Strictly Confidential — Material Disclosure Under Executed Mutual NDA Only
SECTOR / 20 · TELECOMMUNICATIONS

Telecommunications. The medium on which every other sector's cybersecurity depends.

Salt Typhoon — affiliated with the People's Republic of China Ministry of State Security — compromised at least nine US telecommunications providers in 2024 including AT&T, Verizon, T-Mobile, Lumen, and Spectrum. The campaign accessed metadata of over one million users, recorded calls of US presidential-campaign staff, and crucially compromised the CALEA wiretapping systems used by US law enforcement. Senator Mark Warner called it "the worst telecom hack in our nation's history." PULSE engineers infrastructure in which the wiretap-system compromise that defines Salt Typhoon does not produce a usable intelligence corpus.

Telecommunications — 2024 Threat Profile


9
US telecommunications providers compromised by Salt Typhoon (PRC MSS-affiliated) in 2024 — AT&T, Verizon, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, plus two unnamed. Senator Mark Warner: "the worst telecom hack in our nation's history."
Source: US Senate / Wikipedia / Treasury sanctions

1M+
Users whose call and text metadata was accessed by Salt Typhoon — concentrated in the Washington D.C. metro area. Phones of the Trump campaign, Vance campaign, and Harris-Walz campaign staff were specifically targeted, with audio recordings of some calls obtained.
Source: Wikipedia / WSJ / Anne Neuberger NSC briefings

109M
AT&T customer call and text records exposed in the 2024 Snowflake-platform breach — one of the largest telecom data breaches in history. Separate from the Salt Typhoon intrusion.
Source: AT&T SEC filings 2024

200+
Companies compromised by Salt Typhoon globally across 80 countries by August 2025 (FBI confirmation). The campaign continued past US-government-confirmed containment by AT&T and Verizon in December 2024.
Source: FBI / Recorded Future / State of Surveillance

Threat Landscape

Telecommunications cybersecurity is the cybersecurity of the medium on which every other sector's cybersecurity depends.

The telecommunications threat landscape occupies a structurally unique position. Telcos do not just hold their own customer data; they hold the connective tissue through which every other sector's data, communications, and operational coordination flows. A breach of a major US telco is, in important senses, a breach of every customer of every other sector that uses that telco — financial services routing transactions across the network, healthcare facilities transmitting electronic medical records, government agencies sending classified-adjacent communications, defence contractors coordinating with the Department of Defense, individual citizens making personal phone calls and text messages.

The 2024 Salt Typhoon campaign — attributed to the People's Republic of China Ministry of State Security and ultimately sanctioned by the US Treasury Department in January 2025 — represents the most consequential single cybersecurity event to affect the global telecommunications industry in its history. Senator Mark Warner, chairman of the US Senate Select Committee on Intelligence, called the intrusion "the worst telecom hack in our nation's history" and described it as making prior cyberattacks by Russian actors look like "child's play" by comparison. The attack accessed metadata of calls and text messages of over a million users; specifically targeted communications of US presidential-campaign staff and political figures including Donald Trump and JD Vance; and crucially compromised the systems used by US law enforcement to fulfill court-authorised wiretapping requests under the Communications Assistance for Law Enforcement Act (CALEA). [01]

Salt Typhoon obtained an almost-complete list of phone numbers being wiretapped by US law enforcement. This gave the People's Republic of China a roadmap of which of their spies the US had identified. The defensive surveillance system became the offensive intelligence collection system.

