Salt Typhoon: The Collapse of Trusted Transport and the End of Telecom Security Assumptions
CybersecurityHQ | CISO Deep Dive

Welcome reader, here is your CybersecurityHQ CISO Deep Dive.
In partnership with:
👣 Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation
📊 LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform
About CybersecurityHQ
CybersecurityHQ provides executive-grade intelligence read weekly inside the Fortune 100. Each briefing is designed to support CISO-level decision-making across identity, infrastructure, third-party risk, and strategic security architecture.
CISO Access
CISOs receive full complimentary access to all CybersecurityHQ strategic intelligence.
If you’d like access or have questions, contact me directly here.
One Credential Unlocked 100,000 Routers and America's Adversary Walked Through
CISO Deep Dive | December 6, 2025 | CybersecurityHQ
1. Executive Assessment
The trusted transport layer is dead. Salt Typhoon, a Chinese MSS operation active since 2019, compromised nine major U.S. telecom carriers by exploiting fundamental identity failures. One administrator credential controlled 100,000 routers. Patches available since 2018 remained unapplied for years.
The attackers accessed CALEA lawful intercept systems. They surveilled over one million Americans in real time. They intercepted calls and texts of approximately 100 senior government officials.
This is an Identity Failure Layer collapse. The breach required no sophisticated zero-days. It required one over-privileged account, absent MFA, and years of ignored patches. CISOs are misdiagnosing this as telecom-specific. It is not. Every enterprise routes sensitive traffic through compromised networks. The transport layer your organization trusts is hostile terrain. Assume unencrypted communications are intercepted. Assume metadata is logged. The mandated backdoor built for law enforcement became the adversary's front door.
2. Operational Intelligence: What Actually Happened
Salt Typhoon initiated reconnaissance against U.S. telecom infrastructure in 2019. Significant penetration began in 2021. The campaign remained undetected until federal network monitoring identified anomalous activity in mid-2024. CISA Director Jen Easterly confirmed it was "first seen by us on federal networks."
Attackers exploited CVE-2023-20198 and CVE-2023-20273 in Cisco IOS XE. These vulnerabilities allowed unauthenticated creation of privilege-level-15 accounts via crafted HTTP requests to the webui_wsma_http service. One exploited Cisco vulnerability had patches available since 2018. Credential theft proved the primary vector. Investigators found one compromised admin account controlling over 100,000 routers.
Lateral movement used native tools, living off the land. Attackers modified Access Control Lists to permit C2 traffic from their infrastructure. They established GRE tunnels to bridge segmented networks. On compromised Cisco devices, they injected malicious Lua scripts into Guest Shell containers, virtualized Linux environments invisible to standard IOS CLI inspection. The Demodex rootkit provided kernel-level persistence on Windows jump boxes, hiding files and network connections from EDR tools.
The campaign accessed CALEA lawful intercept infrastructure, systems mandated for court-authorized surveillance turned into foreign espionage instruments. Result: metadata for one million+ users, real-time geolocation, intercepted communications of senior officials. Attackers reportedly targeted phones associated with senior political figures, though the full scope remains under investigation. Logs were erased. Remaining logs proved inadequate for scope determination. Major carriers cannot confirm full eviction.
3. Systemic Failure Analysis
Framework: Identity Failure Layer
Salt Typhoon succeeded because identity governance collapsed at every tier. This framework applies because the breach traces directly to credential and access control breakdowns, not sophisticated exploitation of unknown vulnerabilities.
The core failure was over-privileged access. One administrator account controlling 100,000 routers violates every principle of least privilege. When Salt Typhoon obtained those credentials, they inherited god-mode access to the backbone. No segmentation contained the blast radius. No tiered access limited lateral movement.
Authentication decay compounded the failure. Absent MFA on high-privilege accounts meant credential theft equaled total compromise. Default passwords persisted on critical infrastructure. TACACS+ authentication systems were compromised, enabling impersonation of legitimate administrators.
Machine identity failures extended the collapse. Unpatched Cisco devices could not validate trusted configurations. Firmware running years without updates could not distinguish legitimate management commands from adversary implants. The Guest Shell persistence mechanism exploited the gap between containerized execution and visibility.
The CALEA architecture created structural identity failure. Systems designed to grant third-party access, even for legitimate law enforcement, created trust assumptions the adversary exploited. Any mechanism allowing third-party access to communications expands attack surface.
4. Enterprise Exposure Model
Identity Systems
Enterprises federate identity to carrier-managed services: VPN concentrators, SIP trunks, SD-WAN controllers. Salt Typhoon's CALEA access means authentication handshakes traversing compromised networks could be monitored. Current controls fail because they assume carrier transport is identity-neutral. If your organization uses carrier-managed authentication, assume those credentials require rotation and isolation.
Multi-Cloud Surface
Cloud traffic transits telecom backbone infrastructure. Salt Typhoon's position on core routers enabled traffic mirroring via SPAN/RSPAN without latency indicators. Multi-cloud architectures routing between providers traverse exactly the infrastructure Salt Typhoon compromised. Current controls fail because encryption often terminates at carrier boundaries. Cloud-to-cloud traffic assumed private may be visible to the adversary.
Vendor Ecosystems
Telecom carriers are vendors to every Fortune 100 enterprise. The attackers accessed Call Detail Records revealing communication patterns: who speaks with whom, when, from where. This enables precise targeting for follow-on supply chain attacks. Current controls fail because third-party risk assessments treat telecommunications as utility-tier infrastructure, not adversary-controlled terrain.
Operational Environments
OT networks depend on cellular connectivity for remote sites, IIoT devices, and backup communications. Recent reporting shows this campaign series extending to satellite communications providers, including Viasat in mid-2025. National Guard networks in at least one state were penetrated. Current controls fail because OT environments assume an air gap while their cellular backup links route through compromised carriers.
5. CISO Decision Points
Discard the assumption that carrier networks are neutral. Evaluate all traffic flows traversing telecom infrastructure. Mandate application-layer encryption for every sensitive communication regardless of network path.
Discard the assumption that MPLS or carrier VPNs provide security. Evaluate whether "private" circuits terminate on carrier-managed equipment. Require enterprise-controlled keys with no carrier key escrow.
Discard the assumption that unpatched edge devices are low priority. Audit every router, VPN concentrator, and firewall for CVE-2023-20198, CVE-2023-20273, and CVE-2018-0171. Patch within 72 hours or isolate immediately.
Discard the assumption that one admin account is acceptable for network management. Implement role-based access ensuring no single credential grants access to more than 50 devices. Require hardware-token MFA for all network infrastructure authentication.
Discard the assumption that your telecom provider will notify you of breaches. Demand written attestation of Salt Typhoon remediation status. Document refusals for board reporting and insurance disclosure.
Discard the assumption that voice and SMS are secure. Deploy E2EE communications for executive discussions within 30 days. Treat cellular voice as intercepted by default for any sensitive conversation.
Discard the assumption that mandated access points remain contained. Evaluate any system with lawful intercept or third-party access capability as having expanded attack surface requiring additional controls.
6. Controls & Countermeasures
Application-Layer Encryption Mandate: Encrypt 100% of sensitive traffic at Layer 7 before carrier handoff. Deploy SD-WAN or SASE with enterprise-generated keys stored in HSMs under your control. Metric: zero sensitive flows with carrier-terminated encryption within 90 days.
Privileged Access Ceiling: No credential may authenticate to more than 50 network devices. Implement tiered administrative domains with separate credentials per device class. Enforce hardware-token MFA for all infrastructure access. Metric: 100% compliance within 60 days.
Cisco Device Integrity Validation: On all IOS XE devices, execute show guestshell details weekly. Inspect /flash/guest-share/ for unauthorized .lua or .sh files. Validate running firmware against Cisco Trust Anchor hashes. Metric: automated weekly integrity reports to SOC.
Log Immutability Architecture: Forward all network device logs to SIEM within 60 seconds of generation. Store in append-only storage with 12-month retention minimum. Metric: zero log gaps exceeding 60 seconds.
GRE Tunnel Monitoring: Alert on any GRE tunnel creation without corresponding change ticket. Unauthorized tunnels indicate active lateral movement. Metric: alerting enabled on 100% of edge devices within 14 days.
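The GRE Tunnel Monitoring and Log Immutability controls above reduce to correlating device events with change tickets. As an added example (not the newsletter's code), the script below reviews constructed IOS XE syslog lines: configuration changes and tunnel bring-ups with no covering change ticket are flagged, and unticketed configuration changes are additionally tagged when they fall in 0800-1800 China Standard Time, the window section 9 calls out. The ticket format and the year supplied for IOS's year-less timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed IOS XE syslog lines with UTC timestamps (not real device output).
SAMPLE_SYSLOG = [
    "Dec  3 02:15:41.120 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.5)",
    "Dec  3 02:16:02.004 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up",
    "Dec  3 14:30:10.551 UTC: %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.20.0.5)",
]
# Constructed change tickets: (user, window start, window end), all UTC. Format is an assumption.
SAMPLE_TICKETS = [
    ("netops", datetime(2025, 12, 3, 14, 0, tzinfo=timezone.utc),
     datetime(2025, 12, 3, 15, 0, tzinfo=timezone.utc)),
]

CST = timezone(timedelta(hours=8))  # China Standard Time (UTC+8), the window named in section 9
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\.\d+ UTC: (%[\w-]+): (.*)$")

def parse_line(line, year=2025):
    """Split an IOS syslog line into (UTC timestamp, mnemonic, message).
    IOS timestamps omit the year, so the caller supplies it (assumed 2025 here)."""
    m = LOG_RE.match(line)
    stamp = " ".join(m.group(1).split())  # collapse the day padding in "Dec  3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3)

def covered_by_ticket(ts, tickets, user=None):
    """True if some ticket window covers ts (restricted to the given user, if any)."""
    return any((user is None or u == user) and s <= ts <= e for u, s, e in tickets)

def review_syslog(lines, tickets):
    """Return findings for config changes and tunnel bring-ups with no change ticket."""
    findings = []
    for line in lines:
        ts, mnemonic, msg = parse_line(line)
        if mnemonic == "%SYS-5-CONFIG_I":
            user = re.search(r" by (\S+) on ", msg).group(1)
            if not covered_by_ticket(ts, tickets, user):
                local = ts.astimezone(CST)
                tag = " during CST working hours" if 8 <= local.hour < 18 else ""
                findings.append(f"{ts:%H:%M}Z config change by {user} without ticket{tag}")
        elif mnemonic == "%LINEPROTO-5-UPDOWN" and "Interface Tunnel" in msg:
            iface = re.search(r"Interface (Tunnel\d+)", msg).group(1)
            if not covered_by_ticket(ts, tickets):
                findings.append(f"{ts:%H:%M}Z {iface} came up without ticket")
    return findings
```

In production the ticket windows would come from the change-management system and the lines from the SIEM the logs are forwarded to; the correlation logic is unchanged.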
7. Immediate Action Window: Next 30 Days
By December 13: Complete inventory of all Cisco IOS XE devices. Verify patch status for CVE-2023-20198, CVE-2023-20273, CVE-2018-0171. Isolate any unpatched device within 24 hours of identification.
By December 20: Audit all administrative accounts with network-wide access. Eliminate any account controlling more than 50 devices. Implement hardware-token MFA on 100% of privileged network accounts.
By December 27: Deploy E2EE communications for executive team. Document policy requiring encrypted channels for board discussions, M&A activity, and legal matters.
By January 3: Send formal written inquiry to primary telecom carriers requesting attestation of Salt Typhoon remediation status. Document responses or non-responses.
By January 6: Present Salt Typhoon exposure assessment to board with remediation timeline and budget requirements.
8. Forecast: 6 to 18 Months
Salt Typhoon remains active. Recorded Future documented five additional telecom intrusions between December 2024 and January 2025, including two U.S. providers. Recent reporting shows the campaign series extending to satellite communications providers and universities researching telecommunications technology.
Observable patterns driving the forecast:
The MSS operates through contractors like Sichuan Juxinhe Network Technology, sanctioned by Treasury in January 2025. This blended force structure enables capability expansion without direct state attribution. Former NSA analyst Terry Dunlap characterized Salt Typhoon as a "component of China's 100-year strategy," suggesting long-horizon infrastructure pre-positioning rather than short-term intelligence collection.
Salt Typhoon operates alongside Volt Typhoon (critical infrastructure pre-positioning) and Flax Typhoon (industrial IP theft). Multiple intelligence teams assess these as part of a broader PRC-linked operational ecosystem with overlapping infrastructure, tooling, and objectives, suggesting systematic mapping of U.S. critical infrastructure for potential future leverage during geopolitical tensions.
Expect three adaptation vectors. First, exploitation of the regulatory vacuum: the FCC's late November 2025 rollback eliminated enforceable standards. Second, targeting of regional carriers and rural providers lacking defensive resources. Third, pivot to enterprise edge devices running identical vulnerable firmware.
Regulatory momentum will build toward mandatory reporting and infrastructure hardening. Enterprises unable to demonstrate transport-independent encryption and privileged-access discipline will face insurance penalties and partnership scrutiny.
9. Red Flags
SSH connections on TCP/57722 or TCP/2222 from network device management interfaces indicate Salt Typhoon C2 communication patterns.
Unexpected GRE tunnels on edge routers without change tickets signal lateral movement infrastructure establishment.
New privilege-level-15 accounts on Cisco devices (cisco_tac_admin, cisco_support, random 8-character usernames) indicate active compromise.
Files in /flash/guest-share/ with .lua or .sh extensions on Cisco IOS XE devices indicate Guest Shell implant persistence.
Modified authorized_keys files in /mnt/flash/ enable password-less persistent access.
Configuration changes logged during 0800-1800 China Standard Time without corresponding administrator activity warrant immediate investigation.
cisco_service.conf present in the flash filesystem indicates malicious configuration injection.
Unusual outbound connections from router management interfaces to residential IP ranges indicate ORB (operational relay box) network C2 relay communication.
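The device-side red flags above, and the weekly Guest Shell inspection in section 6, can be checked mechanically from a running-config and a guest-share directory listing. The following is an added example, not code from the newsletter or from Cisco: it scans a constructed IOS XE configuration excerpt and file listing for the indicators listed. The "random username" heuristic (eight lowercase alphanumerics not on an approved list), the approved-user list and the sample values are assumptions.

```python
import re

# Constructed "show running-config" excerpt from a Cisco IOS XE edge router
# (not real device output; built to exercise each check below).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$redacted
username cisco_tac_admin privilege 15 secret 9 $9$redacted
username kx7pq2mz privilege 15 secret 9 $9$redacted
ip ssh port 57722 rotary 1
interface Tunnel100
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.7
 tunnel mode gre ip
!
"""
# Constructed "dir flash:guest-share/" listing for the same device.
SAMPLE_GUEST_SHARE = ["README.txt", "cisco_service.conf", "upd.lua", "run.sh"]

KNOWN_IMPLANT_USERS = {"cisco_tac_admin", "cisco_support"}  # account names from the red flags above
SUSPICIOUS_SSH_PORTS = {57722, 2222}                         # ports from the red flags above

def check_config(config, approved_users):
    """Return red-flag findings from a running-config excerpt, in config order."""
    findings = []
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        user = m.group(1)
        if user in KNOWN_IMPLANT_USERS:
            findings.append(f"known implant account: {user}")
        elif user not in approved_users and re.fullmatch(r"[a-z0-9]{8}", user):
            findings.append(f"unapproved random-looking 8-char priv-15 account: {user}")
        elif user not in approved_users:
            findings.append(f"unapproved priv-15 account: {user}")
    for m in re.finditer(r"^ip ssh port (\d+)", config, re.M):
        if int(m.group(1)) in SUSPICIOUS_SSH_PORTS:
            findings.append(f"ssh listening on non-standard port {m.group(1)}")
    # An "interface TunnelN" stanza is its header line plus the indented lines that follow it.
    for m in re.finditer(r"^interface (Tunnel\d+)\n((?: .*\n)*)", config, re.M):
        if "tunnel mode gre" in m.group(2):
            findings.append(f"GRE tunnel {m.group(1)} configured; verify change ticket")
    return findings

def check_guest_share(files):
    """Return red-flag findings from a guest-share directory listing."""
    findings = []
    for name in files:
        if name == "cisco_service.conf":
            findings.append("cisco_service.conf present in flash")
        elif name.endswith((".lua", ".sh")):
            findings.append(f"script in guest-share: {name}")
    return findings
```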
10. Board-Ready Narrative
A foreign intelligence service has compromised the networks we use to communicate.
Chinese government hackers infiltrated nine major U.S. telecom carriers, including our primary providers, for up to four years before detection. They accessed systems designed for law enforcement wiretaps and turned them into espionage tools. They tracked locations of over one million Americans. They intercepted calls and texts of senior government officials.
This happened because telecom companies failed basic security. Passwords went unchanged. Critical patches went unapplied for years. One administrator account controlled 100,000 routers. When regulators tried to mandate improvements, the rules were reversed after industry lobbying.
We cannot rely on our telecom providers to protect our communications. We are implementing three responses: encrypting all sensitive communications with keys we control, auditing our network infrastructure for the same vulnerabilities the attackers exploited, and documenting our security posture to demonstrate we do not share the telecom industry's failures.
This positions us ahead of competitors still assuming the phone network is safe.
11. Strategic Questions
If Salt Typhoon accessed your carrier's network for four years, what sensitive communications traversed that infrastructure, and what would adversary access enable?
Can you confirm no single administrator credential in your environment controls more than 50 network devices?
What is your current patch latency for edge network infrastructure, and how does it compare to the multi-year gaps that enabled this breach?
If your carrier cannot provide written attestation of Salt Typhoon remediation, what is your contingency plan?
Which parts of your communication stack still rely on carrier confidentiality rather than enterprise-controlled encryption?
12. Developing Situations
Active Intrusion Status: Salt Typhoon remains active. December 2025 Senate testimony acknowledged full eviction cannot be verified across all carriers. FCC ruling warned vulnerabilities "are still being exploited." AT&T and Verizon declined to provide remediation documentation to Senate Commerce Committee.
Regulatory Vacuum: FCC rolled back the only enforceable federal response in late November 2025. Commissioner Gomez warned this "will leave Americans less protected than they were the day the Salt Typhoon breach was discovered." Congressional action uncertain.
Typhoon Convergence: Salt Typhoon (telecom espionage), Volt Typhoon (infrastructure pre-positioning), and Flax Typhoon (supply chain IP theft) are assessed by multiple intelligence teams as part of a broader PRC-linked operational ecosystem. Enterprise exposure to one indicates probable targeting by others.
Expanding Target Set: Recent reporting shows this campaign series extending to universities researching telecommunications technology. Campaign moving up value chain toward enterprises with 5G deployments and critical communications dependencies.
Next week: Enterprise response options as regulatory vacuum persists and carrier attestation gaps widen.
CybersecurityHQ CISO Deep Dive | Fortune 100 Intelligence