A Benign Name for a Historic Infrastructure Compromise

Salt Typhoon is a confusing, if somewhat benign-sounding, Microsoft codename for a state-sponsored Chinese cyber espionage campaign that has become one of the most consequential communications infrastructure compromises in recent history. Active since at least 2019 and linked to China’s Ministry of State Security (MSS), Salt Typhoon represents a grouping of MSS-aligned actors specializing in infiltrating the core infrastructure of telecommunications and internet service providers (ISPs) to collect communications data and surveil high-value targets.

Evidence shows that by targeting routers and lawful intercept access points embedded deep inside U.S. telecom networks, the campaign has accessed call records, text messages, and in some cases call audio belonging to senior government officials and other persons of interest. U.S. lawmakers have described this as “the largest telecommunications hack in American history,” with reporting indicating impacts across more than 80 countries and over 200 organizations worldwide. The response from U.S. government agencies has been robust but uneven, spanning congressional hearings, White House statements, coalition intelligence advisories, and oscillating regulatory machinations whose long-term effectiveness remains uncertain.

From Targeted Espionage to Infrastructure Level Collection

At the heart of the matter is a strategic espionage success for the People’s Republic of China, as its premier intelligence service effectively turned global telecom infrastructure into a collection platform by compromising the devices that form the plumbing of modern communications networks. This level of access offers unparalleled observability of online interactions, not just among government officials but across ordinary citizens and businesses, and it provides persistence that is both difficult to detect and costly to remove.

ISP routers are engineered for throughput, routing efficiency, traffic shaping, and uptime, not for on-device adversary detection, making them ideal hiding places for advanced actors. Router vendors have also historically struggled to identify and remediate vulnerabilities at speed, and telecom providers have often been slow to deploy patches once available, because patching incurs the dreaded service downtime; this further expands the exposure of an already poorly defended attack surface. The cost to replace end-of-life infrastructure and redesign networks with security as a first-order requirement runs into the tens of billions of dollars, with little direct revenue incentive for carriers to accelerate replacements ahead of schedule. The result is predictable and troubling. As recently as February, the FBI publicly acknowledged that despite years of government and private sector efforts, Salt Typhoon activity remains “very much ongoing.” In other words, the compromise has survived seven years of eviction attempts and is likely to persist for the foreseeable future.

Why Small Businesses and Private Citizens Are in Scope

This raises an uncomfortable question: where does that leave America’s small and medium-sized businesses and private citizens? Most SMBs are not building weapons systems, carrying on strategic advisory discussions with senior government officials, or competing directly with Chinese industrial champions. Why should they care?

The first answer lies in how Chinese intelligence collection actually works. Espionage by the MSS is frequently conducted on behalf of Chinese industrial and economic priorities, which are explicitly articulated through the Chinese Communist Party’s Five Year Plans. When sectors such as energy, information technology, pharmaceuticals, aerospace, or artificial intelligence are prioritized, foreign organizations operating anywhere near those domains should expect to see Chinese intelligence activity follow. In a deeply interconnected global economy, mapping dependencies and business relationships often provides as much strategic value as stealing blueprints.

This is where SMBs matter. Small businesses may not be the final objective, but they are often the entry vector. Supplier relationships, pricing structures, production timelines, customer lists, regulatory posture, and internal communications all provide business intelligence value. Credentials, routing information, and trust relationships harvested quietly from smaller firms can later be reused against larger or more sensitive targets.

Civil society and non-profits are also squarely within scope. Dissidents living abroad, journalists who present the CCP in an unfavorable light, anti-communist policy advocates, anti-PRC lawmakers, researchers, academics, and members of government or military institutions should assume their personal and professional online activity may be of interest. The Chinese state’s collection model casts a wide net, far beyond traditional military or intelligence targets.

The Trust Problem: Can the Carrier Path Be Assumed Safe?

The second issue is one of trust. Security practitioners have long assumed that the internet beyond an organization’s boundary router is untrusted (Zero Trust principles assume that inside of the network is also suspect, which is a related tangent), but Salt Typhoon forces a deeper question: can users, administrators, and leaders trust the infrastructure and services provided by our ISPs at all?

Somewhere between a home or office router, regional aggregation points, and the backbone networks that connect the United States to the rest of the world, compromised devices may be positioned to passively collect communications data at scale. This collection technique turns the routers’ own event logging and traffic inspection features to malicious purposes, does not require malware on individual devices, and leaves no alert behind.

Adapting Communications to a Hostile Carrier Environment

The answer is not to destroy the on-premises ISP equipment in a moment of cathartic rage (think Office Space printer scene). The first practical step is a significant change in how we approach day-to-day communications. After almost a decade of Salt Typhoon’s rampage through Western telecom infrastructure, communications should be designed, configured, and deployed with the assumption that the carrier path is observable by malign actors.

But while updating configurations with less trusting assumptions in mind takes time, a few simple changes to interpersonal communication methods are immediately actionable.

Implementing these confidentiality-enhancing steps means encrypting internet communications at least to the cloud service and ideally end-to-end between sender and recipient devices. For voice calls, this means avoiding default phone applications in favor of encrypted alternatives such as Signal, WhatsApp, FaceTime Audio, or enterprise collaboration platforms. The same applies to messaging: SMS remains unencrypted, while modern messaging platforms encrypt content to servers or end-to-end.

Email: The Weakest Link That Can’t Be Eliminated—Only Demoted

Email presents a particular challenge. It was never designed to be secure, and encryption still requires coordinated configuration between sender and receiver. While providers like Proton Mail simplify this, external email should generally be assumed to exist in a readable state somewhere along its path.

Email’s ubiquity makes it hard to replace, but it can be demoted. Using email as a notification channel and redirecting recipients to authenticated, encrypted portals significantly reduces exposure without breaking workflows.
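The demotion pattern above, as an added illustration that is not part of the original article: the email carries only a short, expiring, HMAC-signed retrieval link, and the message content stays in the portal, which releases it only to the authenticated user the link was issued for. The portal URL, store, and function names are hypothetical.

```python
"""Email as a notification channel: the body seen on the carrier path holds no
content, only an opaque, expiring token; the portal verifies it before release."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # per-deployment signing key (constructed here)
TOKEN_TTL = 15 * 60                   # retrieval link valid for 15 minutes

# Constructed sample: the sensitive content never leaves the portal's store.
PORTAL_STORE = {"msg-001": "Q3 supplier pricing: 4% increase from Oct 1."}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(msg_id: str, user: str, now=None) -> str:
    """Sign (msg_id, user, expiry); the token reveals nothing about the content."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = json.dumps({"m": msg_id, "u": user, "e": exp}).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)

def notification_email(msg_id: str, user: str) -> str:
    """What an observer on the carrier path sees: a pointer, not the message."""
    return ("You have a new secure message. Sign in to read it:\n"
            f"https://portal.example/read?t={make_token(msg_id, user)}")

def redeem_token(token: str, authenticated_user: str, now=None):
    """Portal side: check signature (constant time), expiry, and session user."""
    try:
        p, t = token.split(".")
        payload, tag = _b64d(p), _b64d(t)
    except Exception:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if claims["u"] != authenticated_user or current > claims["e"]:
        return None
    return PORTAL_STORE.get(claims["m"])
```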

Traffic Manipulation, Redirection, and the Limits of VPNs

Infrastructure-level compromise also enables traffic redirection and interception attacks. Keeping browsers up to date, enforcing HTTPS, and enabling DNS over HTTPS in modern browsers meaningfully reduces the risk of malicious redirection to infected websites or spoofed login portals used for credential harvesting and initial access. VPNs encrypt traffic to the hosting data center, but they do not eliminate exposure beyond the VPN provider’s egress. They also create friction when browsing to legitimate sites: online vendors have started to label VPN traffic as inauthentic at best and malicious at worst, using captchas and other challenges as proof-of-human thresholds.

None of this makes online activity invisible. But encryption denies content value, raises the analytic cost of collection, forces reliance on metadata alone, and reduces abuse of lawful intercept mechanisms. It is risk reduction, not a silver bullet. 

A Remarkable Reversal in U.S. Government Guidance

As commentary, it is remarkable that after fighting for years to prevent Americans’ use of encryption for interpersonal communication, the U.S. federal government’s advice would undergo such a foundational transformation. In December 2024—five years into Salt Typhoon’s campaign—the FBI and CISA implicitly acknowledged they failed to contain the compromise and that the best remaining advice was to encrypt Americans’ personal and business communications in transit. The shift underscores the breadth and depth of the US telecom compromise at the hands of the Chinese MSS.

What Defense Looks Like When Eradication Is Unrealistic

More direct targeting of SMB enterprises also remains possible. Salt Typhoon’s position within carrier infrastructure allows for extremely high-fidelity reconnaissance of enterprise traffic patterns and of edge device make, model, and software update levels, giving the actors an inside track on detecting and exploiting vulnerabilities as well as on blending their activities into inbound and outbound traffic flows across any boundary sensors.

Defeating a determined Chinese state actor seeking to compromise any enterprise outright is unrealistic—but denying value, slowing operations, and increasing detection cost are achievable goals. Rivers of ink have been committed to analysis and publication of Salt Typhoon offensive tactics, techniques, procedures, and indicators of compromise. This piece adds little to that body of work.

The longer-term and less immediately satisfying answer for organizations serious about reducing risk from this class of compromise is an intelligence-informed cyber operations strategy, grounded in frameworks such as the Australian Cyber Security Centre’s Essential Eight, which remains one of the most practical foundations available.

Sources:

Mandiant (FireEye), “APT1: Exposing One of China’s Cyber Espionage Units,” Mandiant Intelligence Center Report, Feb 2013. [services.google.com]

FBI – Office of the Director of National Intelligence, “China: The Risk to Corporate America (Executive Summary).” [arapackelaw.com]

FBI News Release, “Five Chinese Military Hackers Charged with Cyber Espionage Against U.S. Corporations,” May 19, 2014. [U.S. Department of Justice indictment of five PLA officers for hacking Westinghouse (nuclear), SolarWorld (solar energy), U.S. Steel and others to steal industrial secrets] [fbi.gov]

Eduard Kovacs, “‘Five Eyes’ Nations Blame China for APT10 Attacks,” SecurityWeek, Dec 21, 2018. [Coverage of U.S. and allies attributing Operation Cloud Hopper (APT10) to China’s MSS, detailing theft of intellectual property from global IT service providers and clients in finance, manufacturing, healthcare, and more] [securityweek.com]

Nathan Thornburgh, “The Invasion of the Chinese Cyberspies,” TIME magazine, Aug 29, 2005. [First public report on “Titan Rain” cyber espionage, describing Chinese hackers’ penetration of U.S. defense networks (Lockheed, Sandia, NASA) starting in 2003, to steal military and technical data] [en.wikipedia.org]

U.S. Department of Justice – Office of Public Affairs, “Four Chinese Nationals Working with the MSS Charged with Global Computer Intrusion Campaign…,” Press Release #21-667, July 19, 2021. [Federal indictment of MSS officers in APT40 for 2011–18 hacking operations stealing IP in aviation, defense, maritime, biomedical and infectious-disease research sectors] [justice.gov]

CBS News (60 Minutes), “Global intelligence leaders warn against China’s technology theft,” by Scott Pelley et al., Oct 22, 2023. [Interview with FBI, MI5, and allied intelligence heads describing China’s unprecedented scale of tech-focused espionage, naming targeted fields like AI, biotech, aviation, and robotics] [cbsnews.com]

Andrew Rapacke, “The World’s Largest IP Heist Has a Name: Made in China 2025,” The Rapacke Law Group Blog, March 24, 2026. [Analysis of China’s industrial policies (Made in China 2025, 14th FYP) and their connection to IP theft, noting targeted sectors and examples of espionage cases] [arapackelaw.com]

Security Bureau of Canada (CSE) – Statement on APT10, quoted in SecurityWeek, Dec 2018. [Canadian Communications Security Establishment assessment supporting attribution of APT10 to China, part of the allied response to Chinese IP theft in tech and other sectors] [securityweek.com]

Wikipedia – “Five-Year Plans of China”; “Cox Report”; “Operation Aurora” (summary articles with citations). [Background on each FYP’s goals and historical context; details on the U.S. Cox Committee findings of Chinese espionage in the 1980s–90s; and information on Operation Aurora’s targets and outcome]

Chris Jaikaran. “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications (IF12798).” Congressional Research Service / Congress.gov, January 23, 2025. https://www.congress.gov/crs-product/IF12798

CISA. “AA25-239A: Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System.” Cybersecurity and Infrastructure Security Agency, last revised September 3, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a

CISA. “CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems.” CISA GovDelivery Bulletin, August 27, 2025. https://content.govdelivery.com/accounts/USDHSCISA/bulletins/3efc249

Federal Bureau of Investigation. “FBI Seeking Tips about PRC Targeting of U.S. Telecommunications (Alert Number: I0424252PSA).” FBI / IC3, April 24, 2025. https://www.ic3.gov/PSA/2025/PSA250424-2

Federal Bureau of Investigation. “FBI Seeking Tips about PRC Targeting of U.S. Telecommunications.” FBI Public Service Announcement, April 24, 2025. https://www.fbi.gov/investigate/cyber/alerts/2025/fbi-seeking-tips-about-prc-targeting-of-us-telecommunications

Eric Tucker. “Chinese hacking campaign hit a 9th U.S. telecom firm, White House says.” PBS NewsHour (AP), December 27, 2024. https://www.pbs.org/newshour/world/chinese-hacking-campaign-hit-a-9th-u-s-telecom-firm-white-house-says

Zack Whittaker. “Salt Typhoon is hacking the world’s phone and internet giants — here’s everywhere that’s been hit.” TechCrunch, March 9, 2026. https://techcrunch.com/2026/03/09/salt-typhoon-china-who-has-been-hacked-global-telecom-giants/

Derek B. Johnson. “FBI: Threats from Salt Typhoon are ‘still very much ongoing’.” CyberScoop, February 19, 2026. https://cyberscoop.com/fbi-salt-typhoon-ongoing-threat-cybertalks-2026/

Bill Toulas. “FCC rolls back cybersecurity rules for telcos, despite state-hacking risks.” BleepingComputer, November 21, 2025. https://www.bleepingcomputer.com/news/security/fcc-rolls-back-cybersecurity-rules-for-telcos-despite-state-hacking-risks/

Zack Whittaker. “Despite Chinese hacks, FCC votes to scrap cybersecurity rules for phone and internet companies.” TechCrunch, November 21, 2025. https://techcrunch.com/2025/11/21/despite-chinese-hacks-trumps-fcc-votes-to-scrap-cybersecurity-rules-for-phone-and-internet-companies/

Wikipedia contributors. “Crypto Wars.” Wikipedia, The Free Encyclopedia. https://en.wikipedia.org/wiki/Crypto_Wars

Cybersecurity and Infrastructure Security Agency. “Enhanced Visibility and Hardening Guidance for Communications Infrastructure.” CISA Resource Library. https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure