Deep Dive: Critical Communications

Salt Typhoon: How China Compromised the West's Wiretap Infrastructure

The typical framing of a cyber espionage campaign involves the theft of data: source code, personnel files, research documents, commercial plans. Sensitive, certainly. But data with defined boundaries — you can, in principle, understand what was taken and attempt to assess the damage.

The Salt Typhoon campaign, disclosed in October 2024 and continuing to generate intelligence and remediation activity into 2026, does not fit this frame. What was targeted was not data in the conventional sense. It was access to the systems that governments use to watch other people — and the implications of that access are considerably more complex to assess than any data breach.

What Lawful Intercept Systems Are

Every telecommunications carrier in a regulated jurisdiction is required by law to maintain the capability to intercept communications on specific accounts when presented with a valid legal order. In the United States, this obligation is established by the Communications Assistance for Law Enforcement Act (CALEA). In the UK, it falls under the Investigatory Powers Act. Equivalent legislation exists in every EU member state.

The implementation of this requirement varies, but typically involves a dedicated technical capability within the carrier’s network that can capture and route the communications of specific subscribers — calls, SMS, and metadata — to law enforcement or intelligence agencies when authorised to do so.

These systems are, by design, highly sensitive. They process information about ongoing law enforcement and intelligence investigations. The identities of individuals under surveillance — who may include foreign intelligence assets, organised crime suspects, political figures, or national security targets — are typically classified.

The systems are also, in many carriers, old, under-resourced, and connected to infrastructure that was never designed with adversarial access as a threat model. CALEA was passed in 1994. The threat environment of 2024 was not the threat environment the architects of most lawful intercept implementations were designing for.

The Compromise

Salt Typhoon (also tracked as GhostEmperor, FamousSparrow, and Earth Estries) is a Chinese state-sponsored group; US government attribution links it to the Ministry of State Security (MSS). It has been active since at least 2019 and has previously conducted targeted intrusions against Southeast Asian government entities and global telecommunications companies.

The 2024 US campaign is understood to have gained initial access through vulnerabilities in internet-facing network edge equipment: Cisco and Fortinet devices used at the perimeter of major carrier networks. This is consistent with a pattern seen across Chinese APT groups — exploiting known but unpatched vulnerabilities in network infrastructure at the boundary of target organisations.

From the network edge, the group moved laterally through carrier infrastructure over a period of months, eventually reaching the systems that managed lawful intercept capability. The access was not detected through normal security operations; disclosure came through a combination of threat intelligence, FBI investigation, and — in at least one case — a carrier noticing anomalous traffic patterns associated with the group’s command-and-control infrastructure.

Which Carriers Were Affected

Initial reporting from the Wall Street Journal in October 2024 identified AT&T, Verizon, and Lumen Technologies as affected. Subsequent reporting added T-Mobile, Charter Communications, and Consolidated Communications to the list of US carriers with confirmed or potential intrusions. The FBI and CISA briefed Senate Intelligence Committee members that the scope was broader than initially reported.

Outside the United States, European carriers have been identified as targets in subsequent intelligence assessments, though formal attribution and disclosure processes in individual European jurisdictions have moved more slowly. At least two major European carriers are believed to retain active or recently closed Salt Typhoon access, as reported in our earlier flash briefing.

The specific subscribers targeted for lawful intercept access have not been fully disclosed publicly, but reporting has indicated that the intelligence community believes the access was used to monitor Chinese nationals in the US, Chinese-American political donors with connections to the Trump and Harris presidential campaigns, and — most significantly — individuals who were themselves targets of US government surveillance operations.

The Intelligence Value of What Was Accessed

The strategic value of compromising a lawful intercept system is qualitatively different from compromising a database of customer records.

Counter-surveillance. If Chinese intelligence knew which of its operatives, assets, or persons of interest were under US government surveillance, it could alter their behaviour, compromise ongoing operations, and protect active intelligence assets. The damage to US human intelligence operations may be difficult to fully assess for years.

Source and method exposure. Understanding which individuals the US government was surveilling, and through which legal mechanisms, reveals significant information about intelligence priorities, operational tradecraft, and the identities of individuals who cooperated with investigations.

US government personnel. Reports have indicated that phone calls involving senior US government officials — including, reportedly, individuals associated with political campaigns — were accessible. The content of those communications is unknown, but the potential intelligence value is substantial.

Negotiating and diplomatic intelligence. Access to communications metadata and potentially content for individuals involved in US-China diplomatic and commercial negotiations would provide significant advantage in any ongoing interactions.

The Structural Vulnerability

The Salt Typhoon compromise illuminates a structural contradiction at the heart of telecommunications security regulation.

Governments have, quite reasonably, required that telecommunications carriers maintain the technical capability for lawful interception. This is an important investigative tool for law enforcement and national security agencies. But the requirement to maintain that capability — and the technical systems that implement it — creates an attack surface that a determined adversary can target.

The alternative, end-to-end encrypted communication that the carrier cannot read, was and is available for much consumer communication. WhatsApp, Signal, and iMessage with end-to-end encryption are not accessible through traditional lawful intercept mechanisms, at least as far as content is concerned: a carrier-side intercept of such traffic still yields the subscriber's signalling, location, and IP-flow metadata, but not what was said. Government agencies have, for years, been pressing for regulation that would require these platforms to maintain backdoor access. The Salt Typhoon compromise illustrates, more clearly than any policy argument could, the problem with that position: a backdoor for law enforcement is a backdoor for adversaries too.

The Response and What Comes Next

CISA and the FBI have published detailed guidance for telecommunications operators, focusing on network edge security, authentication hardening, and the specific indicators of compromise associated with Salt Typhoon activity.

US Senate hearings following the disclosure produced testimony that revealed the extent to which carrier security teams had, in some cases, been aware of anomalous network activity for periods before reporting to government. The hearings raised questions about carrier disclosure obligations and the adequacy of existing notification requirements.

The FCC has since tightened reporting requirements for telecommunications carriers under cyber incident reporting rules. CISA has expanded its engagement programme with major carriers.

What has not been resolved is the underlying strategic question: how should Western governments think about a world in which a determined adversary can reach the most sensitive systems that carriers operate? The answer requires honest confrontation with the trade-offs between intelligence capability, security architecture, and the limits of what technical measures can achieve when the adversary is patient, well-resourced, and operating on a multi-year timeline.

For Communications Sector Leaders

If you lead or are responsible for a telecommunications carrier, the Salt Typhoon campaign is an instruction manual for where your highest-risk systems are and how they’re being targeted.

The immediate priorities identified in CISA guidance and endorsed by NCSC for UK operators include:

  1. Audit all internet-facing network edge equipment (routers, firewalls, load balancers, VPN concentrators) for the firmware versions and configurations associated with Salt Typhoon access vectors, and for any management interface that is reachable from the internet at all
  2. Implement phishing-resistant MFA (FIDO2 hardware keys or certificate-based authentication) on all management interfaces. SMS-based MFA is unsuitable here twice over: it is vulnerable to SIM swapping, and for a carrier the SMS delivery path runs through the very infrastructure under attack
  3. Ensure that every access to lawful intercept systems (interactive logins, configuration changes, and intercept provisioning) is logged at the management layer, and that those logs are forwarded to a separately segmented environment that LI administrators cannot modify, so that an intruder with LI access cannot also erase the record of it
  4. Conduct a network segmentation review to understand what a lateral movement path from your perimeter to your most sensitive systems looks like, and close the shortest routes
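The segmentation review in item 4 is the one step in this list that reduces to a computation, so it is worth showing. What follows is an added example, not code from this page or from the CISA/NCSC guidance: it models reachability between network zones as a directed graph built from a constructed flow table (every zone, host, and service in it is an assumption made for illustration; in practice the table would come from firewall policy exports or a CMDB), finds the shortest path from internet-facing zones to the lawful intercept zones by breadth-first search, flags the hops a segmentation policy should not permit (management services reachable straight from the perimeter, and entry into the LI zone from anything other than an approved bastion), closes them, and repeats until the shortest remaining path contains no such hop.

```python
"""Lateral-movement path review over a constructed network model.

Added example, not from the page or from CISA/NCSC guidance. Every zone,
host, service and flow below is an assumption constructed for illustration.
"""
from collections import deque

# Constructed allowed-flow table: (source_zone, destination_zone, service).
ALLOWED_FLOWS = [
    ("internet", "edge-router", "ssh"),          # exposed management port
    ("internet", "vpn-concentrator", "ipsec"),
    ("edge-router", "core-mgmt", "ssh"),
    ("vpn-concentrator", "corp-lan", "any"),
    ("corp-lan", "jump-host", "rdp"),
    ("corp-lan", "core-mgmt", "https"),
    ("jump-host", "li-mediation", "https"),
    ("core-mgmt", "li-mediation", "ssh"),        # bypasses the bastion
    ("li-mediation", "li-admin", "https"),
]
PERIMETER = {"internet"}                          # where an intruder starts
CROWN_JEWELS = {"li-mediation", "li-admin"}       # lawful intercept zones
MGMT_SERVICES = {"ssh", "rdp", "https", "any"}    # services that give control
APPROVED_BASTIONS = {"jump-host"}                 # the only sanctioned LI entry


def build_graph(flows):
    """Adjacency list: zone -> [(reachable_zone, service), ...]."""
    graph = {}
    for src, dst, svc in flows:
        graph.setdefault(src, []).append((dst, svc))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, sources, targets):
    """Breadth-first search from any source zone to any target zone.
    Returns the hop list [(src, dst, service), ...] or None if unreachable."""
    queue = deque((s, []) for s in sources)
    seen = set(sources)
    while queue:
        zone, path = queue.popleft()
        if zone in targets:
            return path
        for dst, svc in graph.get(zone, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, path + [(zone, dst, svc)]))
    return None


def risky_hops(path, perimeter, crown_jewels, bastions=APPROVED_BASTIONS):
    """Hops on a path that segmentation policy should not allow:
    a management service reachable directly from the perimeter, or entry
    into a crown-jewel zone from anything other than an approved bastion."""
    risky = []
    for src, dst, svc in path:
        if src in perimeter and svc in MGMT_SERVICES:
            risky.append((src, dst, svc))
        elif dst in crown_jewels and src not in crown_jewels and src not in bastions:
            risky.append((src, dst, svc))
    return risky


def review(flows, perimeter=PERIMETER, crown_jewels=CROWN_JEWELS):
    """Close risky hops on the current shortest perimeter-to-LI path and
    recompute, until the shortest remaining path has none.
    Returns (flows_to_close, remaining_shortest_path_or_None)."""
    remaining = list(flows)
    closed = []
    while True:
        path = shortest_path(build_graph(remaining), perimeter, crown_jewels)
        if path is None:
            return closed, None
        risky = risky_hops(path, perimeter, crown_jewels)
        if not risky:
            return closed, path
        for hop in risky:
            remaining.remove(hop)
            closed.append(hop)


if __name__ == "__main__":
    before = shortest_path(build_graph(ALLOWED_FLOWS), PERIMETER, CROWN_JEWELS)
    print("shortest path before review:", before)
    closed, after = review(ALLOWED_FLOWS)
    print("flows to close:", closed)
    print("shortest path after closure:", after)
```

On the constructed table the first pass finds a three-hop route (internet to edge-router over SSH, then into core management, then straight into the LI mediation zone) and flags both the exposed management port and the bastion bypass. After those two flows are closed the shortest remaining route is four hops and passes through the approved jump host; that remaining route is the one your logging and detection should be watching, since it is the path a patient intruder will eventually be forced onto.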

The carriers that responded most effectively to the 2024 disclosures were those that had already invested in comprehensive network logging and had security teams with sufficient expertise to recognise anomalous patterns in carrier infrastructure. Building that capability, for organisations that don’t yet have it, is the most important long-term investment the sector can make.
