U.S. Telecoms Launch C2 ISAC After Salt Typhoon Breached Carrier Networks
Major U.S. telecommunications providers have formed the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) to strengthen real-time threat sharing and collective defense after the China-linked Salt Typhoon campaign compromised carrier networks in the United States and abroad. The intrusions, described by Sen. Mark Warner as the worst telecom hack in U.S. history, affected multiple major providers including AT&T, Verizon, Lumen Technologies, T-Mobile, and others, with investigators saying the activity has been ongoing since at least 2019 and there is still no clear public evidence the threat actors have been fully removed from communications networks.
Officials and reporting said the espionage campaign enabled attackers to move between telecom networks, exfiltrate large volumes of data, and in some cases listen to audio calls in real time while targeting high-value intelligence, government, and political communications. Investigators also found breaches of U.S. lawful intercept systems used for court-ordered surveillance, while a separate suspected China-linked compromise of an FBI surveillance system likely exposed phone numbers of monitored targets; the campaign has also been linked to exploitation of vulnerabilities in Cisco routers to gain access to telecom infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
21 events from the most recent confirmed update back to the earliest known activity.
Telecom firms launch the C2 ISAC information-sharing group
Major U.S. telecommunications companies formed the Communications Cybersecurity Information Sharing and Analysis Center to improve real-time intelligence sharing and collective defense in response to persistent threats exposed by the Salt Typhoon campaign.
Sen. Warner calls Salt Typhoon the worst telecom hack in U.S. history
Sen. Mark R. Warner publicly characterized the China-linked telecom intrusions as the worst telecom hack in the nation's history, highlighting the scale of surveillance and data theft tied to Salt Typhoon.
T-Mobile identified as latest known telecom victim
Recent reporting identified T-Mobile as the latest carrier affected in the Salt Typhoon campaign, following earlier disclosures involving AT&T, Verizon, and Lumen Technologies.
Salt Typhoon compromises telecom providers and lawful intercept systems
Investigators found that Salt Typhoon breached telecom providers in the United States and abroad, including U.S. lawful intercept systems used for court-ordered surveillance. The campaign was described as enabling real-time call monitoring, movement between telecom networks, and large-scale data theft targeting high-value intelligence communications.
Suspected China-linked breach of FBI surveillance system is discovered
Earlier in 2026, a suspected China-linked breach of an FBI surveillance system was discovered and likely exposed phone numbers of monitored targets.
Salt Typhoon attack on U.S. congressional email system reported
Reporting said the China-linked Salt Typhoon campaign targeted or compromised a U.S. congressional email system, extending concern beyond telecom networks to core government communications infrastructure. The disclosure highlighted congressional communications as an additional victim set in the broader espionage campaign.
FBI announces joint cybersecurity advisory on Salt Typhoon
The FBI announced a joint cybersecurity advisory related to the China-linked Salt Typhoon campaign. The advisory marked a formal government guidance and technical disclosure effort intended to help organizations detect, respond to, and defend against the telecom-focused intrusions.
Canada says telecom companies were breached in China-linked hacks
Canadian authorities said telecommunications companies in Canada were breached in a China-linked espionage campaign associated with Salt Typhoon. The disclosure expanded the known victim set beyond previously reported U.S. telecom providers.
Report names Charter, Consolidated, and Windstream as Salt Typhoon victims
Public reporting identified Charter Communications, Consolidated Communications, and Windstream as additional telecommunications companies affected by the China-linked Salt Typhoon campaign. The disclosure added specific victim names after earlier government statements had said more U.S. telecom firms were compromised than had been publicly identified.
Lumen says it cleared Salt Typhoon from its network
Lumen disclosed that it had removed the China-linked Salt Typhoon hackers from its network, marking a public remediation update from one of the affected U.S. telecom providers. The statement indicated the company no longer saw the threat actor in its environment.
