BIPI

Salt Typhoon: The Telecom Intrusion That Reached the Lawful Intercept System

Threat Intelligence

Salt Typhoon's 2024 access to US telecom carriers was not a routine espionage operation. The targeting of lawful intercept systems and specific high-profile individuals changed the conversation about telco security.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 9, 2024 · 8 min read

#salt-typhoon #china #telecommunications #apt

When the Wall Street Journal reported in October 2024 that a PRC intrusion set had compromised AT&T, Verizon, and Lumen, the detail that pushed it past routine APT news was the lawful intercept angle. The adversary had positioned itself inside the systems that telcos use to comply with US court orders for wiretaps. The implications are still being unpacked.

Actor Profile

Salt Typhoon is Microsoft's name for the cluster; it is also tracked as GhostEmperor (Kaspersky), FamousSparrow (ESET), and Earth Estries (Trend Micro). US government attribution is to the People's Republic of China, with reporting tying the operation to Ministry of State Security objectives rather than to the PLA. The group has been active since at least 2020, with a long history of telco and government targeting in Southeast Asia before the US-focused 2024 campaign.

Attribution caveat: the public reporting on Salt Typhoon is unusually fragmented. Different vendors are tracking different sub-clusters under similar names, and the lawful-intercept story is government-sourced rather than vendor-sourced.

TTPs

The operational tradecraft prioritizes long dwell time, deep network access, and selective collection rather than broad scraping.

  • Exploitation of edge devices and management interfaces at telecom perimeters (specific CVEs not publicly attributed)
  • Persistence via Demodex rootkit on Windows, custom backdoors on network appliances (Cisco IOS, edge routers)
  • Credential theft and Active Directory traversal once inside the corporate side of telco networks
  • Pivot from corporate IT into operational systems including provisioning, billing, and call-routing infrastructure
  • Targeted collection of metadata and content for specific individuals rather than bulk collection (MITRE T1119)

Notable Victims

AT&T, Verizon, Lumen Technologies (formerly CenturyLink), and reportedly T-Mobile in the US. Earlier reporting placed Salt Typhoon inside telecom operators in the Philippines, Thailand, Vietnam, Taiwan, and several African nations. The most politically significant disclosure was that the adversary had access to call records and in some cases content for US political figures, including candidates in the 2024 presidential race.

The lawful intercept system is a high-value attack surface precisely because it is designed to be a copy of everything.

Detection Signals

Detection inside telco networks is hard because telco networks were not designed with modern endpoint visibility in mind. The signals that mattered came from network appliance logs and identity systems, not EDR.

  • Persistent SSH sessions on edge routers from internal jumpboxes outside normal change windows
  • Demodex-style rootkit indicators on Windows servers tied to network management (TTL anomalies, hidden ports)
  • Service principal or admin account creation in AD with privileges into telecom provisioning systems
  • Anomalous queries against subscriber databases for specific high-value identifiers
  • Outbound traffic from management VLANs to overseas residential or hosting ASN ranges
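Two of the signals above lend themselves to simple log-side rules: SSH sessions opened on edge routers from jumpboxes outside a change window, and flows leaving the management VLAN toward ASNs that are not on an allowlist. The following is an added example written for this note, not BIPI tooling or any carrier's detection content; the hostnames, subnets, ASNs, change window and log line formats are all constructed assumptions.

```python
"""Toy detection pass over constructed router and flow log lines.

Models two of the Salt Typhoon detection signals: (1) SSH sessions opened on
edge routers from internal jumpboxes outside the change window, and
(2) outbound flows from the management VLAN to ASNs not on an allowlist.
Every host, subnet, ASN and log line here is constructed for the example.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed environment facts (assumptions, not any real carrier's data).
EDGE_ROUTERS = {"edge-rtr-01", "edge-rtr-02"}
JUMPBOXES = {"10.20.0.5", "10.20.0.6"}
MGMT_VLAN = ipaddress.ip_network("10.20.0.0/24")
# Change window: Tuesday and Thursday, 02:00-05:00 local (weekday() 1 and 3).
CHANGE_DAYS = {1, 3}
CHANGE_START, CHANGE_END = time(2, 0), time(5, 0)
# Destination ASNs the management VLAN is expected to talk to (constructed).
ALLOWED_ASNS = {64500, 64501}

# Constructed syslog-style formats; these are not any vendor's real output.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: session (?P<state>opened|closed) "
    r"for \S+ from (?P<src>\S+)$"
)
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dst_asn=(?P<asn>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    detail: str


def in_change_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the approved change window."""
    return ts.weekday() in CHANGE_DAYS and CHANGE_START <= ts.time() < CHANGE_END


def analyze(lines: list[str]) -> list[Finding]:
    """Apply both rules to the given log lines and return findings in order."""
    findings: list[Finding] = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            if m["state"] != "opened":
                continue
            ts = datetime.fromisoformat(m["ts"])
            # Only jumpbox -> edge router sessions outside the window are suspicious.
            if m["host"] in EDGE_ROUTERS and m["src"] in JUMPBOXES and not in_change_window(ts):
                findings.append(Finding("ssh_outside_change_window", m["ts"],
                                        f"{m['src']} -> {m['host']}"))
            continue
        m = FLOW_RE.match(line)
        if m:
            src = ipaddress.ip_address(m["src"])
            asn = int(m["asn"])
            # Management VLAN egress to an ASN outside the allowlist.
            if src in MGMT_VLAN and asn not in ALLOWED_ASNS:
                findings.append(Finding("mgmt_vlan_egress_unexpected_asn", m["ts"],
                                        f"{m['src']} -> {m['dst']} AS{asn}"))
    return findings


# Constructed sample lines. 2024-06-04 is a Tuesday, 2024-06-05 a Wednesday.
SAMPLE_LOGS = [
    "2024-06-04T03:10:00 edge-rtr-01 sshd: session opened for netops from 10.20.0.5",    # in window
    "2024-06-05T23:40:00 edge-rtr-02 sshd: session opened for netops from 10.20.0.6",    # out of window
    "2024-06-05T23:41:00 core-sw-07 sshd: session opened for netops from 10.20.0.6",     # not an edge router
    "2024-06-05T23:45:00 flow src=10.20.0.6 dst=198.51.100.77 dst_asn=64500 bytes=4096",   # allowed ASN
    "2024-06-05T23:46:00 flow src=10.20.0.6 dst=203.0.113.9 dst_asn=65001 bytes=1048576",  # unexpected ASN
    "2024-06-05T23:47:00 flow src=10.50.1.8 dst=203.0.113.9 dst_asn=65001 bytes=512",      # not mgmt VLAN
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.ts} {f.rule}: {f.detail}")
```

Run against the constructed lines, the pass returns exactly two findings: the Wednesday-night jumpbox session to edge-rtr-02 and the 1 MiB flow from the management VLAN to AS65001. In a real deployment the router set, jumpbox list and change calendar would come from the CMDB and change system rather than constants, and the ASN allowlist would be derived from the vendor support and NOC destinations the management plane legitimately needs.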

Defensive Controls

Telco defense is structurally harder than enterprise defense because the network gear is the product, not just the infrastructure behind it. The controls available are correspondingly narrower.

  1. Apply CISA and NSA guidance for hardening Cisco, Juniper, and Nokia routers: disable unused services, restrict management plane access, log everything.
  2. Segregate management networks from corporate IT and require step-up auth (FIDO2) to reach them.
  3. Audit lawful intercept system access quarterly. Every query should map to a documented court order.
  4. Inventory firmware versions on all network appliances. Treat unpatched edge gear as a Sev-1.
  5. Engage with CISA's Joint Cyber Defense Collaborative if you operate at telco scale. Information sharing on Salt Typhoon is active and useful.
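Control 3 is the one that can be mechanised: every lawful-intercept query in the access log should reconcile to a documented court order that covers the target, the date, and the analyst who ran it. The script below is an added example written for this note, not BIPI's or any carrier's audit tooling; the register schema, query-log fields, analyst names and subscriber identifiers are constructed assumptions.

```python
"""Quarterly reconciliation of lawful-intercept (LI) query logs against a
court-order register.

Each query is checked for: an order being cited at all, the cited order
existing in the register, the query target matching the order's scope, the
query date falling inside the order's validity window, and the analyst being
authorized on that order. All identifiers and records are constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Order:
    order_id: str
    target: str               # subscriber identifier the order covers (constructed)
    valid_from: date
    valid_to: date
    authorized: frozenset     # analysts permitted to act on this order


@dataclass(frozen=True)
class LIQuery:
    ts: date
    analyst: str
    target: str
    order_id: str | None      # order cited when the query was run, if any


def audit(orders: list[Order], queries: list[LIQuery]) -> list[tuple[LIQuery, str]]:
    """Return (query, reason) pairs for every query that fails reconciliation."""
    by_id = {o.order_id: o for o in orders}
    exceptions: list[tuple[LIQuery, str]] = []
    for q in queries:
        if q.order_id is None:
            exceptions.append((q, "no order cited"))
            continue
        o = by_id.get(q.order_id)
        if o is None:
            exceptions.append((q, "cited order not in register"))
        elif o.target != q.target:
            exceptions.append((q, "target differs from order scope"))
        elif not (o.valid_from <= q.ts <= o.valid_to):
            exceptions.append((q, "query outside order validity window"))
        elif q.analyst not in o.authorized:
            exceptions.append((q, "analyst not authorized on order"))
    return exceptions


def summarize(exceptions: list[tuple[LIQuery, str]]) -> dict[str, int]:
    """Count exceptions by reason, for the quarterly report."""
    return dict(Counter(reason for _, reason in exceptions))


# Constructed register and query log (hypothetical identifiers, not real data).
ORDERS = [
    Order("ORD-2024-0101", "MSISDN-15550100", date(2024, 1, 15), date(2024, 4, 15),
          frozenset({"analyst.a", "analyst.b"})),
    Order("ORD-2024-0102", "MSISDN-15550200", date(2024, 2, 1), date(2024, 3, 1),
          frozenset({"analyst.a"})),
]
QUERIES = [
    LIQuery(date(2024, 2, 10), "analyst.a", "MSISDN-15550100", "ORD-2024-0101"),  # clean
    LIQuery(date(2024, 2, 11), "analyst.c", "MSISDN-15550300", None),             # no order
    LIQuery(date(2024, 2, 12), "analyst.a", "MSISDN-15550100", "ORD-2024-0999"),  # unknown order
    LIQuery(date(2024, 2, 13), "analyst.a", "MSISDN-15550300", "ORD-2024-0101"),  # wrong target
    LIQuery(date(2024, 3, 20), "analyst.a", "MSISDN-15550200", "ORD-2024-0102"),  # order expired
    LIQuery(date(2024, 2, 14), "analyst.b", "MSISDN-15550200", "ORD-2024-0102"),  # wrong analyst
]

if __name__ == "__main__":
    for q, reason in audit(ORDERS, QUERIES):
        print(f"{q.ts} {q.analyst} {q.target} order={q.order_id}: {reason}")
    print(summarize(audit(ORDERS, QUERIES)))
```

On the constructed data, one query reconciles cleanly and five are flagged, one per failure mode. The ordering of the checks matters: a query citing an unknown order is reported as such rather than as a target or date mismatch, which keeps the exception list actionable. The point of the exercise is that an intruder running collection through the LI platform produces queries that cite no order, or cite an order whose scope they do not match, and a reconciliation that runs only quarterly is a floor, not a ceiling.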

Salt Typhoon will be referenced in telecom regulatory conversations for the next decade. The intrusion exposed that the most sensitive systems in the carrier stack were not architected with a determined nation-state adversary in mind, and the cleanup is ongoing. For everyone else, the lesson is simpler: lateral movement from corporate IT into operational systems is the path. Segment accordingly.
