Salt Typhoon has mounted one of the widest espionage campaigns in recent memory, breaking into the networks of major phone and internet providers and siphoning tens of millions of call records tied to high-value government targets, according to security researchers and Western officials. The China-linked group has quietly exploited the connective tissue of global communications, turning edge routers and lawful-intercept systems into listening posts.

How the campaign penetrates routers and intercept systems

Investigators say Salt Typhoon’s hallmark is compromising Cisco routers and similar gear that sit on the outer rim of corporate networks, where visibility is thin and traditional endpoint tools can’t see. Once in, operators pivot toward carrier surveillance equipment mandated for lawful interception, granting access to call metadata, texts, and even live audio capture. The FBI has urged Americans to favor end-to-end encrypted apps as a precaution against foreign eavesdropping.

Salt Typhoon’s operations fit a larger pattern of Beijing-aligned activity. While Salt Typhoon focuses on telecom espionage, overlapping groups such as Volt Typhoon have been assessed by U.S. and allied agencies as pre-positioning for potentially disruptive attacks, and Flax Typhoon is known for using large botnets of hijacked devices to mask malicious traffic. Together, these clusters reflect a strategy aimed at intelligence collection and contingency access across critical infrastructure.

Who has been hit across telecom, government, and more

In the United States, several top carriers were breached. AT&T and Verizon acknowledged intrusions tied to Salt Typhoon, and internet backbone provider CenturyLink (now Lumen) was also compromised. T-Mobile reported it was targeted but said the attackers did not access customers’ calls, texts, or voicemails. Satellite communications giant Viasat confirmed exposure involving tools used to facilitate law enforcement access, heightening concerns over systemic risk in intercept pathways.

Additional U.S. victims include Charter Communications (Spectrum) and Windstream, with fiber network operator Consolidated Communications reportedly affected. Beyond telecom, the group penetrated a U.S. state’s National Guard network, enabling follow-on access to systems in other states and territories, according to multiple reports—evidence that Salt Typhoon’s reach is not confined to commercial carriers.

The targeting is global. Canada’s government confirmed intrusions at major telecom companies, including compromises of Cisco routers to steal data. Recorded Future has observed activity against university-linked Cisco devices in Argentina and Mexico, and against a telecom operator in Myanmar (Mytel), as well as a South African provider. Trend Micro reported Salt Typhoon activity in Brazil and identified at least 20 compromised organizations across telecoms, consulting, chemical, transportation, government, and non-profits spanning Afghanistan, Eswatini, India, Taiwan, and the Philippines.

Across the Asia-Pacific, authorities in Japan warned of the threat to domestic networks. Australia and New Zealand reported Salt Typhoon operations against telecom and critical infrastructure; New Zealand additionally observed intrusions across government, transportation, lodging, and military-related networks. In Southeast and South Asia, universities in Bangladesh, Indonesia, Malaysia, and Thailand saw router-targeted attacks, based on threat intelligence reporting.

European governments have also raised flags. The U.K. confirmed a cluster of Salt Typhoon activity; subsequent reporting indicated senior officials’ phone records and texts may have been exposed. Norway disclosed compromises against multiple organizations. Dutch authorities said smaller internet providers and hosting firms were targeted via routers, though core internal networks were not breached. Recorded Future has also tracked intrusions at an Italian internet provider, while Czech cybersecurity officials reported related incidents in Finland and Poland. In total, the FBI assesses that Salt Typhoon has targeted or breached at least 200 organizations worldwide.

What data was taken and why it matters for security

Call detail records, SMS content, and captured audio from senior officials carry immense intelligence value. Even without full content, metadata reveals who speaks to whom, how often, and from where—gold for mapping influence networks and sensitive operations. With access to carrier intercept systems, the attackers could move beyond metadata to content acquisition, quietly monitoring high-priority targets while blending into legitimate surveillance workflows.

The campaign’s focus on telecom infrastructure also makes remediation harder. Routers and intercept platforms often lack robust monitoring, and a compromise can persist as a change to the device configuration itself (an added account, an enabled management service, a new tunnel) rather than as a malware binary that endpoint tools would catch. That gives an agile actor time to exfiltrate data, stage further access, and leverage trusted network positions for broader espionage.

Defensive priorities now for carriers and enterprises

Security agencies including the FBI and CISA recommend hardening edge devices: patch and update Cisco IOS/IOS XE, disable unnecessary web interfaces, restrict management to out-of-band networks, enforce MFA for admin access, and baseline router configurations for tamper detection. Carriers and large enterprises should audit lawful-intercept platforms, verify access controls and logging, and isolate those systems from broader IT environments.

Organizations should expand telemetry to network appliances using flow data, configuration integrity checks, and authenticated backups. Given the known targeting of universities and smaller ISPs, defenders in education and regional providers should prioritize router hygiene and segmentation. For individuals—especially public officials—the FBI’s advice stands: move sensitive chats and calls to modern end-to-end encrypted services and minimize exposure of voice and SMS for confidential matters.
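The configuration-integrity check recommended above is simple to automate. The following script is an added example, not code from the article or from any agency guidance: it normalizes two IOS-style running-config excerpts (both constructed for illustration, with placeholder secrets), fingerprints each with SHA-256 so a baseline can be stored and compared, diffs them section by section, and flags the kinds of changes a defender would want to review on an edge router, such as a new local account, HTTP management turned on, telnet re-enabled on the VTY lines, a new tunnel interface, or a management ACL removed. The rule list and the `>`-qualified section notation are assumptions of this example, not a vendor format.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed IOS-style config excerpts for illustration; not captured from any
# real device. The "secret 9 ..." values are placeholders, not real hashes.
BASELINE_CONFIG = """\
hostname edge-rtr-01
!
no ip http server
no ip http secure-server
!
username netops privilege 15 secret 9 $9$placeholder
!
aaa new-model
aaa authentication login default group tacacs+ local
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
!
line vty 0 4
 transport input ssh
 access-class MGMT-ACL in
!
"""

CURRENT_CONFIG = """\
hostname edge-rtr-01
!
ip http server
no ip http secure-server
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder2
!
aaa new-model
aaa authentication login default local
!
interface GigabitEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
!
line vty 0 4
 transport input ssh telnet
!
"""

# Illustrative review rules (an assumption of this example): additions that
# weaken the edge device's posture, and removals that strip a control.
ADDED_RULES = [
    (re.compile(r"^ip http server$"), "HTTP management interface enabled"),
    (re.compile(r"^username \S+"), "new local account added"),
    (re.compile(r"^aaa authentication"), "login authentication policy changed"),
    (re.compile(r"^interface Tunnel\d+$"), "new tunnel interface added"),
    (re.compile(r"> transport input .*\btelnet\b"), "cleartext telnet management enabled"),
    (re.compile(r"^snmp-server community"), "SNMP community string added"),
    (re.compile(r"^ip route "), "static route added"),
]
REMOVED_RULES = [
    (re.compile(r"> access-class "), "management access ACL removed"),
    (re.compile(r"^aaa "), "AAA setting removed"),
    (re.compile(r"^logging "), "logging destination removed"),
]


@dataclass
class Finding:
    change: str   # "added" or "removed"
    entry: str    # normalized config entry
    reason: str


def normalize(config: str) -> list[str]:
    """Flatten a config into sorted, section-qualified entries.

    Indented child lines are prefixed with their parent statement, so an
    'ip address' under Tunnel100 is distinct from one under Gi0/0. Blank
    lines and '!' separators are dropped so cosmetic edits don't change
    the fingerprint."""
    entries, section = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            entries.append(f"{section} > {line.strip()}" if section else line.strip())
        else:
            section = line
            entries.append(line)
    return sorted(set(entries))


def config_fingerprint(config: str) -> str:
    """SHA-256 over the normalized config; store this for the known-good baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def diff_configs(baseline: str, current: str) -> tuple[list[str], list[str]]:
    """Return (added, removed) entries relative to the baseline."""
    base, cur = set(normalize(baseline)), set(normalize(current))
    return sorted(cur - base), sorted(base - cur)


def assess(baseline: str, current: str) -> list[Finding]:
    """Apply the review rules to the drift and return the flagged changes."""
    added, removed = diff_configs(baseline, current)
    findings = []
    for entry in added:
        for pattern, reason in ADDED_RULES:
            if pattern.search(entry):
                findings.append(Finding("added", entry, reason))
    for entry in removed:
        for pattern, reason in REMOVED_RULES:
            if pattern.search(entry):
                findings.append(Finding("removed", entry, reason))
    return findings


if __name__ == "__main__":
    print("baseline fingerprint:", config_fingerprint(BASELINE_CONFIG))
    print("current  fingerprint:", config_fingerprint(CURRENT_CONFIG))
    for f in assess(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f"[{f.change.upper():7}] {f.reason}: {f.entry}")
```

In practice the baseline fingerprint would be recorded out of band (on a host the router's own credentials cannot reach) and the current config pulled over the out-of-band management path at each check, so that an attacker who holds the device cannot also rewrite the reference copy. A fingerprint mismatch alone is the alert; the rule output just tells the responder where to look first.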

The bigger picture of sustained global telecom espionage

Salt Typhoon demonstrates that the shortest path to strategic intelligence runs through the world’s carriers and internet gateways. It also shows how espionage and contingency access can coexist: one cluster harvests data while peers prepare for crisis scenarios. With confirmed activity across North America, Europe, Africa, and the Asia-Pacific—and a victim count topping 200—the campaign is unlikely to be a one-off. The next phase will hinge on whether targets can reclaim visibility at the network edge and close the surveillance backdoors that made this operation so effective.