On December 27, 2024, CISA and the FBI jointly confirmed that the People's Republic of China state-sponsored group tracked as Salt Typhoon had compromised at least nine U.S. telecommunications providers, including AT&T, Verizon, Lumen, and T-Mobile. The campaign, first disclosed by the Wall Street Journal in October 2024, gave operators persistent access to lawful intercept (CALEA) systems and metadata for more than one million subscribers, with targeted collection against officials in the 2024 presidential campaigns. By early January 2025, Deputy National Security Advisor Anne Neuberger described the intrusion as "ongoing" and admitted full eviction could take months. For defenders, the incident is a case study in how edge network appliances, aging management planes, and shared multi-tenant infrastructure collapse into a single blast radius.
Who is Salt Typhoon and how did they get in?
Salt Typhoon (also tracked as GhostEmperor, Earth Estries, and UNC2286) is a PRC-aligned cluster active since at least 2020. Microsoft and Mandiant attribute initial access in this campaign to exploitation of unpatched Cisco IOS XE devices via CVE-2023-20198 (the October 2023 Web UI privilege escalation, CVSS 10.0) and CVE-2023-20273 (command injection). Investigators also observed abuse of stolen administrator credentials on Fortinet FortiGate and Ivanti Connect Secure appliances. Once on the edge, the actor pivoted into provider management VLANs and modified router ACLs to tunnel GRE traffic to attacker-controlled IPs.
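Because the initial access described above ran through the IOS XE Web UI, the first thing a defender wants is a repeatable way to tell, from a configuration dump, whether a device even exposes that surface. The following audit script is an added example (not from the page, and not Cisco tooling): it takes the text of `show running-config`, reports whether the HTTP/HTTPS server is enabled, whether an `ip http access-class` restriction is present, and whether `archive log config` logging is on. The two sample configurations and the hostname/ACL names in it are constructed for illustration.

```python
"""Audit a Cisco IOS XE running-config for Web UI exposure.

Added example (not from the page or from Cisco). Works on a plain-text dump
of `show running-config`; the two configs below are constructed samples.
"""
import re

# Constructed sample: Web UI enabled but restricted to a management ACL,
# and no configuration-change logging.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
!
"""

# Constructed sample: Web UI disabled outright, config-change logging enabled.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
"""

# `ip http access-class <acl>` (legacy numbered form) or `ip http access-class ipv4 <name>`
ACCESS_CLASS_RE = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)\s*$", re.M)

# `logging enable` nested under `archive` / `log config`
CONFIG_LOGGING_RE = re.compile(
    r"^archive\s*\n\s+log config\s*\n(?:\s+.*\n)*?\s+logging enable\s*$", re.M
)


def _has_line(text, line):
    """True if `line` appears as a whole config line (so 'no ip http server' does not match)."""
    return re.search(r"^" + re.escape(line) + r"\s*$", text, re.M) is not None


def audit_web_ui(config_text):
    """Return a dict describing Web UI exposure and config-change logging state."""
    http = _has_line(config_text, "ip http server")
    https = _has_line(config_text, "ip http secure-server")
    m = ACCESS_CLASS_RE.search(config_text)
    access_class = m.group(1) if m else None
    config_logging = CONFIG_LOGGING_RE.search(config_text) is not None

    if not (http or https):
        verdict = "ok-disabled"        # no Web UI listener at all
    elif access_class:
        verdict = "restricted"         # listener up, but gated by an ACL
    else:
        verdict = "exposed"            # listener up with no source restriction

    return {
        "http_server": http,
        "https_server": https,
        "access_class": access_class,
        "config_logging": config_logging,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_ui(cfg))
```

A `restricted` verdict is not a clean bill of health: the ACL only limits who can reach the listener, so devices that must keep the Web UI should still be prioritised for patching, and an `exposed` verdict on an internet-facing interface is the case the advisories told operators to fix first.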
What did the attackers actually access?
They accessed wiretap provisioning systems, call detail records (CDRs), and raw voice traffic for selected targets. According to the joint CISA/NSA/FBI advisory published December 3, 2024, affected providers detected unauthorized queries against CALEA lawful-intercept gateways, as well as bulk exfiltration of metadata tables. In at least two carriers, the actor enabled packet capture on core routers and siphoned unencrypted SMS between high-value targets. End-to-end encrypted Signal and iMessage content remained out of reach, which is why CISA's December 18 guidance urged officials to switch off SMS-based MFA entirely.
How long were they inside?
Persistence predates the October 2024 disclosure by more than a year. Microsoft Threat Intelligence telemetry shows first-seen indicators for Salt Typhoon tooling on U.S. carrier infrastructure dating to August 2023. Dwell times per carrier ranged from 8 to 20 months. Evidence of "living off the land" is extensive: the actor used legitimate network utilities (tftp, scp, netconf) rather than custom malware, and rotated through compromised SOHO routers — the same botnet infrastructure dismantled by the FBI under court order in January 2024 — as jump hosts.
Why did existing monitoring miss this?
Most carrier SIEMs do not ingest router management-plane logs at sufficient fidelity. A Cisco IOS XE device with archive log config logging disabled does not record individual configuration commands, so changes never reach a central collector. Combined with ACL modifications that whitelist attacker IP ranges and syslog suppression rules, the attacker can operate without triggering NetFlow anomaly detections. The 2024 Verizon DBIR had already flagged edge device exploitation as the fastest-growing vector (up 180% year-over-year); Salt Typhoon confirmed that thesis at scale.
! Minimum IOS XE logging baseline carriers should enforce
archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
  hidekeys
!
! Assumed collector: replace <SYSLOG-COLLECTOR-IP> with the out-of-band syslog host
logging host <SYSLOG-COLLECTOR-IP>
logging trap informational
!
ip access-list extended MGMT-ACL-AUDIT
 remark Alert on any modification
 ! the log keyword emits a syslog record for every matching packet
 permit ip any any log
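Once `archive log config` logging is on, every configuration command arrives at the collector as a `%PARSER-5-CFGLOG_LOGGEDCMD` message, and each config-mode session ends with a `%SYS-5-CONFIG_I` line naming the user, the VTY and the source address. The script below is an added example (not from the page or from any vendor) of the detection logic a carrier SOC would run over those lines: it flags syslog tampering, ACL edits, tunnel-interface changes and configuration sessions from outside the management range. The sample syslog lines, the user names, the addresses and the trusted management prefix are all constructed; the message formats are the ones IOS XE emits.

```python
"""Flag management-plane tampering in IOS XE config-change syslog.

Added example, not from the page. Sample lines, users, addresses and the
trusted management prefix are constructed; message formats match IOS XE.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: one benign session by "netops", then a session by
# "svc_backup" from an address outside the management range.
SAMPLE_SYSLOG = [
    "<189>Oct 12 03:14:07.221 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet0/0/0",
    "<189>Oct 12 03:14:09.305 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:ip access-list extended MGMT-ACL-AUDIT",
    "<189>Oct 12 03:14:11.010 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:permit ip 203.0.113.0 0.0.0.255 any",
    "<189>Oct 12 03:14:20.442 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:no logging host 192.0.2.10",
    "<189>Oct 12 03:15:02.118 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:interface Tunnel100",
    "<189>Oct 12 03:15:03.500 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:tunnel mode gre ip",
    "<189>Oct 12 03:15:05.000 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:svc_backup  logged command:tunnel destination 203.0.113.77",
    "<189>Oct 12 03:16:00.000 UTC: %SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (203.0.113.5)",
]

# Assumption: the carrier's out-of-band management prefix (constructed value).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.+)$"
)
CONFIG_I_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[\d.]+)\)"
)


def classify_command(cmd):
    """Map a logged config command to a detection rule name, or None if benign."""
    c = cmd.strip().lower()
    # Removing log destinations, disabling the archive, or adding a discriminator
    # (a syslog filter) all reduce what the collector sees.
    if c.startswith(("no logging", "no archive", "logging discriminator")):
        return "logging-tamper"
    # Any edit to an access list, including individual permit/deny entries.
    if c.startswith(("ip access-list", "ipv6 access-list", "access-list",
                     "permit ", "deny ", "no permit", "no deny")):
        return "acl-change"
    # Tunnel interfaces and tunnel mode/destination changes (GRE among them).
    if c.startswith(("interface tunnel", "tunnel ")):
        return "tunnel-change"
    return None


def analyze(lines):
    """Return a list of alert dicts for the suspicious events in `lines`."""
    alerts = []
    for line in lines:
        m = CFGLOG_RE.search(line)
        if m:
            rule = classify_command(m.group("cmd"))
            if rule:
                alerts.append({"rule": rule, "user": m.group("user"),
                               "detail": m.group("cmd").strip()})
            continue
        m = CONFIG_I_RE.search(line)
        if m:
            src = ipaddress.ip_address(m.group("src"))
            if not any(src in net for net in TRUSTED_MGMT_NETS):
                alerts.append({"rule": "untrusted-source", "user": m.group("user"),
                               "detail": f"{m.group('line')} from {src}"})
    return alerts


def summarize(alerts):
    """Count alerts per rule, which is what a SIEM correlation rule would key on."""
    return dict(Counter(a["rule"] for a in alerts))


if __name__ == "__main__":
    found = analyze(SAMPLE_SYSLOG)
    for a in found:
        print(f"{a['rule']:17} {a['user']:12} {a['detail']}")
    print(summarize(found))
```

The value of the `CONFIG_I` check is that it needs no knowledge of the commands: a configuration session from an address outside the management range is worth an alert on its own, and correlating it with `logging-tamper` in the same session turns a low-priority event into one that should page someone.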
What should carriers and regulated enterprises do now?
Six concrete actions. First, force-rotate all credentials on edge network gear and assume every RADIUS/TACACS+ secret used before October 2024 is burned. Second, verify image integrity with Cisco's secure boot attestation and Fortinet's FGFM hash registry. Third, implement out-of-band management with hardware-enforced separation between CALEA systems and commercial traffic. Fourth, enroll lawful intercept mediation devices in a dedicated PKI with short-lived certificates. Fifth, subscribe to the FCC's proposed CALEA cybersecurity rules (NPRM FCC 25-1, filed January 2025) that mandate annual third-party penetration tests. Sixth, build an SBOM for every network appliance so that the next Cisco or Fortinet zero-day does not trigger another 48-hour inventory scramble.
How Safeguard Helps
Safeguard maps network appliance firmware into SBOMs and cross-references them against CISA KEV and vendor advisories, so a CVE-2023-20198-class disclosure surfaces every affected device in minutes rather than days. Griffin AI performs reachability analysis on management-plane exposure, telling you which IOS XE devices have the Web UI reachable from untrusted networks versus segmented ones. TPRM workflows continuously score upstream carriers and managed service providers against the CISA Secure by Design pledge, flagging vendors who miss patching SLAs. Policy gates block deployments that embed network images below a minimum patch baseline, and ingest VEX statements from Cisco, Juniper, and Fortinet to suppress non-exploitable findings — giving incident responders a clean, prioritized view while the Salt Typhoon eviction continues.