Threat Intelligence

Salt Typhoon Telecom Supply Chain Campaign 2024

Salt Typhoon's 2024 intrusions into U.S. telecoms reframed supply chain risk as a routing and lawful-intercept problem. Here is what the campaign looked like from a defender's seat.

Shadab Khan
Security Engineer
7 min read

What is Salt Typhoon and why did 2024 put the group on every CIO's radar?

Salt Typhoon is a People's Republic of China-nexus intrusion set that Microsoft, Mandiant, and the U.S. government began publicly discussing in late 2024 after a series of intrusions into major U.S. telecommunications providers. The group is also tracked by different vendors under overlapping names including GhostEmperor and FamousSparrow, though attribution overlaps are imperfect. By the time CISA, the FBI, NSA, and partners released Joint Cybersecurity Advisory AA24-352A in December 2024, the scope had grown from "some telcos" to "broad and significant compromise" across U.S. and allied provider networks, affecting call records and, in some cases, the systems used to service court-ordered lawful intercept requests.

The reason this matters for supply chain defenders is that the telecom backbone is itself a supply chain. The routing, DNS, voicemail, SMS, and metadata services that customers assume to be neutral are increasingly a target because of who they talk to, not because of what they contain.

What did the campaign actually compromise?

Answer first: edge network infrastructure at multiple U.S. carriers, pivoting to customer metadata and lawful-intercept management systems.

Publicly, the U.S. government has said the following, consistent across the joint CISA/FBI statement of October 2024, the December 2024 AA24-352A advisory, and Senate briefings summarized by reporters:

  • Salt Typhoon gained access to networks at several large U.S. telecom carriers, including providers publicly named in press reporting such as AT&T, Verizon, Lumen, and T-Mobile.
  • The access included routers, including Cisco edge devices, and in some cases equipment operated on behalf of carriers by third parties.
  • The attackers accessed call detail records (CDRs) for targeted individuals, including people in U.S. government and political positions.
  • In certain environments, the attackers accessed systems supporting CALEA lawful-intercept functions, which is the legal wiretap plumbing in U.S. carriers.

The CISA advisory explicitly recommends hardening edge network devices, reducing management plane exposure, enforcing out-of-band management, and logging configuration changes. It reads as guidance written from direct incident response experience.

How did Salt Typhoon get in?

Public detail is partial but consistent. Microsoft Threat Intelligence, Mandiant reporting through late 2024, and CISA guidance point to three overlapping initial access patterns:

  1. Exploitation of unpatched edge devices. Edge routers, firewalls, and VPN appliances that run vendor firmware and sit at the perimeter with management interfaces exposed. Specific CVEs have been referenced in press reporting, though attribution of any specific exploit to Salt Typhoon versus another group is not always clean.
  2. Living-off-the-land on network infrastructure. Once on a router, the operators used vendor-supplied tooling and legitimate management protocols (SSH, NETCONF, SNMP) to expand laterally. Little custom malware was needed, because the devices themselves are general-purpose compute with built-in packet-capture and traffic-mirroring features that double as network taps.
  3. Credential reuse across operational support systems. Telecom carriers run dense BSS/OSS stacks and provisioning portals with long-lived service accounts. Salt Typhoon appears to have harvested and reused these to reach lawful-intercept and CDR systems.

No single zero-day explains the campaign. It is a patient exploitation of the management plane of the telecom edge.
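The three patterns above leave a recognizable trail in TACACS+ command accounting, which every carrier edge device should already be shipping to a central collector. The Python below is an added example written for this article, not code from the advisory or from any vendor. It parses constructed accounting records (the syslog-like line format, the `pe-edge-*` hostnames, the 10.250.1.0/24 out-of-band prefix and the fan-out thresholds are all assumptions) and flags CLI sessions from outside the out-of-band network, commands that change mirroring, SNMP, AAA, ACLs, logging or boot images, and one account touching several devices inside a short window, which is the shape of harvested service-account reuse.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed TACACS+ command-accounting records, rendered as syslog-style lines.
# Illustrative samples only: not logs from any real carrier or from the advisory.
SAMPLE_RECORDS = """\
2024-11-02T03:14:05Z pe-edge-01 tacacs: user=netops-svc src=10.250.1.20 cmd="show ip route"
2024-11-02T03:14:40Z pe-edge-01 tacacs: user=netops-svc src=10.250.1.20 cmd="configure terminal"
2024-11-02T03:15:02Z pe-edge-01 tacacs: user=netops-svc src=203.0.113.77 cmd="configure terminal"
2024-11-02T03:15:09Z pe-edge-01 tacacs: user=netops-svc src=203.0.113.77 cmd="monitor session 7 source interface TenGigabitEthernet0/0/3 rx"
2024-11-02T03:15:15Z pe-edge-01 tacacs: user=netops-svc src=203.0.113.77 cmd="monitor session 7 destination interface TenGigabitEthernet0/0/8"
2024-11-02T03:16:01Z pe-edge-02 tacacs: user=netops-svc src=203.0.113.77 cmd="show running-config"
2024-11-02T03:16:30Z pe-edge-03 tacacs: user=netops-svc src=203.0.113.77 cmd="snmp-server community public RW"
2024-11-02T03:17:12Z pe-edge-04 tacacs: user=netops-svc src=203.0.113.77 cmd="show version"
2024-11-02T09:00:00Z pe-edge-01 tacacs: user=jdoe src=10.250.1.31 cmd="show interfaces"
"""

# Assumed out-of-band management prefix: any CLI session from elsewhere is suspect.
OOB_MGMT_NETS = [ip_network("10.250.1.0/24")]

# Commands that change what a router can see or who can reach it. Mirroring is the
# one called out for Salt Typhoon; the rest cover credentials, ACLs, logging and images.
RISKY_CMD_PATTERNS = [
    (re.compile(r"^monitor session\b"), "traffic mirroring changed"),
    (re.compile(r"^snmp-server community\b"), "SNMP community string set"),
    (re.compile(r"^(username|aaa|tacacs-server|radius-server)\b"), "AAA or credential change"),
    (re.compile(r"^(ip )?access-list\b|^ip access-group\b"), "ACL changed"),
    (re.compile(r"^(no )?logging host\b"), "remote logging changed"),
    (re.compile(r"^(boot system|copy (tftp|ftp|http|https|scp):)"), "boot image or file transfer"),
]

RECORD_RE = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) tacacs: user=(?P<user>\S+) '
    r'src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$'
)

FANOUT_DEVICES = 3                      # one account on this many distinct devices ...
FANOUT_WINDOW = timedelta(minutes=10)   # ... inside this window looks like harvested reuse


def parse_records(text):
    """Parse accounting lines; unrelated syslog noise is skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def analyze(records):
    """Return (kind, device, user, src, detail) tuples for the three patterns above."""
    findings = []
    for rec in records:
        src = ip_address(rec["src"])
        if not any(src in net for net in OOB_MGMT_NETS):
            findings.append(("mgmt_outside_oob", rec["device"], rec["user"], rec["src"], rec["cmd"]))
        for pattern, label in RISKY_CMD_PATTERNS:
            if pattern.search(rec["cmd"]):
                findings.append(("risky_command", rec["device"], rec["user"], rec["src"], label))
                break

    # Credential fan-out: one account touching many devices in a short window.
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)
    for user, recs in by_user.items():
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if r["ts"] - first["ts"] <= FANOUT_WINDOW]
            devices = sorted({r["device"] for r in window})
            if len(devices) >= FANOUT_DEVICES:
                sources = sorted({r["src"] for r in window})
                findings.append(("credential_fanout", ",".join(devices), user,
                                 ",".join(sources), f"{len(devices)} devices in {FANOUT_WINDOW}"))
                break   # one alert per account is enough
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_records(SAMPLE_RECORDS)):
        print(*finding, sep=" | ")
```

The out-of-band check is the highest-signal rule: on a correctly segmented network every legitimate CLI session originates from the management prefix, so a single hit is worth a page. The fan-out rule is noisier (automation accounts legitimately touch many devices), so tune the threshold per account or exempt known orchestrators.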

Why is this a supply chain story, not just a telecom story?

Because the product of a telecom is its role in everyone else's supply chain. When a telco's lawful-intercept system is accessible to a foreign service, the compromise follows every call, SMS, and metadata event that transits that carrier. Enterprises and governments that never contracted with any of the named carriers are nevertheless exposed, because their traffic rides the same rails. Mandiant and Microsoft have both framed the campaign as intelligence collection, not disruption, but the supply chain implications are structural: we outsource routing, metadata, and some authentication to carriers, and when those carriers are compromised, every downstream customer inherits the exposure.

The same logic applies to enterprise supply chain defenders thinking about their own telco vendors. An MSP that operates your SD-WAN, an MVNO that terminates your corporate voice, a CPaaS that sends your MFA codes - each is in scope for a Salt Typhoon-adjacent threat model.

What does CISA advise after AA24-352A?

The joint advisory AA24-352A, released by CISA, FBI, NSA, CSE, ASD, NCSC-NZ, and NCSC-UK, contains concrete actions. The ones that matter most for supply chain defenders:

  • Harden management plane. No internet-exposed SSH, NETCONF, SNMP, or REST admin on edge devices. Use out-of-band networks where feasible.
  • Strict device firmware inventory. Know exactly which firmware is running on every router, switch, and appliance. Detect tampered images through cryptographic verification, not just version strings.
  • Configuration integrity monitoring. Track ACLs, route-maps, SPAN/RSPAN, ERSPAN, and any mirroring configuration. Salt Typhoon is known to manipulate mirroring to extract traffic.
  • Identity hygiene on network gear. No shared accounts, no static SNMP community strings, TACACS+ or RADIUS with MFA where supported.
  • Centralized, tamper-resistant logging. Device logs exfiltrated to a platform the attackers cannot reach from the compromised device.
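Most of the bullets above reduce to questions you can ask of a running config. The Python below is an added example, not tooling from the advisory or from any vendor. It audits a constructed Cisco IOS-style config (both excerpts and all addresses are invented) against a known-good baseline: it hashes the normalized config for tamper-evidence, lists added and removed blocks, and applies baseline-independent checks for mirroring sessions (SPAN/ERSPAN) and their destinations, SNMPv1/v2c community strings, vty lines that accept anything other than SSH or lack an access-class, and the absence of a remote syslog target. Firmware verification, the one bullet it does not cover, is the same idea applied to the image file: compare a SHA-256 of the running image with the vendor's published digest rather than trusting the version string.

```python
import hashlib

# Constructed baseline (known-good) and current running-config excerpts in Cisco
# IOS style. Illustrative only; not any real carrier's configuration.
BASELINE_CONFIG = """\
hostname pe-edge-01
snmp-server group NETMON v3 priv
snmp-server host 10.250.1.50 version 3 priv netmon-user
logging host 10.250.1.60
ip access-list standard MGMT-ONLY
 permit 10.250.1.0 0.0.0.255
 deny   any log
line vty 0 4
 transport input ssh
 access-class MGMT-ONLY in
 login authentication TACACS
"""

CURRENT_CONFIG = """\
hostname pe-edge-01
snmp-server community public RO
snmp-server group NETMON v3 priv
snmp-server host 10.250.1.50 version 3 priv netmon-user
ip access-list standard MGMT-ONLY
 permit 10.250.1.0 0.0.0.255
 permit 203.0.113.0 0.0.0.255
 deny   any log
monitor session 7 type erspan-source
 source interface TenGigabitEthernet0/0/3 rx
 destination
  erspan-id 7
  ip address 198.51.100.9
line vty 0 4
 transport input all
 login authentication TACACS
"""


def parse_blocks(text):
    """Group an IOS-style config into (top-level command, [indented sub-lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                          # blank lines and comments carry no state
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def canonical(block):
    head, children = block
    return "\n".join([head] + [" " + c for c in children])


def config_digest(text):
    # Hash the normalized blocks, so comment or whitespace noise never masks a real change.
    norm = "\n".join(canonical(b) for b in parse_blocks(text))
    return hashlib.sha256(norm.encode()).hexdigest()


def diff_blocks(baseline_text, current_text):
    base = {canonical(b) for b in parse_blocks(baseline_text)}
    cur = {canonical(b) for b in parse_blocks(current_text)}
    return sorted(cur - base), sorted(base - cur)   # (added, removed)


def policy_checks(text):
    """Findings that hold without a baseline: mirroring, v2c SNMP, open vty, no syslog."""
    findings, has_remote_log = [], False
    for head, children in parse_blocks(text):
        if head.startswith("monitor session"):
            dest = [c for c in children if c.startswith(("destination ", "ip address "))]
            findings.append(("mirroring", f"{head}: {'; '.join(dest) or 'destination not set'}"))
        elif head.startswith("snmp-server community"):
            findings.append(("snmp_v2c_community", head))
        elif head.startswith("logging host"):
            has_remote_log = True
        elif head.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(("vty_transport", f"{head}: {transport[0] if transport else 'transport input not restricted'}"))
            if not any(c.startswith("access-class") for c in children):
                findings.append(("vty_no_access_class", head))
    if not has_remote_log:
        findings.append(("no_remote_logging", "no 'logging host' configured"))
    return findings


def audit(baseline_text, current_text):
    added, removed = diff_blocks(baseline_text, current_text)
    return {"baseline_digest": config_digest(baseline_text),
            "current_digest": config_digest(current_text),
            "added": added, "removed": removed,
            "findings": policy_checks(current_text)}


if __name__ == "__main__":
    report = audit(BASELINE_CONFIG, CURRENT_CONFIG)
    print("digest changed:", report["baseline_digest"] != report["current_digest"])
    print("removed:", report["removed"], "\nfindings:", report["findings"])
```

Run the digest on every config pull and alert when it changes outside a change window; the added/removed diff tells the responder exactly what moved (here a new ERSPAN session pointing off-box, a widened management ACL, a dropped syslog target and a vty opened to all transports), while the policy checks catch a bad baseline on day one.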

The advisory also nudges carriers and critical infrastructure owners toward adoption of memory-safe languages and post-quantum key exchange over the coming years, reflecting a longer view on the telecom attack surface.

How does Salt Typhoon's tradecraft compare to Volt Typhoon?

They are sibling concerns but not interchangeable. Microsoft and Mandiant describe Volt Typhoon as a PRC-aligned group focused on pre-positioning in U.S. critical infrastructure for potential disruptive use in a contingency, heavily documented in CISA's AA23-144A advisory and the February 2024 update AA24-038A. Volt Typhoon's tradecraft is dominated by living-off-the-land binaries on Windows hosts in energy, water, and transportation networks.

Salt Typhoon in 2024 looks more like classical signals intelligence: collect on routing infrastructure, focus on CDR and lawful-intercept access, be specific about which mailboxes and phone numbers are of interest. Both operate at the edge, both are patient, and both exploit the same structural problem: edge devices and OT-adjacent systems have historically been under-instrumented compared with endpoint and cloud.

Defenders should not assume that preparing for one prepares for the other. A Volt Typhoon-ready program that ignores network device integrity and the trust relationships between SBC, IMS, and provisioning systems is not a Salt Typhoon-ready program.

What should enterprise supply chain defenders change now?

  • Inventory your carriers as vendors. Each voice, SMS, SD-WAN, and CPaaS provider should be on your TPRM list with specific questions about edge device firmware posture, CALEA exposure, and out-of-band management practices.
  • Demand attestation on network device integrity. Your telecom and MSP vendors should be able to articulate how they detect image tampering and configuration drift.
  • Reduce what crosses untrusted telcos in cleartext. MFA codes over SMS, voice channels for sensitive calls, and unencrypted SIP trunks are all places where a carrier-layer compromise leaks into your environment.
  • Plan for metadata compromise. Even if content is end-to-end encrypted, call and message metadata rides on carrier infrastructure. Assume metadata leakage as part of your threat model for executive and political exposure.
  • Rehearse the "our carrier was breached" incident. Who do you call? What do you rotate? Which customers do you notify? Salt Typhoon-class events are now part of the tabletop canon.

What is the 2026 outlook for Salt Typhoon and adjacent groups?

Public reporting through 2025 indicates the group remained active, with Microsoft and Mandiant noting continued interest in telecom networks outside the U.S. and in adjacent service providers. The broader picture is that PRC-nexus actors have invested in the telecom edge as a durable collection platform and are unlikely to retreat from it. Expect continued pressure on edge firmware, continued exploitation of management plane exposure, and continued focus on vendors that sit inside the lawful-intercept perimeter.

The defensive read: supply chain risk in telecom is infrastructure risk, and infrastructure risk needs the same SBOM-grade rigor we apply to application dependencies.

How Safeguard.sh Helps

Safeguard.sh treats your telecom, MSP, and CPaaS relationships as part of your software supply chain, not a separate silo. Our Eagle detection surface correlates firmware intelligence, vendor posture signals, and edge-device exposure indicators against campaign markers tied to Salt Typhoon-class tradecraft. Our zero-day pipeline flags exploited edge-appliance CVEs that show up in your TPRM inventory before the CISA advisory lands, SBOM lineage tracks which vendor firmware versions are running where, and Griffin AI remediation produces prioritized, carrier-specific hardening playbooks so security engineers can close management-plane and mirroring gaps without drowning in telco-specific tribal knowledge.
