The Largest Telecommunications Attack in U.S. History: What Really Happened—And How We Fight Back
When Senator Ben Ray Luján warned that the United States was facing “the largest telecommunications hack in our nation’s history,” it marked a turning point in how we understand national cyber risk.
On December 4, 2024, the White House confirmed a sprawling cyber-espionage campaign targeting 80 global telecom providers across dozens of countries¹. A joint task force—the Operation Enduring Security Framework—was launched by the NSA, Pentagon, and CISA to contain the damage.
The adversary behind it: a sophisticated nation-state threat actor Microsoft calls Salt Typhoon, also tracked as Ghost Emperor, FamousSparrow, Earth Estries, UNC2286, and earlier as LightBasin / UNC1945 / LIMINAL PANDA²⁻⁴.
And the campaign isn’t over.
A DHS memo released in June 2025 revealed Salt Typhoon had “extensively” breached a U.S. state’s Army National Guard network, gathering administrator credentials and sensitive configuration data—with indications of broader penetration across all 50 states⁵.
This is what happened—and the blueprint for preventing the next one.
A Multiyear, Global Espionage Operation
Telecom networks were long assumed to be secure because of their physical isolation—so-called “Walled Gardens.” But researchers have identified over 749,000 GTP-reachable hosts on the public internet spanning 1,176 service providers in 162 countries, exposing 38 categories of abuse possibilities⁶.
Salt Typhoon leveraged this false sense of security, chaining together known vulnerabilities, unpatched infrastructure, supply-chain weaknesses, and roaming-protocol blind spots.
It was not a zero-day-driven campaign. It was a discipline-driven campaign.
How the Attackers Gained Initial Access
Salt Typhoon combined telecom-specific intrusion methods with widely exploited CVEs.
Credential Capture & SIM-Based Attacks
Attackers used:
- SIM swapping (often requiring insider cooperation)
- SIM cloning (via social engineering)
- Passive user-equipment signal capture
- Semi-passive attacks (triggering UE signaling via SMS/calls)
- Active capture via rogue base stations—a technique also used in law-enforcement IMSI-catcher tools⁷⁻⁸
Network Fingerprinting
They used tools such as GTScan, SigPloit, and SCTPscan⁹⁻¹¹ to scan operator and partner networks for vulnerable systems.
Exploiting Known Vulnerabilities
Salt Typhoon relied heavily on publicly disclosed flaws, including:
- Ivanti (CVE-2024-21887)
- Palo Alto Networks PAN-OS (CVE-2024-3400)
- Cisco IOS XE (CVE-2023-20273, CVE-2023-20198, CVE-2018-0171)¹²
Supply Chain Weaknesses
Nearly 60% of breaches originate from third-party vectors, according to Gartner¹³. Telcos depend heavily on vendors, CI/CD pipelines, and operational support systems—making supply-chain compromise a reliable entry point.
Persistence & Lateral Movement
Once inside, Salt Typhoon worked methodically to stay inside.
Obfuscation & Security Modification
They altered:
- ACLs
- System configurations
- Logging paths
- Service-port exposure (including high, unmonitored ports)
Covert Channels & Tunneling
They built encrypted channels—SSH on high ports, GRE tunnels, and IPsec—to move laterally and hide command traffic.
Abusing SNMP & Containers
Salt Typhoon repurposed SNMP community strings to modify router/switch configurations and used on-device Linux containers in vulnerable Cisco hardware for tooling and stealth movement.
Privilege Escalation & Token Abuse
Compromised authentication systems (e.g., TACACS+), token hijacking, and VM/container breakouts enabled them to reach deeper network layers.
Command & Control via Roaming Protocols
Salt Typhoon used the mobile roaming fabric itself as a C2 backbone.
GTP Abuses
NIST and academic researchers have long warned about GTP’s lack of integrity, authentication, and replay protection¹⁴⁻¹⁵.
Salt Typhoon weaponized these gaps.
GTPDOOR
A custom backdoor—GTPDOOR—served as a persistent command-distribution layer, enabling covert communications and exfiltration through roaming interfaces¹⁶.
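As an added illustration of the kind of check a GTP-aware roaming firewall performs (this is example code, not from the article, GTPDOOR research, or any vendor product), the following Python parses the GTPv1 header and applies FS.20-style policy: a roaming-peer allow-list, a message-type allow-list for the GTP-C port, a length sanity check, and a strict limit on echo messages, since data smuggled inside path-management traffic must ride in a payload those messages normally lack. The peer addresses and sample packets are constructed, and the echo-payload limit is a policy choice stricter than the spec's optional Private Extension IE.

```python
import struct

# GTPv1-C lives on UDP 2123; only path-management and PDP-context signalling
# message types are expected on a roaming (Gp) control-plane link.
GTPC_PORT = 2123
ALLOWED_GTPC_TYPES = {1, 2, 16, 17, 18, 19, 20, 21, 26, 31, 32}
ECHO_TYPES = {1, 2}
# Constructed allow-list of roaming-partner signalling peers (assumption).
ROAMING_PEERS = {"198.51.100.10", "198.51.100.11"}

def parse_gtpv1(pkt: bytes) -> dict:
    """Parse the GTPv1 header and report actual vs. declared payload size."""
    if len(pkt) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", pkt[:8])
    version = flags >> 5
    if version != 1:
        raise ValueError(f"unsupported GTP version {version}")
    # E, S or PN set => 4 optional header bytes, counted in the length field.
    hdr_len = 12 if flags & 0x07 else 8
    return {"type": msg_type, "teid": teid, "hdr_len": hdr_len,
            "payload_len": len(pkt) - hdr_len,
            "declared_payload": length - (hdr_len - 8)}

def check_gtpc(pkt: bytes, src_ip: str, dst_port: int) -> list:
    """Return policy violations for one packet seen on the roaming interface."""
    findings = []
    if src_ip not in ROAMING_PEERS:
        findings.append("peer not in roaming allow-list")
    try:
        h = parse_gtpv1(pkt)
    except ValueError as e:
        return findings + [str(e)]
    if dst_port == GTPC_PORT and h["type"] not in ALLOWED_GTPC_TYPES:
        findings.append(f"message type {h['type']} not allowed on GTP-C port")
    if h["declared_payload"] != h["payload_len"]:
        findings.append("declared length does not match packet size")
    if h["type"] in ECHO_TYPES:
        if h["teid"] != 0:          # spec requires TEID 0 on echo messages
            findings.append("echo message with non-zero TEID")
        if h["payload_len"] > 2:    # room only for the Recovery IE
            findings.append("echo message carrying unexpected payload")
    return findings

# Constructed sample packets (not captures): a normal echo request, an echo
# request padded with 32 bytes, and a user-plane G-PDU aimed at the C-plane port.
ECHO_OK = bytes.fromhex("320100040000000000010000")
ECHO_PADDED = bytes.fromhex("320100240000000000020000") + b"\x00" * 32
GPDU_ON_C = bytes.fromhex("30ff000800001234") + b"\x41" * 8
```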
Data Collection & Exfiltration
With C2 established, Salt Typhoon harvested high-value communications data.
Collection Techniques
They used:
- Network sniffing of call/SMS traffic via compromised switches
- Adversary-in-the-middle attacks (ARP, DNS, LLMNR)
- Compromised SMSCs capturing message content
- SDN controller manipulation to reroute traffic
- Memory scraping of tokens, keys, and credentials
- User-plane redirection via GTP-U/C manipulation
- Malicious VNFs injected through compromised MANO systems
Exfiltration Channels
They exfiltrated data via:
- Telecom protocols: GTP, SIGTRAN, eDNS
- Standard protocols: FTP, SMTP, HTTPS, SMB, DNS
- Even legitimate web services for stealth extraction
Why the Attack Worked
The most alarming truth:
Nothing Salt Typhoon did was novel.
They succeeded because operators lacked:
- Zero Trust architectures
- Roaming-interface firewalling
- Microsegmentation
- Continuous vulnerability management
- End-to-end visibility
- Supply-chain enforcement
- Prevention-first security at the perimeter
In Anne Neuberger’s words: *“Commonly accepted cyber security practices would have made it far harder to execute and easier to recover from.”*¹
The Blueprint for Defense
- Prevention-First Security
Autonomous threat prevention at the perimeter blocks zero-days, scans for anomalies, and correlates events across the network.
- Zero Trust Architecture
No implicit trust. Continuous authentication and authorization at every hop¹⁷.
- Microsegmentation
Divide networks into zones to contain breaches and prevent lateral sprawl¹⁸⁻¹⁹.
- Vulnerability Management
Continuous scanning and patching close the exact footholds Salt Typhoon exploited²⁰⁻²¹.
- GTP-Aware Carrier Firewalling
GSMA recommends applying confidentiality, integrity, and replay protection to roaming interfaces²². Dedicated GTP firewalls can enforce 3GPP and FS.20 standards.
- Strengthened Supply Chain Controls
Monitor CI/CD pipelines, enforce vendor access restrictions, and apply Zero Trust to partners.
- Unified Observability
Telemetry across all network layers increases the likelihood of detecting covert channels, unauthorized SNMP operations, and privilege escalation attempts.
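As an added example (not from the article or any vendor tool), here is a small Python detector run over constructed Cisco-IOS-style syslog lines that flags the persistence changes described in the "Obfuscation & Security Modification" and "Covert Channels & Tunneling" sections above: configuration written via SNMP, new GRE tunnel interfaces, SSH moved to a high port, syslog destinations removed, and ACLs deleted. The hostname, username, addresses and timestamps are made up.

```python
import re

# Constructed Cisco-IOS-style syslog lines (not a real capture) showing the
# kinds of changes described above: a config write via SNMP, a new GRE tunnel,
# SSH moved to a high port, a syslog destination removed, an ACL deleted.
SAMPLE_LOGS = """\
Jun 11 02:14:03 edge-rtr1: %SYS-5-CONFIG_I: Configured from 10.40.7.22 by snmp
Jun 11 02:14:09 edge-rtr1: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:interface Tunnel9
Jun 11 02:14:10 edge-rtr1: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:tunnel mode gre ip
Jun 11 02:14:15 edge-rtr1: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:ip ssh port 61022 rotary 1
Jun 11 02:14:20 edge-rtr1: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no logging host 10.40.1.5
Jun 11 02:14:31 edge-rtr1: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:no ip access-list extended MGMT-IN
Jun 11 09:00:00 edge-rtr1: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.40.1.50)
"""

# (rule name, pattern). The SSH rule captures the port so detect() can
# ignore moves that stay within the well-known range.
RULES = [
    ("config change via SNMP", re.compile(r"CONFIG_I: Configured from \S+ by snmp")),
    ("tunnel interface added", re.compile(r"logged command:interface Tunnel\d+")),
    ("GRE/IPsec tunnel mode set", re.compile(r"logged command:tunnel mode (?:gre|ipsec)")),
    ("SSH moved to high port", re.compile(r"logged command:ip ssh port (\d+)")),
    ("syslog destination removed", re.compile(r"logged command:no logging host")),
    ("ACL removed", re.compile(r"logged command:no ip access-list")),
]
HIGH_PORT = 1024
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+): (.*)$")

def detect(log_text: str) -> list:
    """Return (timestamp, host, rule) for every line that matches a rule."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue   # not a syslog line we understand
        ts, host, msg = m.groups()
        for name, rx in RULES:
            hit = rx.search(msg)
            if not hit:
                continue
            if hit.groups() and int(hit.group(1)) <= HIGH_PORT:
                continue   # SSH still on a standard port: not a finding
            hits.append((ts, host, name))
    return hits
```

A burst of several of these rules firing on one device inside a few minutes, as in the sample, is the pattern worth alerting on rather than any single line.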
The Fight Is Not Finished
Salt Typhoon’s campaign is active, unmitigated, and ongoing.
Much is still being discovered about their access, tooling, and long-term intent.
But one thing is certain:
Telecom networks were breached not because attackers invented new techniques—but because operators failed to implement existing, proven security practices.
The path forward is clear: Zero Trust, microsegmentation, strong GTP protections, continuous vulnerability management, and a prevention-first security posture.
The attack may be historic in scale—but it is preventable in principle.
Endnotes
- Politico – The White House struggles to contain massive Chinese telco hacks (12/04/2024)
- CrowdStrike – Analysis of LightBasin telecommunications attacks (11/19/2024)
- Kaspersky Labs – Ghost Emperor threat research
- Trend Micro – Earth Estries threat analysis
- Department of Homeland Security – Salt Typhoon memo (06/11/2025)
- IEEE Symposium on Security & Privacy – Invade the Walled Garden: Evaluating GTP Security in Cellular Networks (2025)
- U.S. Gov’t Publishing Office – IMSI Catcher Threats (2018)
- Associated Press – US suspects cellphone spying devices in DC (2018)
- GTScan – SigPloiter Repository
- SigPloit – Telecom exploitation toolkit
- SCTPscan – Kali Linux tool
- Joint Security Advisory – Countering Chinese State-Sponsored Actors (2025)
- Gartner – 3 ERM Strategies for Effective Third-Party Risk Management
- NIST SP 1800-33B – 5G Cybersecurity
- IEEE SP Symposium – GTP security research
- haxrob – GTPDOOR: A Novel Backdoor for Covert Access over the Roaming Exchange (2024)
- NIST SP 800-207 – Zero Trust Architecture
- CISA – Microsegmentation in Zero Trust (07/29/2025)
- NIST SP 800-207A – Zero Trust for Cloud-Native Applications
- CISA AA20-245A – Technical Approaches to Remediating Malicious Activity
- CISA – Cybersecurity Incident & Vulnerability Response Playbooks (2021)
- GSMA FS.20 – GTP Security Guidance (April 2023)