salt-typhoon
Every phone call you make in America is wiretappable.
Not metaphorically. By federal law.
In nineteen ninety four, the United States Congress passed a statute called CALEA — the Communications Assistance for Law Enforcement Act. It required every telecommunications carrier in the country to engineer a permanent surveillance interface into its own infrastructure. A door, mandated by Washington, into every conversation routed through every American switch.
The door was built so the FBI could listen when a judge signed a warrant.
In twenty twenty four, the United States government admitted that someone else had been listening through it. For at least two years. Possibly longer.
The someone else was the Ministry of State Security of the People's Republic of China.
This is the story of how the most consequential intelligence breach in American history was not a breach in the conventional sense. The intruders did not bypass a security system. They did not exploit a forgotten port. They did not phish a careless administrator.
They walked through a door that the United States government had legally required telecommunications companies to maintain.
They walked through it for over two years. They listened to whoever they wanted. They took the list of every American the FBI was wiretapping.
And in late twenty twenty five, four years after the initial intrusion, the experts who track this group were no longer confident that they were gone.
This is Fragment Zero, Case File forty-three. Salt Typhoon. And the door that Washington built.
To understand what was lost, you need to understand what CALEA is and why it exists.
In the early nineteen nineties, the FBI faced a problem. American telecommunications were going digital. The old analog phone networks, which the bureau had been wiretapping since the days of J. Edgar Hoover, were being replaced by packet-switched digital systems. Cellular networks. Internet protocols. Encryption.
For the FBI, this represented an existential threat. The bureau's traditional wiretap capability depended on physical access to copper lines. With digital switching, intercepting a single suspect's calls required cooperation from the carriers themselves — cooperation that, in the early nineties, the carriers were not legally required to provide.
The bureau's solution was legislative. In October nineteen ninety four, after years of lobbying by then-FBI Director Louis Freeh, Congress passed the Communications Assistance for Law Enforcement Act.
CALEA was simple in its requirement and revolutionary in its implication. Every telecommunications carrier operating in the United States was required, by law, to design its switching equipment in a way that allowed for real-time interception of any subscriber's communications. The carrier had to maintain a dedicated portal — physically and logically separate from normal operations — through which law enforcement could, upon presentation of a court order, monitor any specified line. The interception had to be invisible to the subscriber. It had to capture both call content and call metadata. And the carrier was forbidden from disclosing the existence of the interception.
The portal had a name in industry shorthand: the LI system. Lawful Intercept.
By the year two thousand, every major carrier in the United States had built one. AT&T. Verizon. Sprint. T-Mobile. CenturyTel. The cable operators. The regional Bells. Every switch in the country routed a copy of a subscriber's traffic, when commanded, to an LI server. The LI server, in turn, exposed an interface to law enforcement.
This interface was, in essence, a backdoor.
Security researchers had warned about CALEA for decades. The argument was straightforward and obvious. A door that exists for one party can be opened by another. A wiretap interface designed for the FBI is, structurally, a wiretap interface. If a foreign intelligence service gains access to it, they get the same capability the FBI has — with one difference. The FBI requires a court order. A foreign intelligence service does not.
For thirty years, this warning was treated as theoretical.
In May of twenty twenty four, the Federal Bureau of Investigation began a quiet internal investigation.
The trigger has never been publicly disclosed in full. What is known is that signals analysts at the bureau, working with counterparts at the Cybersecurity and Infrastructure Security Agency, detected anomalous traffic patterns on the networks of multiple American internet service providers. The traffic was small. It was encrypted. It moved through tunnels constructed inside the carriers' own backbone infrastructure. And it appeared to be originating from inside the carriers' lawful intercept systems.
The bureau opened a counterintelligence inquiry. The investigation was classified at the highest levels. The carriers were notified individually. They were instructed not to disclose the existence of the inquiry to their customers, their shareholders, or the press.
For three months, the United States government quietly monitored a foreign intelligence operation that was monitoring the United States government.
On August twenty-seventh, twenty twenty four, the silence broke.
The Washington Post published a story stating that Chinese state-affiliated hackers had penetrated multiple major American internet service providers by exploiting a zero-day vulnerability in software produced by a company called Versa Networks. The story was thin on attribution and thinner on consequence. It read like a routine cybersecurity report.
It was not a routine cybersecurity report.
On September twenty-fifth, the Wall Street Journal published the story that the bureau had been trying to suppress. The hackers were not random. They were a group that Microsoft's threat intelligence team had been tracking for years under a codename. The codename was Salt Typhoon. And the companies they had penetrated included AT&T, Verizon, and Lumen Technologies — three of the four largest internet backbone operators in the United States.
Ten days later, on October fifth, the Journal followed with the detail that no one in the intelligence community wanted to see in print.
Salt Typhoon had specifically targeted the CALEA interfaces.
The technical mechanism by which Salt Typhoon achieved this is not exotic. It is mundane in a way that makes it more disturbing.
The group's primary entry point into American telecommunications networks was a vulnerability in Cisco's IOS XE operating system, the firmware that runs on the majority of enterprise and carrier-grade routers in the United States. The vulnerability was catalogued as CVE-twenty-twenty-three-twenty-one-ninety-eight. The Common Vulnerability Scoring System rated its severity at ten point zero — the maximum possible score.
CVE-twenty-twenty-three-twenty-one-ninety-eight allowed an unauthenticated remote attacker to create an administrative account on any vulnerable Cisco device exposed to the internet. No exploit chain. No credentials required. The attacker simply sent a specially crafted web request to the device's management interface and the device responded by creating a new account with full administrative privileges.
Cisco disclosed the vulnerability in October of twenty twenty three. By the time the disclosure occurred, over ten thousand Cisco devices on the public internet were already compromised.
Salt Typhoon was among the operators using the exploit. The group complemented it with several other Cisco vulnerabilities — CVE-twenty-eighteen-zero-one-seventy-one in the Smart Install service, CVE-twenty-twenty-three-twenty-two-seventy-three in IOS XE management, and CVE-twenty-twenty-four-twenty-zero-three-ninety-nine in NX-OS — to maintain access even as individual flaws were patched.
What they did with that access was the part that mattered.
Once inside a router, Salt Typhoon operators used a Cisco feature called Guest Shell to execute Linux containers on the device. The containers gave them a complete Unix environment running inside the router itself, invisible to standard monitoring tools. From the Guest Shell, they established Generic Routing Encapsulation tunnels — GRE tunnels — back to infrastructure they controlled. The tunnels appeared to network administrators as normal carrier-to-carrier traffic. Inside the tunnels, they exfiltrated everything.
To move laterally across the carrier networks, Salt Typhoon used the Simple Network Management Protocol — SNMP — the same protocol that network engineers use to monitor their own equipment. SNMP credentials, harvested from the initial compromised routers, gave them access to thousands of additional devices.
When investigators eventually analyzed the recovered tooling, they identified malware that Kaspersky Lab had been tracking under the name Demodex. Demodex is a Windows kernel-mode rootkit. It operates below the level at which standard endpoint security software can detect it. It modifies kernel data structures to hide processes, files, and network connections. Once installed on an administrator workstation, it gives the operator complete and undetectable control of the system.
The group also developed custom tooling specifically for the lawful intercept environment. The exact capabilities of this tooling remain classified. What is publicly known is that, by the time of discovery, Salt Typhoon had achieved persistent and unmonitored access to the systems through which American telecommunications carriers fulfilled FBI wiretap orders.
What did they take?
The most consequential single piece of information that Salt Typhoon extracted from the LI systems was the target list itself.
When a federal judge in the United States authorizes a wiretap on an American resident, the order is transmitted to the relevant telecommunications carrier. The carrier configures its LI system to copy that subscriber's traffic to a designated FBI server. The carrier keeps a record of every active interception — which numbers are under surveillance, when each order began, when each order expires.
This record exists for accounting purposes. It allows the carrier to bill the bureau for the interception. It allows compliance auditors to verify that interceptions are tied to valid court orders. It allows the bureau to track which of its own operations are running through which carrier.
It also exists in one consolidated place per carrier. And it is, in aggregate, a complete list of every American citizen, foreign agent, or foreign visitor currently under federal surveillance.
According to multiple sources in the intelligence community, Salt Typhoon obtained this list across all nine carriers it compromised.
Read that sentence again.
A foreign intelligence service obtained the complete list of every individual being wiretapped by United States law enforcement, including counterintelligence targets. Which is to say: Salt Typhoon now had the names of every Chinese intelligence asset that the FBI had identified inside the United States and was actively monitoring.
Every undercover human source the bureau was running. Every penetration target. Every foreign agent who had been turned and was operating under American direction. The list of who the bureau knew was a spy.
In a single intrusion, the People's Republic of China gained the entire counterintelligence picture of its principal adversary.
Beyond the target list, Salt Typhoon obtained operational data on at least forty high-profile individuals. Among them: members of the staff of the Kamala Harris twenty twenty-four presidential campaign. Then-former President Donald Trump. His running mate, J.D. Vance. According to Deputy National Security Advisor Anne Neuberger, speaking publicly in December twenty twenty-four, a large number of additional individuals — Neuberger described them as government targets of interest — also had communications data accessed.
For most of these individuals, the access included call detail records: the metadata of every phone call they had made or received over a period of months. Who they spoke to. When. For how long. From what location. For fewer than one hundred individuals, the access extended to the actual content of calls and text messages.
Over one million subscribers had metadata extracted from their carrier records. The majority were located in the Washington, D.C. metropolitan area.
When the United States government first identified Salt Typhoon's penetration of American telecommunications, the public estimate was that nine carriers had been compromised.
The nine were: AT&T. Verizon. T-Mobile. Charter Communications, operating under the brand Spectrum. Lumen Technologies. Consolidated Communications. Windstream Holdings. A Canadian telecommunications operator, never publicly named, breached separately in February twenty twenty-five. And, in June twenty twenty-five, the satellite communications operator Viasat.
The estimate has expanded.
In August twenty twenty-five, the Federal Bureau of Investigation issued a statement updating its assessment of Salt Typhoon's footprint. By that date, the bureau stated that the group had compromised at least two hundred organizations across eighty countries. Telecommunications companies remained the principal target type. But the list now included managed service providers, cloud infrastructure operators, lodging and hospitality networks, government agencies, and, in at least one publicly disclosed instance, a United States Army National Guard component.
In November twenty twenty-five, the Australian Signals Directorate issued a public warning that Salt Typhoon had been probing critical infrastructure networks within Australia. In December twenty twenty-five, intrusions linked to the group were detected within networks operated by committees of the United States House of Representatives.
These detections occurred a full year after Verizon and AT&T had publicly stated, in December twenty twenty-four, that the threat actor had been removed from their networks.
The statements may have been accurate as to the specific access vectors Salt Typhoon had been using at the moment of containment. They were not accurate as to the broader operation. The group had simply pivoted.
The official American response to Salt Typhoon has progressed in three phases.
The first phase, immediate and largely invisible to the public, consisted of forensic remediation across the nine identified carriers. This work was performed primarily by the security firm Mandiant under contract to the affected operators. The remediation involved firmware rebuilds, configuration audits, credential rotation across millions of network devices, and the construction of new monitoring infrastructure capable of detecting GRE tunnel anomalies and unauthorized Guest Shell execution.
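The episode names the traits a remediation team would look for on a carrier router: the IOS XE web UI that the account-creation flaw reached, an administrative account nobody provisioned, a GRE tunnel to a peer the carrier does not own, the Guest Shell container framework switched on, and a writable SNMP community. The following audit, added here as an illustration and not taken from the episode, from Mandiant, or from any Cisco tool, runs those checks offline over a constructed running-config excerpt and two constructed config-logging syslog lines. It assumes the device uses the IOS XE syntax shown (the global `iox` command is the prerequisite for Guest Shell, and GRE is the default tunnel mode when none is configured), and it treats the allowlists of expected administrators and known tunnel peers as inputs the operator supplies.

```python
"""Offline audit of an IOS XE config excerpt for the traits described above.
Added example; device name, addresses, users and log lines are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


# Constructed sample running-config excerpt (hypothetical device, documentation address ranges).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
iox
username netops privilege 15 secret 9 $9$abc
username svc_mon privilege 15 secret 9 $9$def
ip http server
ip http secure-server
snmp-server community public RO
snmp-server community private RW
interface Tunnel0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode gre ip
interface Tunnel99
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
"""

# Constructed syslog lines in the IOS XE config-logging format (%PARSER-5-CFGLOG_LOGGEDCMD).
SAMPLE_SYSLOG = [
    "Oct 14 03:12:07 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops logged command:interface Tunnel0",
    "Oct 14 03:15:41 edge-rtr-01 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:username svc_mon privilege 15 secret 9 $9$def",
]

# Operator-supplied allowlists (assumed inputs, not derived from the device).
EXPECTED_ADMINS = {"netops"}
KNOWN_GRE_PEERS = {"203.0.113.10"}


def parse_interfaces(config):
    """Group indented lines under each 'interface X' stanza: {name: [stripped sub-lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return stanzas


def audit_config(config, expected_admins=EXPECTED_ADMINS, known_peers=KNOWN_GRE_PEERS):
    """Return findings for the five config traits; empty list means nothing flagged."""
    findings = []
    lines = [l.rstrip() for l in config.splitlines()]
    # 1. Web UI exposure: the management web server is the surface the flaw targeted;
    #    it should be disabled or restricted to a management access list.
    for line in lines:
        if line in ("ip http server", "ip http secure-server"):
            findings.append(Finding("web_ui_enabled", line))
    # 2. Local privilege-15 accounts that nobody on the expected list provisioned.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings.append(Finding("unexpected_priv15_user", m.group(1)))
    # 3. IOx framework enabled: the prerequisite for running Guest Shell containers.
    if any(line == "iox" for line in lines):
        findings.append(Finding("iox_enabled", "iox"))
    # 4. GRE tunnels whose far end is not a known carrier peer (GRE is the default mode).
    for name, body in parse_interfaces(config).items():
        if not name.startswith("Tunnel"):
            continue
        mode = next((b for b in body if b.startswith("tunnel mode")), "tunnel mode gre ip")
        dest = next((b.split()[-1] for b in body if b.startswith("tunnel destination")), None)
        if "gre" in mode and dest and dest not in known_peers:
            findings.append(Finding("gre_tunnel_unknown_peer", f"{name} -> {dest}"))
    # 5. Writable SNMP communities: a write community lets a holder reconfigure devices.
    for m in re.finditer(r"^snmp-server community (\S+) RW\b", config, re.M):
        findings.append(Finding("snmp_rw_community", m.group(1)))
    return findings


CFGLOG = re.compile(r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(\S+) logged command:(.*)$")


def audit_syslog(syslog_lines):
    """Flag logged config commands that add privilege-15 accounts or tunnel interfaces."""
    findings = []
    for line in syslog_lines:
        m = CFGLOG.search(line)
        if not m:
            continue
        user, cmd = m.groups()
        if re.match(r"username (\S+) privilege 15\b", cmd):
            # Drop the secret material before it lands in a report.
            findings.append(Finding("priv15_account_created", f"by {user}: {cmd.split(' secret')[0]}"))
        elif cmd.startswith("interface Tunnel"):
            findings.append(Finding("tunnel_interface_added", f"by {user}: {cmd}"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG) + audit_syslog(SAMPLE_SYSLOG):
        print(f"{f.check:26} {f.detail}")
```

The config checks answer "is this device in a state the attacker could use"; the syslog check answers "when did it get that way and under which account", which is what ties a finding to a rotation or rebuild decision. Both depend on the allowlists being maintained: an unexpected account is only unexpected relative to a list someone keeps current.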
The second phase consisted of sanctions and indictments. In January twenty twenty-five, the United States Department of the Treasury sanctioned three Chinese technology firms identified as material contributors to Salt Typhoon's operations: Sichuan Juxinhe Network Technology Company Limited, Beijing Huanyu Tianqiong Information Technology Company Limited, and Sichuan Zhixin Ruijie Network Technology Company Limited. The Treasury designation alleged that these firms operated as commercial contractors to the Ministry of State Security and provided the technical infrastructure used in the carrier compromises.
The third phase has been congressional. Senator Maria Cantwell, ranking member of the Senate Commerce Committee, has sent multiple letters demanding detailed remediation reports from the carriers. As of February twenty twenty-six, she stated publicly that the carriers had hired Mandiant to conduct security assessments but that Mandiant had not yet provided the requested reports to her office.
In parallel, the Federal Communications Commission, under new leadership appointed in twenty twenty-five, rescinded a set of cybersecurity rules that had been drafted in the final months of the previous administration in direct response to Salt Typhoon. The rescinded rules would have required telecommunications carriers to implement specific minimum-security controls — including mandatory encryption of CALEA interfaces and mandatory logging of access to lawful intercept systems. The Commission's stated rationale for rescission was that the rules represented regulatory overreach.
The result, as of early twenty twenty-six, is that the regulatory environment under which Salt Typhoon initially operated remains substantially unchanged. The vulnerabilities that the group exploited have been patched at the individual device level. The structural conditions that made the exploitation possible — government-mandated wiretap interfaces, voluntary security standards, fragmented oversight — remain in place.
Anne Neuberger, in her final public remarks before leaving government in January twenty twenty-five, characterized Salt Typhoon as one of the most consequential cyber espionage campaigns ever directed against the United States. A former National Security Agency analyst named Terry Dunlap, speaking to reporters in twenty twenty-five, described the campaign as a component of what he called China's one hundred year strategy. The phrase has been used by Chinese state strategic doctrine documents to describe long-term great-power competition extending across multiple generations.
The Chinese embassy in New Zealand, asked about Salt Typhoon by reporters in November twenty twenty-five, described the allegations as unfounded and irresponsible smears.
There is a lesson here that the technical reports and congressional hearings do not state directly.
A backdoor mandated by a government is not a backdoor for that government alone. It is a backdoor.
Cryptographers and security engineers have been making this argument since the nineteen nineties. The argument was applied to CALEA when CALEA was being drafted. It was applied to the Clipper chip when the Clinton administration proposed key escrow for encrypted communications. It was applied to the Going Dark debate when the FBI demanded weakened encryption in the twenty tens. In each instance, the argument was dismissed by lawmakers as alarmist, hypothetical, and contrary to the practical needs of law enforcement.
Salt Typhoon is the empirical refutation.
The same architectural choice that allowed an FBI agent in Newark to listen to a drug trafficker's phone call allowed an MSS officer in Beijing to listen to a presidential candidate's phone call. The same compliance database that allowed a carrier to bill the federal government for its surveillance work allowed a foreign intelligence service to extract the complete operational picture of American counterintelligence. The same interface that enabled lawful interception enabled unlawful interception. They are not two interfaces. They are one interface, used by whoever holds the credentials.
The Chinese intelligence service held the credentials for at least two years.
It may still hold them.
In intelligence work, there is a concept called burned access. A compromised position from which an adversary, even after being identified, retains the ability to operate because the cost of fully eliminating their access exceeds the cost of tolerating it. Removing Salt Typhoon completely from American telecommunications infrastructure would require the rebuilding, from scratch, of the wiretap apparatus that thirty years of federal law has constructed across the entire United States carrier ecosystem. Every router. Every switch. Every lawful intercept appliance.
It would require the carriers, voluntarily or under regulatory compulsion, to commit billions of dollars and several years of operational disruption to the project. It would require the Federal Bureau of Investigation to operate, during the transition, with substantially degraded interception capability.
The political will to do this does not exist.
The Salt Typhoon operators understand this. The Ministry of State Security understands this. The Federal Bureau of Investigation understands this. The carriers understand this.
The American public, which continues to make phone calls on the same networks every day, has not been told.
The story of Salt Typhoon does not have a resolution. The group is still operating. The interfaces it exploited are still in place. The legal architecture that mandated those interfaces has not been revised.
The most recent public indication of Salt Typhoon's continued activity came in December twenty twenty-five, when intrusions associated with the group were detected within networks operated by committees of the United States House of Representatives. The committees in question have not been publicly identified. The duration of the access prior to detection has not been publicly disclosed.
What we know is this. In nineteen ninety four, the United States government passed a law requiring every American telecommunications carrier to construct a permanent surveillance capability into its own network. The capability was justified as a tool of domestic law enforcement. It was built. It was maintained. For three decades, it operated as intended.
In or around twenty twenty-two, an adversary of the United States obtained access to that capability. The adversary used it to monitor American government officials, political candidates, intelligence sources, and ordinary citizens for at least two years before being detected. The detection did not result in the adversary's removal. It resulted in the adversary's identification.
The adversary remains active.
The capability remains in place.
This is Fragment Zero, Case File forty-three. Salt Typhoon.
Subscribe. Turn on notifications. Because the next time someone tells you that a backdoor for law enforcement is only a backdoor for law enforcement, you will know what that promise is worth.
We will be watching. We will be listening.
We are not the only ones.