BIPI

Salt Typhoon: How a Chinese APT Wiretapped American Telecom Infrastructure

Threat Intelligence

Salt Typhoon breached at least nine US carriers, exploiting SS7 weaknesses and lawful-intercept backdoors to eavesdrop on senior officials and intelligence targets. A deep technical dive into the TTPs, the infrastructure, and what defenders must do now.

By Arjun Raghavan, Security & Systems Lead, BIPI · August 1, 2025 · 13 min read

#apt #salt-typhoon #telecom-security #ss7 #china #nation-state

Salt Typhoon — tracked by Microsoft as part of the broader Typhoon cluster tied to Chinese state-sponsored operations — spent the better part of 2024 and early 2025 inside the core routing infrastructure of major US telecommunications carriers. The campaign is the most consequential known espionage operation against US communications infrastructure since the NSA-era leaks revealed the scale of domestic collection.

The victims include AT&T, Verizon, T-Mobile, Lumen Technologies, and at least five other carriers, according to US CISA and FBI joint advisories. The attackers accessed lawful-intercept systems — the very wiretapping infrastructure carriers are legally required to maintain under CALEA — and used it to surveil senior US government officials, political campaigns, and intelligence-adjacent targets.

  • 9+: US carriers confirmed breached by Salt Typhoon
  • 18+ months: Estimated dwell time in some carrier networks
  • CALEA: Lawful-intercept framework exploited as an attack vector

Initial Access and SS7 Exploitation

Salt Typhoon's initial access varied by carrier. In several cases, the group exploited unpatched edge devices — specifically Cisco IOS XE vulnerabilities and Fortinet appliances — to gain footholds on carrier peering routers. Once inside the IP backbone, the group pivoted toward SS7 signalling infrastructure, the 1970s-era protocol that underpins phone call routing, SMS delivery, and location queries globally.

SS7 attacks are not new — researchers have demonstrated them at DEF CON since 2014 — but what makes the Salt Typhoon campaign notable is persistence inside the SS7 gateway nodes themselves, not just the ability to send spoofed SS7 messages from a rogue node. By compromising gateway MSC software, the group could passively collect signalling data without generating the anomalous probe traffic that SS7 monitoring tools detect.

  • SendRoutingInfo (SRI_SM) queries used to locate targets by phone number without leaving the log trail an active probe would generate
  • ProvideSubscriberInfo (PSI) MAP operations used to extract real-time cell tower location
  • Mobile-terminating SMS intercept achieved by manipulating HLR routing tables to redirect messages through an attacker-controlled MSC
  • Call forwarding registration via MAP UpdateLocation to silently fork voice calls
  • Passive SIGTRAN/M3UA tap on IP-based SS7 links for bulk metadata collection

Exploitation of CALEA Backdoors

The most alarming dimension of the campaign is the use of CALEA infrastructure — systems US carriers are required by law to maintain for law-enforcement intercept orders. These systems, by design, have access to call records, SMS content, and live call audio. Salt Typhoon obtained administrative access to CALEA management interfaces at several carriers and used them to pull call-detail records for thousands of targets without generating lawful process.

Lateral Movement and Persistence

Once inside carrier core networks, Salt Typhoon used several persistence techniques consistent with long-term espionage collection rather than destructive operations. Investigators found modified Cisco IOS images with added backdoor accounts, SNMP community strings changed on core routers, and access via VPN credentials harvested from compromised network management systems. The group demonstrated deep knowledge of carrier-grade routing architectures, suggesting long preparation or prior insider knowledge.

  • Modified IOS firmware images with undocumented privileged accounts loaded onto border gateway routers
  • Custom implants on Linux-based OSS/BSS systems using rootkits that survived reboots via systemd unit manipulation
  • Credential harvesting from RADIUS and TACACS+ authentication logs stored on NMS platforms
  • Lateral movement across carrier interconnects using BGP peer session credentials obtained from route reflectors
  • Data exfiltration via DNS tunnelling and HTTPS to cloud storage domains to blend with carrier CDN traffic

Detection Engineering for Carrier-Grade Networks

Traditional endpoint security tools have minimal coverage inside carrier core infrastructure. Detection must happen at the protocol layer. Key indicators include anomalous SS7 MAP operation ratios, unexpected HLR routing updates for MSISDN ranges not associated with active porting or roaming events, and SIGTRAN session establishment from unexpected source point codes.

  • Deploy SS7 firewalls with category-2 filtering enabled for all inter-carrier links
  • Alert on MAP UpdateLocation from a non-home PLMN without a corresponding Attach procedure in LTE
  • Monitor CALEA system access logs for out-of-hours activity, bulk CDR exports, and access from unexpected management subnets
  • Implement TACACS+ command accounting for all IOS/IOS-XE privileged exec commands on core routers
  • Run integrity checks on IOS images via Cisco Trust Anchor; verify software hashes against CCO originals weekly
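As an added illustration (not code from the original article or from any carrier's monitoring stack), the first three protocol-layer indicators above can be expressed as rules over signalling records; the log format, point codes, PLMN code, subscriber numbers and thresholds are all constructed for this example.

```python
import csv
from collections import Counter, defaultdict

# Constructed sample signalling log (not real carrier data): timestamp,
# source point code, MAP operation, target MSISDN, originating PLMN.
SAMPLE_LOG = """\
ts,spc,op,msisdn,plmn
2025-01-10T09:00:01,2-100-1,UpdateLocation,15550000001,310260
2025-01-10T09:00:02,2-100-1,SRI_SM,15550000002,310260
2025-01-10T09:00:03,2-100-1,MT_ForwardSM,15550000002,310260
2025-01-10T09:01:00,7-42-3,UpdateLocation,15550000003,460001
2025-01-10T09:01:05,7-42-3,SRI_SM,15550000004,460001
2025-01-10T09:01:06,7-42-3,PSI,15550000004,460001
2025-01-10T09:01:07,7-42-3,SRI_SM,15550000005,460001
2025-01-10T09:01:08,7-42-3,PSI,15550000005,460001
2025-01-10T09:01:09,7-42-3,UpdateLocation,15550000006,460001
2025-01-10T09:02:00,9-9-9,SRI_SM,15550000001,310260
"""

HOME_PLMN = "310260"                  # constructed home network code (MCC+MNC)
KNOWN_PEERS = {"2-100-1", "7-42-3"}   # constructed allowlist of peer point codes
ACTIVE_ROAMERS = {"15550000003"}      # subscribers with a current Attach/roaming event
LOOKUP_OPS = {"SRI_SM", "PSI"}        # location-lookup operations used for target discovery
LOOKUP_RATIO_THRESHOLD = 0.6          # share of a source's traffic that is lookups
MIN_MESSAGES = 4                      # ignore sources with too little traffic to judge


def detect(log_text, home_plmn=HOME_PLMN, known_peers=KNOWN_PEERS,
           active_roamers=ACTIVE_ROAMERS, ratio_threshold=LOOKUP_RATIO_THRESHOLD):
    """Return (rule, detail) alerts for one CSV log in the format above."""
    alerts = []
    per_source = defaultdict(Counter)
    for row in csv.DictReader(log_text.splitlines()):
        spc, op = row["spc"], row["op"]
        per_source[spc][op] += 1
        # Rule 1: SIGTRAN/MAP traffic from a point code that is not a known peer
        if spc not in known_peers:
            alerts.append(("unknown_point_code", f"{spc} sent {op}"))
        # Rule 2: UpdateLocation from a foreign PLMN with no matching Attach/roaming event
        if op == "UpdateLocation" and row["plmn"] != home_plmn \
                and row["msisdn"] not in active_roamers:
            alerts.append(("unexpected_update_location", row["msisdn"]))
    # Rule 3: a source whose MAP traffic is dominated by location lookups
    for spc, ops in per_source.items():
        total = sum(ops.values())
        lookups = sum(ops[o] for o in LOOKUP_OPS)
        if total >= MIN_MESSAGES and lookups / total > ratio_threshold:
            alerts.append(("lookup_ratio", f"{spc} {lookups}/{total}"))
    return alerts
```

On the sample log `detect(SAMPLE_LOG)` raises three alerts: an UpdateLocation for a subscriber with no roaming event, traffic from the unlisted point code 9-9-9, and a lookup ratio of 4/6 for peer 7-42-3; the roaming subscriber 15550000003 is correctly left alone.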

Strategic Implications

Salt Typhoon represents a shift in Chinese APT targeting from intellectual property theft toward persistent surveillance capability against decision-makers. The intelligence value of real-time access to government communications is immense — and the operation likely persisted long enough to collect during sensitive geopolitical windows including the 2024 US election cycle. CISA's December 2024 advisory urged senior government officials to move entirely to end-to-end encrypted messaging platforms as the only reliable mitigation given the depth of carrier compromise.

Salt Typhoon did not break encryption. It went around it — by compromising the infrastructure that carries communications before encryption is applied. The lesson is not to harden SS7; it is to eliminate plaintext from the transport layer entirely.
  • E2EE: Only reliable mitigation for surveillance via compromised carrier infrastructure
  • 2017: Year researchers first demonstrated passive SS7 interception at scale; carriers still rely on the same protocol
  • FBI+CISA: Jointly recommended abandoning SMS-based MFA following the Salt Typhoon disclosure
