09 March 2026
What is Salt Typhoon and which telecom and internet networks have reported intrusions.
Brief summary
A hacking campaign tracked as “Salt Typhoon” has been linked by multiple governments and security teams to intrusions affecting major telecommunications and internet infrastructure providers. Public disclosures to date indicate activity spanning several countries and involving attempts to access sensitive network systems used to route calls, messages, and internet traffic.
A cyber campaign known as Salt Typhoon has drawn heightened attention from governments and network operators after a series of public advisories and incident disclosures tied the activity to telecommunications and internet infrastructure. The name is used by security researchers to track a cluster of related tactics and targets rather than a single confirmed organization.
Telecommunications networks are a high-value target because they sit at the center of communications flows and often connect to systems used for lawful intercept, network management, and customer authentication. When attackers gain access to those environments, they may be able to collect metadata, monitor traffic, or move laterally into connected systems. Officials and companies that have commented publicly have generally described the activity as sophisticated and persistent, with a focus on long-term access.
Public reporting and official statements have not provided a complete global accounting of affected entities, and some operators have not disclosed details of investigations. However, a growing list of confirmed or acknowledged incidents has established that the campaign has touched multiple regions and a range of service providers.
## Where intrusions have been publicly acknowledged
Disclosures and advisories indicate that the campaign has affected, or attempted to affect, telecommunications and internet service providers in more than one country. In some cases, governments have issued alerts describing targeting of national telecom infrastructure without naming specific companies; in others, companies have confirmed investigations or remediation actions.
In the United States, federal cybersecurity and law enforcement agencies have previously warned that advanced actors have targeted telecom providers and related infrastructure. Those alerts have emphasized risks to systems that manage network routing and to platforms that support lawful intercept capabilities. Public statements have generally focused on the nature of the threat and recommended mitigations rather than providing a comprehensive list of impacted firms.
In parts of Asia, telecom operators and government agencies have also issued notices about intrusions affecting communications networks, including attempts to compromise core network components and administrative tools. Some of these disclosures have referenced activity consistent with Salt Typhoon tracking, while others have described similar tactics without using the same label.
In Europe, national cybersecurity authorities have issued periodic warnings about state-linked targeting of telecom and managed service providers, including compromises that can enable access to downstream customers. While not all such incidents are attributed publicly to Salt Typhoon, the pattern of targeting telecom infrastructure has been a recurring theme in official guidance.
Because incident response investigations can take months and because companies may be constrained by legal or regulatory processes, the public picture remains incomplete. In several jurisdictions, telecom operators are required to notify regulators of significant incidents, but public disclosure thresholds and timelines vary.
## What attackers seek in telecom and internet environments
Telecom and internet networks include layers of equipment and software that handle authentication, billing, routing, and interconnection with other carriers. They also include administrative interfaces used by engineers and contractors. Security teams have warned that attackers who obtain privileged access can potentially collect call detail records, location-related metadata, or other operational data, depending on the systems reached.
Another area of concern is access to systems associated with lawful intercept. These systems are designed to support court-authorized surveillance and are typically subject to strict controls. Government advisories have cautioned that attackers may attempt to exploit weaknesses in how such systems are integrated into broader network environments, including through compromised credentials, misconfigurations, or unpatched devices.
Officials have also warned that compromises of telecom providers can be used as a stepping stone into other sectors. Large carriers often provide managed services, cloud connectivity, and security products to enterprises and government agencies. A breach in a provider’s environment can therefore create opportunities for attackers to pivot into customer networks, particularly where shared management tools or remote access systems are involved.
## Response measures and what users can do
Telecom operators and governments have emphasized defensive steps focused on hardening privileged access and improving visibility into network activity. Recommended measures in public guidance have included enforcing multi-factor authentication for administrative accounts, restricting remote management interfaces, segmenting sensitive systems, and improving logging and monitoring for anomalous access.
Network operators have also been urged to review relationships with contractors and third-party vendors, since telecom environments often rely on external maintenance and specialized equipment support. Security teams have highlighted the importance of auditing privileged accounts, rotating credentials, and ensuring that access is time-limited and tied to specific tasks.
For individual users, the practical impact of telecom-focused intrusions can be difficult to assess because many of the targeted systems operate behind the scenes. Security agencies have generally advised users to maintain strong account security for services that rely on phone numbers, including enabling multi-factor authentication where available and using authentication apps or hardware keys when possible. Users are also advised to keep devices updated and to be cautious about unsolicited messages that attempt to capture credentials.
Governments and companies continue to investigate the scope of Salt Typhoon-linked activity. As additional incident notifications and technical findings are released, the list of confirmed affected networks may expand, and guidance may be updated to reflect new tactics and mitigations.
The content, including articles, medical topics, and photographs, has been created exclusively using artificial intelligence (AI). While efforts are made for accuracy and relevance, we do not guarantee the completeness, timeliness, or validity of the content and assume no responsibility for any inaccuracies or omissions. Use of the content is at the user's own risk and is intended exclusively for informational purposes.