Salt Typhoon Hackers: Every Telecom Giant Hit So Far
China-linked hackers known as Salt Typhoon have executed one of the most sweeping cyber-espionage campaigns in modern history — breaking into the world's largest phone and internet companies, stealing tens of millions of call records, and tapping into the private communications of senior government officials. If you're wondering who was hit, how it happened, and whether your data is at risk, this article has the answers.
What Is Salt Typhoon — And Why Should You Care?
Salt Typhoon is a state-sponsored hacking group attributed to China's intelligence apparatus. Unlike cybercriminal gangs motivated by financial gain, this group operates with a single, chilling objective: gathering intelligence that could give China a strategic advantage — particularly in the event of a military confrontation over Taiwan.
Cybersecurity researchers who track the group describe it as part of a broader ecosystem of Chinese state hackers, each assigned a distinct role. Salt Typhoon focuses squarely on telecommunications infrastructure — the pipes that carry your phone calls, text messages, and internet traffic. Its work is patient, precise, and deeply alarming in scale.
U.S. officials have described China's potential invasion of Taiwan as an "epoch-defining threat." The intelligence Salt Typhoon collects feeds directly into that broader strategic mission, helping Beijing understand the communication patterns of government targets, military personnel, and decision-makers across allied nations.
How Salt Typhoon Gets In: The Cisco Router Exploit
To understand why this campaign has been so successful, you need to understand the entry point. Salt Typhoon has largely focused on exploiting vulnerabilities in Cisco routers — the hardware that sits at the edge of a telecommunications company's network and controls the flow of data in and out.
These aren't obscure, hard-to-find devices. Cisco routers are industry-standard equipment used by virtually every major telecom operator on the planet. Once hackers compromise a router at the network edge, they effectively have a foothold inside the entire infrastructure — able to move laterally, escalate privileges, and ultimately reach the most sensitive systems.
From there, Salt Typhoon has targeted something even more alarming: the lawful intercept systems that telecommunications companies are legally required to install. These systems exist to allow law enforcement agencies to monitor calls and messages with proper court authorization. When hackers gain control of these systems, they can effectively turn the surveillance tools of governments against those very governments — listening in on the same communications that intelligence agencies work to protect.
The Targets: Every Telecom and Internet Giant Confirmed So Far
Salt Typhoon's campaign has swept across multiple continents, hitting some of the most critical communications infrastructure in the world. The confirmed list of targets includes major American carriers that together serve hundreds of millions of subscribers, making this one of the most consequential data breaches ever recorded in the telecom sector.
In the United States alone, the campaign compromised call metadata, text message content, and in some cases actual captured audio from the phone calls of senior government officials. Investigators described the affected individuals as "targets of interest" — people whose communications Beijing has a specific intelligence interest in monitoring.
Beyond the United States, the hackers have struck phone and internet providers across Europe, Asia, and other regions where Chinese strategic interests are active. The breadth of the campaign reflects a level of operational planning and resources that only a nation-state actor could sustain over such a prolonged period.
What Data Was Actually Stolen?
This is the question most people want answered — and the findings are sobering. The stolen data includes three distinct categories, each carrying its own serious implications.
First, call records: metadata showing who called whom, when, for how long, and from where. Even without the actual content of calls, this data is extraordinarily valuable for intelligence agencies. It reveals relationship networks, travel patterns, and daily routines in ways that content alone cannot.
Second, text message content: actual SMS messages intercepted from compromised networks. For anyone communicating sensitive information over standard text messaging — including government officials who hadn't yet adopted encrypted alternatives — this represents a direct breach of confidential communications.
Third, and most alarmingly: captured phone audio. In cases where Salt Typhoon gained control of lawful intercept infrastructure, hackers could listen to actual phone conversations in real time or access recordings. This is the intelligence equivalent of having a wire inside a nation's most sensitive conversations.
Salt Typhoon vs. Other Chinese Hacker Groups: What's Different?
It's easy to conflate China's various state hacking operations, but each group plays a different role in Beijing's broader cyber strategy. Understanding the distinctions matters.
Salt Typhoon is the intelligence-gathering arm targeting telecoms — its goal is information collection, surveillance, and strategic espionage. Volt Typhoon, by contrast, is the sabotage unit. Researchers describe Volt Typhoon as pre-positioning itself inside critical infrastructure — power grids, water systems, transportation networks — ready to trigger destructive attacks if conflict erupts. These aren't intelligence operations; they're preparations for cyberwarfare.
Then there is Flax Typhoon, which operates a botnet — a massive network of hijacked internet-connected devices used to route malicious traffic and obscure the hackers' true identities and locations. Together, these three groups form a layered, complementary offensive cyber capability serving China's military and intelligence objectives.
The U.S. Government's Response — And What It Means for Ordinary People
When the scale of Salt Typhoon's campaign became clear, the response from federal authorities was striking in its urgency. The FBI issued an unusual public advisory urging Americans — not just government officials, but everyday citizens — to switch away from standard phone calls and SMS messages toward end-to-end encrypted messaging applications.
That recommendation is a significant admission. It signals that the agency believes standard telecommunications infrastructure in the United States cannot be considered secure against nation-state adversaries. For millions of people who assumed their carrier's network was protected, this was a wake-up call.
End-to-end encryption means that even if a hacker intercepts your message in transit, they cannot read it — because only you and the recipient hold the decryption keys. Standard SMS and unencrypted phone calls offer no such protection, and Salt Typhoon's campaign has demonstrated exactly how that gap can be exploited at scale.
Why This Campaign Is a Turning Point in Global Cybersecurity
Salt Typhoon's hacking campaign represents more than a series of data breaches — it marks a fundamental shift in how nation-state cyber operations target the infrastructure of modern life. Telecommunications networks were once considered too vast and too critical to be systematically compromised. That assumption is now obsolete.
The fact that a foreign intelligence service can quietly infiltrate the lawful intercept systems of multiple sovereign nations, systems designed to protect citizens, and use those systems to spy on government officials is a profound challenge to national security doctrine everywhere. It raises urgent questions about how telecom infrastructure is secured, how quickly vulnerabilities are patched, and how much trust governments can place in the private companies that operate their most critical communications networks.
For individuals, the lesson is practical and immediate: the tools you use to communicate matter. Encrypted messaging is no longer just a preference for the privacy-conscious — it is a basic security measure recommended by the nation's top law enforcement agency.
What Happens Next?
The full scope of Salt Typhoon's campaign is still being investigated. Security researchers and government agencies across multiple countries continue to audit affected networks, assess what data was accessed, and work to close the vulnerabilities the group exploited. Some affected companies have confirmed breaches; others are still determining the extent of the intrusion.
What is clear is that Salt Typhoon is not finished. The group has demonstrated both the capability and the intent to conduct long-running, large-scale operations against telecommunications targets globally. Until the underlying vulnerabilities in network infrastructure are addressed — and until lawful intercept systems are hardened against unauthorized access — the threat remains active.
The campaign also puts pressure on governments to move faster on cybersecurity legislation, mandatory disclosure timelines for telecom breaches, and international coordination to attribute and respond to state-sponsored hacking. The era of treating telecom security as a secondary concern is over.