The discovery that the Chinese hacking group Salt Typhoon infiltrated multiple U.S. telecommunications networks has raised alarming questions about national security and the resilience of America’s telecom infrastructure. The group reportedly accessed the phones of a presidential campaign and collected geolocation data on high-value targets in the Washington D.C. area, exposing vulnerabilities across the sector.
Experts warn that fully removing Salt Typhoon from U.S. telecom networks may be impossible, citing the immense scale and complexity of modern telecommunications systems. Former cybersecurity officials and industry leaders emphasize that even if one intrusion is blocked, attackers can exploit alternate pathways, similar to leaving multiple windows open in a house while locking the front door.
“I think everybody’s rushing to say, ‘yes, we’ve evicted Salt Typhoon, Salt Typhoon is no longer a problem.’ But that’s not how [cybersecurity] works,” said Silas Cutler, principal security researcher at Censys.
Why Expulsion Is So Challenging
Telecom networks in the United States are a patchwork of legacy and modern technologies, often riddled with software and hardware vulnerabilities. The sector has a history of consolidation, with companies acquiring smaller carriers and inheriting their complex infrastructures, along with their security weaknesses.
Experts identify three primary factors that make complete expulsion unlikely:
- Network Complexity: U.S. telecoms operate sprawling systems with multiple entry points that can be exploited repeatedly.
- Identity and Access Management Challenges: Controlling who can access networks is difficult, especially across merged or inherited systems.
- Fragmented Industry Practices: Inconsistent cybersecurity protocols and limited visibility hinder coordinated threat detection.
Even large carriers such as AT&T, Verizon, and Lumen have acknowledged breaches and said they contained the intrusion or, at least for a time, purged the group from their networks. U.S. officials, however, continue to warn that Salt Typhoon may still be active, falling back on persistence mechanisms planted earlier in the intrusion.
Exploited Technologies and Persistent Threats
Salt Typhoon has repeatedly targeted network edge devices and identity management systems to maintain access while masking its activity. By compromising VPN appliances, SOHO routers, and WiFi devices, the group can route its operations through trusted U.S. address space and blend in with legitimate traffic, on equipment that typically cannot run endpoint monitoring agents.
A six-month analysis by Censys found more than 200,000 network and edge devices exposed to the internet and vulnerable to exploitation, most of them in the U.S. Despite increased awareness, the number of exposed devices has fallen only modestly, by about 25%, since October 2024.
“They very much understand that our authorities are much harder to use once you’ve jumped to U.S. IP space,” said Laura Galante, former head of the Cyber Threat Intelligence Integration Center at ODNI.
The Legacy Problem: Consolidation and Vulnerabilities
Telecom consolidation has created complex technology stacks where security vulnerabilities accumulate with each acquisition. Many companies absorbed legacy systems without fully integrating them into secure protocols, creating a “Frankenstein” network of varying equipment, from copper lines to 5G/6G infrastructure.
“When a company acquires another one, they are very much acquiring the security vulnerabilities of that company, too,” Galante explained.
Research from the University of Florida highlights the challenge further. Using automated testing methods such as fuzzing, in which a program is fed large volumes of malformed or randomized input and monitored for crashes and other unexpected behavior, researchers identified hundreds of exploitable vulnerabilities in LTE and 5G core networks, some of which could allow remote access to network operations or disrupt communications across large areas.
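The fuzzing method described above, shown in miniature as an added example that is not the University of Florida researchers' tooling or any real telecom protocol: a mutation fuzzer run against a constructed toy parser for TLV-style information elements of the kind signalling messages are built from. The message format, the seed message, the two parsers, the `MalformedMessage` class and the `mutate`/`fuzz` helpers are all constructed for this illustration. The naive parser trusts every length field and decodes values without checking them, which is the class of defect fuzzing surfaces; the hardened parser beside it adds the bounds and length checks that make the same fuzzing run come back clean.

```python
import random
import struct

# Constructed toy message format, NOT a real telecom protocol: a message is
# a sequence of information elements (IEs), each encoded as one type byte,
# one length byte and `length` value bytes, the TLV shape common to
# signalling messages.  Two IE types carry typed content:
#   0x01 bearer count (2-byte big-endian integer)
#   0x02 access point name (UTF-8 string)
# Any other type is kept as raw bytes.

# Constructed seed message: bearer_count=5, apn="ims", IE 0x03 = b"\x07".
SEED_MESSAGE = (bytes([0x01, 0x02, 0x00, 0x05])
                + bytes([0x02, 0x03]) + b"ims"
                + bytes([0x03, 0x01, 0x07]))


def parse_ies(buf: bytes) -> dict:
    """Naive parser: trusts every length field and never bounds-checks."""
    ies = {}
    off = 0
    while off < len(buf):
        ie_type = buf[off]
        ie_len = buf[off + 1]                    # IndexError if header is truncated
        value = buf[off + 2: off + 2 + ie_len]   # silently short if the length lies
        if ie_type == 0x01:
            ies["bearer_count"] = struct.unpack(">H", value)[0]  # struct.error if len != 2
        elif ie_type == 0x02:
            ies["apn"] = value.decode("utf-8")   # UnicodeDecodeError on bad bytes
        else:
            ies[ie_type] = value
        off += 2 + ie_len
    return ies


class MalformedMessage(Exception):
    """Controlled rejection raised by the hardened parser (constructed)."""


def parse_ies_hardened(buf: bytes) -> dict:
    """Same format, every read bounds-checked; bad input is rejected, not crashed on."""
    ies = {}
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise MalformedMessage("truncated IE header at offset %d" % off)
        ie_type, ie_len = buf[off], buf[off + 1]
        if off + 2 + ie_len > len(buf):
            raise MalformedMessage("IE length %d overruns message" % ie_len)
        value = buf[off + 2: off + 2 + ie_len]
        if ie_type == 0x01:
            if ie_len != 2:
                raise MalformedMessage("bearer count IE must be 2 bytes")
            ies["bearer_count"] = struct.unpack(">H", value)[0]
        elif ie_type == 0x02:
            try:
                ies["apn"] = value.decode("utf-8")
            except UnicodeDecodeError as exc:
                raise MalformedMessage("APN is not valid UTF-8") from exc
        else:
            ies[ie_type] = value
        off += 2 + ie_len
    return ies


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, truncate, or insert junk bytes."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1 and data:
        del data[rng.randrange(len(data)):]
    else:
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to `parser`; return {exception name: first crashing input}.

    MalformedMessage is the parser's intended rejection and does not count as a
    crash; any other exception means the parser lost control of its input.
    """
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except MalformedMessage:
            continue
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for name, parser in (("naive", parse_ies), ("hardened", parse_ies_hardened)):
        found = fuzz(parser, SEED_MESSAGE)
        print("%s parser: %d crash classes" % (name, len(found)))
        for exc_name, case in found.items():
            print("  %-20s %s" % (exc_name, case.hex()))
```

Running the script fuzzes both parsers with the same seed and prints, for the naive one, the first input that triggered each crash class (a truncated header, a bearer-count IE of the wrong length, and an APN that is not valid UTF-8). Real LTE/5G fuzzing targets protocol stacks over the air or on core-network interfaces and watches for process crashes and hangs rather than Python exceptions, but the loop is the same: mutate a known-good message, deliver it, observe, and keep every input that provoked uncontrolled behaviour.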
Limited Capacity for Remediation
Even when vulnerabilities are identified, patching them proves difficult. Some vendors lack personnel or expertise, while others fail to respond to disclosure efforts. In many cases, researchers themselves had to develop patches, demonstrating a systemic weakness in U.S. telecom cybersecurity preparedness.
“First, these networks are extraordinarily complicated…we expect there to be more flaws identified if additional parties or security experts were to scrutinize other parts of the U.S. telecom network,” said Professor Patrick Traynor.
Implications for National Security
Salt Typhoon’s continued presence underscores the difficulty of defending U.S. critical infrastructure against sophisticated state-sponsored actors. While telecom companies work to contain threats and patch vulnerabilities, experts emphasize that these systems may never be fully cleansed.
“The best you can do is find them early in the kill chain,” said Gentry Lane, CEO of Nemesis Global. “You can expel [them], and you need to. You can’t keep them from living off the land or living in your system.”
The case of Salt Typhoon highlights the urgent need for greater visibility, coordinated threat hunting, and proactive security measures in telecommunications, particularly as networks become more complex and interdependent.