A house full of open windows: Why telecoms may never purge their networks of Salt Typhoon

When the news broke that a Chinese hacking group known as Salt Typhoon had penetrated multiple U.S. telecommunications networks, gained access to the phones of a presidential campaign, and collected geolocation data on high-value targets around Washington D.C., one of the first questions on the minds of executives and U.S. officials was how long it would take to kick them out.
The spying campaign shocked the government and telecom industry alike. While cyber-enabled espionage between world powers is broadly considered fair play, Salt Typhoon’s brazenness and the methodical, systematic way of compromising networks and collecting high-value intelligence reflected a deep understanding of how U.S. telecommunications networks operate.
Salt Typhoon’s widespread intrusions for a U.S. adversary endangered the cellular communications of nearly all Americans — including high-level government officials — and posed a severe threat to U.S. national security. Sen. Mark Warner, D-Va., a former telecommunications executive, has called it “the most serious telecom hack in our nation’s history.”
And yet in the months following, the Biden administration, current and former cybersecurity officials, members of Congress and other experts have repeatedly floated the possibility that many U.S. telecommunications firms may never fully expunge the hacking group from their networks.
Laura Galante, who led the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence until January, told CyberScoop that the subdued reaction in some circles reflects the way that digital breaches are often treated less seriously by the public than physical ones.
“We can’t accept this level of espionage on our networks,” Galante said. “If you had 50 Chinese [Ministry of State Security] spies or contractors sitting inside a major [telecom company’s] building, they would be walked out and it would be a full-scale effort. That’s in broad strokes what has happened, but the access was digital.”
But interviews with multiple U.S. government and industry officials suggest that a full-scale effort to digitally eject Salt Typhoon will be easier said than done.
It isn’t hard to hide
When U.S. officials warn that telecoms may never be able to fully purge Salt Typhoon from their networks, it’s largely based on three factors: the size and complexity of modern telecommunications networks, the difficulty in managing identity solutions that grant broad access to those networks, and a history of industry consolidation and indifference to cybersecurity that left many telecoms ill-prepared to go toe-to-toe with Chinese government hackers.
Those factors have resulted in a sprawling system of telecommunications networks composed of both legacy and modern technologies that are riddled with software and hardware vulnerabilities and provide multiple pathways to reentry through exploitation.
If one access point is patched or closed or if the actors are evicted, they can often simply exploit another chain of vulnerabilities in order to regain access or leverage previously deployed persistence mechanisms. Put another way: if a homeowner leaves all their windows open, a burglar doesn’t care if they’ve locked the front and back doors.
“I think everybody’s rushing to say, ‘yes, we’ve evicted Salt Typhoon, Salt Typhoon is no longer a problem.’ But that’s not how [cybersecurity] works and it’s also not how intelligence agencies work,” said Silas Cutler, a principal security researcher at cybersecurity firm Censys.
In the wake of Salt Typhoon’s public outing, large telecoms like AT&T, Verizon, Lumen and others have confirmed they were affected and claimed to have either purged the actors from their network or “contained” the incident.
But U.S. officials continue to insist that Salt Typhoon remains active in U.S. networks, and experts who spoke with CyberScoop say that statements from telecoms about their exposure are overflowing with legalese, measuring one point in time, and don’t account for numerous ways that attackers could reenter telecom infrastructure.
“The best you can do is find them early in the kill chain,” said Gentry Lane, CEO and founder of Nemesis Global, a defensive cybersecurity platform for critical infrastructure entities that is only sold in NATO and Five Eyes countries. “You can expel [them] and you need to. You can’t keep them from living off the land or living in your system.”
There’s also a problem of scale. Any serious attempt to expunge Chinese hackers from even a single telecom network would likely need to include the forensic analysis of tens of thousands of company endpoints for signs of compromise, lateral movement or data theft. While Lane has worked to build Nemesis Global’s platform to conduct such automated endpoint memory forensics, she said it is a relatively recent capability that is not widely available.
Cutler said part of the difficulty in tracking Salt Typhoon stems from a lack of confirmed, granular indicators of compromise for threat hunters to track.
“Those types of really targeted threat hunting [IOCs] to look for, I just haven’t seen it with Salt Typhoon,” he said. “I feel like there’s not enough for me to hunt on regularly and reliably to be able to say, ‘yeah, I think we have pretty good removal of this activity.’”
Sources pointed to two types of technologies that the group has repeatedly exploited in its campaign: identity management software and network edge devices.
“When you get down to the nuts and bolts, the question is whether you can manage who has access to different parts of your network,” Galante said. “Can you confidently hunt and detect malicious activity on your network at a speed that’s relevant? That’s going to help answer whether Chinese Intelligence is still in our telcos” in the coming years.
Meanwhile, a six-month trend analysis from Censys released in April found over 200,000 public exposures of four popular networking and edge devices with vulnerabilities that are known or thought to have been exploited by Salt Typhoon, most located in the United States.
Not all of the exposed devices are necessarily vulnerable, and many researchers remain frustrated by the lack of direct telemetry on Salt Typhoon. Nevertheless, the report reached an unsettling conclusion.
“Despite growing public awareness of Salt Typhoon’s activity, there has been little meaningful reduction in exposed, reportedly targeted devices on the public internet — just 25% since October 2024,” the report stated.
