When Telecoms Turn into Trojan Horses: Inside Salt Typhoon’s Deep Espionage

  • Writer: Joseph Assaf Turner
  • Jul 21
  • 5 min read

An alarming deep dive into China’s MSS-linked APT that has infiltrated the world’s backbone networks

What If Your Provider Was Spying on You?

Imagine picking up your phone to make a simple call—yet behind the scenes, a hidden adversary is silently harvesting every metadata packet, every timestamp, every routing detail. Worse yet, in some cases, even the actual voice recordings are being siphoned away. This is not science fiction. It is Salt Typhoon, a Ministry of State Security (MSS)–linked advanced persistent threat (APT) group that has quietly weaponized global telecommunications infrastructure for espionage and covert operations.


1. A Dual-Front Audience: Why C-Suite and Policy Makers Must Wake Up

You are reading this because you shape decisions—either by securing your enterprise’s networks or by writing policies that govern them. Salt Typhoon’s campaigns have critical implications on two fronts:

  1. Enterprise Risk: C-suite executives and CISOs must recognize that telecom providers—long considered trusted lanes for enterprise traffic—can become espionage vectors.

  2. Regulatory Gaps: Policy makers must understand that existing frameworks often focus on audit checklists but can miss advanced techniques like living-off-the-land binaries and rootkits buried in network devices.

Whether you allocate budgets for next-gen detection, or you draft the next telecom security mandate, you cannot afford to ignore this threat.


2. Salt Typhoon Unveiled: Who They Are and What Makes Them Dangerous

Affiliation and Aliases

  • Salt Typhoon is widely attributed to China’s Ministry of State Security (MSS).

  • Researchers have also tracked this actor under names such as UNC2286, GhostEmperor, Earth Estries, and FamousSparrow. These aliases reflect overlapping reporting by different cybersecurity vendors.

Organizational Sophistication

  • Highly structured with specialized teams for initial access, lateral movement, persistence, and exfiltration.

  • Operations span timezones and sectors, indicating state-level coordination rather than opportunistic cybercrime.

Primary Motives

  • Espionage: Theft of wiretap data, call metadata, and strategic communications of government and defense stakeholders.

  • Preparation for Disruption: Footprinting critical infrastructure suggests intent to stage disruptive attacks during geopolitical crises.


3. Campaign Highlights: From U.S. Telecom Giants to Army National Guard

3.1 U.S. Telecommunications Breaches

  • Targets: Major carriers including Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream.

  • Tactics: Exploitation of Cisco IOS XE devices (notably via CVE-2023-20198) to access the lawful intercept systems used for CALEA operations.

  • Impact: Metadata exfiltration (timestamps, call source/destination) and, in some cases, actual audio recordings of VIP conversations.

3.2 Breach of the Army National Guard Network

  • Scope: In 2024, Salt Typhoon infiltrated a U.S. state’s Army National Guard, stealing configuration files, administrator credentials, and inter-state data exchanges.

  • Broader Risk: This breach weakened inter-agency cyber-response capabilities, leaving state networks exposed to follow-on attacks.

3.3 Canadian Telecom Compromise

  • Warning Issued: In mid-2025, Canada’s Centre for Cyber Security and the FBI alerted providers that Salt Typhoon was exploiting CVE-2023-20198 in Cisco IOS XE to create persistent GRE tunnels for data theft.

  • Tech Detail: By harvesting device configurations, the group established stealthy C2 channels that flew under typical network-monitoring radars.


4. The Shadow Arsenal: Tools, Techniques, and CVEs

Salt Typhoon wields a sophisticated toolkit designed for stealth and long-term access. Below is a deep dive into their most notorious weapons:

  • GhostSpider Backdoor: Custom backdoor enabling remote code execution and data staging.

  • Demodex Rootkit: Kernel-level stealth rootkit that hides malicious modules and network hooks.

  • Living-Off-the-Land Binaries: Abuse of signed system tools (e.g., PowerShell, WMI) to execute payloads without dropping files.

  • Credential Harvesting: Extraction of admin credentials and network diagrams from memory and file stores.

  • Network Exploits (CVE List): CVE-2023-20198 (Cisco IOS XE), CVE-2023-46805/21887 (Ivanti VPN), CVE-2023-48788 (Fortinet EMS), etc.

  • GRE Tunnels for Exfiltration: Persistent, encrypted tunnels to siphon data back to overseas C2 infrastructure.

  • Spear-Phishing Campaigns: Targeted e-mails with tailored payloads to key personnel, initiating the kill chain.
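As an added defender-side example (not code from the original post or from Maya Security), the following Python script reviews a Cisco IOS XE running-config for GRE tunnel interfaces whose destination is not an approved peer, the persistence pattern described in Sections 3.3 and 4 above. The config excerpt, the peer allowlist and the internal address ranges are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of a "show running-config"; not taken from any real device.
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.200.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 10.20.30.40
!
interface Tunnel77
 ip address 172.16.254.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
"""

# Assumed allowlist of tunnel peers from the provider's change records,
# and the address space the provider treats as internal (both constructed).
KNOWN_TUNNEL_PEERS = {"10.20.30.40"}
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]


def parse_tunnels(config):
    """Return (interface, destination, mode) for each Tunnel interface.
    IOS XE tunnels default to GRE when no 'tunnel mode' line is present."""
    tunnels = []
    for block in re.split(r"^!\s*$", config, flags=re.M):
        name = re.search(r"^interface (Tunnel\d+)", block, re.M)
        if not name:
            continue
        dest = re.search(r"^\s*tunnel destination (\S+)", block, re.M)
        mode = re.search(r"^\s*tunnel mode (\S+)", block, re.M)
        tunnels.append((name.group(1),
                        dest.group(1) if dest else None,
                        mode.group(1) if mode else "gre"))
    return tunnels


def suspicious_tunnels(config, known_peers=KNOWN_TUNNEL_PEERS):
    """Flag GRE tunnels whose destination is not an approved peer."""
    findings = []
    for name, dest, mode in parse_tunnels(config):
        if mode != "gre" or dest is None or dest in known_peers:
            continue
        try:
            external = not any(ip_address(dest) in net for net in INTERNAL_RANGES)
        except ValueError:  # hostname or unparsable destination: treat as external
            external = True
        reason = "unknown peer" + (", external address" if external else "")
        findings.append((name, dest, reason))
    return findings
```

Run it against a config pulled on a schedule and diff the findings over time; a tunnel that appears without a matching change record is the signal worth escalating.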


5. Why Deep Technical Vigilance Beats Check-the-Box Compliance

Salt Typhoon’s success hinges on living off the land, exploiting zero-days, and burying rootkits—tactics that elude simple checklist audits. Here is why your security posture must evolve:

  1. Beyond Patch Management Alone

    • While timely patching of known CVEs (e.g., Cisco IOS XE, Ivanti VPN) is critical, zero-day exploits still give Salt Typhoon an opening.

    • You need proactive threat hunting and anomaly detection across both IT and OT networks.

  2. Holistic Visibility

    • Traditional telemetry focuses on firewall logs and signature-based alerts. Rootkits and LOLBIN attacks bypass these controls.

    • Deploy endpoint detection and response (EDR) with kernel-level monitoring to spot Demodex-style persistence.

  3. Red-Team Your Own Provider

    • Regularly simulate attacks against your telecom provider interfaces.

    • Validate that lawful intercept channels and network devices are tightly controlled and monitored.

  4. Cross-Sector Collaboration

    • Salt Typhoon’s multi-jurisdictional reach demands federated incident response.

    • Share IOCs and TTPs with industry ISACs and law enforcement under NDA to stay ahead of emerging variants.


6. Policy Imperatives: What Regulators Must Mandate

For policy makers shaping telecom security regulations, here are non-negotiable requirements:

  • Mandatory Annual Red-Team Exercises: Providers must demonstrate resilience against APT-style attacks, including phishing and network device exploits.

  • Encrypted Intercept Logging: All lawful intercept systems must log to a tamper-proof, third-party audit server to prevent backdoor infiltration.

  • Zero-Trust Segmentation: Intercept infrastructure should be isolated in its own trust zone with multi-factor authentication and micro-segmentation controls.

  • Threat Intel Sharing Mandates: Enforce fast-track channels for providers to share TTPs of state-linked actors with government CERTs.

  • Implementation Flexibility: The required controls can either be implemented by the telecom provider or by the regulator as peripheral national controls.

These reforms will harden the entire ecosystem, ensuring Salt Typhoon and its ilk cannot slip through regulatory cracks.


7. The Human Factor: Training, Simulation, and Culture

Technical controls are only as strong as the people who manage them. Next steps for enterprises:

  1. Executive Tabletop Exercises

    • Simulate a Salt Typhoon-style breach at the board level.

    • Clarify decision-making flows and resource allocation under crisis.

  2. Phishing Resistance Programs

    • Conduct regular spear-phishing drills tailored to telecom use cases.

    • Measure click-rates and reinforce with targeted micro-learning modules.

  3. Cross-Functional War-Games

    • Include IT, OT, legal, and PR teams in unified response drills.

    • Practice coordinating with external agencies like the FBI or CISA.


8. Next Steps

Salt Typhoon’s campaigns have shown that the world’s telecom arteries can be used as conduits for espionage, and potentially worse disruptions. C-suite executives and policy makers alike must act now:

Contact Maya Security for an OT Resilience Assessment
We specialize in advising on policy compliance that actually thwarts state-level adversaries.


Sources & Further Reading

  1. “Salt Typhoon,” Wikipedia, accessed July 2025.

  2. Picus Security, “Salt Typhoon Telecommunications Threat,” 2025.

  3. Provendata, “Salt Typhoon Cyber-Espionage Campaign,” 2025.

  4. Varonis, “Deep Dive: Salt Typhoon,” 2025.

  5. Security Affairs, “China-Linked APT Salt Typhoon Targets Canadian Telecoms,” 2025.

  6. Security Affairs, “Salt Typhoon Breach in U.S. Army National Guard,” 2024.

  7. Eclypsium, “CVE-2023-20198 and Viasat/CANADIAN Telcos,” 2023.

  8. SecurityWeek, “China’s Salt Typhoon Hacked U.S. National Guard,” 2024.

  9. DarkReading, “Salt Typhoon Hacks U.S. National Guard,” 2024.

  10. Armis, “Breaking Down Salt Typhoon,” 2025.
