Every phone call you make in America is wire-tappable, not metaphorically, by federal law.

In 1994, the United States Congress passed a statute called CALEA, the Communications Assistance for Law Enforcement Act. It required every telecommunications carrier in the country to engineer a permanent surveillance interface into its own infrastructure. A door, mandated by Washington, into every conversation routed through every American switch. The door was built so the FBI could listen when a judge signed a warrant.

In 2024, the United States government admitted that someone else had been listening through it, for at least two years, possibly longer. The someone else was the Ministry of State Security of the People's Republic of China.

This is the story of how the most consequential intelligence breach in American history was not a breach in the conventional sense. The intruders did not bypass a security system. They did not exploit a forgotten port. They did not phish a careless administrator. They walked through a door that the United States government had legally required telecommunications companies to maintain. They walked through it for over two years. They listened to whoever they wanted. They took the list of every American the FBI was wiretapping.

And in late 2025, four years after the initial intrusion, the experts who tracked this group were no longer confident that they were gone.

This is Fragment Zero, Case File 43, Salt Typhoon, and the door that Washington built.
To understand what was lost, you need to understand what CALEA is, and why it exists.

In the early 1990s, the FBI faced a problem. American telecommunications were going digital. The old analog phone networks, which the Bureau had been wiretapping since the days of J. Edgar Hoover, were being replaced by packet-switched digital systems. Cellular networks. Internet protocols. Encryption.

For the FBI, this represented an existential threat. The Bureau's traditional wiretap capability depended on physical access to copper lines. With digital switching, intercepting a single suspect's calls required cooperation from the carriers themselves. Cooperation that, in the early 90s, the carriers were not legally required to provide.

The Bureau's solution was legislative. In October 1994, after years of lobbying by then-FBI Director Louis Freeh, Congress passed the Communications Assistance for Law Enforcement Act.

CALEA was simple in its requirement, and revolutionary in its implication. Every telecommunications carrier operating in the United States was required, by law, to design its switching equipment in a way that allowed for real-time interception of any subscriber's communications. The carrier had to maintain a dedicated portal, physically and logically separate from normal operations, through which law enforcement could, upon presentation of a court order, monitor any specified line. The interception had to be invisible to the subscriber. It had to capture both call content and call metadata. And the carrier was forbidden from disclosing the existence of the interception.

The portal had a name in industry shorthand. The LI system. Lawful intercept.

By the year 2000, every major carrier in the United States had built one. AT&T. Verizon. Sprint. T-Mobile. CenturyTel. The cable operators. The regional Bells. Every switch in the country routed copied traffic, when commanded, to an LI server. The LI server, in turn, exposed an interface to law enforcement.

This interface was, in essence, a back door.

Security researchers had warned about CALEA for decades. The argument was straightforward and obvious. A door that exists for one party can be opened by another. A wiretap interface designed for the FBI is, structurally, a wiretap interface. If a foreign intelligence service gains access to it, they get the same capability the FBI has, with one difference. The FBI requires a court order. A foreign intelligence service does not.

For 30 years, this warning was treated as theoretical.
In May of 2024, the Federal Bureau of Investigation began a quiet internal investigation. The trigger has never been publicly disclosed in full. What is known is that signals analysts at the Bureau, working with counterparts at the Cybersecurity and Infrastructure Security Agency, detected anomalous traffic patterns on the networks of multiple American internet service providers. The traffic was small. It was encrypted. It moved through tunnels constructed inside the carriers' own backbone infrastructure. And it appeared to be originating from inside the carriers' lawful intercept systems.

The Bureau opened a counterintelligence inquiry. The investigation was classified at the highest levels. The carriers were notified individually. They were instructed not to disclose the existence of the inquiry to their customers, their shareholders, or the press. For three months, the United States government quietly monitored a foreign intelligence operation that was monitoring the United States government.

On August 27, 2024, the silence broke. The Washington Post published a story stating that Chinese state-affiliated hackers had penetrated multiple major American internet service providers by exploiting a zero-day vulnerability in software produced by a company called Versa Networks. The story was thin on attribution and thinner on consequence. It read like a routine cybersecurity report.

