Salt Typhoon

The FBI and CISA disclosed yesterday afternoon substantial Chinese state-actor cyber-espionage activity against US telecommunications networks, attributed to a cluster they are tracking as Salt Typhoon (CISA-FBI joint statement on Salt Typhoon, December 3). The disclosure confirms the substantial public reporting through October and November about the cluster's targeting of US and international telecommunications infrastructure; the affected operators include AT&T, Verizon, T-Mobile, Lumen, and several others. The targeting extends to the lawful-intercept infrastructure that the affected operators maintain for US government surveillance purposes, and to the metadata and content of communications of senior US political figures, including President-elect Donald Trump's campaign-period communications.

The technical content. The cluster's TTPs include exploitation of vulnerabilities in network-infrastructure devices (Cisco routers and other major-vendor equipment), access obtained through compromised administrative-account credentials, and dwell time across the affected networks measured in months. The lawful-intercept targeting is the part of the case that has produced the most substantive strategic conversation: lawful-intercept systems are, by their nature, designed for sustained monitoring of communications, so a state actor with operational access to them holds the same monitoring capability those systems were built to provide, over the same subscriber population. The US regulatory and policy response to Salt Typhoon is going to be substantial.
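The access pattern described above (administrative credentials used from wherever the actor happens to be, followed by configuration changes, over a long dwell period) is detectable on the devices themselves if the management plane is logged and the expected management path is narrow. The following is an added example for this post, not the author's code and not telemetry from any operator named above: it runs two checks over constructed log lines that follow Cisco IOS syslog message formats, flagging successful logins and configuration changes from outside an assumed out-of-band management network, and any management session on telnet. The management allow-list and the hostnames and addresses are assumptions to replace with your own.

```python
"""Flag privileged network-device activity that arrives outside the expected
management path.  Added example; the log lines are constructed to follow
Cisco IOS %SEC_LOGIN and %SYS-5-CONFIG_I message formats and the management
network is an assumed value."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed out-of-band management network: administrative logins and
# configuration changes are expected only from here.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample lines (not real telemetry).  Lines 3-5 model the shape
# the post describes: an admin credential used from an unexpected source,
# followed by a configuration change, plus a telnet attempt.
SAMPLE_LOGS = [
    "<189>Dec  3 09:12:01 core-rtr-01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 10.10.0.5] [localport: 22] at 09:12:01 UTC Tue Dec 3 2024",
    "<189>Dec  3 09:13:44 core-rtr-01: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.0.5)",
    "<189>Dec  3 02:41:17 core-rtr-01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: admin] [Source: 203.0.113.77] [localport: 22] at 02:41:17 UTC Tue Dec 3 2024",
    "<189>Dec  3 02:42:30 core-rtr-01: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (203.0.113.77)",
    "<189>Dec  3 02:50:02 core-rtr-01: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: admin] [Source: 198.51.100.9] [localport: 23] [Reason: Login Authentication Failed] "
    "at 02:50:02 UTC Tue Dec 3 2024",
]

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-[45]-(?P<result>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<how>\w+) by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)"
)
# Hostname sits between the timestamp and the facility-severity-mnemonic tag.
HOST_RE = re.compile(r"\d{2}:\d{2}:\d{2} (?P<host>\S+): %")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    user: str
    src: str


def _outside(src, mgmt_nets):
    """True when the source address is not inside any allowed management net.
    An unparsable source is treated as untrusted rather than silently skipped."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(ip in net for net in mgmt_nets)


def review(lines, mgmt_nets):
    """Return findings, in log order, for lines that breach the management-path
    expectation: a successful login or a config change from outside mgmt_nets,
    or any login attempt (successful or not) on telnet (local port 23)."""
    findings = []
    for line in lines:
        host_m = HOST_RE.search(line)
        host = host_m.group("host") if host_m else "?"
        m = LOGIN_RE.search(line)
        if m:
            if m.group("port") == "23":
                findings.append(Finding(host, "telnet-management", m.group("user"), m.group("src")))
            if m.group("result") == "LOGIN_SUCCESS" and _outside(m.group("src"), mgmt_nets):
                findings.append(Finding(host, "login-outside-mgmt", m.group("user"), m.group("src")))
            continue
        m = CONFIG_RE.search(line)
        if m and _outside(m.group("src"), mgmt_nets):
            findings.append(Finding(host, "config-change-outside-mgmt", m.group("user"), m.group("src")))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOGS, MGMT_NETS):
        print(f"{f.host}: {f.rule} user={f.user} src={f.src}")
```

On the sample input the netops session from the management network produces nothing, while the admin session from 203.0.113.77 yields a login finding and a configuration-change finding, and the telnet attempt is flagged regardless of outcome. The value of the check is the narrowness of the allow-list: it only works if administrative access really is confined to an out-of-band path, which is the hardening decision the detection depends on.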

The encryption-and-policy implications. The US commentary after Salt Typhoon has, in a notable departure from the previous decade's "Going Dark" framing, included substantive recommendations from CISA, the NSA, and other US agencies that consumers and organisations use end-to-end-encrypted messaging applications for sensitive communications, on the basis that the telecommunications infrastructure cannot, after Salt Typhoon, be assumed secure against Chinese state-actor monitoring (CISA Mobile Communications Best Practice Guidance, December). In policy-evolution terms, the recommendation is the most explicit US-government endorsement of end-to-end encryption as a defensive posture against a state-actor adversary that the post-Snowden period has produced. The longer-running US policy conversation about encryption and government access (which has continued through the 2016 Apple-FBI dispute and beyond) is going to be reshaped substantially by it.

For the customer-portfolio briefings. The Salt Typhoon case has produced specific conversations at customer organisations whose senior-leadership communications have political or economic intelligence-collection value. The defensive posture recommendations align with the CISA guidance: end-to-end-encrypted messaging for sensitive communications (which protects message content between the endpoints, but not a compromised handset, and not the metadata the messaging provider itself retains), phishing-resistant MFA on the messaging platforms used, careful selection of messaging-platform vendors with a substantive security-engineering posture, and acceptance that telecommunications-network infrastructure cannot be assumed confidential against a state-actor adversary. The customer-organisation programme work on executive-communications protection has been substantively informed by the case.

The wider strategic point about state-actor cyber capability against critical infrastructure. The sequence of SolarWinds (Russia, IT supply chain), 3CX (DPRK, software supply chain), and Salt Typhoon (China, telecommunications infrastructure) demonstrates that substantial state-actor capability against critical-infrastructure categories is now operationally proven across multiple state-actor clusters. Customer-organisation threat modelling needs to incorporate this dimension explicitly. The defensive disciplines remain the substantive answer; the operational urgency continues to grow.

I will return to this. The Salt Typhoon situation will continue to produce subsequent disclosure-and-policy output through 2025.
