
Salt Typhoon — a two-year reconstruction (Sep 2024 – Apr 2026)

Author: Thomas Malinowski Published: 2026-05-16 Status: OSINT synthesis, primary sources cited inline Tags: China, MSS, telecom, espionage, lawful-intercept, edge-devices, Cisco IOS XE


Bottom line up front

A People's Republic of China Ministry of State Security cluster that Microsoft tracks as Salt Typhoon (and that other vendors track as OPERATOR PANDA, RedMike, UNC5807, GhostEmperor, and FamousSparrow) spent at least three years inside the operational networks of the largest U.S. and allied telecommunications providers, including AT&T, Verizon, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. The intrusions reached the lawful-intercept (CALEA) systems carriers maintain for U.S. court-ordered surveillance, exposing not only the contents and metadata of consumer communications but the list of phone numbers the U.S. intelligence community had under surveillance. The chair of the Senate Intelligence Committee called it "the worst telecom hack in our nation's history"; the U.S. Treasury sanctioned an MSS-linked contractor for its role in the campaign in January 2025, and a 13-nation joint advisory followed in August 2025.

The defender takeaway is unflattering and important: the operation relied almost entirely on known-CVE exploitation of unpatched internet-facing network appliances, not novel zero-days. The controls that would have stopped Salt Typhoon are the same controls every CISO already lists as a top priority. The campaign succeeded because patch latency on the network-equipment edge — and on the service-provider edge specifically — is measured in years, not weeks.


Timeline

At least 2021: Earliest dwell time reconstructed by U.S. carriers and CISA-led incident response. (CISA, AA25-239A.)
Sep – early Oct 2024: The Wall Street Journal reports the first public confirmation of compromises at AT&T, Verizon, and Lumen. (WSJ, 5 Oct 2024.)
Late Oct 2024: U.S. officials confirm the breach reached CALEA wiretap systems at multiple carriers, exposing the list of phone numbers under U.S. court-ordered surveillance. Reporting estimates that call metadata for over one million users was accessed, heavily concentrated in the Washington, D.C. area, consistent with collection aimed at U.S. policymakers. (Reuters, NYT.)
3 Dec 2024: First defender guidance. CISA, NSA, FBI, and Five Eyes partners publish enhanced-visibility and hardening guidance for communications-infrastructure operators. (CISA news release, AA24-338A precursor.)
Dec 2024 – Jan 2025: Recorded Future's Insikt Group identifies a wave of fresh exploit attempts against more than 1,000 internet-exposed Cisco IOS XE devices, chaining CVE-2023-20198 (unauthenticated Web UI privilege escalation, CVSS 10.0) and CVE-2023-20273 (post-auth privilege escalation to root), and attributes the activity to the same cluster, which it tracks as RedMike. Victims include telecommunications providers in the United States, Canada, and South Africa. (Recorded Future, Feb 2025.)
30 Dec 2024: AT&T and Verizon issue public statements confirming the intrusions and asserting their networks are "secure." T-Mobile, Spectrum, and Lumen follow within days.
17 Jan 2025: U.S. Treasury OFAC sanctions Sichuan Juxinhe Network Technology Co., LTD., a Chengdu-based "cybersecurity company" that Treasury identifies as an MSS contractor, for its direct involvement in Salt Typhoon. The same action separately sanctions Yin Kecheng, a Shanghai-based MSS-affiliated cyber actor, for the December 2024 compromise of the U.S. Treasury's Departmental Offices; Treasury does not tie him to Salt Typhoon. (Treasury press release JY2792.)
27 Aug 2025: CISA, FBI, NSA, and 12 partner-nation cyber agencies release joint advisory AA25-239A, "Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System." The advisory expands targeting beyond telecom to include government, transportation, lodging, and military networks, and assesses at least 200 victim organizations across 80+ countries since at least 2021. The headline TTP finding: no novel zero-days. The cluster has relied on widely known, long-patched vulnerabilities in unpatched, internet-facing network infrastructure. (CISA, AA25-239A.)

A full and current timeline is at /actors/salt-typhoon in the tracker.


Tradecraft

Initial access — known CVEs on the service-provider edge

Salt Typhoon's initial-access pattern is consistent across the disclosed victims and across the geographically-distinct waves: internet-exposed carrier-grade network appliances with known, years-old CVEs. The two CVEs most consistently named are both Cisco IOS XE bugs from October 2023:

  • CVE-2023-20198 (CVSS 10.0): an unauthenticated remote attacker can create a privilege-level-15 (root-equivalent) local account through the Web UI of any IOS XE device whose HTTP/HTTPS server is reachable. The Cisco PSIRT advisory was published 16 October 2023; fixed releases followed within days. Recorded Future observed the cluster attempting exploitation against more than 1,000 still-unpatched devices in December 2024, fourteen months after the fix was available.
  • CVE-2023-20273 (CVSS 7.2): a post-authentication command injection in the same Web UI. Chained after -20198, it takes the newly created privilege-15 account to root on the underlying Linux host, which is what lets the operator modify the device beyond what the IOS XE CLI permits and persist changes on the box itself.

The operators do not appear to need novel exploits. They work in the gap between a network-equipment vendor's patch-release date and a large carrier's patch-application date, a gap that in the RedMike data above was more than a year. Nor is the pattern Cisco-specific: AA25-239A also lists CVE-2018-0171 (Cisco Smart Install), CVE-2024-21887 (Ivanti Connect Secure) and CVE-2024-3400 (Palo Alto PAN-OS GlobalProtect) among the exploited vulnerabilities, so an IOS XE-only patch sweep does not close the access vector.

Persistence — GRE tunnels and configuration-level changes

Once an IOS XE device is compromised, the cluster's documented persistence pattern is unusually clean: instead of dropping an implant on disk, the operators modify the device's own configuration to create privileged user accounts and establish GRE (Generic Routing Encapsulation) tunnels to attacker-controlled infrastructure. Traffic of intelligence interest is then mirrored out of the carrier network into the tunnel and read on the far side, with nothing on the router's filesystem for a forensic review of the box to find. The router is the implant.

This is the same operational philosophy as Volt Typhoon's living-off-the-land tradecraft, and the same preference for network equipment over endpoints that its VersaMem web shell on Versa Director showed (see the VersaMem technical profile elsewhere in this repository). It represents what is, in this analyst's view, the most important PRC tradecraft shift of the post-2020 era: configuration-level persistence on network equipment in lieu of implants on endpoints.

Collection — CALEA wiretap systems

The single most consequential disclosure of the operation is the October 2024 reporting that the cluster accessed carrier implementations of CALEA (Communications Assistance for Law Enforcement Act) wiretap systems, the on-network intercept infrastructure that U.S. carriers are legally required to maintain for court-ordered surveillance. Reaching CALEA gives the operator more than the contents of the intercepted communications: it gives the operator the list of phone numbers and identifiers the U.S. government has placed under intercept.

The strategic implication for the U.S. intelligence community is direct: any Chinese national in the United States who was the subject of a U.S. counter-intelligence wiretap was plausibly identifiable to the MSS from the CALEA target list. Press reporting describes this as the part of the Salt Typhoon disclosure that most alarmed senior U.S. officials.

Operator attribution

The U.S. Treasury's position, formalised in the January 2025 sanctions, is that the cluster is an MSS contractor operation run through Sichuan Juxinhe Network Technology Co., LTD., a Chengdu-based ostensible "cybersecurity company." Microsoft's public reporting attributes Salt Typhoon to the PRC state but does not name the contractor. The same Treasury action sanctioned Yin Kecheng, described as a Shanghai-based cyber actor of more than ten years' standing affiliated with the MSS, for the December 2024 compromise of Treasury's own network; that designation is not an attribution of Salt Typhoon to him. The contractor model mirrors what Treasury and DOJ have established for APT10 (Huaying Haitai, Tianjin), APT31 (Wuhan Xiaoruizhi), and Flax Typhoon (Integrity Technology Group, Beijing): MSS operations run through ostensibly civilian Chinese firms.


Defender takeaways

The hard part of writing actionable guidance for Salt Typhoon is that almost nothing about the operation is novel — and yet the operation succeeded against the most-resourced telecommunications operators on the planet. The recommendations below are therefore unsurprising; the question worth dwelling on is why they did not prevent the campaign.

  1. Inventory and patch internet-exposed network appliances on the same calendar as your endpoint fleet. Carriers' patch latency on backbone routers is the operation's foothold. Cisco's PSIRT advisory for CVE-2023-20198 also recommends disabling the HTTP/HTTPS server wherever the Web UI is not needed, which removes the exposed surface independently of patch state.
  2. Treat any configuration change on a routing device as a high-severity event by default. Salt Typhoon's persistence pattern lives in router config, not in router filesystems. A detection that watches IOS XE configuration deltas (the archive feature with config logging and syslog notification enabled, or NETCONF-based diffing of the running-config) catches the persistence step even when the exploit step was missed.
  3. Hunt for unauthorized GRE tunnels on edge routing equipment. GRE is a legitimate protocol but the inventory of expected GRE endpoints in a carrier network is finite and known. Any new tunnel termination on an unfamiliar IP is investigable as a matter of routine.
  4. Audit CALEA-system access on a defender-priority basis. The on-prem intercept infrastructure required by 47 U.S.C. § 1002 is the highest-value collection target on a carrier network. It should receive the same access-control rigour as a domain controller, with privileged-session recording and out-of-band approval workflows.
  5. Stop treating "no novel zero-days" as good news. PRC operators have demonstrated, repeatedly, that they do not need them. Patching faster is the answer that does not get easier with time.
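
The config audit that items 2 and 3 describe, together with the Web UI exposure check from the initial-access section, as an added example: this is illustrative code written for this brief, not the tracker's Sigma pack and not anything attributed to the actor. It runs the same four rules over a `show running-config` snapshot and over `%PARSER-5-CFGLOG_LOGGEDCMD` syslog lines (which IOS XE emits per config command once `archive` / `log config` / `logging enable` / `notify syslog` is configured): a privilege-15 user outside the admin allowlist, a tunnel interface terminating on a peer outside the known-endpoint inventory, a traffic-mirror (`monitor session`) definition, and an enabled HTTP/HTTPS server. The allowlists, hostname, addresses and log lines are constructed for the example and are not from any carrier.

```python
"""
Added example for this brief, not the tracker's own detection code and not
anything attributed to the actor. Audits an IOS XE running-config and
%PARSER-5-CFGLOG_LOGGEDCMD syslog lines for the persistence pattern described
in the Tradecraft section. All names, addresses and log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Operator-maintained allowlists (hypothetical values for the example).
KNOWN_ADMINS = {"netops", "tacacs-fallback"}
KNOWN_TUNNEL_PEERS = {"10.255.0.2"}  # the finite, known set of expected tunnel endpoints


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    evidence: str


# Config-line patterns. Lines are stripped first, so indented interface
# sub-commands such as " tunnel destination x.x.x.x" match too.
USERNAME_PRIV15_RE = re.compile(r"^username\s+(\S+)\s+.*privilege\s+15\b")
TUNNEL_DST_RE = re.compile(r"^tunnel destination\s+(\S+)")
HTTP_SERVER_RE = re.compile(r"^ip http (?:secure-)?server$")
MONITOR_SESSION_RE = re.compile(r"^monitor session\s+\d+")
# Emitted by IOS XE when 'archive' -> 'log config' -> 'logging enable' and
# 'notify syslog' are configured; one line per executed config command.
CFGLOG_RE = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD:\s*User:(\S+)\s+logged command:(.*)$")


def classify_command(cmd: str) -> Optional[Finding]:
    """Map one config command to a Finding, or None if it is benign."""
    cmd = cmd.strip()
    m = USERNAME_PRIV15_RE.match(cmd)
    if m and m.group(1) not in KNOWN_ADMINS:
        return Finding("high", "unknown-priv15-user", cmd)
    m = TUNNEL_DST_RE.match(cmd)
    if m and m.group(1) not in KNOWN_TUNNEL_PEERS:
        return Finding("high", "tunnel-to-unknown-peer", cmd)
    if HTTP_SERVER_RE.match(cmd):
        return Finding("medium", "web-ui-enabled", cmd)
    if MONITOR_SESSION_RE.match(cmd):
        return Finding("medium", "traffic-mirror-session", cmd)
    return None


def audit_running_config(config: str) -> List[Finding]:
    """Static pass over 'show running-config' output."""
    return [f for f in map(classify_command, config.splitlines()) if f]


def audit_syslog(lines: List[str]) -> List[Finding]:
    """Streaming pass: apply the same rules to each logged config command."""
    findings = []
    for line in lines:
        m = CFGLOG_RE.search(line)
        if not m:
            continue
        user, cmd = m.group(1), m.group(2).strip()
        f = classify_command(cmd)
        if f:
            findings.append(Finding(f.severity, f.rule, f"user={user} cmd={cmd}"))
    return findings


# Constructed sample input (not a real carrier configuration).
SAMPLE_CONFIG = """\
hostname pe-edge-01
username netops privilege 15 secret 9 $9$constructed
username svc_backup privilege 15 secret 9 $9$constructed
ip http server
ip http secure-server
interface Tunnel0
 tunnel source Loopback0
 tunnel destination 10.255.0.2
interface Tunnel77
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.45
monitor session 1 type erspan-source
 source interface GigabitEthernet0/0/1
 destination
  erspan-id 7
  ip address 203.0.113.45
"""

# Constructed syslog lines in the CFGLOG_LOGGEDCMD format.
SAMPLE_SYSLOG = [
    "Dec 18 03:12:41.102 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface Loopback0",
    "Dec 18 03:12:52.553 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown  logged command:username svc_backup privilege 15 secret 0 Constructed1",
    "Dec 18 03:13:10.017 UTC: %PARSER-5-CFGLOG_LOGGEDCMD: User:unknown  logged command:tunnel destination 203.0.113.45",
]

if __name__ == "__main__":
    for f in audit_running_config(SAMPLE_CONFIG) + audit_syslog(SAMPLE_SYSLOG):
        print(f"[{f.severity}] {f.rule}: {f.evidence}")
```

Two design notes. The allowlists are the whole detection: a tunnel rule is only as good as the inventory of expected peers, and a stale inventory turns the rule into noise, so the list has to be owned by the same team that approves new tunnels. And the syslog path matters more than the snapshot path, because a snapshot only tells you the device is already persisted; the logged command tells you who ran it and when, which is what an incident responder needs to scope the intrusion. Where the Web UI is not required, the remediation for the medium finding is `no ip http server` / `no ip http secure-server`, which removes the CVE-2023-20198 surface regardless of patch state.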

Detection logic for several of the above lives in the project's Sigma pack; in particular t1190_appliance_exploit_user_agents.yml catches the Cisco IOS XE / appliance-edge exploitation pattern. The YARA pack ships a generic Cobalt Strike beacon rule (mal_cobalt_strike_beacon_generic.yar) for post-exploitation on adjacent hosts; note that nothing in the reporting cited above describes Salt Typhoon staging a beacon on the routers themselves, so that rule is a hedge, not a Salt Typhoon indicator.


Outlook

Three forward-looking judgments, each at the level of confidence the available reporting will support:

  • High confidence that Salt Typhoon's operational tempo has not meaningfully slowed since the August 2025 advisory. The cluster was still running Cisco IOS XE exploitation waves (the RedMike activity of Dec 2024 – Jan 2025) after the first public disclosure of its existence, and the contractor model (Sichuan Juxinhe is a stable organisational entity, not an ad hoc operator) means that public exposure is unlikely to end the operation.
  • Moderate confidence that the next disclosed victim category will be cloud-edge appliances rather than carrier backbone — load balancers, SD-WAN management planes (Versa Director was the Volt Typhoon precedent), API gateways, and identity-provider appliances. The "internet-facing network device with a known CVE" pattern generalises trivially out of telecom into enterprise IT.
  • Moderate confidence that the CALEA disclosure will drive policy movement on lawful-intercept-system isolation requirements in the U.S. and EU within 18 months, regardless of the administration. The political pressure from the named-victim list (which now includes a sitting senator's office) is too high for the status quo to survive a second incident.

References

Primary sources only. Vendor and journalist reporting omitted unless it is the first-disclosure record.