Salt Typhoon Campaign: Global Espionage Findings Reveal 80 Countries Compromised


The digital age has long been defined by the tension between connectivity and security, but the revelations brought to light during the April 29, 2026, House Committee on Homeland Security hearing have fundamentally shifted the landscape. The Salt Typhoon campaign, a sophisticated and persistent cyber-espionage operation linked to Chinese state-sponsored actors, has emerged as perhaps the most consequential breach of global telecommunications infrastructure in history. With confirmed compromises spanning more than 80 countries and the direct infiltration of American court-authorized surveillance systems, the scale of this operation is not merely a technical failure; it is a profound geopolitical crisis that demands an immediate and total modernization of the Department of Homeland Security (DHS) IT infrastructure.

The Great Digital Siphon: Unmasking the Salt Typhoon Campaign

For nearly two years, the actors behind the Salt Typhoon campaign operated in the shadows, burrowing deep into the “nervous system” of the global internet. According to testimony from the April 29 hearing, the group—identified by intelligence agencies as a Tier-1 advanced persistent threat (APT) backed by the Chinese Ministry of State Security (MSS)—successfully compromised at least 200 organizations across the globe. The reach of the campaign extended far beyond the borders of the United States, affecting strategic allies including the United Kingdom, Canada, Germany, and Japan.

The primary objective of the Salt Typhoon campaign was not disruption or sabotage, but the clinical extraction of high-value intelligence. To achieve this, the actors targeted the very core of telecommunications providers: the backbone routers and edge devices that carry global data. By gaining persistence on these critical nodes, the attackers were able to monitor traffic in real time, effectively turning the world’s communications infrastructure into a giant surveillance apparatus. The specific data stolen includes:

  • Over one million American call records, including sensitive metadata such as timestamps, source and destination IP addresses, and geolocation data.
  • Unencrypted text messages and, in some high-priority cases, real-time audio recordings of telephone conversations.
  • Internal configuration files for U.S. government and critical infrastructure entities, including at least two state-level National Guard systems.
  • Email communications from high-profile congressional staff within the House Foreign Affairs, Intelligence, and Armed Services committees.

The Achilles’ Heel: Infiltration of the CALEA Systems

Perhaps the most chilling detail revealed during the House hearing was the confirmation that Salt Typhoon successfully infiltrated the systems used to fulfill requests under the Communications Assistance for Law Enforcement Act (CALEA). Designed to allow U.S. law enforcement and intelligence agencies to conduct court-authorized wiretapping, CALEA represents a centralized point of access for sensitive surveillance. By compromising these “lawful intercept” systems, Chinese intelligence did more than just listen in on conversations; they effectively “watched the watchers.”

This breach allowed the adversaries to identify which individuals were under investigation by U.S. authorities, providing a strategic counter-intelligence map of American law enforcement priorities. Security experts at the hearing noted that the attackers exploited unpatched vulnerabilities in core routers—some dating back to 2018—to gain entry into these surveillance portals. This represents a catastrophic failure of supply chain security and highlights a systemic lack of oversight regarding how telecommunications providers manage the legal intercept requirements mandated by the federal government.

Technical Mechanics of the Salt Typhoon Campaign

The technical proficiency displayed during the Salt Typhoon campaign underscores the evolution of state-sponsored hacking. Moving away from traditional malware-heavy approaches, the actors utilized “Living off the Land” (LotL) techniques to maintain an 18-month dwell time without detection. By using legitimate administrative tools already present on the systems, the attackers minimized their digital footprint, making their activity indistinguishable from routine network management.

Exploitation of Core Infrastructure

The group focused heavily on vulnerabilities in Cisco routers and other carrier-grade networking equipment. By exploiting these devices, they were able to modify Access-Control Lists (ACLs) to facilitate remote access and create covert tunnels using protocols such as Generic Routing Encapsulation (GRE) and IPsec. This allowed for the exfiltration of massive volumes of data through “hard-to-detect” batches that bypassed standard security monitoring.

Persistence and Lateral Movement

Once initial access was achieved, the actors moved laterally within the networks of major providers like AT&T and Verizon. They utilized custom-built Linux containers (Guest Shell) on Cisco devices to run malicious scripts, ensuring that even if a specific vulnerability was patched, their access remained. They also harvested credentials through weak passwords and exploited trust relationships between different telecommunications providers to jump from one network to another, a technique known as “network hopping.”
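The tradecraft described in the two sections above (ACL modifications that open remote access, GRE/IPsec tunnels for exfiltration, and Guest Shell containers for persistence) leaves traces in device configuration. The following is an added example, not code from the article or from any vendor, of a configuration-drift check a network defender could run over periodic config backups: it parses IOS-style configuration text into blocks and reports new tunnel interfaces, changed access-lists, and app-hosting/Guest Shell lines that the known-good baseline did not have. Both configurations, the hostnames, addresses, and ACL names are constructed for illustration, and the matched keywords (`iox`, `app-hosting appid`) are assumed to be the relevant top-level lines; adapt them to your platform.

```python
"""Config-drift check for router backups (added example, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str  # "new_tunnel", "acl_change" or "guestshell"
    detail: str


# Constructed known-good baseline (not a real device configuration).
BASELINE = """\
hostname core-rtr-01
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
ip access-list extended MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-ACL in
"""

# Constructed "current" snapshot showing the three kinds of change to flag.
CURRENT = """\
hostname core-rtr-01
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
interface Tunnel100
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
ip access-list extended MGMT-ACL
 permit tcp 192.0.2.0 0.0.0.255 any eq 22
 permit tcp host 198.51.100.77 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-ACL in
iox
app-hosting appid guestshell
"""


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Group an IOS-style config into {top-level line: [indented child lines]}."""
    blocks: dict[str, list[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and comments
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def diff_configs(baseline: str, current: str) -> list[Finding]:
    """Return findings for tunnel, ACL and Guest Shell drift between two configs."""
    base = parse_blocks(baseline)
    cur = parse_blocks(current)
    findings: list[Finding] = []

    # 1. Tunnel interfaces that did not exist in the baseline (covert GRE/IPsec paths).
    for header, body in cur.items():
        if header.startswith("interface Tunnel") and header not in base:
            mode = next((l for l in body if l.startswith("tunnel mode")), "tunnel mode gre ip (default)")
            dest = next((l for l in body if l.startswith("tunnel destination")), "tunnel destination ?")
            findings.append(Finding("new_tunnel", f"{header}: {mode}; {dest}"))

    # 2. Access-list entries added or removed, and ACLs deleted outright.
    for header, body in cur.items():
        if header.startswith("ip access-list"):
            added = [l for l in body if l not in base.get(header, [])]
            removed = [l for l in base.get(header, []) if l not in body]
            if added or removed:
                findings.append(Finding("acl_change", f"{header}: added={added} removed={removed}"))
    for header in base:
        if header.startswith("ip access-list") and header not in cur:
            findings.append(Finding("acl_change", f"{header}: removed entirely"))

    # 3. App-hosting / Guest Shell enabled where the baseline had none (assumed keywords).
    for header in cur:
        if (header == "iox" or header.startswith("app-hosting appid")) and header not in base:
            findings.append(Finding("guestshell", header))

    return findings


if __name__ == "__main__":
    for f in diff_configs(BASELINE, CURRENT):
        print(f"[{f.category}] {f.detail}")
```

Run against a clean backup and the current snapshot on a schedule; a `new_tunnel` or `guestshell` finding on a carrier core router is worth an immediate ticket, and an `acl_change` that adds a permit from an unfamiliar address to the management plane should be treated the same way.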

Policy Fallout: The FISA Section 702 Battleground

The timing of the hearing coincided with a major procedural hurdle cleared in the U.S. House regarding the reauthorization of FISA Section 702. This divisive surveillance program, which allows the government to collect communications of non-U.S. persons located abroad without a warrant, has become the centerpiece of the legislative response to the Salt Typhoon campaign. Lawmakers favoring reauthorization argue that the campaign proves the necessity of robust surveillance tools to identify and track foreign adversaries who are already embedded within our infrastructure.

However, the breach of CALEA systems has complicated this narrative. Critics argue that the government’s insistence on “backdoors” and centralized surveillance points has created the very vulnerabilities that Salt Typhoon exploited. The hearing emphasized that while Section 702 remains a critical tool for the intelligence community, the security of the infrastructure supporting these tools is woefully inadequate. The push for reauthorization now includes a heavy emphasis on IT modernization and mandatory cybersecurity certifications for telecommunications carriers to prevent a repeat of the Salt Typhoon breach.

Modernizing DHS: The Urgency of IT Infrastructure Reform

A central theme of the April 29 testimony was the aging state of the Department of Homeland Security’s IT infrastructure. Lawmakers warned that the DHS, in its role as the Sector Risk Management Agency (SRMA) for the communications and IT sectors, lacks the necessary resources and modern technology to defend against a peer-level adversary like China. Witnesses, including Mark Montgomery of the Foundation for Defense of Democracies, noted that the federal government is currently operating with a significant workforce shortage—estimated at over 500,000 vacant cybersecurity positions nationwide.

To address these gaps, the hearing highlighted several legislative and administrative priorities:

  1. The Cyber PIVOTT Act: A proposed ROTC-style scholarship program designed to funnel hundreds of thousands of new cybersecurity professionals into the public sector in exchange for government service.
  2. Mandatory Risk Management Plans: A new framework proposed by the FCC that would require telecommunications providers to certify their cybersecurity risk management plans annually, focusing specifically on the security of CALEA and other intercept systems.
  3. Investment in Data Centers and Space Systems: Expanding the DHS’s authority to protect subsea cables, space-based assets, and the data centers that power the cloud, all of which were identified as targets of the Salt Typhoon campaign.

Conclusion: The New Frontier of Cyber Defense

The Salt Typhoon campaign serves as a stark reminder that the battle for digital sovereignty is won or lost at the level of core infrastructure. The compromise of 80 countries and the theft of a million American call records demonstrate that our adversaries no longer need to break into our homes to hear our secrets; they have simply hijacked the walls themselves. As the legislative dust settles around FISA Section 702 and DHS modernization, one thing is clear: the era of “rudimentary” security is over. We are now in a permanent state of high-stakes digital engagement, where the integrity of our telecommunications networks is synonymous with the integrity of our national security.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.