-documented framework for operating within compromised networks, with capabilities including credential harvesting, lateral movement, and data exfiltration. Salt Typhoon configures BEACON with custom malleable C2 profiles to mimic legitimate network traffic patterns common in telecommunications environments.

Network Device Implants
Type: Firmware/Configuration Backdoors (Custom)
Capabilities: Purpose-built implants for network infrastructure devices, particularly Cisco IOS XE routers and switches. These implants operate at the network operating system level, modifying device configurations to create covert administrative accounts, establish traffic mirroring rules, and maintain persistent access that survives standard remediation procedures. Unlike endpoint malware, these implants exist within the network device firmware or configuration and are invisible to traditional endpoint security tools.

China Chopper / Web Shells
Type: Web Shell
Capabilities: Salt Typhoon deploys web shells — including variants of China Chopper and custom alternatives — on internet-facing web servers and management portals as initial footholds. These lightweight implants provide command execution and file management capabilities on compromised web servers. In telecommunications environments, web shells are deployed on customer portals, network management web interfaces, and provisioning systems to establish initial access before pivoting deeper into network infrastructure.

SnappyBee (Deed RAT)
Type: Modular Backdoor (Shared Chinese Tooling)
Capabilities: A modular backdoor assessed to be a successor to the ShadowPad malware family, observed in Salt Typhoon-adjacent operations. SnappyBee supports plugin-based extensibility, encrypted C2 communications, and multiple persistence mechanisms. Its presence in Salt Typhoon campaigns highlights the tooling overlap and sharing that characterises the broader Chinese cyber espionage ecosystem, where successful implants proliferate across multiple threat groups.

Entering through the infrastructure itself.

Network Device Exploitation
Salt Typhoon's primary initial access vector is the exploitation of vulnerabilities in internet-facing network devices — routers, switches, VPN concentrators, and network management interfaces. The exploitation of Cisco IOS XE vulnerabilities CVE-2023-20198 (a privilege escalation flaw in the web UI) and CVE-2023-20273 (a command injection vulnerability) provided Salt Typhoon with privileged access to core network infrastructure at telecommunications providers worldwide. This approach is uniquely effective against telecom targets because network devices are both the entry point and the objective — compromising a core router provides immediate access to transit traffic without the need for lateral movement through traditional IT infrastructure.
Internet-Facing Server Exploitation
Salt Typhoon targets vulnerabilities in internet-facing servers — web applications, email gateways, and management portals — to establish initial footholds within telecommunications provider networks. Documented exploitation targets include Microsoft Exchange (ProxyLogon/ProxyShell vulnerabilities), public-facing web management consoles, and customer-facing portal applications. Once a web server is compromised, operators deploy web shells for persistent access and use the foothold to conduct reconnaissance of the internal network, identifying paths to network infrastructure and management systems.
Credential Theft & Reuse
Salt Typhoon harvests credentials from compromised systems — using tools like TrillClient and standard credential dumping techniques — and reuses them to access additional systems within the target environment. In telecommunications networks, credentials for network management systems, TACACS+/RADIUS authentication servers, and provisioning platforms are particularly valuable. A single set of network administrator credentials can provide access to hundreds or thousands of network devices across the provider's infrastructure.
Supply Chain & Vendor Access
Telecommunications providers rely on extensive vendor ecosystems for equipment, software, and managed services. Salt Typhoon is assessed to exploit these trust relationships — compromising managed service providers, equipment vendors, or using legitimate vendor maintenance access channels to gain entry to telecom networks. The interconnected nature of telecommunications infrastructure means that compromise of a single vendor or service provider can cascade across multiple telecommunications companies.
Zero-Day & N-Day Vulnerability Exploitation
Beyond Cisco IOS XE, Salt Typhoon has demonstrated the ability to exploit a range of zero-day and recently disclosed vulnerabilities across networking and server infrastructure. The group has been associated with exploitation of vulnerabilities in Fortinet, Barracuda, and other networking appliances. Their rapid weaponisation of disclosed vulnerabilities — particularly those affecting network infrastructure devices — suggests access to significant vulnerability research capabilities, either through dedicated in-house teams or intelligence sharing with other PRC-affiliated groups.
Exploitation of Network Peering & Interconnection
Telecommunications networks are inherently interconnected through peering agreements, transit relationships, and signalling protocols (SS7, Diameter). Salt Typhoon is assessed to leverage these interconnections to move between telecommunications providers — using access to one provider's infrastructure to reach another's through legitimate network-to-network interfaces. This is particularly effective in the telecommunications sector, where inter-carrier connectivity is a fundamental operational requirement and cannot be easily restricted.

From Southeast Asian telecoms to the heart of American communications.

Salt Typhoon's campaign history reflects a methodical expansion from regional telecommunications targeting in Southeast Asia to the audacious compromise of the largest telecommunications providers in the United States. The earliest documented activity — tracked by Kaspersky as GhostEmperor and by Trend Micro as Earth Estries — emerged in 2020 and 2021, targeting telecommunications providers and government entities in Southeast Asia, the Middle East, and South Africa. These early campaigns served as proving grounds, allowing Salt Typhoon to refine their tradecraft for telecommunications infrastructure penetration before applying those techniques against harder, higher-value targets.

Kaspersky's GhostEmperor reporting (2021) provided the first detailed public analysis of the cluster's operations. The research documented sophisticated intrusions targeting telecommunications companies and government organisations in Southeast Asia and the Middle East, deploying the Demodex rootkit — a Windows kernel-mode implant that used a vulnerable legitimate driver (BYOVD technique) to load unsigned kernel code, achieving deep system-level concealment. The GhostEmperor campaigns demonstrated a level of rootkit engineering sophistication that distinguished this cluster from the broader Chinese threat landscape. Kaspersky noted that the group showed significant investment in anti-forensic and anti-analysis techniques, including multi-stage loading chains designed to frustrate incident response.

ESET's parallel reporting on FamousSparrow documented a related cluster targeting hotels, governments, and international organisations with the SparrowDoor backdoor. FamousSparrow campaigns exploited vulnerabilities in internet-facing servers — including Microsoft Exchange ProxyLogon (CVE-2021-26855) — to establish initial footholds. While the hotel targeting initially appeared anomalous, the intelligence value of hotel guest records — travel itineraries, passport data, and communication patterns of government officials and diplomats — aligns with broader MSS collection priorities. The overlap between FamousSparrow and GhostEmperor activity — in infrastructure, tooling, and targeting — led threat intelligence analysts to assess these as sub-clusters of the same overarching operation.

Trend Micro's Earth Estries campaigns (2023) expanded the picture further, documenting intrusions targeting telecommunications providers and government agencies across the United States, Asia-Pacific, the Middle East, and South Africa. Earth Estries operators deployed a toolkit including HemiGate, TrillClient, and customised Cobalt Strike payloads, demonstrating an evolution in capabilities and a broadening of geographic scope. Critically, the Earth Estries reporting documented the group's increasing focus on telecommunications infrastructure — moving beyond traditional server and endpoint compromise to target the network management systems and provisioning platforms that control telecommunications network operations.

The US telecommunications compromise — publicly disclosed in late 2024 through coordinated FBI and CISA advisories — represented the culmination of Salt Typhoon's operational evolution. At least nine US telecommunications companies were confirmed compromised, including AT&T (the largest US carrier by subscribers), Verizon (the second-largest), T-Mobile, and Lumen Technologies (a major internet backbone provider). The compromises were not recent — investigators determined that Salt Typhoon had maintained persistent access to some networks for over a year before detection. The group penetrated deep into network infrastructure, compromising core routers and switches that carry voice and data traffic for hundreds of millions of subscribers.

The most alarming aspect of the US telecommunications compromise was Salt Typhoon's access to lawful intercept (CALEA) infrastructure. CALEA requires US telecommunications providers to maintain the ability to execute court-authorised wiretaps and surveillance orders. Salt Typhoon accessed these systems, potentially gaining visibility into active FISA court orders, law enforcement wiretap requests, and the identities of individuals under government surveillance. For a foreign intelligence service, this represents an extraordinary counterintelligence windfall — the ability to see who the adversary is watching, what they are collecting, and which investigations are active. Senior US officials described the breach as having potentially compromised the integrity of the US intelligence community's surveillance capabilities.

Simultaneously, Salt Typhoon targeted the communications of specific high-profile individuals through the compromised telecom infrastructure. Individuals associated with the 2024 US presidential campaigns — including figures linked to both the Trump and Harris campaigns — were among those whose communications were targeted. Senior government officials in the State Department and national security apparatus were also targeted. The collection reportedly included both metadata (call detail records showing who communicated with whom, when, and for how long) and, for priority targets, actual communications content. This targeting was conducted through the telecommunications infrastructure rather than through endpoint compromise — the targets' phones and devices were never directly hacked, but the networks carrying their communications were owned by the adversary.


Defending against threats below the endpoint.

Defending against Salt Typhoon is fundamentally different from defending against conventional threat actors because their primary targets — network infrastructure devices — exist in a monitoring blind spot for most organisations. Traditional security architectures focus detection at the endpoint (EDR) and network perimeter (firewall, IDS/IPS), but Salt Typhoon operates at the infrastructure layer between these controls. A compromised core router does not generate EDR telemetry, and traffic interception at the switch level does not trigger IDS signatures. Effective defence against Salt Typhoon requires extending security monitoring to encompass network infrastructure itself — treating routers, switches, and management systems as first-class assets that require the same level of security scrutiny as servers and workstations.

Network Infrastructure Hardening
Implement rigorous security controls on all network infrastructure devices. Disable unnecessary management interfaces — particularly web UIs (the attack vector for Cisco IOS XE exploitation). Restrict management plane access to dedicated out-of-band management networks with strict access control lists. Enforce multi-factor authentication for all network device access. Implement role-based access control to limit administrative privileges. Disable unused protocols and services on network devices. Apply vendor security hardening guides — Cisco, Juniper, Nokia, and other vendors publish specific hardening benchmarks that significantly reduce attack surface.
Network Device Integrity Monitoring
Deploy continuous integrity monitoring for network device configurations, firmware, and operating system images. Maintain known-good baselines for all device configurations and compare running configurations against baselines on a frequent schedule. Use vendor-provided integrity verification tools — Cisco IOS XE supports image verification and secure boot capabilities. Monitor for unauthorised account creation, unexpected configuration changes, and anomalous access to network management interfaces. Implement configuration management databases (CMDBs) that track every change to network device configurations with full attribution.
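The two recommendations above (hardening the management plane and comparing running configurations against a known-good baseline) can be turned into a simple automated check. The following Python script is an added example written for this article; it is not Hedgehog Security's tooling or any vendor's product. It takes a baseline IOS XE-style configuration and the configuration a device currently reports, both constructed for the example (hostnames, addresses and password hashes are placeholders), diffs them, and raises findings for the changes the text singles out: a privilege-15 account that is not in the baseline, a new `monitor session` mirroring rule, a removed syslog destination, and a web UI that is enabled without an `ip http access-class` restriction. It flattens sub-mode lines rather than parsing the full configuration hierarchy, which is sufficient for these top-level checks.

```python
import re
from dataclasses import dataclass

# Constructed sample configs (not captured from any real device). The baseline is the
# known-good state kept under change control; the running config is what the device
# reports now. Hash values are placeholders.
BASELINE_CONFIG = """
!
hostname core-rtr-01
!
service password-encryption
!
username netops privilege 15 secret 9 $9$PLACEHOLDER_BASELINE_HASH
!
no ip http server
no ip http secure-server
!
logging buffered 64000
logging host 10.20.0.5
logging trap informational
!
ip access-list standard MGMT-ACL
 permit 10.20.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
!
"""

RUNNING_CONFIG = """
!
hostname core-rtr-01
!
service password-encryption
!
username netops privilege 15 secret 9 $9$PLACEHOLDER_BASELINE_HASH
username svc_backup privilege 15 secret 9 $9$PLACEHOLDER_UNKNOWN_HASH
!
ip http server
ip http secure-server
!
logging buffered 64000
logging trap informational
!
monitor session 1 source interface GigabitEthernet0/0/1
monitor session 1 destination interface GigabitEthernet0/0/7
!
ip access-list standard MGMT-ACL
 permit 10.20.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-ACL in
 transport input ssh
!
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def normalise(config_text):
    """Drop comments and blank lines and collapse whitespace. Sub-mode lines are
    flattened, which is enough for a top-level audit (a full parser would keep the hierarchy)."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(re.sub(r"\s+", " ", line))
    return lines


def diff_configs(baseline, running):
    """Return (added, removed) configuration lines relative to the baseline."""
    base, run = set(normalise(baseline)), set(normalise(running))
    return sorted(run - base), sorted(base - run)


def audit_running_config(baseline, running):
    """Flag baseline deviations and weak settings that matter on a core router."""
    added, removed = diff_configs(baseline, running)
    findings = []
    for line in added:
        m = re.match(r"username (\S+) privilege 15", line)
        if m:
            findings.append(Finding("critical", f"new privilege-15 account not in baseline: {m.group(1)}"))
        if line.startswith("monitor session"):
            findings.append(Finding("critical", f"traffic mirroring rule not in baseline: {line}"))
        if line in ("ip http server", "ip http secure-server"):
            findings.append(Finding("high", f"web UI enabled but disabled in baseline: {line}"))
    for line in removed:
        if line.startswith("logging host"):
            findings.append(Finding("high", f"remote syslog destination removed: {line}"))
    # Weak-setting check independent of the baseline: an enabled web UI must be ACL-restricted.
    running_lines = set(normalise(running))
    web_ui_on = bool(running_lines & {"ip http server", "ip http secure-server"})
    has_http_acl = any(l.startswith("ip http access-class") for l in running_lines)
    if web_ui_on and not has_http_acl:
        findings.append(Finding("high", "HTTP(S) server enabled with no 'ip http access-class' restricting management access"))
    return findings


if __name__ == "__main__":
    for f in audit_running_config(BASELINE_CONFIG, RUNNING_CONFIG):
        print(f"[{f.severity}] {f.message}")
```

Run against the two constructed configs the script reports the planted account, both halves of the mirroring session, the removed syslog host and the unrestricted web UI; run against the baseline alone it reports nothing, which is the property a scheduled job should rely on. In production the running configuration would be pulled over the out-of-band management network and the baseline taken from the change-controlled repository.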
Aggressive Network Device Patching
Salt Typhoon's exploitation of Cisco IOS XE vulnerabilities underscores the critical importance of patching network infrastructure with the same urgency applied to servers and endpoints. Establish a critical-patch SLA for network devices — particularly internet-facing routers, switches, and VPN concentrators. Monitor vendor security advisories (Cisco PSIRT, Juniper SIRT) and CISA alerts for vulnerabilities affecting network equipment. Where patches cannot be applied immediately, implement compensating controls — restrict management access, deploy virtual patching through IPS, and increase monitoring of affected devices.
Lawful Intercept System Security
For telecommunications providers, securing lawful intercept (CALEA) infrastructure requires dedicated security controls beyond standard IT security. Isolate lawful intercept systems on dedicated, air-gapped or heavily segmented networks. Implement strict access controls with multi-person authorisation for lawful intercept provisioning. Monitor all access to intercept systems with tamper-evident audit logging. Conduct regular security assessments of lawful intercept infrastructure, including penetration testing and configuration audits. Ensure that intercept provisioning workflows include verification steps that would detect unauthorised intercept requests.
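Two of the controls above, multi-person authorisation for provisioning and tamper-evident audit logging, are easy to state and worth seeing concretely. The block below is an added example written for this article, not a real CALEA mediation platform: a provisioning function enforces a two-person rule (independent approver in an authorised role, warrant reference present) and records every outcome, denied or not, in a keyed hash chain whose verification pinpoints the first altered entry. The roles, warrant references, subscriber identifiers and MAC key are all constructed.

```python
"""Two-person authorisation plus a keyed, hash-chained audit log for lawful
intercept provisioning.

Added example for this article; it is not a real CALEA mediation platform and
the roles, warrant references and subscriber identifiers are constructed."""
import hashlib
import hmac
import json
import time

# Assumed policy: the approver must hold one of these roles and must not be
# the requester. A real deployment binds this to the IdP and an HSM-held key.
APPROVER_ROLES = {"li-compliance-officer", "li-legal-reviewer"}


class ProvisioningError(Exception):
    """Raised when a provisioning request fails the authorisation policy."""


class InterceptAuditLog:
    """Append-only log in which every entry commits to the previous entry.

    The MAC is keyed with a secret that lives off the provisioning host (here a
    constructed key), so someone who can edit the log file cannot rewrite an
    entry and recompute a consistent chain without that key."""

    GENESIS = "0" * 64

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.entries = []

    def _mac(self, payload: dict, prev: str) -> str:
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev.encode() + body, hashlib.sha256).hexdigest()

    def append(self, payload: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        entry = {"payload": payload, "prev": prev, "mac": self._mac(payload, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """(True, -1) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            expected = self._mac(entry["payload"], prev)
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
                return False, i
            prev = entry["mac"]
        return True, -1


def policy_violation(requester, approver, approver_role, warrant_ref):
    """Return the reason a request must be denied, or None if it passes."""
    if not warrant_ref:
        return "missing warrant reference"
    if approver == requester:
        return "requester cannot approve their own request"
    if approver_role not in APPROVER_ROLES:
        return f"role '{approver_role}' is not authorised to approve intercepts"
    return None


def provision_intercept(log, target_id, warrant_ref, requester, approver, approver_role) -> dict:
    """Apply the two-person rule and record the outcome, denied or not, in the chain."""
    payload = {"ts": time.time(), "action": "intercept.provision", "target": target_id,
               "warrant": warrant_ref, "requester": requester, "approver": approver,
               "approver_role": approver_role}
    reason = policy_violation(requester, approver, approver_role, warrant_ref)
    if reason:
        payload.update(result="denied", reason=reason)
        log.append(payload)  # denied attempts are the ones a hunter wants to see
        raise ProvisioningError(reason)
    payload["result"] = "provisioned"
    return log.append(payload)


def denied_attempts(log) -> list:
    """Denied provisioning attempts, for periodic review."""
    return [e["payload"] for e in log.entries if e["payload"].get("result") == "denied"]


if __name__ == "__main__":
    audit = InterceptAuditLog(b"constructed-demo-key-not-for-production")
    provision_intercept(audit, "subscriber-000123", "WARRANT-2026-0001", "analyst-a", "officer-b", "li-compliance-officer")
    try:
        provision_intercept(audit, "subscriber-000456", "WARRANT-2026-0002", "analyst-a", "analyst-a", "li-compliance-officer")
    except ProvisioningError as err:
        print("denied:", err)
    print("chain intact:", audit.verify())
    audit.entries[0]["payload"]["target"] = "subscriber-000999"  # simulate tampering
    print("after edit:", audit.verify())
```

The chain only proves integrity to whoever holds the MAC key, so in a real deployment the key and a copy of the latest MAC would be held by a separate audit function, and the verification would run from there rather than on the provisioning host. Denied attempts are logged before the exception is raised, which is what makes an unauthorised intercept request visible to the review step the text calls for.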
Enhanced Network Traffic Analysis
Deploy network detection and response (NDR) solutions with visibility into management plane traffic — not just data plane traffic. Monitor for anomalous management protocols (SSH, SNMP, NETCONF, RESTCONF) accessing network devices from unexpected sources. Detect traffic mirroring or SPAN configurations that redirect copies of traffic to unexpected destinations. Monitor DNS query patterns and encrypted tunnel establishment from network infrastructure devices. Implement NetFlow/IPFIX collection and analysis to detect unusual traffic patterns that may indicate data exfiltration through compromised infrastructure.
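The two management-plane detections above (management protocols reaching devices from unexpected sources, and bulk traffic leaving a device that may be a mirrored or tunnelled copy) can be expressed directly over flow records. The following is an added example written for this article, not an NDR product's logic: it runs both checks over constructed NetFlow-style records against an assumed device inventory and out-of-band management subnet. Real input would come from NetFlow/IPFIX export, and the thresholds and port list are assumptions to tune per environment.

```python
"""Spot management-plane access to network devices from outside the
out-of-band management network, and bulk egress from a device that may be a
mirrored or tunnelled traffic copy.

Added example for this article, not an NDR product's logic. The device
inventory, subnets and flow records are constructed; real input would come
from NetFlow/IPFIX export."""
import ipaddress
from collections import defaultdict

# Assumed inventory: device management addresses and the single subnet that
# is allowed to reach them on management protocols.
DEVICES = {"10.0.0.1": "core-rtr-01", "10.0.0.2": "core-rtr-02", "10.0.0.3": "dist-sw-01"}
OOB_MGMT_NET = ipaddress.ip_network("10.255.0.0/24")

# Destination port -> management protocol we care about.
MGMT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 830: "netconf", 443: "https/restconf", 80: "http"}

# Constructed flow records: (src, dst, dst_port, proto, bytes).
FLOWS = [
    ("10.255.0.10", "10.0.0.1", 22, "tcp", 48_000),           # jump host over OOB: expected
    ("10.255.0.11", "10.0.0.2", 830, "tcp", 12_000),          # NETCONF from automation host: expected
    ("192.168.44.7", "10.0.0.1", 22, "tcp", 9_500),           # SSH from a user LAN: not expected
    ("10.20.5.9", "10.0.0.3", 161, "udp", 700),               # SNMP from a non-OOB host: not expected
    ("10.0.0.2", "10.255.0.5", 514, "udp", 300_000),          # syslog to OOB collector: expected
    ("10.0.0.1", "203.0.113.50", 443, "tcp", 2_100_000_000),  # 2.1 GB from a core router to an external host
]


def mgmt_from_unexpected_source(flows) -> list:
    """Management-protocol flows to a device whose source is off the OOB network."""
    alerts = []
    for src, dst, dport, _proto, _nbytes in flows:
        if dst in DEVICES and dport in MGMT_PORTS and ipaddress.ip_address(src) not in OOB_MGMT_NET:
            alerts.append({"device": DEVICES[dst], "protocol": MGMT_PORTS[dport], "source": src})
    return alerts


def device_egress(flows) -> dict:
    """Bytes sent by each device (as flow source) to each destination outside the OOB network."""
    totals = defaultdict(int)
    for src, dst, _dport, _proto, nbytes in flows:
        if src in DEVICES and ipaddress.ip_address(dst) not in OOB_MGMT_NET:
            totals[(DEVICES[src], dst)] += nbytes
    return dict(totals)


def bulk_egress(flows, threshold_bytes=100_000_000) -> list:
    """Device-to-destination totals above a threshold. A router forwards plenty of
    traffic, but flows sourced from its own address are control-plane traffic and
    rarely reach this volume; a mirrored or tunnelled copy of transit traffic would."""
    return [{"device": dev, "destination": dst, "bytes": n}
            for (dev, dst), n in device_egress(flows).items() if n >= threshold_bytes]


if __name__ == "__main__":
    for a in mgmt_from_unexpected_source(FLOWS):
        print("management access:", a)
    for a in bulk_egress(FLOWS):
        print("bulk egress:", a)
```

On the constructed flows the first check flags the SSH session from the user LAN and the SNMP poll from the non-OOB host; the second flags only the 2.1 GB transfer from the core router, since the syslog flow is both small and destined for the OOB collector. Both checks depend on an accurate device inventory, which is why the CMDB discipline from the previous section matters for detection as much as for change control.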
Encrypted Communications & Zero Trust
Adopt end-to-end encrypted communications for sensitive discussions. Once the telecommunications infrastructure itself is compromised, transport-level encryption is insufficient to protect communications content: TLS protects data sessions in transit, but standard voice calls and SMS have no equivalent protection on the carrier network. Government officials and individuals handling sensitive information should use end-to-end encrypted messaging applications (Signal, WhatsApp) rather than standard voice calls or SMS. Implement zero trust network architecture principles: do not assume that internal network traffic is trustworthy, even within ostensibly secured corporate networks. The FBI and CISA explicitly recommended encrypted communications in their guidance following the Salt Typhoon disclosure.

Salt Typhoon within China's Typhoon campaigns.

Salt Typhoon operates within a constellation of Chinese state-sponsored threat groups that Microsoft collectively designates with the 'Typhoon' naming convention — each representing a distinct operational cluster with specific targeting mandates and technical approaches. Together, these groups represent a comprehensive Chinese strategy to achieve persistent access to critical infrastructure across the United States and allied nations. Understanding Salt Typhoon's position within this ecosystem reveals the breadth and coordination of PRC cyber operations: Volt Typhoon pre-positions in energy and water infrastructure for potential wartime disruption, Salt Typhoon embeds in telecommunications for intelligence collection, Flax Typhoon builds botnets from IoT devices for operational infrastructure, and Brass Typhoon (APT41) conducts broad espionage with financial crime elements. Each group serves a distinct role in a larger strategic framework.

Group: Volt Typhoon
Affiliation: PLA (assessed)
Primary focus: Pre-positioning in US critical infrastructure — energy, water, transportation, communications — for potential disruption during a geopolitical conflict, particularly a Taiwan Strait scenario
Relationship to Salt Typhoon: Complementary mission. While Salt Typhoon collects intelligence from telecommunications infrastructure, Volt Typhoon seeks to pre-position for potential disruption of critical infrastructure. Both target network devices and use living-off-the-land techniques, but their strategic objectives differ: Salt Typhoon is SIGINT collection, Volt Typhoon is operational preparation of the battlefield. Some infrastructure and technique overlaps suggest possible coordination or shared resources.

Group: Flax Typhoon
Affiliation: MSS (assessed, via Integrity Technology Group)
Primary focus: Building and operating a botnet of compromised IoT devices, routers, and cameras for use as operational relay infrastructure by other Chinese threat groups
Relationship to Salt Typhoon: Potential infrastructure relationship. Flax Typhoon's botnet of compromised network devices could serve as operational infrastructure for other Chinese groups — including Salt Typhoon — providing anonymised access and relay capabilities for conducting operations against high-value targets. The FBI disrupted a Flax Typhoon-operated botnet of over 200,000 devices in September 2024.

Group: Brass Typhoon (APT41)
Affiliation: MSS (Chengdu 404)
Primary focus: Dual-mandate espionage and financially motivated cybercrime, broad targeting across healthcare, technology, gaming, and government sectors
Relationship to Salt Typhoon: Both are MSS-linked groups, but with different specialisations. APT41 conducts broad espionage with a financial crime component, while Salt Typhoon is narrowly focused on telecommunications infrastructure intelligence. Both groups have targeted telecommunications providers — APT41 for call detail records and surveillance of specific individuals, Salt Typhoon for comprehensive infrastructure-level access. Possible tooling and intelligence sharing through the MSS ecosystem.

Group: APT40 (Leviathan)
Affiliation: MSS (Hainan Bureau)
Primary focus: Maritime, defence, and engineering intelligence aligned with South China Sea interests and naval modernisation objectives
Relationship to Salt Typhoon: Different target focus but shared MSS affiliation. APT40's maritime and defence intelligence serves PLA Navy requirements, while Salt Typhoon's telecommunications focus serves broader intelligence collection mandates. Both groups have been observed targeting organisations in Southeast Asia, suggesting some geographic overlap in operations.

Group: APT31 (Zirconium)
Affiliation: MSS (Hubei Bureau)
Primary focus: Political intelligence and surveillance — targeting government officials, political organisations, journalists, and dissidents globally
Relationship to Salt Typhoon: Complementary intelligence collection. APT31 conducts targeted surveillance of individuals through endpoint compromise, while Salt Typhoon achieves similar objectives through telecommunications infrastructure access. Both groups were active in targeting individuals associated with the 2024 US presidential election, though using different technical approaches. APT31's endpoint-focused approach and Salt Typhoon's infrastructure-level access may represent parallel collection strategies targeting the same intelligence requirements.

Group: Charcoal Typhoon (Chromium)
Affiliation: MSS (assessed)
Primary focus: Targeting government, higher education, and technology sectors across Asia and Europe, with focus on intellectual property and political intelligence
Relationship to Salt Typhoon: Part of the broader Typhoon ecosystem but with limited direct operational overlap. Charcoal Typhoon focuses on traditional endpoint and server compromise for data theft, while Salt Typhoon targets infrastructure-level access. Both contribute to the PRC's comprehensive intelligence collection apparatus.

Salt Typhoon's position within this ecosystem highlights a critical evolution in Chinese cyber strategy: the shift from targeting endpoints and data stores to targeting infrastructure itself. Where earlier Chinese APT campaigns (APT1, APT10, APT41) focused on stealing data from servers and workstations, Salt Typhoon and Volt Typhoon represent a new generation of operations that target the infrastructure layer — the routers, switches, and control systems that underpin entire sectors of the economy. This shift makes detection dramatically harder and raises the strategic stakes: compromise at the infrastructure level potentially affects every entity that depends on that infrastructure, multiplying the impact of a single intrusion by orders of magnitude.


The bottom line.

Salt Typhoon represents a paradigm shift in state-sponsored cyber espionage — the move from stealing data off endpoints to embedding directly inside the infrastructure that carries all communications. By compromising at least nine US telecommunications providers at the network infrastructure level, accessing lawful intercept (CALEA) systems, collecting call detail records for millions of Americans, and targeting the communications of senior government officials and political figures, Salt Typhoon achieved one of the most significant intelligence compromises in US history. This was not a data breach in the conventional sense — it was the co-option of the communications backbone itself, transforming the infrastructure that Americans trust to carry their calls and messages into a collection platform for a foreign intelligence service.

The strategic implications extend far beyond the data collected. Salt Typhoon's access to lawful intercept infrastructure potentially compromised the integrity of US intelligence and law enforcement surveillance capabilities — revealing which individuals are under investigation, which FISA court orders are active, and what communications are being collected. This counterintelligence damage is difficult to quantify and may take years to fully assess. Chinese intelligence services can use this information to identify compromised operatives, neutralise ongoing investigations, and understand the priorities and capabilities of their primary intelligence adversary. The FBI and CISA's unprecedented public warnings in late 2024 — including the extraordinary recommendation that Americans use end-to-end encrypted communications — reflected the severity of the compromise.

For defenders — particularly those responsible for telecommunications and critical infrastructure security — Salt Typhoon demands a fundamental reassessment of what constitutes the security perimeter. Network infrastructure devices cannot remain in a monitoring blind spot. Routers, switches, and management systems must be treated as first-class assets subject to continuous integrity monitoring, aggressive patching, strict access controls, and active threat hunting. The CALEA infrastructure that enables lawful intercept must be secured with dedicated controls that reflect its extraordinary sensitivity. And the broader lesson of Salt Typhoon is clear: in an era where adversaries target infrastructure rather than endpoints, security that stops at the operating system boundary is no longer sufficient. The network itself must be defended.


Is your network infrastructure secure against state-sponsored telecom threats?

Our penetration testing and threat intelligence services can evaluate your network infrastructure security posture against Salt Typhoon's specific tactics — network device exploitation, management plane compromise, configuration integrity, and lateral movement through infrastructure — to identify gaps before a state-sponsored adversary exploits them.