Salt Typhoon hits U.S. telecoms

GDIT flagged China‑linked 'Salt Typhoon' operations targeting U.S. telecoms and ISPs, warning that disrupted infrastructure could cascade to critical services—including geospatial data delivery and sensor networks. The bulletin underscores telecoms as an attack surface for nation‑state campaigns against infrastructure that defense systems depend on. (x.com)

Federal reporting and industry tracking show Salt Typhoon’s activity reached networks in more than 80 countries, according to FBI reporting summarized by Defense One. (defenseone.com) Independent researchers have linked intrusions to at least nine U.S.-based telecommunications companies, with long‑term access observed in multiple provider environments. (tenable.com)

Investigators and threat analysts found the campaign relied on exploits of edge-router software, including Cisco IOS XE flaws tracked as CVE‑2023‑20198 and CVE‑2023‑20273, to gain and maintain persistence. (securityaffairs.com) A joint advisory from CISA, the NSA and the FBI (AA25‑239A) consolidated multinational findings and published mitigation steps, with the advisory last revised on Sept. 3, 2025. (cisa.gov)

A DHS memo reviewed by NBC and follow‑on reporting indicate Salt Typhoon operated inside at least one state Army National Guard network for roughly nine months, exfiltrating maps, network configuration files and personnel data. (nbcnews.com) Technical write‑ups from Cisco Talos and other vendors document attackers abusing the GuestShell feature on Cisco platforms and using “living off the land” techniques to blend with legitimate traffic and evade detection. (blog.talosintelligence.com)

Security analysts and public reports warn that backbone‑level access enabled harvesting of metadata, voice records and surveillance‑request details—data sets that can directly degrade geolocation services and sensor‑fed operational systems if disrupted. (securityweek.com) GDIT’s Mischa Beckett has publicly noted the campaign’s telecom focus can seem abstract to the public even as it targets the communications infrastructure underpinning defense and intelligence operations. (cyberscoop.com)