It was not a routine cybersecurity report.

On September 25, the Wall Street Journal published the story that the Bureau had been trying to suppress. The hackers were not random. They were a group that Microsoft's threat intelligence team had been tracking for years under a codename. The codename was Salt Typhoon. And the companies they had penetrated included AT&T, Verizon, and Lumen Technologies, three of the four largest internet backbone operators in the United States.

Ten days later, on October 5, the Journal followed with a detail that no one in the intelligence community wanted to see in print. Salt Typhoon had specifically targeted the CALEA interfaces.
The technical mechanism by which Salt Typhoon achieved this is not exotic. It is mundane in a way that makes it more disturbing.

The group's primary entry point into American telecommunications networks was a vulnerability in Cisco's IOS XE operating system, the firmware that runs on the majority of enterprise and carrier-grade routers in the United States. The vulnerability was cataloged as CVE-2023-20198. The Common Vulnerability Scoring System rated its severity at 10.0, the maximum possible score. The maximum possible score.

CVE-2023-20198 allowed an unauthenticated remote attacker to create an administrative account on any vulnerable Cisco device exposed to the internet. No exploit chain, no credentials required. The attacker simply sent a specially crafted web request to the device's management interface, and the device responded by creating a new account with full administrative privileges.

Cisco disclosed the vulnerability in October of 2023. By the time the disclosure occurred, over 10,000 Cisco devices on the public internet were already compromised. Salt Typhoon was among the operators using the exploit. The group complemented it with several other Cisco vulnerabilities, CVE-2018-0171 in the Smart Install service, CVE-2023-20273 in IOS XE management, and CVE-2024-20399 in NX-OS, to maintain access even as individual flaws were patched.

What they did with that access was the part that mattered. Once inside a router, Salt Typhoon operators used a Cisco feature called Guest Shell to execute Linux containers on the device. The containers gave them a complete Unix environment running inside the router itself, invisible to standard monitoring tools. From the Guest Shell, they established generic routing encapsulation tunnels, GRE tunnels, back to infrastructure they controlled. The tunnels appeared to network administrators as normal carrier-to-carrier traffic. Inside the tunnels, they exfiltrated everything.

To move laterally across the carrier networks, Salt Typhoon used the Simple Network Management Protocol, SNMP, the same protocol that network engineers use to monitor their own equipment. SNMP credentials, harvested from the initial compromised routers, gave them access to thousands of additional devices.

When investigators eventually analyzed the recovered tooling, they identified malware that Kaspersky Lab had been tracking under the name Demodex. Demodex is a Windows kernel-mode rootkit. It operates below the level at which standard endpoint security software can detect it. It modifies kernel data structures to hide processes, files, and network connections. Once installed on an administrator workstation, it gives the operator complete and undetectable control of the system.

The group also developed custom tooling specifically for the lawful intercept environment. The exact capabilities of this tooling remain classified. What is publicly known is that, by the time of discovery, Salt Typhoon had achieved persistent and unmonitored access to the systems through which American telecommunications carriers fulfilled FBI wiretap orders.
What did they take?

The most consequential single piece of information that Salt Typhoon extracted from the LI systems was the target list itself.

When a federal judge in the United States authorizes a wiretap on an American resident, the order is transmitted to the relevant telecommunications carrier. The carrier configures its LI system to copy that subscriber's traffic to a designated FBI server. The carrier keeps a record of every active interception, which numbers are under surveillance, when each order began, when each order expires.

This record exists for accounting purposes. It allows the carrier to bill the Bureau for the interception. It allows compliance auditors to verify that interceptions are tied to valid court orders. It allows the Bureau to track which of its own operations are running through which carrier. It also exists in one consolidated place per carrier. And it is, in aggregate, a complete list of every American citizen, foreign agent, or foreign visitor currently under federal surveillance.

According to multiple sources in the intelligence community, Salt Typhoon obtained this list across all nine carriers it compromised.