Verizon says it secured its network after Salt Typhoon breach
Verizon said it had secured its network following a breach by the China-linked Salt Typhoon group. The statement marked a public remediation update from another major U.S. telecom provider affected by the campaign.
White House says Salt Typhoon hit a ninth U.S. telecom firm
The White House disclosed that the China-linked Salt Typhoon hacking campaign had compromised a ninth U.S. telecommunications company. The announcement marked a public escalation in the known scope of the telecom intrusions beyond the previously identified carriers.
U.S. moves to ban China Telecom Americas after telecom hacks
The Biden administration moved to ban the remaining U.S. operations of China Telecom Americas, saying its network presence and cloud services posed a national security risk amid the China-linked telecom espionage campaign. Officials described the step as the first publicly announced U.S. response to the Salt Typhoon intrusions.
White House says Salt Typhoon recorded calls of senior U.S. officials
The White House disclosed that the China-linked Salt Typhoon campaign intercepted and recorded telephone calls involving very senior U.S. government officials. The statement added a concrete impact detail showing the espionage operation reached high-level official communications.
U.S. urges use of encrypted messaging apps after Salt Typhoon hack
U.S. officials publicly urged the use of encrypted messaging applications in response to the Salt Typhoon telecom intrusions. The guidance reflected an official response aimed at reducing interception risk after the campaign's impact on communications security became clear.
Sen. Warner calls Salt Typhoon the worst telecom hack in U.S. history
Sen. Mark R. Warner publicly described the China-linked Salt Typhoon intrusion as the worst telecom hack in U.S. history. The statement underscored the severity of the espionage campaign against telecommunications infrastructure.
FBI and CISA warn of broad Chinese telecom espionage campaign
The FBI and CISA said their investigation uncovered a broad and significant China-linked cyberespionage campaign compromising multiple U.S. telecommunications companies. Officials said the hackers obtained customer call records, accessed communications of a limited number of mostly government or political figures, and sought data tied to lawful U.S. surveillance requests.
Reports link Salt Typhoon to breaches of telecom lawful-intercept systems
Public reporting said the China-linked Salt Typhoon group had compromised systems at Verizon, AT&T, and Lumen Technologies used to support lawful government access to communications data. The disclosure highlighted that surveillance backdoor infrastructure at major U.S. telecom providers had been exploited.
CNN reports Chinese hackers accessed U.S. telecom firms
CNN reported that Chinese hackers had gained access to U.S. telecommunications companies, raising concern among U.S. national security officials. The report marked an early public disclosure of the telecom intrusions later linked to Salt Typhoon.
The Register reports Salt Typhoon inside U.S. ISPs
The Register reported that China-linked Salt Typhoon cyber spies were detected deep inside U.S. internet service providers, marking an early public disclosure of the telecom espionage campaign. The report indicated the intrusions affected core provider environments before broader reporting on the operation emerged.
Salt Typhoon intrusions into telecom networks begin
The FBI said the China-linked intrusions associated with Salt Typhoon have been active since at least 2019, marking the start of a long-running campaign against telecommunications providers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
26 references tracked. Mallory keeps watching after this page renders.
