Executive Summary
In early 2024, multiple major US telecommunications providers were targeted in a sophisticated nation-state attack attributed to Salt Typhoon, a Chinese-affiliated APT group. The attackers exploited unencrypted and east-west traffic flows within provider networks, bypassing conventional perimeter defenses to gain persistent access to sensitive infrastructure and intercept data in transit. Salt Typhoon leveraged advanced lateral movement and covert exfiltration techniques, enabling them to collect confidential communications and network architecture details. The incident led to significant operational risks, regulatory scrutiny, and concern within the telecom and national security sectors.
This breach highlights a surge in highly targeted attacks on critical infrastructure, as nation-state actors exploit unencrypted traffic and insufficient internal segmentation. Current attacks reflect a broader strategic trend, with organizations facing pressure to modernize controls to address evolving threat vectors and international cyber-risk dynamics.
Why This Matters Now
This incident underscores the urgent need for US critical infrastructure providers to prioritize robust crypto, east-west segmentation, and zero trust architectures as nation-state threats escalate. With diplomatic and trade tensions impacting sanctions and enforcement, organizations must move quickly to shore up compliance and close security gaps exposed by advanced persistent threats.
Attack Path Analysis
The Salt Typhoon campaign targeted US telecom infrastructure using attacks that began with exploitation of unencrypted or poorly segmented network endpoints. Attackers escalated privileges, often abusing misconfigured identities or service accounts. Through insufficiently segmented networks, they moved laterally between cloud and on-prem workloads. They established command and control via encrypted channels or covert outbound flows; sensitive data was exfiltrated across unsecured or poorly monitored egress points. The attack concluded with operational impact, including surveillance, data theft, or attempted denial of service.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited unencrypted north-south network traffic or misconfigured cloud services, gaining initial foothold via exposed endpoints.
Related CVEs
CVE-2023-0198
CVSS 9.8
A vulnerability in Cisco IOS XE Software allows an unauthenticated, remote attacker to execute arbitrary code on affected devices.
Affected Products: Cisco IOS XE – 16.9.1, 16.9.2, 16.9.3
Exploit Status: exploited in the wild
CVE-2023-20273
CVSS 9.8
A vulnerability in Cisco IOS XE Software allows an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code.
Affected Products: Cisco IOS XE – 16.9.1, 16.9.2, 16.9.3
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Techniques are mapped for high-level SEO and filtering; full enrichment with detailed MITRE STIX/TAXII mapping may follow.
Exploit Public-Facing Application
Valid Accounts
Phishing
Exploitation of Remote Services
Exfiltration Over C2 Channel
Impair Defenses
Endpoint Denial of Service
Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control Measures
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Zero Trust Access Control
Control ID: PR.AC-1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Primary target of Salt Typhoon nation-state APT attacks requiring enhanced encrypted traffic protection, east-west segmentation, and comprehensive threat detection capabilities.
Government Administration
Critical infrastructure vulnerable to nation-state actors exploiting diplomatic tensions, requiring zero trust segmentation and multicloud visibility for sensitive communications protection.
Financial Services
High-value target for nation-state APTs requiring robust egress security, anomaly detection, and compliance with encrypted traffic standards to prevent data exfiltration.
Defense/Space
Strategic target for Chinese nation-state actors demanding secure hybrid connectivity, inline IPS protection, and cloud-native security fabric for classified operations.
Sources
- Are Trade Concerns Trumping US Cybersecurity? https://www.darkreading.com/cyber-risk/trade-concerns-trumping-cybersecurity
- China’s Salt Typhoon hackers continue to breach telecom firms despite US sanctions. https://techcrunch.com/2025/02/13/chinas-salt-typhoon-hackers-continue-to-breach-telecom-firms-despite-us-sanctions/
- FCC warns telecoms to bolster defenses against China hackers or be fined after 'Salt Typhoon'. https://www.washingtonpost.com/technology/2024/12/05/fcc-salt-typhoon-cybersecurity-china/
- Salt Typhoon. https://en.wikipedia.org/wiki/Salt_Typhoon
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, encrypted traffic enforcement, and granular egress controls would have substantially limited adversary movement, visibility, and data theft opportunities at every attack stage. Multicloud visibility, inline intrusion prevention, and real-time policy enforcement would detect and disrupt each phase, blocking lateral spread and data exfiltration.
Control: Encrypted Traffic (HPE)
Mitigation: Prevents attacker interception or tampering via unencrypted links.
Control: Zero Trust Segmentation
Mitigation: Prevents privilege misuse by enforcing least-privilege and identity-based network policy.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized workload-to-workload communication paths.
Control: Cloud Firewall (ACF) with Inline IPS (Suricata)
Mitigation: Detects and blocks known C2 traffic using signature-based inspection and cloud-native policy.
Control: Egress Security & Policy Enforcement
Mitigation: Stops unauthorized outbound data transfers to unapproved destinations.
Real-time detection and alerting minimize business disruption.
Impact at a Glance
Affected Business Functions
- Telecommunications Services
- Government Communications
- National Security Operations
Estimated downtime: 30 days
Estimated loss: $50,000,000
Unauthorized access to sensitive communications, including metadata and content of calls and messages involving government officials and political figures.
Recommended Actions
Key Takeaways & Next Steps
- Mandate strong line-rate encryption (e.g., MACsec/IPsec) for all network traffic to prevent interception at ingress points.
- Implement zero trust segmentation to restrict movement based on workload identity and namespace, minimizing lateral attacker spread.
- Enforce granular egress controls, including FQDN filtering and policy-based restrictions, to block unauthorized data transfers.
- Deploy inline IPS and advanced firewalls to detect, alert on, and block C2 communication and exploit attempts in real time.
- Enhance multicloud visibility with centralized policy and continuous anomaly detection to rapidly identify and contain suspicious activity.
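The zero trust segmentation and egress controls described in the Mitigations and Controls section and in the takeaways above can be made concrete with a small policy evaluator. The following is an added example written for this brief; it is not code from the brief, from the Cloud Native Security Fabric, or from any product named here. It evaluates constructed flow records against a default-deny east-west allowlist keyed by workload identity and namespace, and an egress allowlist keyed by FQDN and port, and it raises an alert when an otherwise-approved egress flow carries an unusually large volume. Every namespace, identity, hostname, byte threshold and flow record in it is constructed for illustration.

```python
"""Zero trust segmentation and FQDN egress policy evaluator.

Added example, not code from the original brief or from any vendor product it
names. All namespaces, identities, hostnames and flow records are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Flow:
    src_ns: str        # source workload namespace (constructed)
    src_identity: str  # source workload identity within that namespace
    direction: str     # "east-west" (workload-to-workload) or "egress"
    dst: str           # "namespace/identity" for east-west, FQDN for egress
    dst_port: int
    bytes_out: int     # bytes sent by the source over the flow


# Default-deny east-west policy: (src_ns, src_identity, dst_ns, dst_identity, port).
# Anything not listed here is a lateral-movement path and is denied.
EAST_WEST_ALLOW = {
    ("web", "frontend", "billing", "api", 8443),
    ("billing", "api", "billing", "db", 5432),
}

# Egress allowlist per namespace: (FQDN pattern, port). Anything else is denied.
EGRESS_ALLOW = {
    "billing": [("payments.partner.example", 443)],
    "web": [("*.cdn.example", 443)],
}

# An approved egress flow moving more than this many bytes is raised as an
# alert instead of being silently allowed (constructed threshold; a crude
# volume anomaly check standing in for continuous anomaly detection).
EGRESS_BYTES_ALERT = 50_000_000


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason); verdict is one of allow, deny, alert."""
    if flow.direction == "east-west":
        dst_ns, _, dst_id = flow.dst.partition("/")
        key = (flow.src_ns, flow.src_identity, dst_ns, dst_id, flow.dst_port)
        if key in EAST_WEST_ALLOW:
            return "allow", "east-west identity rule matched"
        return "deny", f"no rule for {flow.src_ns}/{flow.src_identity} -> {flow.dst}:{flow.dst_port}"

    if flow.direction == "egress":
        fqdn = flow.dst.lower().rstrip(".")
        for pattern, port in EGRESS_ALLOW.get(flow.src_ns, []):
            if fnmatchcase(fqdn, pattern) and flow.dst_port == port:
                if flow.bytes_out > EGRESS_BYTES_ALERT:
                    return "alert", f"approved destination but {flow.bytes_out} bytes exceeds threshold"
                return "allow", "egress FQDN rule matched"
        return "deny", f"{fqdn}:{flow.dst_port} is not on the {flow.src_ns} egress allowlist"

    return "deny", f"unknown direction {flow.direction!r}"


def evaluate_all(flows: list[Flow]) -> list[tuple[Flow, str, str]]:
    """Evaluate every flow and pair it with its verdict and reason."""
    return [(f, *evaluate(f)) for f in flows]


def verdict_counts(flows: list[Flow]) -> dict[str, int]:
    """Count verdicts across a batch of flows, e.g. for a dashboard or alert threshold."""
    return dict(Counter(verdict for _, verdict, _ in evaluate_all(flows)))


# Constructed flow records: two legitimate paths, one lateral move from the web
# tier straight to the database, one transfer to an unapproved host, and one
# oversized transfer to an approved CDN host.
SAMPLE_FLOWS = [
    Flow("web", "frontend", "east-west", "billing/api", 8443, 4_000),
    Flow("billing", "api", "east-west", "billing/db", 5432, 12_000),
    Flow("web", "frontend", "east-west", "billing/db", 5432, 900),
    Flow("billing", "api", "egress", "files.unapproved-host.example", 443, 700_000_000),
    Flow("web", "frontend", "egress", "static.cdn.example", 443, 120_000_000),
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate_all(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src_ns}/{flow.src_identity} -> {flow.dst}:{flow.dst_port}  ({reason})")
```

Run as a script, it prints one verdict per constructed flow: the two legitimate paths are allowed, the frontend-to-database flow is denied because no identity rule permits it, the transfer to the unapproved host is denied by the FQDN allowlist, and the oversized transfer to the CDN is allowed by destination but raised as an alert. The design choice worth noting is that both policies are default deny: a flow must match an explicit identity or FQDN rule to pass, which is what limits east-west spread and unapproved egress even when an attacker already holds valid credentials inside the network.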