On its face the phrase Salt Typhoon had no place in public reporting or government advisories on June 21, 2024. There were, however, clear and contemporaneous warnings that China‑linked state actors were targeting communications and critical infrastructure. That outside evidence is the useful baseline for assessing the hypothetical claim that a campaign called Salt Typhoon had breached telecoms and put Department of Defense communications at risk.
What we actually know now
Federal and industry work published before June 21, 2024 shows a pattern worth taking seriously. Microsoft and U.S. agencies documented an ongoing PRC‑linked campaign nicknamed Volt Typhoon that focused on communications and other critical sectors, relied heavily on living‑off‑the‑land techniques, and used compromised small office and home office (SOHO) routers and legitimate accounts to conceal activity and maintain long‑term access. In January and February 2024 the Department of Justice, FBI, NSA and CISA publicly described disruption operations and joint advisories that confirmed these tactics and urged immediate mitigations.
Why telecom compromises matter to DoD comms
The Department of Defense depends on a mix of military and commercial infrastructure. Tactical and administrative DoD users routinely interact with commercial carrier networks for voice, text, and data. That makes telecom providers an attractive vector for foreign intelligence services seeking bulk metadata, targeted interception, or pathways to privileged systems.
A few concrete threat pathways to watch for
- Core network and router compromise. If an adversary controls or can manipulate carrier routing equipment they can observe or redirect traffic, or proxy operations through compromised devices. U.S. reporting on PRC actors shows they have used infected SOHO routers and network misconfigurations to hide and pivot. This is not hypothetical. (See DOJ and CISA advisories.)
- Credential theft and living off the land. Attackers that harvest valid administrative credentials can operate stealthily from inside carrier networks. CISA and Microsoft observed that these tactics favor persistence and covert reconnaissance over noisy, immediate exploitation.
- Signaling and interconnect weaknesses. Legacy signaling protocols such as SS7 and their IP successors have documented weaknesses that allow location tracking, message interception, or SMS rerouting when an attacker has sufficient access to network signaling. These flaws are long standing and have been exploited at scale in other contexts.
- Lawful intercept and provisioning systems. Networks implement systems to support lawful intercept and subscriber provisioning. If an attacker can access these systems they could, in theory, obtain metadata and in some configurations even content for particular targets. The existence of lawful intercept standards and CALEA obligations means those interfaces are present in carrier environments and require careful protection.
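The credential-theft pathway above is detectable only if someone is actually hunting in authentication logs. The following is an added example, not code from the article or from any agency or vendor, showing two simple hunts a defender can run over carrier or DoD authentication records: a privileged account authenticating from a source address outside its known baseline, and one account fanning out to many hosts in a short window. The log format, host names, addresses and the baseline table are all constructed for the example.

```python
"""Hunt for anomalous privileged-account use in authentication logs.

Added example (not from the original article). The log format is a
constructed, simplified key=value format; real carrier or DoD logs need
their own parser. Two hunts:
  1. a privileged account authenticating from a source address that is
     not in its known baseline (possible stolen credentials);
  2. one account reaching many distinct hosts within a short window
     (possible living-off-the-land lateral movement).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data). The 02:15-02:17 burst shows a
# baseline admin account suddenly used from an unknown address against
# routers, a mediation box and a lawful-intercept gateway.
SAMPLE_LOGS = """\
2024-06-20T01:02:10Z host=core-rtr-01 user=netadmin src=10.10.1.5 result=success
2024-06-20T01:05:44Z host=core-rtr-02 user=netadmin src=10.10.1.5 result=success
2024-06-20T02:15:03Z host=core-rtr-01 user=netadmin src=198.51.100.23 result=success
2024-06-20T02:15:40Z host=core-rtr-02 user=netadmin src=198.51.100.23 result=success
2024-06-20T02:16:12Z host=mediation-01 user=netadmin src=198.51.100.23 result=success
2024-06-20T02:17:01Z host=li-gw-01 user=netadmin src=198.51.100.23 result=success
2024-06-20T09:00:00Z host=core-rtr-01 user=jdoe src=10.10.1.8 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Assumed baseline of source addresses each privileged account normally uses.
# In practice this is derived from historical logs or an access-management system.
PRIVILEGED_BASELINE = {"netadmin": {"10.10.1.5", "10.10.1.6"}}


def parse(logs):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def find_new_source_logins(events, baseline=PRIVILEGED_BASELINE):
    """Successful privileged logins from an address outside the account's baseline."""
    hits = []
    for e in events:
        if e["result"] != "success" or e["user"] not in baseline:
            continue
        if e["src"] not in baseline[e["user"]]:
            hits.append((e["ts"], e["user"], e["src"], e["host"]))
    return hits


def find_fanout(events, window=timedelta(minutes=5), threshold=3):
    """Map user -> max number of distinct hosts reached within `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            # Hosts touched from this event until the window closes.
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                alerts[user] = max(len(hosts), alerts.get(user, 0))
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for hit in find_new_source_logins(evs):
        print("privileged login from non-baseline source:", hit)
    for user, n in find_fanout(evs).items():
        print(f"{user} reached {n} distinct hosts within 5 minutes")
```

Both hunts deliberately key on valid, successful logins rather than failures: the point of living off the land is that nothing looks broken, so the anomaly has to come from context (where the account is coming from, and how fast it is spreading) rather than from error volume.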
Potential impacts for DoD communications
- Metadata exposure. Even without full content access, call and session metadata — who called whom, when, and from where — can reveal force posture, relationships, and movement patterns.
- Targeted eavesdropping. With deeper access to switching or mediation systems an attacker may be able to intercept specific calls or messages of interest.
- Supply chain and staging for disruption. Persistent footholds inside carrier networks are useful not only for espionage but also as prepositioning for disruption or denial of service in a crisis.
What the public guidance recommended up to June 21, 2024
U.S. agencies and major vendors urged a defensive checklist that applies directly to protecting DoD dependencies on commercial carriers:
- Patch and harden internet‑facing appliances, especially firewalls, VPN concentrators and router management interfaces. Prioritize devices with known exploited CVEs. (CISA guidance.)
- Eliminate or tightly control exposed management interfaces on network equipment. Avoid public‑facing SSH, web management or SNMP without strong access controls.
- Enforce phishing‑resistant multi‑factor authentication for administrative and privileged accounts. Rotate and remove stale credentials.
- Centralize and retain logs for network, authentication and application events. Proactive hunting for anomalous account use or lateral movement is essential.
- Segment networks so that carrier provisioning and lawful intercept interfaces are isolated, monitored, and subject to strict change control and auditing.
- Treat SOHO and third party devices that interconnect with critical infrastructure as higher risk and apply compensating controls or replace them with managed alternatives.
These recommendations are practical because they neutralize the techniques most commonly observed against communications providers: credential abuse, living‑off‑the‑land techniques, and exploitation of unpatched infrastructure.
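The second and sixth checklist items (no exposed SSH, web or SNMP management without strong access controls; no default credentials on edge devices) are the kind of thing that can be checked mechanically before a device goes into service. The following is an added example, not from the article or any vendor, that audits a router configuration for those conditions and shows a weak configuration next to a hardened one. The configuration syntax is a constructed, IOS‑like subset used only for illustration; a real audit would parse the vendor's actual configuration grammar, and the access‑list names, addresses and community string are made up.

```python
"""Audit a router configuration for exposed management interfaces.

Added example (not from the article or any vendor). The config syntax is a
constructed, IOS-like subset for illustration only. Checks:
  - default SNMP community strings, or SNMP communities with no access list;
  - plaintext HTTP management, or HTTPS management with no access-class;
  - vty lines that accept telnet, or that have no access-class restriction.
"""
import re

# Constructed weak configuration (not from any real device).
WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed hardened configuration for comparison.
HARDENED_CONFIG = """\
hostname edge-rtr-01
ip access-list standard MGMT-ONLY
 permit 10.10.1.0 0.0.0.255
snmp-server community Xk9vQ2 RO MGMT-ONLY
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
"""

WEAK_COMMUNITIES = {"public", "private"}


def _vty_blocks(lines):
    """Yield the body lines (stripped) of each 'line vty' stanza."""
    block, in_vty = [], False
    for ln in lines + [""]:  # sentinel flushes the last stanza
        if ln.startswith("line vty"):
            if in_vty:
                yield block
            block, in_vty = [], True
        elif in_vty and ln.startswith(" "):
            block.append(ln.strip())
        else:
            if in_vty:
                yield block
            block, in_vty = [], False


def audit_config(text):
    """Return a list of (severity, finding) tuples; an empty list means all checks passed."""
    lines = text.splitlines()
    findings = []
    for ln in lines:
        m = re.match(r"snmp-server community (\S+)( RO| RW)?(?: (\S+))?$", ln)
        if m:
            community, _mode, acl = m.groups()
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(("high", f"default SNMP community '{community}'"))
            if acl is None:
                findings.append(("medium", f"SNMP community '{community}' has no access list"))
    if "ip http server" in lines:
        findings.append(("high", "plaintext HTTP management enabled"))
    if any(l.startswith("ip http secure-server") for l in lines) and not any(
        l.startswith("ip http access-class") for l in lines
    ):
        findings.append(("medium", "HTTPS management enabled without an access-class"))
    for body in _vty_blocks(lines):
        transports = [l for l in body if l.startswith("transport input")]
        if not transports or any("telnet" in t for t in transports):
            findings.append(("high", "vty lines accept telnet (or any transport)"))
        if not any(l.startswith("access-class") for l in body):
            findings.append(("medium", "vty lines have no access-class restriction"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

The hardened configuration passes because every management path is both encrypted and bound to an access list; removing either property (for example keeping SSH but dropping the access-class) reintroduces a medium finding, which is the point of checking the two properties independently.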
What DoD and its partners should do next
1) Map dependencies. The DoD needs an accurate inventory of which operational and administrative flows traverse commercial carriers and which vendor services provide mediation, signaling, or lawful intercept capabilities. Without the map you cannot prioritize defense.
2) Enforce minimum security baselines for supplier networks. Contracts should include hard requirements for patch timelines, privileged access management, security telemetry sharing, and incident notification windows.
3) Push for stronger telemetry sharing between carriers, DoD, and federal cyber centers. Rapid detection and coordinated response depend on the timely exchange of indicators and logs.
4) Expand the use of end‑to‑end encryption where operationally feasible. For the highest sensitivity traffic DoD should avoid plain carrier voice or SMS and prefer cryptographic solutions under DoD control.
5) Harden boundary devices in the field. Many adversary campaigns exploit edge devices. Improving configuration hygiene, reducing default credentials, and limiting exposed services will reduce attack surface.
Final assessment
As of June 21, 2024 there was no public record under the Salt Typhoon label. That does not mean the underlying risk is imaginary. The publicly documented Volt Typhoon activity and related PRC‑linked operations demonstrate both intent and capability to probe, infiltrate, and persist in communications infrastructure. For DoD the lesson is simple and urgent. Commercial telecoms are part of the modern communications fabric that supports military operations. They must be treated as contested terrain. The right combination of mapping, supplier controls, telemetry, and pragmatic cryptography will materially reduce mission risk. Ignoring the problem in the hope it never becomes a crisis will only make the next disclosure more damaging.