Salt Typhoon: China Hacks US Telecom Wiretap Infrastructure
Chinese state hackers accessed the lawful intercept infrastructure of AT&T, Verizon, T-Mobile, and other US telecoms — the same systems used by the FBI and courts to conduct authorised wiretaps — for over a year.
Attack Chain
1. Nation-state gains ISP access
2. BGP/routing infrastructure compromised
3. Wiretap systems infiltrated
4. Call metadata and recordings accessed
5. Attribution to Salt Typhoon
Background
US telecommunications carriers are required by the Communications Assistance for Law Enforcement Act (CALEA) to build lawful intercept capabilities — backdoors accessible to law enforcement with a court order. These systems are among the most sensitive in the entire telecom infrastructure.
The Attack
The Chinese state hacking group Salt Typhoon (also known as Earth Estries) penetrated the networks of at least eight major US telecommunications companies, including AT&T, Verizon, and T-Mobile. Critically, they accessed the CALEA lawful intercept infrastructure — obtaining access to the same systems used for court-ordered wiretapping. They reportedly collected call records for millions of Americans and accessed the actual call content of a smaller set of senior government officials and political figures. The intrusion lasted for over 12 months.
Response
The US government publicly attributed the attack to China in October 2024. CISA and the FBI issued joint guidance urging the use of encrypted messaging apps. Several senior US officials were identified as having had their communications compromised. The Biden administration imposed sanctions on a Chinese company connected to the attacks.
Outcome
The attack was called "historically significant and concerning" by CISA. It exposed a fundamental irony: the backdoors built into telecom infrastructure for legitimate law enforcement use had become the entry point for foreign intelligence collection. Security experts who had long warned that CALEA-style backdoors were inherently insecure were widely cited.
Key Takeaways
- Backdoors built for law enforcement use create exploitable vulnerabilities — there is no secure backdoor
- Use end-to-end encrypted communications for sensitive conversations — SMS and phone calls are not private
- Nation-state actors are patient — they can maintain access for over a year before being detected
- Critical government and political communications require dedicated, hardened communication channels