Salt Typhoon, US Telecommunications Backbone Compromise

Access established earlier; disclosed September–December 2024 (note: investigation and disclosures ongoing as of May 2025)

Espionage · Peak: Intrusion · Attribution: Confirmed · Telecommunications · Critical Infrastructure · Government
Year
2024
Actor country
China
Target regions
United States, multiple allied jurisdictions
Unpeace score
8

Executive Summary

A China-linked intrusion campaign against US telecommunications operators, including AT&T, Verizon, Lumen, and others, gained access to portions of the carriers' core network infrastructure, including, at some operators, the systems used to service US lawful-intercept (CALEA) requests. The campaign exposed call metadata and content for an unknown number of US persons, and US officials publicly confirmed that the communications of senior US political figures were targeted during the 2024 election cycle. In January 2025 the US Treasury's OFAC sanctioned Sichuan Juxinhe Network Technology and a Shanghai-based individual (Yin Kecheng), part of a wider 2024–2025 wave of sanctions against China-linked cyber contractors (alongside actions against Integrity Technology Group / Flax Typhoon and Sichuan Silence Information Technology).

Why This Matters

Salt Typhoon is the temporal pivot of the matched-pair argument. It is structurally similar to Belgacom (a foreign state compromising another state's telecommunications backbone) but draws a sharply higher consequence, OFAC sanctions on a named contractor, because the perpetrator is positioned outside the Western attributing coalition. Read alongside Belgacom and OPM, it shows the consequence axis tracking political relationship rather than technical facts; read alongside Volt Typhoon, it shows that the relationship can move within a short time horizon (sanctions arrived for Salt Typhoon faster than for the parallel Volt Typhoon campaign).

Escalation Profile

7-Dimension Profile

Escalation Ladder

Probing · Intrusion (peak) · Disruption · Degradation · Destruction · Strategic

Phases

2024
Intrusion

Initial access into US telecom carriers

Long-duration access established into core networks of multiple US telecommunications operators using credential abuse and exploitation of network-edge devices.

2024-10
Intrusion

Access to lawful-intercept systems and high-profile targets

US officials publicly confirmed that the intruders had accessed systems used to service CALEA lawful-intercept requests, and had targeted phones used by the 2024 Trump and Harris campaigns and by senior congressional staff.

2025-01-17
Intrusion

Public attribution, OFAC sanctions, and ongoing remediation

FBI/CISA joint advisories named PRC actors; US Treasury OFAC sanctioned Sichuan Juxinhe Network Technology and Yin Kecheng on 17 January 2025. CISA, NSA, and Five Eyes partners issued hardening guidance for telecom infrastructure. Forensic remediation across carriers is ongoing as of May 2025.

Threshold Crossings

  • First publicly documented compromise of US lawful-intercept (CALEA) infrastructure by a foreign state
  • First US OFAC sanctions against a PRC commercial contractor for telecommunications-sector cyber espionage (Sichuan Juxinhe, 17 Jan 2025)
  • Marked the consolidation of a 2024–2025 US sanctions posture against PRC cyber contractors, alongside Flax Typhoon / Integrity Tech and Sichuan Silence designations

Restraint Factors

  • Activity to date consistent with intelligence collection; no public evidence of destructive payload or manipulation of communications integrity
  • Public US government framing distinguishes Salt Typhoon (collection) from Volt Typhoon (pre-positioning for disruption); the two campaigns are attributed to separate PRC actors

Attribution Assessment

Confirmed. Salt Typhoon, attributed by the US government to the PRC Ministry of State Security (MSS) and the contractor Sichuan Juxinhe Network Technology
China
Salt Typhoon · Earth Estries
1. Technical

Threat actor mapped to China based on infrastructure analysis, malware attribution, and operational patterns.

Evidence: Microsoft Threat Intelligence: 'Salt Typhoon / Earth Estries, adversary profile'

2. Political / Legal
Public Attribution · Sanctions Imposed
  • FBI/CISA joint advisories on Salt Typhoon TTPs (Dec 2024)
  • Senate Intelligence and House Energy and Commerce hearings on telecom backbone security (Nov 2024 – Jan 2025)
  • US Treasury OFAC designation of Sichuan Juxinhe Network Technology and Yin Kecheng (17 Jan 2025)
  • Five Eyes hardening guidance for telecommunications operators (Dec 2024)
  • Bipartisan Congressional letters calling for review of CALEA architecture and lawful-intercept design

Sources: US Department of the Treasury: 'Treasury Sanctions Cyber Actors Involved in PRC State-Sponsored Hacking of U.S. Telecommunications'; CISA / FBI / NSA Joint Cybersecurity Advisory: PRC-Affiliated Actor Compromise of US Telecommunications Providers

3. Open Source
  • Wall Street Journal: 'China-Linked Hackers Breach U.S. Internet Providers in New Salt Typhoon Cyberattack' (2024-09-25)
  • Washington Post: 'Chinese hack of U.S. telecoms compromised more than Trump campaign phones' (2024-10-26)

“Confirmed” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside the source material.

Unpeace Position

8

Unpeace Score

Composite severity rating on the peace–conflict spectrum

Scale: Stable · Contested · Escalatory (gauge ticks 0, 30, 60, 100)

Contributing Dimensions

Escalation peak: 2/6
Threshold crossings: 3/4
Governance flags: 5/8
Sectors affected: 3/6
Entanglement: 7/10
Country scope: 2/6

Coercive Function

Espionage

Intelligence collection; the coercive value lies in the information advantage gained and in the implicit signal that the adversary can reach sensitive systems.

