Salt Typhoon is not a one-off headline. It is a case study in how persistent, intelligence-driven cyber operations exploit long-standing blind spots in telecommunications infrastructure and seep into the wider defense ecosystem. Public reporting and government action since December 2024 show a pattern we see again and again: sophisticated actors repeatedly use old, unpatched flaws, target management and control planes, and rely on weak operational hygiene to build long-term access.
Telecom operators publicly stated they evicted the intruders from at least some affected networks, but those statements do not mean the underlying risks have been eliminated. Companies including major carriers reported containment after forensic work, but containment is not the same as full assurance. Attackers who have had time inside core routing, switching, or lawful-intercept subsystems can plant backdoors, steal configurations, and harvest credentials that allow return access if defenses are not rebuilt from the ground up.
Attribution and punitive actions have followed. The U.S. Treasury imposed sanctions in January 2025 linked to companies and individuals alleged to have supported the campaign. Sanctions help impose cost on operations and disrupt logistical support, but they do not substitute for technical remediation or change the tactical reality that vulnerable devices remain exposed on networks worldwide. Operators and DoD partners must plan for a protracted remediation timeline rather than a quick fix.
Technical lessons are straightforward but often ignored. Public telemetry and industry researchers observed active exploitation of known Cisco vulnerabilities and legacy management features during the period when Salt Typhoon activity was reported. In particular, exploitation activity against CVE-2018-0171 (Cisco Smart Install remote code execution) and CVE-2023-20198 (IOS XE web UI privilege escalation) was documented by network-scanning telemetry, indicating that, at least in the publicly documented activity, the adversary favored chaining known flaws and exposed management interfaces over novel zero-days. That behavior means defenders can materially reduce exposure by aggressive patching and by removing internet-facing management services.
For defense and telecom stakeholders the risk model has three persistent elements. First, device and configuration sprawl. Telecom backbones and carrier edge networks contain a vast set of routers, switches, and virtual functions, many with years-old firmware and inconsistent configuration baselines. Second, management plane exposure. Remote administration interfaces, shared credentials, and overly permissive access control lists provide attackers with lateral movement corridors. Third, dependent systems. Lawful-intercept systems, roaming fabrics, and carrier-supplied network services concentrate sensitive metadata and call content in places where a successful compromise yields high-value intelligence.
Operational recommendations that matter now
- Assume breach and validate eviction: Treat any ejection claim as provisional. Running a single forensic engagement is only step one. Plan coordinated hunts across providers, shared indicator exchanges, and repeated, independent verifications before declaring networks clean.
- Prioritize patching of management-plane CVEs and remove exposed services: Track hardening guidance for affected platforms and disable Smart Install and the HTTP/HTTPS web UI on internet-facing interfaces. Where patches cannot be applied immediately, isolate devices onto management VLANs and limit remote administration to jump hosts with multi-factor authentication and public-key-only logins.
- Harden credential posture: Replace shared or default account usage with per-user certificates and hardware-backed keys. Force rotation of service accounts and keys that may have been exfiltrated. Use out-of-band channels and cryptographic attestation when rebuilding trust for critical links.
- Encrypt high-value communications end-to-end: Federal agencies publicly advised senior officials to move to end-to-end encrypted voice and messaging for sensitive discussions while carriers and operators harden their cores. That recommendation is not just about privacy; it is an emergency compensating control when transport and interception risk is elevated.
- Broaden telemetry and threat sharing across sectors: Telecom providers, DoD networks, and civilian agencies must treat carrier backbones as national critical infrastructure and share technical indicators rapidly. Automated exchange of YARA rules, Snort signatures, and behavioral detections reduces re-infection risk and speeds hunts across linked networks. The long dwell times observed in these campaigns show that siloed incident response is insufficient.
- Conduct eviction as a coordinated operation when high assurance is required: True eradication from core infrastructure requires synchronized takedowns, credential resets, firmware reinstallation or replacement, and staged reconstitution of services. Half measures leave roots intact. Expect these operations to take weeks to months for complex carrier environments.
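The following is an added example, not code from the original article or from any vendor tool: a small Python audit that checks a Cisco IOS-style running configuration for the management-plane exposures named in the patching and credential recommendations above (Smart Install left at its enabled default, the HTTP/HTTPS web UI listening, VTY lines without an access-class or still accepting telnet, and reversible "enable password" or type 7 user passwords). Both sample configurations are constructed for illustration; the hostname, user names, ACL name, addresses and hash strings are placeholders, not real device data. It is the kind of check a practitioner would run across an exported config set before accepting a claim that a device is hardened.

```python
"""Audit a Cisco IOS-style running-config for management-plane exposures."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    check: str      # short check identifier
    detail: str     # what was found and the corrective command


# Constructed weak configuration (not from any real device). Hostname, user
# names and the type 7 string are placeholders.
WEAK_CONFIG = """\
hostname edge-rtr-01
enable password cisco123
username admin password 7 0822455D0A16
ip http server
ip http secure-server
vstack
line vty 0 4
 transport input all
 login local
"""

# The same device with the exposures removed. Hashes are placeholders.
HARDENED_CONFIG = """\
hostname edge-rtr-01
enable secret 9 $9$placeholderhash
username ops-alice privilege 15 secret 9 $9$placeholderhash
no vstack
no ip http server
no ip http secure-server
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
"""


def parse_sections(config: str):
    """Return (top-level lines, {section header: [indented child lines]})."""
    top_level, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            top_level.append(current)
            sections[current] = []
    return top_level, sections


def audit(config: str) -> list:
    """Return findings for the management-plane exposures discussed above."""
    top_level, sections = parse_sections(config)
    findings = []

    # Smart Install (CVE-2018-0171 class): the client is enabled by default on
    # many Catalyst platforms, so only an explicit "no vstack" counts as safe.
    if "no vstack" not in top_level:
        findings.append(Finding("high", "smart-install",
                                "Smart Install not disabled; add 'no vstack'"))

    for line in top_level:
        # Web UI (CVE-2023-20198 class): both listeners should be off unless required.
        if line in ("ip http server", "ip http secure-server"):
            findings.append(Finding("high", "web-ui",
                                    f"'{line}' enables the web UI; apply 'no {line}'"))
        # 'enable password' is stored in cleartext or type 7 (reversible); 'enable secret' is hashed.
        if line.startswith("enable password"):
            findings.append(Finding("high", "enable-password",
                                    "'enable password' in use; replace with 'enable secret'"))
        # Type 7 user passwords are trivially reversible.
        m = re.match(r"username (\S+) .*password 7 ", line)
        if m:
            findings.append(Finding("high", "type7-password",
                                    f"user '{m.group(1)}' has a type 7 password; use 'username {m.group(1)} secret'"))

    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        # Without an access-class the VTY lines accept connections from any source.
        if not any(child.startswith("access-class") for child in body):
            findings.append(Finding("medium", "vty-acl",
                                    f"'{header}' has no access-class; restrict to jump hosts"))
        # 'transport input all', or a list that includes telnet, permits cleartext admin.
        for child in body:
            if child.startswith("transport input"):
                protos = child.split()[2:]
                if "all" in protos or "telnet" in protos:
                    findings.append(Finding("medium", "vty-telnet",
                                            f"'{header}' allows telnet ({child}); use 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"== {name}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f.severity}] {f.check}: {f.detail}")
```

Run against the weak sample it reports seven findings (two for the web UI, one each for Smart Install, the enable password, the type 7 user password, the unrestricted VTY lines and the telnet transport); the hardened sample produces none. The Smart Install check deliberately treats the absence of `no vstack` as a finding rather than looking for an explicit `vstack` line, because the default state is the dangerous one on the affected platforms.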
Policy and supply chain considerations
Sanctions and public attribution are important levers, but they must be paired with regulation and resilience investments. Security requirements set at the FCC, CISA, and DoD level should drive minimum configuration standards, mandatory patch windows for critical infrastructure, and funding to replace end-of-life network gear. Carrier modernization plans must include secure-by-default management practices and verifiable supply chain provenance for hardware and embedded software.
Concluding caution
Salt Typhoon exposed how dependent both national security and daily life are on the integrity of telecommunications infrastructure. The immediate headlines focused on which carriers were hit and which individuals might have been surveilled. The lasting lesson is operational. Adversaries who exploit predictable, long-lived weaknesses will continue to succeed until we treat carrier management planes and lawful-intercept systems with the same rigor the DoD applies to combat networks. For operators and defense planners, the guidance is simple: assume the adversary will attempt a return, rebuild trust deliberately, and make the cost of re-entry intolerable.