Network edge devices have become a critical tool for Chinese hackers to hide their presence from both telecoms and U.S. authorities. Targeting and compromising VPNs, small office/home office (SOHO) routers and WiFi-only routers allows groups like Salt Typhoon to pose as domestic U.S. users and blend in with normal network traffic. It also allows them to operate within trusted U.S. networks and evade detection by threat hunters.
“What China does is they use those sets of localized U.S. IP address edge devices to obfuscate the last couple miles of network traffic that is coming out of China,” Galante said. “They very much understand that our authorities are much harder to use once you’ve jumped to U.S. IP space.”
Consolidated markets, consolidated vulnerabilities
The technology stacks managed by telecommunications companies are massive, complex, and reflective of the industry’s decades-long history of consolidation.
As the internet and digitization transformed media at the turn of the millennium, telecoms expanded beyond basic telephone and connectivity services to include banking, mobile financial services and advertising.
In many cases, executives viewed acquisitions as the quickest and most efficient path to accomplish that goal, buying up other companies and absorbing their technology infrastructure along the way. A 2023 analysis by Victor Font at FTIDelta found that telecom consolidation was largely driven by telecoms’ desire for synergy and cost savings across their network and IT segments, as companies sought to meet exploding consumer demand and grow their market presence.
This strategy has had profound consequences in the digital security space, leaving many of the market’s largest players as a Frankenstein’s monster of different equipment, technologies and architecture.
“When a company acquires another one, they are very much acquiring the security vulnerabilities of that company, too,” Galante said.
Telecom companies have purchased regional carriers, a wide variety of technology types, and networks upon networks “that are layered with everything from copper wires to the most advanced 5G and 6G technologies.”
“Securing that is particularly hard, and you’ve got to absorb essentially the security posture and build in all the different emergency response and CERT-like functions for every one of those acquisitions you do,” Galante said.
Another former U.S. cybersecurity official co-signed that sentiment, telling CyberScoop that new acquisitions invariably introduce new complexities and risks into security management. But overall, the concern is less about the acquisitions themselves and more about whether they were carried out responsibly with regard to cybersecurity.
“Did they do the right level of due diligence? Did they do the right level of integration to make sure that they were bringing the new acquisitions up to the same level of security standards internally?” asked the official, who requested anonymity to discuss Salt Typhoon.
A potential fix runs into a familiar problem
Further research has shown that the industry’s responses to vulnerability disclosure and remediation vary widely, especially when it is presented with evidence that flaws exist in systems that use state-of-the-art technology.
Kevin Butler, a professor of computer and information science and engineering at the University of Florida and director of the Florida Institute for Cybersecurity Research, is one of the authors of Ransacked, a massive research project examining vulnerabilities in telecom core networks.
In an interview, Butler said to think of the cellular network at three levels: user equipment (i.e. cell phones and equipment with cellular interfaces); the over-the-air communications that equipment makes to base stations that connect into larger Radio Access Networks; and the communications between those networks and the Public Switched Telephone Network, the cellular core that links to the rest of global telephony infrastructure.
Butler’s team focused their research on that last part, investigating the variety of ways that malicious actors could exploit existing vulnerabilities to compromise and access the core cellular network.
One of the first things they discovered is that many existing cybersecurity tools and protocols were ill-suited for the task.
The cellular network is “made up of a large number of components that interact in very complicated ways” and “the types of protocols that are used look a little different” from regular computer network protocols.
“What this means is that the types of security assessment tools that we generally use for assessing network protocols don’t work that well for cellular networks,” Butler said.
Using a cybersecurity testing method known as “fuzzing” that feeds random or unexpected data into a program to identify security issues, Butler’s team developed a bespoke system that could evaluate the cybersecurity of LTE/5G core telecommunications infrastructure.
What they found was stark: many common LTE and 5G implementations (Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, srsRAN) had more than a hundred distinct and exploitable vulnerabilities. Most of these could be used to disrupt cellular communications within a geographic area, while a smaller subset could grant remote access to the network core.
For some vulnerabilities, the researchers discovered that sending certain messages to the core network would corrupt the system’s memory, allowing an attacker to run any commands they wanted. The research team developed a proof-of-concept program that could “basically establish a command and control or persistent channel to that network component and then cause further damage from there,” said Nathaniel Bennett, a student at the university and lead author for the paper.
Patrick Traynor, another University of Florida professor involved in the research, told CyberScoop that their report only reflects the vulnerabilities they were able to find with their own limited resources.
But perhaps even more concerning is the way those flaws were eventually addressed. Prior to publication, the team reached out to as many open-source maintainers, commercial entities and others with affected software to go through the vulnerability disclosure process. Some took the issue seriously, while others didn’t respond. In other cases, the team couldn’t identify a responsible party or maintainer — a common problem in critical infrastructure — and many of those that did respond simply lacked the personnel or expertise to address the flaws.
In the end, Bennett wound up spending months communicating with affected stakeholders and creating most of the patches for affected software.
When asked how the team responded to news of Salt Typhoon’s intrusions into U.S. telecoms, Traynor said they weren’t surprised.
He emphasized that “this is just what we found” with the limited expertise and resources they had available, and flatly stated “we expect there to be more” flaws identified if additional parties or security experts were to apply similar scrutiny to other parts of the U.S. telecom network.
“First, these networks are extraordinarily complicated,” Traynor said. “Certainly securing the internet is hard enough, and for lots of reasons, both the complexity, but also the sort of history of its closed nature, it really means that not as many eyes are able to look at these systems.”
Tim Starks contributed reporting for this story.