Read that sentence again. A foreign intelligence service obtained the complete list of every individual being wiretapped by United States law enforcement, including counterintelligence targets. Which is to say, every Chinese intelligence asset that the FBI had identified inside the United States and was actively monitoring. Salt Typhoon now had the names of those assets. Every undercover human source the Bureau was running. Every penetration target. Every foreign agent who had been turned and was operating under American direction. The list of who the Bureau knew was a spy. In a single intrusion, the People's Republic of China gained the entire counterintelligence picture of its principal adversary.

Beyond the target list, Salt Typhoon obtained operational data on at least 40 high-profile individuals. Among them, members of the staff of the Kamala Harris 2024 presidential campaign. Then-former President Donald Trump. His running mate, J.D. Vance. According to Deputy National Security Advisor Anne Neuberger, speaking publicly in December 2024, a large number of additional individuals, whom Neuberger described as government targets of interest, also had communications data accessed.

For most of these individuals, the access included call detail records. The metadata of every phone call they had made or received over a period of months. Who they spoke to. When. For how long. From what location. For fewer than 100 individuals, the access extended to the actual content of calls and text messages. Over 1 million subscribers had metadata extracted from their carrier records. The majority were located in the Washington, D.C. metropolitan area.
When the United States government first identified Salt Typhoon's penetration of American telecommunications, the public estimate was that nine carriers had been compromised. The nine were AT&T, Verizon, T-Mobile, Charter Communications, operating under the brand Spectrum, Lumen Technologies, Consolidated Communications, Windstream Holdings, a Canadian telecommunications operator, never publicly named, breached separately in February 2025, and, in June 2025, the satellite communications operator Viasat.

The estimate has expanded. In August 2025, the Federal Bureau of Investigation issued a statement updating its assessment of Salt Typhoon's footprint. By that date, the Bureau stated that the group had compromised at least 200 organizations across 80 countries. Telecommunications companies remained the principal target type. But the list now included managed service providers, cloud infrastructure operators, lodging and hospitality networks, government agencies, and, in at least one publicly disclosed instance, a United States Army National Guard component.

In November 2025, the Australian Signals Directorate issued a public warning that Salt Typhoon had been probing critical infrastructure networks within Australia. In December 2025, intrusions linked to the group were detected within networks operated by committees of the United States House of Representatives.

These detections occurred a full year after Verizon and AT&T had publicly stated, in December 2024, that the threat actor had been removed from their networks. The statements may have been accurate as to the specific access vectors Salt Typhoon had been using at the moment of containment. They were not accurate as to the broader operation. The group had simply pivoted.
The official American response to Salt Typhoon has progressed in three phases.

The first phase, immediate and largely invisible to the public, consisted of forensic remediation across the nine identified carriers. This work was performed primarily by the security firm Mandiant under contract to the affected operators. The remediation involved firmware rebuilds, configuration audits, credential rotation across millions of network devices, and the construction of new monitoring infrastructure capable of detecting GRE tunnel anomalies and unauthorized Guest Shell execution.

The second phase consisted of sanctions and indictments. In January 2025, the United States Department of the Treasury sanctioned three Chinese technology firms identified as material contributors to Salt Typhoon's operations: Sichuan Juxinhe Network Technology Company Limited, Beijing Huanyu Tiancheng Information Technology Company Limited, and Sichuan Juxinruijie Network Technology Company Limited. The Treasury designation alleged that these firms operated as commercial contractors to the Ministry of State Security and provided the technical infrastructure used in the carrier compromises.

The third phase has been congressional. Senator Maria Cantwell, ranking member of the Senate Commerce Committee, has sent multiple letters demanding detailed remediation reports from the carriers. As of February 2026, she stated publicly that the carriers had hired Mandiant to conduct security assessments, but that Mandiant had not yet provided the requested reports to her office.

In parallel, the Federal Communications Commission, under new leadership appointed in 2025, rescinded a set of cybersecurity rules that had been drafted in the final months of the previous administration in direct response to Salt Typhoon. The rescinded rules would have required telecommunications carriers to implement specific minimum security controls, including mandatory encryption of CALEA interfaces and mandatory logging of access to lawful intercept systems. The Commission's stated rationale for rescission was that the rules represented regulatory overreach.