Telecom firms form new cyber information-sharing group - Nextgov/FCW
nextgov.com
Open sourceUS Senator says China-linked hack the "worst telecom hack in nation’s history" - SDxCentral
sdxcentral.com
Open sourceChinese telecom hackers likely holding stolen data ‘in perpetuity’ for later attempts, FBI official says - Nextgov/FCW
nextgov.com
Open sourceChinese hackers breached phones at ‘heart of Downing Street,’ reports say | Fox News
foxnews.com
Open sourceChina hacked AT&T, Verizon and Lumen in apparent counterspy operation - The Washington Post
washingtonpost.com
Open sourceChinese hackers access US telecom firms, worrying national security officials | CNN Politics
cnn.com
Open sourceChina's Salt Typhoon cyber spies spotted deep inside US ISPs
theregister.com
Open sourceSalt Typhoon | NJCCIC
cyber.nj.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
China-Linked Espionage Campaign Hit Telecoms, Cloud Email, and Manufacturers
China-linked hacking groups were reported to have penetrated a wide range of targets across the United States and allied regions, including manufacturers, U.S. government email systems, internet providers, and major telecommunications networks. Earlier reporting described broad economic espionage aimed at stealing trade secrets from manufacturing sectors in the U.S., Europe, and Asia, while later disclosures said Chinese operators breached U.S. government email accounts through Microsoft cloud infrastructure and infiltrated American internet providers for surveillance. Subsequent investigations tied the telecom intrusions to the **Salt Typhoon** campaign, which officials said exposed sensitive metadata and provided insight into U.S. surveillance targets. U.S. officials characterized the activity, alongside related operations such as **Volt Typhoon**, as one of the most serious cyber threats to American critical infrastructure in recent years. Reporting said investigators believed the attackers may have retained access to at least eight telecom firms, including **Verizon** and **AT&T**, and that the campaign extended to dozens of telecoms and government agencies. In response, the Biden administration moved to bar the remaining U.S. operations of **China Telecom Americas**, citing national security risks and signaling the first public retaliatory step tied to the telecom compromises, even as debate continued over broader sanctions, technology restrictions, and offensive cyber responses.
May 26, 2026
FBI Warns Salt Typhoon Telecom Intrusions Remain an Ongoing Risk
A senior FBI cyber intelligence official warned that **Salt Typhoon**, a China-linked cyber espionage group tied to the widespread compromise of telecommunications infrastructure disclosed in 2024, remains an active and broad threat to U.S. public- and private-sector organizations. Speaking at *CyberTalks* in Washington, D.C., FBI Deputy Assistant Director Michael Machtinger said organizations that engaged early with the FBI and agencies such as **CISA** were more successful at mitigating the impact of the intrusions, and he emphasized that the campaign largely exploited **basic security weaknesses** rather than relying primarily on zero-days. Machtinger also assessed that Salt Typhoon is likely retaining stolen data “**in perpetuity**” for future surveillance and exploitation, noting uncertainty about how the PRC intends to use the information but expressing confidence it could enable follow-on operations. Reporting highlighted that the group accessed **dozens of telecom providers globally** in a multi-year effort and, in the U.S., targeted sensitive communications by accessing **“lawful intercept”** systems used for court-ordered wiretaps; it remains unconfirmed whether the actors have been fully removed from affected American networks. The FBI official further stated that Salt Typhoon “for certain” stole information from **well over a million Americans directly**, reinforcing the long-term counterintelligence and privacy risk posed by persistent access and large-scale data theft from telecom environments.
Mar 21, 2026
Salt Typhoon Cyber Espionage Campaign Targeting U.S. Telecom and Government Networks
Salt Typhoon, a threat group linked to the People’s Republic of China, conducted a multiyear cyber espionage campaign targeting major U.S. telecom providers such as Verizon, AT&T, and T-Mobile, compromising the data of hundreds of millions of users. The campaign is considered by U.S. officials to be the most significant cyber espionage operation in history, with attackers gaining access to sensitive information including call logs, unencrypted texts, and audio from high-ranking political figures, as well as targeting law enforcement intercept backdoors and military networks. The group’s activities have raised concerns about potential election interference, political blackmail, and threats to national security. Salt Typhoon exploited unpatched, end-of-life, and forgotten network perimeter devices—such as routers, VPNs, and firewalls—using sophisticated “living off the land” tactics to establish long-term persistence and evade detection. The attackers stole administrator credentials, network traffic diagrams, and personal information from military and state cybersecurity personnel, using this intelligence to fuel further intrusions. The campaign highlights the urgent need for organizations to address technical debt and proactively secure legacy infrastructure, as reactive patching cannot undo compromises on already breached devices.
Mar 21, 2026