Chinese Hackers Lurked in US Telecom Shadows for a Year

The Silent Infiltration

U.S. telecom providers unknowingly became the target of an unprecedented cyberespionage campaign. Chinese state-backed hackers, known as Salt Typhoon, secretly infiltrated critical infrastructure and quietly harvested sensitive data for nearly a year.

This covert operation went undetected until investigations uncovered the depth of the intrusion. Here we explore newly surfaced facts from June 2025, revealing how this advanced operation unfolded, which entities were impacted, and what new national security concerns have emerged.

Earliest Breach Timeline

Investigations revealed that Salt Typhoon initially breached telecom networks in summer 2023. Security teams had long assumed the infiltration was more recent, but forensic analysis of system logs confirmed the malware operated silently for seven months.

This extended dwell time allowed the hackers to map networks thoroughly and exfiltrate valuable data without triggering alarms. The delayed detection has raised serious concerns about the visibility of advanced persistent threats and the weaknesses in real-time monitoring within U.S. telecom environments.

Malware Signature

The attackers deployed sophisticated kernel-mode malware called Demodex, a Windows rootkit engineered for deep system penetration. This malicious tool operated beneath antivirus detection layers, allowing Salt Typhoon to maintain persistent access.

They exploited zero-day vulnerabilities in Versa Director systems and unpatched Cisco and Fortinet network devices, bypassing conventional defenses.

The malware’s advanced design reflects years of state-sponsored research, giving attackers powerful capabilities to evade forensic analysis, modify system processes, and manipulate traffic without leaving standard digital footprints behind.

Expanding Victims

Security agencies disclosed that the breach extended beyond major telecom providers, including data centers like Digital Realty and service giants like Comcast. This expansion shifted the scope from telecom to broader internet infrastructure, compromising data storage and transfer points critical to countless businesses.

The compromise of backbone providers and intermediary services exponentially increased the potential exposure, involving private enterprises, cloud services, and sensitive customer data. Each newly identified victim broadened the national security implications dramatically.

Attack Group Identity

Salt Typhoon is part of a sophisticated cluster of Chinese hacking units directly linked to China’s Ministry of State Security. Unlike independent criminal groups, this APT (Advanced Persistent Threat) operates under official directives, targeting industries of strategic interest.

Their operations demonstrate deep resources, technical expertise, and long-term espionage goals. Intelligence experts stress that Salt Typhoon’s activities represent not isolated incidents but a sustained effort to embed within key sectors, silently gathering economic, political, and technological intelligence over extended periods.

Broader Ecosystem

Salt Typhoon operates within a larger web of state-backed cyber groups, including Brass Typhoon (APT-41) and Volt Typhoon. These interconnected units collaborate or share tools, creating an evolving ecosystem capable of attacking multiple industries simultaneously.

Brass Typhoon focuses on the financial and tech sectors, while Volt Typhoon recently targeted critical infrastructure.

Collectively, these groups embody China’s hybrid warfare approach, blending espionage with cyber sabotage capabilities, positioning them as one of the most complex threats U.S. national security faces today.

Data Harvested

The hackers’ primary objective was extensive metadata collection. They exfiltrated call timestamps, phone numbers, IP addresses, and, in select cases, intercepted actual voice communications involving sensitive political and corporate figures. This granular data provides valuable intelligence on personal networks, habits, and legal investigations.

Analysts warn that compiling this type of information over time enables highly detailed profiling of targets, making future espionage, blackmail, or manipulation campaigns easier to execute with tailored precision, amplifying the long-term national security risks.

Scope of Telecom Firms

At least nine major telecom and internet providers were compromised, including AT&T, Verizon, T-Mobile, Lumen, Charter, Consolidated, Windstream, Spectrum, and smaller ISPs. Attackers deeply penetrated internal routing devices, load balancers, and fiber network control systems. Each company offered unique entry points, allowing attackers to diversify their attack surfaces.

This broad penetration reflects the attackers’ systematic approach, combining opportunistic vulnerability scanning with highly targeted manual exploitation, leveraging each company’s unique architecture to ensure wide-reaching data collection.

Targeted Personnel

One especially alarming aspect involved the attackers accessing telecom infrastructure that supports law enforcement wiretaps. These systems handle court-authorized surveillance operations, meaning hackers could intercept live wiretaps authorized for criminal investigations and national security cases.

Such intrusions not only jeopardize sensitive investigations but also expose classified operational details. Intelligence officials are investigating whether any active surveillance programs were compromised, fearing that adversaries may have gained insights into domestic criminal probes and U.S. counterintelligence operations.

Network Management Access

Salt Typhoon exploited privileged network management accounts often lacking multi-factor authentication. With administrative credentials, hackers gained unrestricted access to network routing, configuration files, and user data streams.

These elevated privileges enabled them to silently observe system operations, introduce backdoors, and erase traces of their activity.

The absence of strict credential management and insufficient segmentation between user accounts and core systems left critical telecom infrastructure extremely vulnerable, demonstrating how basic cyber hygiene failures can open doors to sophisticated state actors.
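The failure pattern described above (privileged logins without MFA, followed by configuration changes and log clearing) is something a defender can hunt for in device audit logs. The following is an added example, not code from the original article or from any of the affected providers; the log format, host names and user names are constructed for illustration.

```python
"""Flag risky privileged sessions on network-management hosts.

Constructed, syslog-like audit lines (not real telecom logs) in the shape:
"<ts> host=<h> user=<u> event=<e> [mfa=<yes|no>] [detail=...]"
"""
import re

LINE_RE = re.compile(
    r"(\S+) host=(\S+) user=(\S+) event=(\S+)(?: mfa=(yes|no))?(?: detail=(.*))?"
)

# Constructed sample: one clean admin session and one suspicious one.
SAMPLE_LOG = """\
2023-07-02T01:10:05Z host=core-rtr-1 user=netops-admin event=login mfa=yes
2023-07-02T01:12:40Z host=core-rtr-1 user=netops-admin event=config_change detail=interface-desc
2023-07-02T01:13:02Z host=core-rtr-1 user=netops-admin event=logout
2023-07-02T03:41:18Z host=core-rtr-1 user=svc-backup event=login mfa=no
2023-07-02T03:42:51Z host=core-rtr-1 user=svc-backup event=config_change detail=add-local-user
2023-07-02T03:44:07Z host=core-rtr-1 user=svc-backup event=clear_logging
2023-07-02T03:44:30Z host=core-rtr-1 user=svc-backup event=logout
"""


def parse(text):
    """Turn audit lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, event, mfa, detail = m.groups()
            out.append({"ts": ts, "host": host, "user": user,
                        "event": event, "mfa": mfa, "detail": detail})
    return out


def find_risky_sessions(records):
    """Group events into (host, user) sessions from login to logout and score them."""
    findings, open_sessions = [], {}
    for r in records:
        key = (r["host"], r["user"])
        if r["event"] == "login":
            open_sessions[key] = {"start": r["ts"], "mfa": r["mfa"], "events": []}
            continue
        sess = open_sessions.get(key)
        if sess is None:
            continue  # activity with no observed login: out of scope here
        sess["events"].append(r["event"])
        if r["event"] == "logout":
            reasons = []
            if sess["mfa"] != "yes":
                reasons.append("privileged login without MFA")
            if "config_change" in sess["events"] and "clear_logging" in sess["events"]:
                reasons.append("config change followed by log clearing")
            if reasons:
                findings.append({"host": key[0], "user": key[1],
                                 "start": sess["start"], "reasons": reasons})
            del open_sessions[key]
    return findings
```

Run against the constructed sample, only the svc-backup session is reported, with both reasons attached.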

Threat to Infrastructure

U.S. intelligence now believes Salt Typhoon’s activities extend beyond telecom into broader critical infrastructure. Ports, transportation hubs, and electrical grids could also be quietly compromised. Officials fear these dormant footholds may serve as pre-positioned access points for future cyber sabotage or hybrid warfare attacks.

Such capabilities would allow China to destabilize U.S. infrastructure during geopolitical conflicts without traditional military engagement, raising the stakes dramatically in ongoing national security dialogues about resilience and supply chain protections.

Investigation Challenges

Federal investigators face significant roadblocks in fully mapping the breaches. Due to differing authorities and access limitations, disparate victim lists exist between the NSA, CISA, and the FBI.

In some cases, telecom companies were legally advised not to actively search their networks, to avoid triggering evidence spoliation rules. This legal complexity complicates efforts to verify the full extent of the intrusion. As a result, officials caution that the true scale may remain hidden for years to come.

Eviction Difficulty

Despite months of remediation efforts, U.S. officials admit they cannot guarantee the hackers have been fully removed. The complexity of telecom systems means attackers may have implanted hidden backdoors or sleeper malware designed to reactivate later.

Cleanup operations continue, but identifying deeply embedded code across millions of devices and configurations is an immense challenge. Intelligence leaders warn that even with advanced forensic tools, these state-sponsored intrusions may linger undetected for years, preserving China’s long-term access.

Smartphone Risks

New reports from June 2025 revealed that Chinese state hackers also exploit mobile devices. Sophisticated malware targeting Android and iPhone platforms has globally compromised political leaders, journalists, and corporate executives.

These mobile intrusions collect emails, texts, location data, and microphone recordings, expanding the espionage footprint beyond network infrastructure.

The mobile attacks demonstrate China’s ability to target individuals directly, creating full-spectrum surveillance combining physical movements, digital communications, and private conversations for maximum intelligence gathering.

Legislative Pressure

U.S. lawmakers, including Senators Ron Wyden and Eric Schmitt, demand swift federal action. They urge the Defense Department, FCC, and intelligence agencies to enforce stricter cybersecurity mandates for telecom providers.

Proposals include requiring multi-factor authentication, enforcing vendor security audits, and revising supplier contracts to limit foreign technology dependencies.

Congressional committees also explore expanded oversight powers to monitor compliance and impose penalties for lax security practices.

The bipartisan push signals growing frustration with ongoing vulnerabilities; one alarming example is how North Korean hackers lure developers with fake coding challenges, and why that is raising alarms.

National Security Response

The federal government has launched sweeping incident alerts to all affected companies while issuing urgent vulnerability notifications.

In early 2025, coordinated court-ordered operations allowed U.S. agencies to disrupt parts of Volt Typhoon’s infrastructure and related malware operations. These unprecedented legal interventions mark an escalation in active cyber defense strategies.

Officials emphasize that while progress is being made, the persistence of state-sponsored threats like Salt Typhoon demands ongoing vigilance, cross-agency coordination, and continuous private-sector cooperation to counter future attacks.
