2026-03-21 | APT Groups and Nation-State Actors | Oracle-42 Intelligence Research
Salt Typhoon’s Compromise of Telecommunications Infrastructure: A Strategic Threat to Global Connectivity
Executive Summary: In 2023–2024, the Chinese state-sponsored advanced persistent threat (APT) group Salt Typhoon executed a series of sophisticated intrusions into global telecommunications networks, leveraging compromised infrastructure to facilitate espionage, SIM swap attacks, and broader digital surveillance. These operations exploited systemic weaknesses in telecom authentication, subscriber identity modules (SIMs), and subscriber data management systems. This article examines the technical mechanisms behind the compromise, its operational impact, and the urgent defensive measures required by telecom operators and regulators to protect critical infrastructure.
Key Findings
Targeted Infiltration: Salt Typhoon gained access to telecom core networks via phishing, zero-day exploits, and insider collusion.
Long-Term Persistence: Operators detected covert persistence mechanisms, including firmware implants and rogue network nodes.
Espionage and Data Exfiltration: Stolen subscriber metadata and call detail records (CDRs) were used for geopolitical intelligence and targeting.
Evasion and Counter-Detection: The group used living-off-the-land binaries (LOLBins), encrypted C2 channels, and legitimate admin tools to evade detection.
Background: The Role of Telecommunications in Modern Espionage
Telecommunications networks form the backbone of global digital communication. Their compromise by nation-state actors represents a strategic risk, enabling mass surveillance, targeted interception, and identity-based fraud. Salt Typhoon, attributed to China’s Ministry of State Security (MSS), has emerged as a leading actor in this domain, combining advanced cyber capabilities with insider knowledge of telecom operations.
SIM swap attacks—where an attacker convinces a carrier to transfer a phone number to a SIM under their control—have escalated from criminal fraud to state-sponsored intelligence tools. This evolution underscores the convergence of cybercrime and cyber espionage in the telecom sector.
Mechanism of Compromise: How Salt Typhoon Gained Access
Salt Typhoon’s infiltration campaigns followed a multi-stage kill chain:
1. Initial Access via Social Engineering and Exploits
The group exploited weak authentication in telecom customer service portals, often using spear-phishing emails targeting network engineers and helpdesk staff. In some cases, insiders were co-opted or coerced to provide access credentials or bypass security controls. Zero-day vulnerabilities in Huawei, Ericsson, and Nokia network management systems were also weaponized, particularly in legacy 2G/3G infrastructure still in operation.
2. Privilege Escalation and Lateral Movement
Once inside the perimeter, Salt Typhoon moved laterally using stolen admin credentials. They exploited default or weak passwords in network elements (e.g., Home Location Registers (HLRs) and Equipment Identity Registers (EIRs)) and used legitimate remote access tools such as SSH and RDP to blend into normal traffic.
3. SIM Swap Automation and Identity Hijacking
The most damaging phase involved compromising the SIM provisioning systems. By manipulating the mappings between the Mobile Station International Subscriber Directory Number (MSISDN) and the International Mobile Subscriber Identity (IMSI), attackers could reassign phone numbers to attacker-controlled SIMs without user consent. This enabled:
Two-Factor Authentication (2FA) Bypass: Interception of SMS-based codes used to secure bank accounts, emails, and cloud services.
Cryptocurrency Theft: Redirection of SMS-based login codes for exchange accounts and wallet recovery phrases.
Geolocation Spoofing: Impersonation of targets for operational security (OPSEC) evasion or disinformation campaigns.
4. Persistence and Data Exfiltration
Salt Typhoon established deep persistence by implanting firmware-level backdoors in baseband processors and core network switches. These implants persisted across reboots and firmware updates, allowing continuous access. Exfiltrated data included:
Subscriber identity records (SIRs)
Real-time call metadata (CDRs)
Location traces tied to IMSI catchers
Voicemail and SMS content for selected targets
Data was exfiltrated via encrypted tunnels disguised as normal network traffic or through compromised third-party cloud storage providers used by the operator.
Operational Impact: From Fraud to Strategic Intelligence
The consequences of Salt Typhoon’s campaign extend beyond financial fraud:
National Security Risk: Compromised telecom networks provide a platform for intelligence collection against government, military, and diplomatic targets.
Economic Espionage: Access to corporate communications aids in intellectual property theft and competitive intelligence.
Disinformation and Influence Operations: Spoofed identities can be used to seed false narratives or manipulate public opinion.
Supply Chain Contamination: Compromised network equipment from Chinese vendors (e.g., Huawei, ZTE) may include backdoors, compounding risk.
Notably, in Southeast Asia and the Pacific, Salt Typhoon’s operations aligned with China’s strategic interests in maritime sovereignty disputes, suggesting a direct linkage between cyber intrusions and geopolitical objectives.
Defensive Strategies: Securing Telecom Infrastructure Against Salt Typhoon
To counter Salt Typhoon and similar threats, telecom operators must adopt a zero-trust architecture and operational resilience mindset.
1. Zero-Trust Architecture and Least Privilege Access
Enforce multi-factor authentication (MFA) for all administrative access, including hardware tokens for critical roles.
Implement network segmentation to isolate subscriber databases, provisioning systems, and core network elements.
Adopt role-based access control (RBAC) with time-bound credentials and continuous authentication.
2. SIM Provisioning Hardening
Introduce biometric or video verification for SIM swap requests, with mandatory callback to registered numbers using out-of-band channels.
Require physical presence or government-issued ID verification for high-risk changes.
Implement real-time fraud detection systems using AI to flag anomalous swap patterns (e.g., multiple swaps in minutes, swaps during off-hours).
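As an added illustration of the SIM swap anomaly rules above (example code written for this article, not the report's own tooling or any operator's system), the following Python flags provisioning events that lack the out-of-band callback required in item 2, occur off-hours, or repeat for one MSISDN within a short window. The event fields, the 60-minute window and the 22:00-06:00 off-hours range are assumptions, and the log records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SIM-swap provisioning records (not real operator data).
# Fields: event id, timestamp, MSISDN, old/new IMSI, request channel and
# whether the out-of-band callback to the registered number succeeded.
EVENTS = [
    {"id": 1, "ts": "2024-05-02 10:15", "msisdn": "+15550100", "old_imsi": "310150123456001", "new_imsi": "310150123456777", "channel": "retail", "oob_verified": True},
    {"id": 2, "ts": "2024-05-02 10:20", "msisdn": "+15550200", "old_imsi": "310150123456002", "new_imsi": "310150123456888", "channel": "helpdesk", "oob_verified": False},
    {"id": 3, "ts": "2024-05-02 02:40", "msisdn": "+15550300", "old_imsi": "310150123456003", "new_imsi": "310150123456999", "channel": "helpdesk", "oob_verified": True},
    {"id": 4, "ts": "2024-05-02 11:05", "msisdn": "+15550100", "old_imsi": "310150123456777", "new_imsi": "310150123456555", "channel": "api", "oob_verified": True},
    {"id": 5, "ts": "2024-05-02 11:09", "msisdn": "+15550100", "old_imsi": "310150123456555", "new_imsi": "310150123456444", "channel": "api", "oob_verified": True},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def flag_anomalous_swaps(events, window=timedelta(minutes=60), max_swaps=2,
                         off_start=22, off_end=6):
    """Return sorted (event id, reason) pairs for swaps that match a rule.

    Rules: missing out-of-band callback, off-hours request, and repeated
    swaps of the same MSISDN inside `window` (thresholds are assumptions).
    """
    findings = set()
    by_msisdn = defaultdict(list)  # MSISDN -> recent swaps inside the window
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(ev["ts"])
        # Rule 1: the mandatory callback to the registered number never succeeded.
        if not ev["oob_verified"]:
            findings.add((ev["id"], "no_oob_callback"))
        # Rule 2: off-hours request (range wraps past midnight).
        if t.hour >= off_start or t.hour < off_end:
            findings.add((ev["id"], "off_hours"))
        # Rule 3: several swaps of one number within the window; every swap
        # in the burst is flagged, including the earlier ones.
        recent = [p for p in by_msisdn[ev["msisdn"]] if t - p["t"] <= window]
        recent.append({"t": t, "id": ev["id"]})
        by_msisdn[ev["msisdn"]] = recent
        if len(recent) >= max_swaps:
            for p in recent:
                findings.add((p["id"], "repeated_swaps"))
    return sorted(findings)


if __name__ == "__main__":
    for event_id, reason in flag_anomalous_swaps(EVENTS):
        print(f"event {event_id}: {reason}")
```

In production the same rules would run against the provisioning system's audit log stream rather than an in-memory list, and a flagged event should hold the swap for manual review rather than only raising an alert.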
3. Firmware Integrity and Supply Chain Security
Conduct regular firmware audits and integrity checks using cryptographic hashes and hardware root-of-trust (e.g., Trusted Platform Module, TPM).
Avoid reliance on single-vendor equipment; diversify suppliers and conduct third-party security assessments.
Implement secure boot and measured boot processes to detect unauthorized changes at startup.
4. Continuous Monitoring and Threat Hunting
Deploy network detection and response (NDR) tools to monitor lateral movement and command-and-control traffic.
Use AI-driven user and entity behavior analytics (UEBA) to detect anomalous admin activity.
Establish a 24/7 security operations center (SOC) with telecom-specific threat intelligence feeds.
5. Regulatory and Industry Collaboration
Enforce mandatory breach reporting and SIM swap logging under national cybersecurity laws.
Participate in global initiatives such as the GSMA’s “Fraud and Security Group” and the EU’s NIS2 Directive.
Share anonymized threat data via Information Sharing and Analysis Centers (ISACs).
Future Outlook: The Convergence of Telecom and AI-Driven Threats
Salt Typhoon’s operations signal a broader trend: the fusion of nation-state espionage with telecom infrastructure exploitation. As 5G and 6G networks roll out, the attack surface expands with software-defined networking (SDN), network slicing, and virtualized core functions. AI will play a dual role—both as a defensive tool (e.g., detecting SIM swap fraud in real time) and as an offensive enabler (e