The result, as of early 2026, is that the regulatory environment under which Salt Typhoon initially operated remains substantially unchanged. The vulnerabilities that the group exploited have been patched at the individual device level. The structural conditions that made the exploitation possible, government-mandated wiretap interfaces, voluntary security standards, fragmented oversight, remain in place.
Anne Neuberger, in her final public remarks before leaving government in January 2025, characterized Salt Typhoon as one of the most consequential cyber espionage campaigns ever directed against the United States. A former National Security Agency analyst named Terry Dunlap, speaking to reporters in 2025, described the campaign as a component of what he called China's 100-year strategy. The phrase has been used by Chinese state strategic doctrine documents to describe long-term great power competition extending across multiple generations. The Chinese embassy in New Zealand, asked about Salt Typhoon by reporters in November 2025, described the allegations as unfounded and irresponsible smears.

There is a lesson here that the technical reports and congressional hearings do not state directly. A backdoor mandated by a government is not a backdoor for that government alone. It is a backdoor.

Cryptographers and security engineers have been making this argument since the 1990s. The argument was applied to CALEA when CALEA was being drafted. It was applied to the Clipper chip when the Clinton administration proposed key escrow for encrypted communications. It was applied to the going dark debate when the FBI demanded weakened encryption in the 2010s. In each instance, the argument was dismissed by lawmakers as alarmist, hypothetical, and contrary to the practical needs of law enforcement.

Salt Typhoon is the empirical refutation. The same architectural choice that allowed an FBI agent in Newark to listen to a drug trafficker's phone call allowed an MSS officer in Beijing to listen to a presidential candidate's phone call. The same compliance decision that allowed a carrier to bill the federal government for its surveillance work allowed a foreign intelligence service to extract the complete operational picture of American counterintelligence. The same interface that enabled lawful interception enabled unlawful interception. They are not two interfaces. They are one interface, used by whoever holds the credentials. The Chinese intelligence service held the credentials for at least two years. It may still hold them.
In intelligence work, there is a concept called burned access, a compromised position from which an adversary, even after being identified, retains the ability to operate because the cost of fully eliminating their access exceeds the cost of tolerating it.

Removing Salt Typhoon completely from American telecommunications infrastructure would require the rebuilding, from scratch, of the wiretap apparatus that 30 years of federal law has constructed across the entire United States. Every router, every switch, every lawful intercept appliance. It would require the carriers, voluntarily or under regulatory compulsion, to commit billions of dollars and several years of operational disruption to the project. It would require the Federal Bureau of Investigation to operate during the transition with substantially degraded interception capability. The political will to do this does not exist.

The Salt Typhoon operators understand this. The Ministry of State Security understands this. The Federal Bureau of Investigation understands this. The carriers understand this. The American public, who continues to make phone calls on the same networks every day, has not been told.

The story of Salt Typhoon does not have a resolution. The group is still operating. The interfaces it exploited are still in place. The legal architecture that mandated those interfaces has not been revised. The most recent public indication of Salt Typhoon's continued activity came in December 2025, when intrusions associated with the group were detected within networks operated by committees of the United States House of Representatives. The committees in question have not been publicly identified. The duration of the access prior to detection has not been publicly disclosed.

What we know is this. In 1994, the United States government passed a law requiring every American telecommunications carrier to construct a permanent surveillance capability into its own network. The capability was justified as a tool of domestic law enforcement. It was built. It was maintained. For three decades, it operated as intended. In or around 2022, an adversary of the United States obtained access to that capability. The adversary used it to monitor American government officials, political candidates, intelligence sources, and ordinary citizens for at least two years before being detected. The detection did not result in the adversary's removal. It resulted in the adversary's identification. The adversary remains active. The capability remains in place.

This is Fragment Zero, Case File 43, Salt Typhoon. Subscribe. Turn on notifications. Because the next time someone tells you that a backdoor for law enforcement is only a backdoor for law enforcement, you will know what that promise is worth.

We will be watching. We will be listening. We are not the only ones.