In early October 2024, several media outlets reported that United States telecommunications networks had been infiltrated by state-affiliated threat actors linked to the People’s Republic of China (“PRC”). These reports were followed by a joint statement on October 25, 2024 by the Federal Bureau of Investigation (“FBI”) and the Cybersecurity and Infrastructure Security Agency (“CISA”) confirming that the government is investigating “the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” Several days later, on October 29, 2024, the Congressional Research Service (“CRS”) issued an updated report stating that the PRC state-sponsored hacker group dubbed “Salt Typhoon” by security researchers was reportedly responsible for the intrusions into U.S. telecommunications companies reported in early October 2024. According to the report, Salt Typhoon appears “to have conducted counterintelligence operations, seeking information on PRC targets that the United States may be surveilling.” “Typhoon” is the naming convention Microsoft uses for threat actors attributed to PRC state sponsorship, and it has since been adopted by U.S. law enforcement agencies. Three Typhoon groups have figured prominently in recent public reporting: Flax Typhoon, known for compromising Internet-of-Things (“IoT”) devices and using them as an entry point to target Taiwanese and U.S. critical infrastructure; Volt Typhoon, known for stealthy, espionage-style pre-positioning inside U.S. critical infrastructure to enable potential future disruption; and Salt Typhoon, known for espionage and counterintelligence collection.
The CRS report further notes that Salt Typhoon may have infiltrated the lawful-intercept systems that carriers build into their networks to facilitate court-approved access for law enforcement investigations. This description is consistent with a series of three letters sent to Verizon, AT&T, and Lumen by the United States House of Representatives Committee on Energy and Commerce, stating that “Chinese hackers potentially accessed vulnerable information including court-authorized network wiretapping requests and internet traffic.” Under the Communications Assistance for Law Enforcement Act (“CALEA”), broadband and telecommunications providers are required to “design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information.” According to the Federal Communications Commission, “CALEA is intended to preserve the ability of law enforcement agencies to conduct electronic surveillance while protecting the privacy of information outside the scope of the investigation.” From a security standpoint, a lawful-intercept interface concentrates a carrier’s most sensitive data, namely who is under court-ordered surveillance and what traffic is being collected, into one highly privileged system, which is precisely what makes it a valuable counterintelligence target for a foreign intelligence service.
Although the government has said little about this incident, some members of Congress have publicly raised concerns. In addition to the letters sent to each of the targeted telecommunications companies, Senate Intelligence Committee Chairman Mark Warner has warned that the October telecommunications attack “is much more serious and much worse than even what you all presume at this point… It is one of the most serious breaches in my time on the Intelligence Committee.”
This attack appears to be a highly significant counterintelligence failure and yet another reminder of the dangers posed by PRC state-sponsored cyber-espionage.