Salt Typhoon — the Chinese state-sponsored threat actor responsible for the 2024 compromise of multiple US telecommunications carriers — retains active access inside at least two major European telecoms networks, according to intelligence assessments shared with European regulators in April 2026.
The original US compromise, disclosed in late 2024, was remarkable not only for its scale but for its target: the lawful intercept systems used by US carriers to provide authorised wiretap access to law enforcement agencies. Salt Typhoon did not break into these systems to steal customer billing data. They targeted the apparatus of surveillance itself.
What Access to Lawful Intercept Means
Every major telecommunications carrier in a regulated jurisdiction operates a lawful intercept capability — a technical system that allows law enforcement and intelligence agencies to access call records, SMS content, and metadata on specific targets under legal authorisation.
Salt Typhoon’s access to these systems means that for a period, Chinese intelligence had visibility into which individuals Western agencies were monitoring, potentially including Chinese nationals, Chinese-American community members, political figures, and sensitive intelligence sources.
The implications are serious and long-lasting. Even after the access is closed, intelligence about who was under surveillance — and therefore what Western agencies knew — cannot be un-shared. Sources and methods may have been compromised in ways that will take years to fully assess.
The European Dimension
The two European carriers affected have not been publicly named. Both have been notified through appropriate channels and are working with national intelligence agencies and ENISA on remediation. The access is believed to have been established through the same class of weakness exploited in the US campaign: known but unpatched vulnerabilities in internet-facing network edge equipment.
Telecoms operators in Europe should treat this as a strong signal that Salt Typhoon’s operational reach extends beyond the US, and that lawful intercept systems are an active target class.
What Telecoms Boards Should Ask
Senior leadership and boards at telecoms operators should be asking their CISO:
- Have all network edge devices — particularly those adjacent to or involved in lawful intercept infrastructure — been audited for the indicators of compromise associated with Salt Typhoon?
- Is access to lawful intercept systems logged, and are those logs stored in an environment separate from the main carrier network?
- Have you received — and acted on — the confidential briefings available through NCSC and NCA for operators in this sector?
The compromises disclosed so far suggest that the initial intrusion in each case used legitimate but unpatched management interfaces. Patch management at the network edge remains the primary defensive action available.