Observed coercive effects

As listed under Threshold Crossings above.

Entanglement Risk

Entanglement score: 7

Sectors affected

Telecommunications · Critical Infrastructure · Government

Countries / regions

United States · multiple allied jurisdictions

Impact summary

Access to core network and CALEA-related systems at multiple major US telecommunications operators; metadata and content for an unknown number of US persons exposed; senior political figures' communications targeted. Full scope and remediation status remain under investigation as of May 2025.

Infrastructure Meaning

Malware / tooling

GhostSpider · Demodex (rootkit, historic linkage)

Capability profile

Long-duration access to carrier core networks obtained through credential abuse and exploitation of network-edge devices; access to CALEA-related lawful-intercept systems; collection of call metadata and content for an unknown number of US persons, with senior political figures' communications targeted. Tooling as listed above (GhostSpider; Demodex by historic linkage). Full scope and remediation status remain under investigation as of May 2025.

4 ATT&CK techniques mapped — see ATT&CK mapping below.

Governance Analysis

Governance Flags

Norm Violation
Public Attribution
Sanctions Imposed
Indictment
UN Discussion
Regulatory Change
International Cooperation
Deterrence Signal

Norms invoked

  • UN GGE 2015 Norm 13(f) on critical infrastructure (telecommunications)
  • Tallinn Manual 2.0 Rule 4 (violation of sovereignty); attribution of MSS contractor conduct to the state falls under the state-responsibility rules (Rules 15–17)
  • OECD principles on lawful-intercept infrastructure integrity

Policy responses

  • FBI/CISA joint advisories on Salt Typhoon TTPs (Dec 2024)
  • Senate Intelligence and House Energy and Commerce hearings on telecom backbone security (Nov 2024 – Jan 2025)
  • US Treasury OFAC designation of Sichuan Juxinhe Network Technology and Yin Kecheng (17 Jan 2025)
  • Five Eyes hardening guidance for telecommunications operators (Dec 2024)
  • Bipartisan Congressional letters calling for review of CALEA architecture and lawful-intercept design

Regulatory changes

  • FCC declaratory ruling and proposed rulemaking on telecommunications cybersecurity (early 2025)
  • CISA expanded guidance on protecting carrier network-edge infrastructure
  • Renewed legislative interest in revisiting CALEA's lawful-intercept design after demonstrated foreign-state abuse; status of any enacted legislation as of mid-2025 not yet assessed

Governance impact assessment

Salt Typhoon marks the consolidation of US OFAC sanctions as a routinised response to PRC telecommunications-sector espionage. Pairing Salt Typhoon (PRC contractor, sanctions imposed) with Belgacom (UK GCHQ, no formal response) isolates the political relationship of the perpetrator from the technical character of the operation; pairing it with Volt Typhoon (parallel PRC campaign, no sanctions in the immediate response cycle) tracks how the 2024–2025 wave shifted the consequence baseline for China-attributed CI espionage.

Sources

  • US Department of the Treasury: 'Treasury Sanctions Cyber Actors Involved in PRC State-Sponsored Hacking of U.S. Telecommunications' (Government, 2025-01-17)
  • CISA / FBI / NSA Joint Cybersecurity Advisory: PRC-Affiliated Actor Compromise of US Telecommunications Providers (Government, 2024-12-03)
  • Wall Street Journal: 'China-Linked Hackers Breach U.S. Internet Providers in New Salt Typhoon Cyberattack' (Journalistic, 2024-09-25)
  • Washington Post: 'Chinese hack of U.S. telecoms compromised more than Trump campaign phones' (Journalistic, 2024-10-26)
  • Microsoft Threat Intelligence: 'Salt Typhoon / Earth Estries, adversary profile' (Vendor Report, 2024-11)

Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.

Volt Typhoon

2023 – 2024 (disclosed 2024) · China · Unpeace score 6

Volt Typhoon represents the clearest case of peacetime pre-positioning in adversary critical infrastructure, forcing an urgent policy reckoning on whether such activity constitutes a threat of force and how states should respond to it below the threshold of armed conflict.

Espionage · Intrusion

Cloud Hopper

Active circa 2014 – publicly disclosed April 2017; indictment December 2018 · China · Unpeace score 7

Cloud Hopper is the strongest pre-2024 data point on the indictment-without-sanctions cell at allied scale. It shows that even a broadly coordinated Five-Eyes-plus public-naming exercise against a PRC MSS contractor model did not, in 2018, escalate to OFAC sanctions. Read forward to Salt Typhoon (Jan 2025 OFAC sanctions on a comparable PRC contractor), it provides the time-series evidence that the consequence baseline for China-attributed espionage shifted in the 2024–2025 window, and that the shift was a political choice rather than a response to new technical facts.

Espionage · Intrusion

APT1

2006 – disclosed February 2013; indictment May 2014 · China · Unpeace score 7

APT1 is the foundational test case for indictment-as-signal in cyber statecraft. It demonstrates that the United States is willing to publicly name uniformed foreign military personnel, but that this willingness does not, on its own, translate into sanctions or any other coercive consequence. Read alongside Sandworm (indictment plus sanctions) and Salt Typhoon (sanctions on a PRC contractor), it shows that the indictment-to-sanctions step is a discretionary political choice, not an automatic escalation.

Espionage · Intrusion

Exchange/Hafnium

January – March 2021 · China · Unpeace score 9

Hafnium demonstrated how a targeted espionage operation can metastasize into a mass-compromise event affecting tens of thousands of organizations, and prompted the widest coalition cyber attribution ever directed at China.

Espionage · Degradation