Salt Typhoon: China's Silent Breach of U.S. Telecommunications
- Clay Mobley
- 2 days ago
- 2 min read
In cyber conflict, the most dangerous actor is the one already inside. Salt Typhoon, a cyberespionage campaign attributed to China’s Ministry of State Security (MSS), is exactly that. Operating since at least 2020, this group has gained sustained access to U.S. telecommunications infrastructure, quietly collecting sensitive data across multiple providers.
This isn’t theory. This is ongoing.
The Breach: Access at the Infrastructure Layer
Salt Typhoon, also tracked under aliases such as Earth Estries or GhostEmperor, has targeted U.S. telecom giants including Verizon, AT&T, and Lumen Technologies by exploiting vulnerabilities in network hardware, particularly unpatched Cisco routers (CyberScoop).
Once inside, they extracted call metadata, geolocation data, and in some cases, audio recordings of sensitive communications (WSJ). These intrusions included communications involving political figures and government personnel.
This wasn’t limited to domestic targets: telecom infrastructure in Thailand, Italy, and South Africa also showed signs of compromise (AP News; CyberScoop).
What Was Accessed
Data extracted by Salt Typhoon reportedly included:
Call and SMS metadata
Geolocation and movement patterns
Court-authorized surveillance records
Possibly live or stored voice content
This level of access doesn’t just threaten individual privacy; it compromises counterintelligence operations, strategic communications, and domestic resilience.
U.S. Government Response
In response, CISA, NSA, and the FBI issued joint cybersecurity guidance specifically for telecom providers, urging them to patch infrastructure and detect lingering backdoors (Perkins Coie).
The U.S. Treasury Department followed with sanctions against individuals and front companies tied to China’s MSS, aiming to disrupt operational continuity of campaigns like Salt Typhoon (Treasury.gov).
Strategic Implications
Salt Typhoon illustrates a paradigm shift: adversaries no longer need to breach systems during a crisis; they’re already embedded, waiting.
Rather than targeting isolated endpoints, MSS-linked actors are achieving persistent access inside critical communications infrastructure, preparing options to activate or manipulate systems during geopolitical escalation.
For the private sector, particularly telecom, defense, and data-rich verticals, this calls for a hardened stance. Traditional perimeter defenses are insufficient against state-sponsored multi-vector campaigns.
Cheshire Recommendations
For organizations facing heightened exposure:
Implement Zero Trust Architecture – No internal access should be assumed safe by default.
Patch Network Hardware Aggressively – Legacy telecom gear is a prime access vector.
Conduct Threat Hunting Exercises – Search proactively for long-term embedded access.
Train Executives and Engineers – Focus on advanced adversary tradecraft and indicators.
Partner with Intelligence-Driven Advisors – Not every threat is visible to IT security.
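One concrete threat-hunting exercise in the spirit of the recommendations above is a configuration-drift check for network hardware: compare the running configuration of a router against a known-good baseline and flag additions or removals in the sections an embedded actor would most plausibly touch (local accounts, AAA, SNMP, static routes, tunnels, logging, scheduled automation). The Python below is an added example, not code from the original post or from Cheshire Institute; the two config snapshots, the device name, the addresses and the list of watched configuration prefixes are all constructed assumptions for illustration rather than vetted indicators.

```python
"""
Config-drift check for a network device, illustrating a threat-hunting
exercise for long-term embedded access. Added example; all inputs below are
constructed (hypothetical device, addresses and settings).
"""
import re
from dataclasses import dataclass, field

# Configuration sections where an unexpected change deserves analyst review.
# Illustrative choices, not an authoritative indicator list.
SENSITIVE_PREFIXES = (
    "username ",          # new or altered local accounts
    "aaa ",               # authentication / authorization changes
    "snmp-server ",       # new community strings or trap targets
    "ip route ",          # traffic redirection
    "interface Tunnel",   # tunnels that could carry exfiltrated traffic
    "access-list ",       # weakened filtering
    "ip access-list ",
    "logging ",           # logging redirected or removed
    "event manager ",     # scheduled automation on the device
    "kron ",
)


@dataclass
class DriftReport:
    added: list = field(default_factory=list)      # lines only in current
    removed: list = field(default_factory=list)    # lines only in baseline
    sensitive: list = field(default_factory=list)  # ("+"/"-", line) worth review


def normalise(config_text: str) -> set:
    """Drop comments and blank lines and collapse whitespace so that benign
    reordering or spacing differences are not reported as drift."""
    lines = set()
    for raw in config_text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line or line.startswith("!"):
            continue
        lines.add(line)
    return lines


def check_drift(baseline: str, current: str) -> DriftReport:
    """Return every added/removed line plus the subset matching sensitive prefixes."""
    base, cur = normalise(baseline), normalise(current)
    report = DriftReport(added=sorted(cur - base), removed=sorted(base - cur))
    for line in report.added:
        if line.startswith(SENSITIVE_PREFIXES):
            report.sensitive.append(("+", line))
    for line in report.removed:
        if line.startswith(SENSITIVE_PREFIXES):
            report.sensitive.append(("-", line))
    return report


# Constructed baseline snapshot (illustrative, not a real device).
BASELINE_CONFIG = """\
! constructed baseline running-config snapshot
hostname edge-rtr-01
username netops privilege 15 secret 0 PLACEHOLDER
aaa new-model
logging host 10.0.0.5
snmp-server community ro-only RO
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
"""

# Constructed current snapshot with three deliberate changes: an extra
# privileged account, a new tunnel interface, and the logging host removed.
CURRENT_CONFIG = """\
! constructed current running-config snapshot
hostname edge-rtr-01
username netops privilege 15 secret 0 PLACEHOLDER
username svc-backup privilege 15 secret 0 PLACEHOLDER2
aaa new-model
snmp-server community ro-only RO
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
ip route 0.0.0.0 0.0.0.0 198.51.100.1
"""


if __name__ == "__main__":
    report = check_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    for sign, line in report.sensitive:
        print(f"[REVIEW] {sign} {line}")
    print(f"{len(report.added)} added, {len(report.removed)} removed, "
          f"{len(report.sensitive)} flagged for review")
```

In practice the baseline would come from a change-controlled configuration repository and the current snapshot from a periodic export, so that a device whose only drift is an unreviewed account or tunnel stands out even when no single event in the logs looks alarming.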
At Cheshire Institute, we specialize in navigating the gray space between traditional cybersecurity and real-world national security threats. We assist companies and government partners in identifying, mapping, and neutralizing influence and access operations—before they’re activated.
Salt Typhoon isn’t just a Chinese operation. It’s a preview of what modern state-backed intrusion looks like.