The Salt Typhoon Telecom Hacks Provide Key Lessons for Strengthening Cybersecurity
By Pamela Isom, Member of the Consensus for American Security
The telecommunications industry is experiencing an ongoing crisis. Hackers affiliated with China’s Ministry of State Security have compromised eight telecommunications firms, extracting lawful wiretaps and critical intelligence data from some. Known as “Salt Typhoon,” this state-sponsored hacking group, identified by Microsoft in August 2024, has left some of the affected companies struggling to secure their systems. Amid this challenge, there are key lessons from the attacks that highlight examples of proactive and resilient cybersecurity practices that could guide the entire industry.
Operating since at least 2020, Salt Typhoon has targeted telecommunications providers, government agencies, political figures, internet service providers, and consulting firms worldwide. The group’s tactics are sophisticated, involving prolonged infiltration, stealthy data exfiltration, and the exploitation of lawful surveillance systems, making them particularly dangerous to national security. Once embedded, attackers are extremely difficult to remove, often remaining undetected for months or even years, and extracting sensitive information without triggering alarms.
The Salt Typhoon attacks have revealed vulnerabilities across the telecommunications sector. Verizon and AT&T, some of the largest U.S. telecommunications providers, were among the firms targeted by Salt Typhoon. Reports indicate that hackers infiltrated and potentially accessed sensitive data. According to The Wall Street Journal, U.S. wiretap systems were specifically targeted, posing a significant national security risk. The attacks highlight systemic vulnerabilities and the urgent need for more robust defenses.
Amid these challenges, T-Mobile’s Chief Security Officer (CSO), Jeff Simon, has said that while his team was looking for evidence of a Salt Typhoon attack, it detected and thwarted an attack from an unknown actor within a matter of days. The team traced the point of entry to a compromised wireline provider’s network that was connected to T-Mobile’s. According to Simon, the attack did not access “sensitive customer data” such as calls, texts, or voicemails.
T-Mobile’s experience provides valuable insights into strategies that can benefit the entire telecommunications industry. After this failed attack, T-Mobile took the notable step of sharing a detailed profile of the attackers with industry peers and government agencies. Its success lies in several proactive strategies. For instance, T-Mobile’s network was segmented, creating strategic layers to protect against and contain potential intrusions. Passwordless, multifactor authentication systems were also in place, reducing the chance that a hacker could trick an employee into revealing their credentials. Additionally, the company has prioritized modernizing its infrastructure to newer standards and enhanced encryption that are more resilient to intrusion. These practices enabled it to detect repeated failed attempts to penetrate layered defenses. Adopting these practices across the industry could strengthen the entire telecommunications sector.
The Salt Typhoon attacks highlight the urgent need for systemic change in how telecommunications providers approach cybersecurity. Government and industry leaders must work together to establish a proactive approach, prioritizing threat intelligence to improve defenses before incidents occur, not solely as a response to them. This requires proactive threat intelligence sharing.
Encouraging a bidirectional exchange between federal agencies and industry peers on actionable intelligence about emerging threats before incidents materialize would help better secure our country against state-sponsored hackers. Policymakers should establish programs that promote two-way real-time threat sharing and collaboration between the government and the private sector, transforming isolated observations into proactive defense. Real-time government intelligence sharing will promote industry openness and propel meaningful and less burdensome oversight.
Telecom providers should also modernize aging infrastructure for resilience, creating adaptable infrastructures capable of implementing advanced security measures. Vulnerabilities in aging systems provide opportunities for exploitation. Modernizing to counter security threats requires integrating real-time threat intelligence with proactive security measures that leverage artificial intelligence and emerging technologies. These actions help ensure defenses remain current, resilient, and effective against evolving threats.
Additionally, comprehensive security must extend across the supply chain. Mandating robust security standards for third-party providers, applying least privilege, and verifying and validating all vendor touch points is actionable cybersecurity supply chain risk management. It ensures that attackers cannot exploit vulnerabilities in external systems to compromise critical infrastructure, demonstrating end-to-end zero trust.
Finally, transparency is critical to increasing resilience across the industry. T-Mobile’s evolving approach offers valuable lessons for improving collective national security. Cybersecurity is not a zero-sum game; protecting one network strengthens the collective security of all. Any reluctance to disclose incidents undermines collective defense and leaves vulnerabilities unaddressed. Public-private partnerships can help bridge this gap, enabling firms to share insights while maintaining confidentiality.
The Salt Typhoon incident is a sobering reminder of the risks posed by cyber-espionage campaigns and advanced persistent threats. Yet, it also presents an opportunity to reshape the telecommunications industry’s approach to cybersecurity. By learning from the successes as well as the failures, the industry can foster greater transparency, collaboration, and resilience. Federal policymakers are critical to driving this transformation. By mandating threat intelligence sharing, incentivizing infrastructure modernization, and encouraging cybersecurity practices grounded in transparency, they can work with the private sector to inform citizens and secure civilian systems against threats to national security. Only through collaboration, innovation, and transparency can we protect the critical infrastructure that underpins national security, economic stability, and public trust.