Overview
Salt Typhoon is the Microsoft-assigned tracking name for a Chinese state-sponsored threat actor that has been publicly tied by the U.S. FBI, CISA, and the National Security Agency to a multi-year campaign against U.S. telecommunications providers. The same organization is tracked as Earth Estries, GhostEmperor, and FamousSparrow by different vendors, and some elements of the operation overlap with other tracked Chinese state-actor clusters. Salt Typhoon's 2024-2025 operation against U.S. telecom providers and, in particular, against lawful-intercept and wiretap systems, is one of the most consequential U.S. critical-infrastructure compromises publicly disclosed in the last decade.
The Salt Typhoon operation differs from most publicly documented Chinese state-actor campaigns in two ways. First, the target was not the data of end users in the traditional sense but the lawful-intercept and wiretap systems that U.S. law enforcement uses under court order. Second, the operational tempo was long and quiet, with the group maintaining access to some provider environments for the better part of a year before public disclosure in late 2024. The result was access to metadata and, in some cases, content of U.S. government and political communications, which is a national-level compromise regardless of how the public reporting describes the technical operation.
TTPs
Salt Typhoon tradecraft emphasizes long-dwell access to provider-network management infrastructure, abuse of lawful-intercept and wiretap systems once access is established, and credential abuse to maintain persistence across provider environments. Public advisories describe initial access as coming from the exploitation of internet-facing network devices, the abuse of trusted relationships between providers, and the exploitation of known vulnerabilities in network management and monitoring equipment. Post-exploitation, the group relies on stolen credentials, legitimate management interfaces, and ordinary administrative tooling, which keeps its activity close to normal operator behaviour and hard to distinguish from it.
A defining feature of the operation is the specific targeting of lawful-intercept and wiretap systems within provider environments. These systems are the operational interface between providers and law enforcement, and access to them yields not only provider-network telemetry but also the ability to identify which subscribers are subject to lawful intercept and to monitor those communications. The targeting is operationally specific and consistent with a state-aligned intelligence operation rather than a financially motivated or criminal actor. Public reporting indicates that the operators maintained access to some provider environments for months before detection, and the operational cleanup is ongoing as of public disclosure in late 2024.
On the tooling side, the operators have been described as using a mix of custom and publicly available tools, including living-off-the-land binaries, custom credential-theft utilities, and a long list of commodity remote-access tools. The tradecraft is operator-grade by Chinese state-actor standards, and the operational discipline is consistent with a long-running, well-resourced operation. Public reporting has not associated the group with destructive or financially motivated activity; the operation appears to have been intelligence collection only.
Known incidents
The 2024-2025 Salt Typhoon operation against U.S. telecommunications providers is the defining incident. The U.S. government, in coordination with the affected providers and the Communications Sector Coordinating Council, disclosed in late 2024 that Salt Typhoon had compromised the network environments of multiple major U.S. providers, with the lawful-intercept and wiretap systems being the operational target. The list of confirmed-affected providers, as of the most recent public reporting, includes AT&T, Verizon, T-Mobile, and Lumen (formerly CenturyLink), with the operational impact varying by provider. The exposure included the metadata and, in some cases, the content of U.S. government and political communications, and the incident triggered a major U.S. government response including the formation of a joint coordination cell and the issuance of binding operational directives to the affected providers.
Earlier Salt Typhoon operations, reported under the older Earth Estries, GhostEmperor, and FamousSparrow names, include a long-running campaign against government and telecommunications targets in Southeast Asia, the Middle East, and Africa. The tradecraft profile in those operations is consistent with the 2024-2025 U.S. operation, and the vendor attributions have gradually converged as the public reporting has accumulated. The group's operations appear to be ongoing, with public attribution continuing in 2024 and 2025.
The U.S. government response to the Salt Typhoon operation has been substantial, including the formation of a joint coordination cell, the issuance of binding operational directives to U.S. telecommunications providers, the convening of a Cyber Safety Review Board-style review, and public attribution of the operation to a Chinese state-sponsored actor. The operational cleanup, including the removal of Salt Typhoon access from compromised provider environments, has been described as ongoing and difficult, with the group demonstrating an ability to maintain persistence across multiple provider environments even after initial detection.
Detection
Detecting Salt Typhoon in provider environments is difficult because the operators blend in with normal administrative activity and use legitimate management interfaces for command and control, so detection has to rest on high-fidelity signals rather than generic indicators. Useful detection signals include: anomalous administrative activity on lawful-intercept and wiretap systems, particularly from accounts that do not normally interact with those systems; unusual credential-theft or credential-replay activity against provider management interfaces; outbound traffic from management interfaces to infrastructure that does not match normal provider operations; and unusual scheduled tasks, registry changes, or service installations on lawful-intercept and management hosts.
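The detection signals above, applied to a constructed audit log as an added example (not code from the original article or from any vendor): the script learns which accounts normally log in to lawful-intercept hosts during a baseline window, then flags later logins by other accounts, outbound connections from those hosts to non-internal addresses, and host-level changes, and escalates any account that trips more than one signal. Host names, account names, IP ranges and the record layout are assumptions.

```python
"""Added example, not from the original article: baseline-deviation checks over
constructed audit records from lawful-intercept (LI) management hosts.
Host names, account names, IP ranges and the record layout are all assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (timestamp, host, account, action, destination_ip).
RECORDS = [
    ("2024-09-10T02:00", "li-mediation-01", "li_ops1", "login", None),
    ("2024-09-11T02:00", "li-mediation-01", "li_ops2", "login", None),
    ("2024-09-11T02:05", "li-mediation-01", "li_ops2", "outbound", "10.20.0.5"),
    ("2024-10-03T03:14", "li-mediation-01", "svc_netmon", "login", None),
    ("2024-10-03T03:20", "li-mediation-01", "svc_netmon", "outbound", "203.0.113.7"),
    ("2024-10-03T03:21", "li-mediation-01", "svc_netmon", "service_install", None),
    ("2024-10-03T04:00", "mail-01", "svc_netmon", "service_install", None),
]
LI_HOSTS = {"li-mediation-01"}                       # assumed inventory of LI hosts
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HOST_CHANGES = {"service_install", "scheduled_task", "registry_change"}

def build_baseline(records, cutoff):
    """Accounts that logged in to each LI host before `cutoff` (the learning window)."""
    seen = defaultdict(set)
    for ts, host, account, action, _ in records:
        if host in LI_HOSTS and ts < cutoff and action == "login":
            seen[host].add(account)
    return seen

def detect(records, cutoff):
    """Flag LI-host events at or after `cutoff` that deviate from the baseline.
    Returns (alerts, escalated); escalated lists (host, account) pairs with 2+ distinct signals."""
    baseline = build_baseline(records, cutoff)
    alerts, signals = [], defaultdict(set)
    for ts, host, account, action, dest in records:
        if host not in LI_HOSTS or ts < cutoff:
            continue
        reason = None
        if action == "login" and account not in baseline[host]:
            reason = "login by account outside LI baseline"
        elif action == "outbound" and dest and not any(ip_address(dest) in n for n in INTERNAL_NETS):
            reason = f"outbound from LI host to non-internal {dest}"
        elif action in HOST_CHANGES:
            reason = f"{action} on LI host"
        if reason:
            alerts.append((ts, host, account, reason))
            signals[(host, account)].add(action)
    escalated = sorted(k for k, v in signals.items() if len(v) >= 2)
    return alerts, escalated
```

In a real deployment the baseline window should be long enough to cover on-call rotations and planned maintenance, or legitimate but infrequent operators will be flagged alongside the activity of interest.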
For non-provider organizations, the operational implication of Salt Typhoon is that communications metadata and, in some cases, content may have been exposed through the provider compromise, regardless of the organization's own security posture. The right response is to assume that communications that traversed affected providers during the exposure window are compromised at the metadata level, and to apply appropriate handling to those communications, including the rotation of any credentials that were transmitted in the clear, the re-issuance of any cryptographic material that was transmitted in the clear, and the review of any operational decisions that were communicated through affected providers during the exposure window.
Recommendations
Defenses against Salt Typhoon cluster into provider-side, network-side, and metadata-handling layers. At the provider-side layer (for U.S. telecommunications providers), the binding operational directives from CISA and the FBI provide the operational floor: lawful-intercept and management systems should be on a separate authentication domain with phishing-resistant multi-factor authentication, network segmentation should isolate lawful-intercept and management infrastructure from the rest of the provider environment, and monitoring should specifically target activity on those systems. At the network-side layer (for non-provider organizations), assume that provider-side compromises are possible, route sensitive communications through channels that provide end-to-end encryption and forward secrecy, and treat metadata as exposed when a provider compromise is confirmed. At the metadata-handling layer, rotate any credentials or cryptographic material that may have been transmitted in the clear during an exposure window, and review operational decisions that were communicated through affected channels.
For policymakers, Salt Typhoon is the case study that argues for a national-level approach to lawful-intercept system security. The lawful-intercept and wiretap systems that U.S. law enforcement relies on are part of the critical infrastructure of the U.S. intelligence and law-enforcement apparatus, and they should be defended at the level of critical infrastructure. The implication for defenders is that some mitigations are not within their control. Build the detections you can build, and pressure your providers and your government to build the rest.