The 2024 telecom-sector incident calendar extends well beyond Salt Typhoon. The 2024 Snowflake-platform breach exposed call and text records of approximately 109 million AT&T customers — one of the largest telecom data breaches in history, achieved through a credential-based attack against a SaaS data warehouse rather than the telco's own infrastructure. The 2023 T-Mobile breach (April 2024 disclosure) affected 37 million customer accounts. The 2022 Optus breach in Australia exposed personal data of approximately 9.8 million customers and directly catalysed legislation in the form of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

The structural vulnerability that Salt Typhoon exploited is, in important respects, the regulatory mandate of the telecommunications sector itself. CALEA, passed in 1994, requires all US telecommunications companies to build wiretapping capabilities into their networks. The same wiretapping infrastructure mandated to enable lawful interception by US law enforcement was the infrastructure Salt Typhoon compromised to extract the list of US wiretapping targets. The defensive system became the offensive vector. [02]

Common Attack Vectors

Telecommunications attack vectors are concentrated, attributed, and expensive to defend.

In contrast to sectors where financially motivated criminal activity dominates, the dominant threats to telecommunications are state-aligned intelligence operations conducted over multi-year time horizons. The same threat-actor identifiers recur across decades.

VECTOR / 01

CALEA Wiretap-System Compromise

Salt Typhoon's 2024 compromise of US telcos' CALEA-mandated wiretapping infrastructure is the canonical illustration. The defensive system became the offensive vector. Cisco confirmed Salt Typhoon maintained access for up to three years before detection in at least one telco. The attack architecture — exploiting government-mandated lawful-intercept infrastructure — has no obvious defence in the existing regulatory framework.

3 years undetected access — Cisco confirmation 2024

VECTOR / 02

Edge-Router and Core-Network Vulnerability Exploitation

Salt Typhoon exploited known vulnerabilities in firewalls, routers, and VPN products, including CVE-2023-46805 and CVE-2024-21887 in Ivanti Connect Secure VPN. At one of the nine compromised telcos, the intrusion involved an administrator account with access to over 100,000 routers. Edge-device and core-network defence assumes that patching cadence keeps pace with disclosure cadence.

100,000+ routers via single admin account

VECTOR / 03

SaaS Data Warehouse Credential Attacks

The 2024 AT&T Snowflake-platform breach exemplifies a different vector class: stolen credentials harvested from infostealer malware (some dating back to 2020) used against a SaaS data warehouse holding telco customer records. The attack required no compromise of the telco's own infrastructure; it required only credentials and the absence of MFA enforcement on the SaaS account.

109M AT&T customer records — Snowflake 2024

VECTOR / 04

Long-Term Persistence and Anti-Forensics

Salt Typhoon employs Windows kernel-mode rootkits including Demodex (named by Kaspersky) and the GhostSpider backdoor for persistent access. Anti-forensic and anti-analysis techniques deliberately evade detection. The campaign's focus on long-term intelligence collection rather than immediate data exfiltration places defensive demands beyond conventional incident-response capability.

GhostSpider, Demodex — kernel-mode persistence

Operational and Regulatory Impact

The FCC. CISA. The Treasury. The regulatory response to Salt Typhoon is reshaping the telecommunications cybersecurity perimeter in real time.

The US Federal Communications Commission proposed a public rule in December 2024 requiring basic cybersecurity practices for telecom carriers, with commissioners voting on the rule in early 2025. US Senator Ron Wyden's draft Secure American Communications Act would order the FCC to require telcos to adhere to a list of security requirements and perform annual vulnerability tests. The US Treasury Department's Office of Foreign Assets Control sanctioned Sichuan Juxinhe Network Technology Co. and Yin Kecheng on 17 January 2025 for direct involvement in Salt Typhoon. The FBI announced a USD 10 million bounty for information on individuals associated with the campaign in April 2025. [03]

The international regulatory response has been correspondingly substantial. The EU NIS2 Directive (effective 18 October 2024) brings telecommunications within "essential entity" cybersecurity-governance and incident-reporting obligations. The European Electronic Communications Code imposes parallel security obligations under the EU's telecoms-specific framework. The UK Telecommunications (Security) Act 2021 imposes prescriptive security obligations on UK telecoms providers, with Ofcom enforcement.

