Salt Typhoon US telecom espionage campaign (2024)
China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers, among them Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated and Windstream, and reached the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.
- Victim: U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)
- Users: 1.0M
Across 2024, the China-linked APT known as Salt Typhoon carried out one of the most consequential telecommunications-espionage campaigns ever publicly disclosed: nine U.S. telecom providers compromised, including the systems used to service CALEA lawful-intercept requests for U.S. law enforcement.
What happened
Salt Typhoon is a state-aligned cyber-espionage group attributed to the People's Republic of China. U.S. officials confirmed in late 2024 that the group had infiltrated at least nine U.S. telecommunications companies, including Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream.
The most strategically damaging element of the intrusion was access to CALEA infrastructure — the lawful-intercept systems that U.S. telecom providers operate so that law-enforcement and intelligence agencies can serve court-authorised wiretaps. With access to those systems, Salt Typhoon could see who the U.S. government was wiretapping, and when.
In addition to CALEA exposure, Salt Typhoon obtained call and text-message metadata for more than one million users — date and time stamps, source and destination IP addresses, phone numbers — and reportedly accessed the contents of communications belonging to a small number of high-priority targets.
By the end of December 2024, Verizon, AT&T, and Lumen publicly confirmed that they had evicted the attackers. On 17 January 2025, the U.S. Treasury sanctioned Sichuan Juxinhe Network Technology Co., Ltd., naming it as the PRC-linked contractor responsible for Salt Typhoon's operations.
Impact
- At least 9 major U.S. telecom providers compromised.
- CALEA lawful-intercept infrastructure accessed at multiple carriers — a national-counterintelligence event.
- Call/text metadata exposed for over one million users.
- Contents of communications for select high-priority targets reportedly accessed.
- U.S. Treasury sanctions against a named PRC contractor.
Why it matters
Salt Typhoon is the cyber espionage case that crossed a line not just by scale but by target: the wiretap infrastructure built to serve U.S. law enforcement. The campaign re-opened debate in Washington about the trade-offs of mandating "lawful-access" backdoors in commercial systems — every such backdoor is now demonstrably a target of nation-state collection.
Timeline
- Salt Typhoon — an APT group linked to the People's Republic of China and later to PRC-contractor Sichuan Juxinhe Network Technology — establishes persistence inside multiple U.S. telecom networks; intrusions are believed to span months and in some cases years prior to disclosure.
- Reports surface that Chinese state-linked hackers compromised U.S. broadband providers' systems used to service U.S. law-enforcement wiretap requests under CALEA.
- U.S. officials describe the intrusion as potentially 'a counterintelligence failure of the highest order'.
- Verizon and AT&T publicly confirm Salt Typhoon access has been contained; Lumen reports no evidence customer data was accessed.
- The U.S. Department of the Treasury announces sanctions against Sichuan Juxinhe Network Technology Co., Ltd. for direct involvement with Salt Typhoon.
Sources
- en.wikipedia.org: https://en.wikipedia.org/wiki/Salt_Typhoon
- theregister.com: https://www.theregister.com/2024/12/30/att_verizon_confirm_salt_typhoon_breach/
- techcrunch.com: https://techcrunch.com/2024/12/30/verizon-says-it-has-secured-its-network-after-breach-by-china-linked-salt-typhoon-group/
- axios.com: https://www.axios.com/2024/10/15/salt-typhoon-hack-china-verizon-att