Salt Typhoon, a sophisticated Chinese state-sponsored cyber threat actor, is conducting one of the most aggressive and sustained espionage campaigns ever uncovered against U.S. critical infrastructure. This episode explores how the group—linked to China’s Ministry of State Security—compromised a U.S. state’s Army National Guard, infiltrated telecom giants like AT&T, Verizon, and T-Mobile, and exfiltrated massive volumes of configuration files, call metadata, and wiretap logs.
Operating with alarming stealth, Salt Typhoon leveraged zero-day vulnerabilities in network devices, misconfigured infrastructure, and high-privilege accounts lacking MFA. Their goal? Strategic intelligence and counterintelligence dominance—mapping the communications lifelines of U.S. government, military, and private sector entities.
We explore:
- How Salt Typhoon infiltrated over 100,000 routers, including core components of global telecommunications infrastructure
- The breach of the National Guard network, including admin credentials and communications with fusion centers across multiple states
- Exploited vulnerabilities (e.g., CVE-2023-20198, CVE-2023-20273) and GRE tunneling used to maintain persistent access
- The group’s broader footprint, including targets in Canada, universities worldwide, and access to U.S. court-authorized wiretap systems
- The tools and tactics of RedMike (aka Salt Typhoon), from living-off-the-land attacks to custom malware and encrypted exfiltration
- Why this is being called the worst telecom hack in U.S. history—and what it means for national security
As U.S. officials roll out sanctions, international advisories, and enhanced telecom defenses, Salt Typhoon continues to adapt—illustrating the limitations of reactive security postures in an age of advanced persistent threats. The question is no longer if a breach will happen, but how long it takes to detect and contain it.
