The Salt Typhoon Attack and What it Tells Us about Network Vulnerabilities

11.21.24 - 7 min read


Today, nearly everyone relies on secure, continuous wireless communication in their professional and personal lives—but recent events have exposed serious gaps in telecommunications security that could threaten that foundation.

As initially reported in September 2024, a sophisticated hacking group linked to Chinese intelligence, known as “Salt Typhoon,” breached all three major U.S. telecom networks: Verizon, T-Mobile, and AT&T. Their targets were high-profile figures, including U.S. government officials and members of the Trump and Harris presidential campaigns.

Based on current reports, the breach started at least 8 months ago (if not earlier), and is likely ongoing to this day. In fact, in early November, both the Department of Homeland Security and the Consumer Financial Protection Bureau announced that employees should not use cellular networks to conduct official business.

Senate Intelligence Committee Chairman Mark R. Warner has called this stunning intrusion into U.S. telecommunications networks “one of the most serious breaches in [his] time on the Intelligence Committee.”

The breadth of the incident is still being investigated, but current reporting suggests that hackers accessed communications content (voice and text) and certain call log data. One aspect of the breach in particular—the exploitation of Lawful Interception—helps explain telecommunications vulnerabilities and how they affect us all.

Inside Salt Typhoon’s Breach of Lawful Interception

Lawful Interception (LI) is a set of systems and protocols intended to support lawful surveillance for criminal investigations by executing warrants and managing data collection. These protocols are defined in the industry-maintained 3GPP Standard, and are effectively required to exist on every telco network in the world for it to interconnect to the rest of the global network, to ensure compliance with law enforcement needs. Unfortunately, the attackers seem to have leveraged the LI process to conduct their own data collection, undetected.

Assume the police obtain a warrant which allows collection of data from Target A when they are contacted by Person X. At the network infrastructure level, LI systems, usually maintained by a vendor hired by the telco rather than the telco itself, execute this warrant in a sequence of steps: validating the warrant, processing the target criteria, evaluating network traffic for collection, and then triggering collection when the specified criteria are met. Many of these steps are automated, without human intervention.

The Salt Typhoon group was able to control the protocols governing LI, effectively gaining the capabilities of a privileged insider: they could identify and collect communications data from targets of their choice, unconstrained by the compliance processes meant to restrict access to lawful purposes only. This type of breach represents a severe risk because it allows attackers to selectively monitor data without setting off alarms.

The media tends to characterize these LI plug-in points as a back door in the system, which is understandable. In reality, though, they are intentionally installed “front doors,” which exist in plain sight and are easily exploited once an attacker gains access to telco servers.

Why This Matters

1. Protocol-Based Automation Enables Exploitation

Modern telecommunications systems rely on automated protocols to manage vast amounts of data traffic and enforce rules for data routing, including in response to warrants from law enforcement. While these protocols are essential for performance and compliance, the Salt Typhoon breach reveals how easily attackers can exploit them. By mimicking these protocols, hackers can blend their activity into network operations, making it difficult for traditional security measures to detect or intercept them.

In practical terms, this means attackers can “hide in plain sight” while collecting metadata and communication details from individuals across your organization. Even standard network security tools like firewalls or intrusion detection systems often fail to recognize these subtle incursions because they are operating within the rules.
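As an added illustration of the LI pipeline described above (validate the warrant, record the target criteria, evaluate traffic, trigger collection) and of why collection through it stays “within the rules,” the following Python models a mediation function and then runs an out-of-band reconciliation of its active intercept table against an independently held warrant registry. This is example code written for this page; it is not Cape’s code and not a 3GPP implementation, and the class and field names, the sample warrant, the principal names and the subscriber numbers are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Warrant:
    warrant_id: str
    target: str           # subscriber identifier the warrant covers
    valid_from: datetime
    valid_to: datetime


@dataclass(frozen=True)
class Intercept:
    intercept_id: str
    target: str           # subscriber whose traffic is to be collected
    warrant_ref: str      # warrant the intercept claims to execute
    provisioned_by: str   # principal that requested activation


class MediationFunction:
    """Simplified model (an assumption, not a standard) of the automated LI steps:
    validate the warrant, record the target criteria, collect on matching traffic."""

    def __init__(self, warrants, allowed_principals):
        self._warrants = {w.warrant_id: w for w in warrants}
        self._allowed = set(allowed_principals)
        self.active = {}  # intercept_id -> Intercept currently collecting

    def provision(self, intercept, now):
        """Steps 1-2: validate the warrant reference, then activate the intercept."""
        w = self._warrants.get(intercept.warrant_ref)
        if w is None or w.target != intercept.target or not (w.valid_from <= now <= w.valid_to):
            raise PermissionError(f"{intercept.intercept_id}: no valid warrant for target")
        if intercept.provisioned_by not in self._allowed:
            raise PermissionError(f"{intercept.intercept_id}: unauthorized principal")
        self.active[intercept.intercept_id] = intercept

    def evaluate(self, event):
        """Steps 3-4: return the ids of intercepts a call event triggers.
        Every entry in the active table is honoured, which is why a rogue
        entry collects traffic exactly like a legitimate one."""
        parties = {event["caller"], event["callee"]}
        return sorted(i.intercept_id for i in self.active.values() if i.target in parties)


def reconcile(mediation, authoritative_warrants, allowed_principals, now):
    """Out-of-band control: compare what the mediation function is actually
    collecting against a warrant registry held outside the LI system."""
    findings = []
    for i in mediation.active.values():
        w = authoritative_warrants.get(i.warrant_ref)
        if w is None:
            findings.append((i.intercept_id, "no warrant on record"))
        elif w.target != i.target:
            findings.append((i.intercept_id, "target does not match warrant"))
        elif not (w.valid_from <= now <= w.valid_to):
            findings.append((i.intercept_id, "warrant outside validity window"))
        if i.provisioned_by not in allowed_principals:
            findings.append((i.intercept_id, "provisioned by unexpected principal"))
    return findings


# Constructed sample data: no real subscribers, warrants or principals.
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)
WARRANTS = [Warrant("W-1001", "+15550001111", NOW - timedelta(days=30), NOW + timedelta(days=30))]
ALLOWED = {"li-admin-svc"}


def build_scenario():
    mf = MediationFunction(WARRANTS, ALLOWED)
    mf.provision(Intercept("IC-1", "+15550001111", "W-1001", "li-admin-svc"), NOW)
    # Constructed: an intercept that appears in the active table without passing
    # through provision(), modelling a change made with privileged-insider access.
    mf.active["IC-2"] = Intercept("IC-2", "+15550002222", "W-1001", "unknown")
    return mf


def provision_rejected(intercept):
    """True if the front-door check refuses the intercept."""
    try:
        MediationFunction(WARRANTS, ALLOWED).provision(intercept, NOW)
    except PermissionError:
        return True
    return False


def demo():
    mf = build_scenario()
    event = {"caller": "+15550002222", "callee": "+15550009999"}
    triggered = mf.evaluate(event)            # collection fires for the rogue entry too
    registry = {w.warrant_id: w for w in WARRANTS}
    findings = reconcile(mf, registry, ALLOWED, NOW)
    return triggered, findings


if __name__ == "__main__":
    triggered, findings = demo()
    print("intercepts triggered by sample call:", triggered)
    for intercept_id, reason in findings:
        print(f"ALERT {intercept_id}: {reason}")
```

Note that `evaluate()` cannot tell the two intercepts apart: the rogue entry matches traffic, triggers collection and produces the same kind of records a warranted intercept would, which is the sense in which a firewall or IDS watching the traffic sees nothing out of policy. The only thing that exposes it is `reconcile()`, a control that the LI system does not own: an independently kept warrant registry and an allow-list of provisioning principals, checked against the active table on a schedule rather than at provisioning time only.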

2. Global Network Interconnectedness Exacerbates Risk

Unfortunately, vulnerabilities similar to those exploited in the LI breach are common across our networks. Telecommunications networks are interconnected systems that rely on shared protocols to route calls and manage data worldwide.

While this interconnectedness allows for quick and reliable communication, it also makes the network vulnerable to attacks.

Every segment of network infrastructure is a potential attack vector, from cellular towers to backend servers. As reliance on cellular networks continues to grow, this means the potential surface area for attack grows in parallel. And if unauthorized access is attained, the interconnectedness of the network enables multiple potential paths for exploitation.

Effective network security, therefore, depends on every segment of the network being secure.

However, network security practices vary significantly by region and vendor, and compliance standards are difficult to enforce consistently. Further, many telecommunications companies are financially incentivized to focus on expansion over security measures, and therefore outsource much of their software and infrastructure without requiring rigorous security protocols. For example, it’s not uncommon for systems to rely on software with known vulnerabilities or passwords to be stored insecurely.

This means sensitive data is consistently at risk due to gaps in security well outside anyone’s immediate control.

3. The Public Unwittingly Shares Significant Amounts of Personal Data with Cellular Networks

The conventional wisdom seems to be that our data and security can be managed on our device. For example, Vice President-elect J.D. Vance, a target of the Salt Typhoon breach, joked to Joe Rogan that, “They only got some offensive memes and me telling my wife to buy more milk at the grocery store. They couldn’t get my encrypted messages; I use Signal and iMessage.”

This common way of thinking underestimates the risk. While app-based tools like Signal do protect the content of your communications through encryption, they are an incomplete solution because they don’t mitigate entire categories of vulnerabilities.

Every mobile phone, by virtue of attaching to network towers, volunteers data to the network about the owner’s location, where they go, who is in physical proximity to them, who they contact and who contacts them, as well as their internet activity.

Together or in part, this data can provide deep insights not only into where individuals live and work, but also into their associations and the locations they frequent.

Further, subscriber identity details and call record data are commonly stored and linked by carriers in order to facilitate account management and billing.

When exposed, this personal data can be bought, sold, and traded indefinitely, as new exploits and use cases for it arise. This affects everyone, not just public figures, because there’s always someone who can take advantage of or profit from your data.

What’s Next

The U.S. government continues to investigate the Salt Typhoon breach and its implications for national security. However, focusing solely on this incident would miss the larger issue: our telecommunications networks have deep, systemic vulnerabilities that expose our privacy and security to significant risks.

Technology fortunately offers multiple pathways to address the challenges in network security—including de-coupling personal identity from network activity—but these solutions depend on the public and our government having a better appreciation of the risks we face and the collective effort required to fix them.

Until that time, we should not be surprised to see more attacks from China and other countries with malicious intent toward U.S. security interests.

In some ways, the United States is fortunate that it was able to identify the Salt Typhoon breach and take steps to rectify the damage and learn from it. We may not be so lucky in the future.