For Australia, the Telecommunications Act 1997 (as amended) imposes substantial cybersecurity obligations on carriers and carriage service providers, alongside the SOCI Act 2018 which designates telecommunications as critical infrastructure. The 2022 Optus breach catalysed substantial regulatory tightening, including the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 with maximum penalties of AUD 50 million per breach.

Reframing

Telecommunications cybersecurity is the only domain where the institution's breach is the breach of every other institution that uses the institution's services.

The PULSE Position

In a PULSE-substrate telecommunications environment, the wiretap-system compromise that defines Salt Typhoon does not produce a usable intelligence corpus.

The structural exposure that Salt Typhoon exploited is the structural exposure of every contemporary telco: customer call and text metadata, lawful-intercept infrastructure, and core network traffic exist in forms that, if compromised, produce immediately exploitable adversary intelligence value. The CALEA wiretap-systems compromise gave PRC intelligence services a near-complete list of US wiretapping targets. The metadata accessed allowed geolocation of over a million users. The audio recordings obtained from compromised systems exposed campaign-staff and political-figure communications.

A telco running PULSE substrate does not hold its customer-communications metadata, lawful-intercept records, or core-network traffic in a form that constitutes an immediately exploitable intelligence corpus when compromised. The wiretap-system infrastructure mandated by CALEA can be operated under PULSE substrate such that authorised law-enforcement access produces correctly executed lawful interception, while adversary access to the same infrastructure produces no usable adversary intelligence. The architectural commitment is to separate the operational capability of the system (lawful interception) from the bulk-disclosure consequence of the system's compromise.

For commercial customer data — call records, text records, location records — the same architectural commitment applies. A Salt Typhoon-class campaign that compromises a PULSE-substrate telco's perimeter does not produce the bulk-customer-metadata corpus that drove the consequence of the 2024 campaign. The means is the trade secret. We disclose it under executed Mutual Non-Disclosure Agreement only.

Strategic Briefing — Available Under NDA

Telecommunications PULSE deployment, FCC / NIS2 / UK TSA / Australia SOCI alignment, and lawful-intercept-system reference architecture.

Architectural-fit assessment for tier-1 fixed-line carrier, mobile network operator, broadband ISP, content-delivery and edge-cloud, and lawful-intercept-mandate scenarios. Quantified residual-disclosure model under PULSE substrate covering CALEA-equivalent wiretapping systems, customer metadata, and core-network traffic. Cross-jurisdictional regulatory alignment matrix (FCC / FBI CALEA / EU NIS2 / EU EECC / UK TSA 2021 / Australia Telecommunications Act 1997 / Singapore CSA Telecoms Code of Practice).

Sources

All statistics on this page are drawn from publicly available reports issued by recognised industry bodies, regulators, and security research organisations. References are listed below for verification.

  [01] US Senate, House Committee on Homeland Security, and Wikipedia — documented Salt Typhoon (PRC Ministry of State Security-affiliated) compromise of nine US telecommunications providers in 2024 (AT&T, Verizon, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, plus two unnamed) and breach of CALEA wiretap systems.
  [02] US Department of the Treasury Office of Foreign Assets Control — 17 January 2025 sanctions against Sichuan Juxinhe Network Technology Co. and Yin Kecheng for direct involvement in Salt Typhoon.
  [03] US Federal Communications Commission — proposed cybersecurity rule for telecom carriers following Salt Typhoon (December 2024).
  [04] AT&T — Form 8-K filings disclosing 2024 breach of customer call and text records (109 million customers) via Snowflake credential compromise.
  [05] US Congressional Research Service — Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications.
  [06] US House Committee on Homeland Security — Cyber Threat Snapshot (November 2024).
  [07] UK Telecommunications (Security) Act 2021.
  [08] European Union — Network and Information Systems Directive 2 (NIS2), Directive (EU) 2022/2555.
  [09] Australian Government — Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

PULSE Digital Security cites these sources for context only. Citation does not imply endorsement of, or affiliation with, any cited organisation. All trademarks remain the property of their respective owners.