Public reporting in late September exposed an active, stealthy campaign investigators are calling Salt Typhoon. According to multiple sources, operators linked by investigators to Chinese state-affiliated actors have placed persistent footholds inside a handful of U.S. internet service provider networks. That access is not trivial. When adversaries live on core carrier gear they gain vantage points to metadata, routing, and broad slices of customer and enterprise traffic.
What makes this operation dangerous is its targeting of infrastructure choke points rather than individual endpoints. The value of a foothold inside ISP routing and management planes is twofold: long-term intelligence collection and the option to pre-position effects in a crisis. Being inside an ISP gives an attacker the ability to observe calling patterns, traffic flows, and where high-value targets connect to the network. In short, this is classic counterintelligence tradecraft applied to communications infrastructure.
Public detail remains limited. Reports so far describe a “handful” of compromised providers rather than an all-of-market breach. That ambiguity is typical early in large intrusions. Expect more discovery as defenders run network-wide forensics and as victims notify customers or regulators. Do not mistake limited public detail for limited risk. The adversary’s objective appears to be persistence and breadth, not short-term disruption.
Immediate technical priorities for carriers and enterprise partners
1) Assume compromise of the management plane. Treat router and switch management as a high-risk trust boundary. Audit and restrict who can modify routing, ACLs, and peering relationships, and log every change with the account and source address that made it. Lock down out-of-band management so it is reachable only from a dedicated management network, and require hardware-backed MFA for any operational access.
2) Harden and inventory core devices. Maintain an authoritative inventory of routers, controllers, and network management servers. Apply vendor patches where available and validate firmware integrity. If a vendor has not issued a patch, increase monitoring and isolate the device’s management interfaces.
3) Segmentation and telemetry. Segment network management traffic from customer traffic aggressively. Enable detailed telemetry (syslog, NetFlow/IPFIX, configuration-change and AAA events) and ship it off-device to a collector the device itself cannot modify, so an intruder cannot erase traces by wiping a single box. Centralize logs and retain them long enough to support a forensic timeline that may need to reach back months.
4) Egress filtering and anomaly detection. Restrict what core devices themselves may initiate outbound, then monitor for unusual GRE (IP protocol 47), IPsec (ESP, protocol 50, with IKE on UDP 500/4500), or other tunneled traffic originating from them. Flag large or persistent SPAN/ERSPAN mirror exports, unexpected configuration changes, and any administrative service (SSH, Telnet, HTTPS, NETCONF) reached on customer-facing rather than management interfaces.
5) Rapid threat-sharing and coordinated response. ISPs need to move beyond private assessments to rapid cross-carrier exchange of indicators of compromise, anonymized if necessary. Forensic findings must be shared with trusted industry groups and federal partners to accelerate detection and takedown.
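The detection items in 3) and 4) above, worked through as an added example that is not part of the original article and is not derived from any published Salt Typhoon indicator. It screens constructed NetFlow-style records and Cisco-style configuration syslog lines for the patterns listed: tunnel protocols or IKE originating from a core device, a single oversized export suggestive of a mirror, administrative ports reached on non-management interfaces, and configuration commits from outside the management network or by an unexpected account. The device inventory, the 10.255.0.0/24 management prefix, the allowed user list, the 500 MB threshold and the sample records are all assumptions chosen for illustration.

```python
"""Added example: screen constructed carrier telemetry for management-plane
and covert-tunnel indicators. Inventory, prefixes, thresholds and samples are
assumptions for illustration, not real indicators of compromise."""
import re
from dataclasses import dataclass

# Assumed inventory: management-plane addresses of core devices.
CORE_DEVICES = {"10.0.0.1": "edge-rtr-01", "10.0.0.2": "core-rtr-02"}
MGMT_PREFIX = "10.255.0."            # assumed out-of-band management network
ALLOWED_CONFIG_USERS = {"netops"}    # assumed accounts permitted to commit config
ADMIN_PORTS = {22, 23, 443, 830}     # SSH, Telnet, HTTPS, NETCONF
TUNNEL_PROTOS = {41: "IPv6-in-IPv4", 47: "GRE", 50: "ESP"}
IKE_PORTS = {500, 4500}              # IKE and NAT-T for IPsec
MIRROR_BYTES = 500_000_000           # assumed threshold for one large export


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    nbytes: int
    iface: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed NetFlow-style CSV record:
    src,dst,ip_proto,sport,dport,bytes,ingress_interface"""
    s, d, p, sp, dp, b, i = line.strip().split(",")
    return Flow(s, d, int(p), int(sp), int(dp), int(b), i)


def flow_alerts(flows):
    alerts = []
    for f in flows:
        name = CORE_DEVICES.get(f.src)
        if name:  # traffic originated by a core device itself
            if f.proto in TUNNEL_PROTOS and not f.dst.startswith(MGMT_PREFIX):
                alerts.append(f"{name}: {TUNNEL_PROTOS[f.proto]} tunnel to {f.dst}")
            if f.proto == 17 and f.dport in IKE_PORTS:
                alerts.append(f"{name}: IKE/NAT-T (udp/{f.dport}) to {f.dst}")
            if f.nbytes >= MIRROR_BYTES:
                alerts.append(f"{name}: {f.nbytes} bytes exported to {f.dst} "
                              "(possible mirror/ERSPAN)")
        # Administrative service on a core device reached via a non-management interface.
        if (f.dst in CORE_DEVICES and f.proto == 6 and f.dport in ADMIN_PORTS
                and not f.iface.startswith("mgmt")):
            alerts.append(f"{CORE_DEVICES[f.dst]}: tcp/{f.dport} admin access "
                          f"from {f.src} via {f.iface}")
    return alerts


# Cisco IOS-style config event: "%SYS-5-CONFIG_I: Configured from console by USER on vtyN (SRC)"
CONFIG_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+%SYS-5-CONFIG_I: Configured from "
    r"(?P<where>\S+) by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)")


def config_alerts(lines):
    """Flag configuration commits from outside the management network or by
    an account that is not permitted to change configuration."""
    alerts = []
    for line in lines:
        m = CONFIG_RE.search(line)
        if not m:
            continue
        host, user, src = m["host"], m["user"], m["src"]
        if not src.startswith(MGMT_PREFIX):
            alerts.append(f"{host}: config change by {user} from non-management source {src}")
        elif user not in ALLOWED_CONFIG_USERS:
            alerts.append(f"{host}: config change by unexpected account {user} from {src}")
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_FLOWS = [
    "10.0.0.1,198.51.100.7,47,0,0,120000,ge-0/0/1",          # GRE from core to the internet
    "10.0.0.2,10.255.0.10,6,40000,514,2000,mgmt0",           # syslog to mgmt collector: benign
    "10.0.0.2,198.51.100.9,17,4500,4500,800,ge-0/0/2",       # IKE NAT-T from core device
    "10.0.0.1,203.0.113.20,47,0,0,900000000,ge-0/0/1",       # large GRE export: mirror?
    "192.0.2.44,10.0.0.1,6,51000,22,3000,ge-0/0/3",          # SSH to core on customer port
    "10.255.0.10,10.0.0.2,6,52000,22,3000,mgmt0",            # SSH from mgmt net: benign
    "203.0.113.9,198.51.100.1,6,443,55000,100,ge-0/0/1",     # ordinary customer traffic
]
SAMPLE_SYSLOG = [
    "Oct  2 03:14:07 edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.255.0.10)",
    "Oct  2 03:20:41 core-rtr-02 %SYS-5-CONFIG_I: Configured from console by admin on vty1 (198.51.100.7)",
    "Oct  2 03:21:02 core-rtr-02 %SYS-5-CONFIG_I: Configured from console by svc_backup on vty2 (10.255.0.12)",
]


def analyze(flow_lines, syslog_lines):
    return flow_alerts(parse_flow(l) for l in flow_lines) + config_alerts(syslog_lines)


def demo():
    return analyze(SAMPLE_FLOWS, SAMPLE_SYSLOG)


if __name__ == "__main__":
    for a in demo():
        print("ALERT", a)
```

Run stand-alone, it prints seven alerts: four for the core-originated tunnels and the oversized export, one for SSH reaching a router on a customer-facing interface, and two for configuration commits from an unexpected source or account. On real data the inventory and allow-lists would come from the authoritative device inventory called for in 2), and the flow threshold should be tuned per device role; the point is that each check keys on a core device as the originator or target, which is exactly the vantage point this campaign seeks.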
Strategic and policy actions
1) Mandate basic hardening across the sector. Voluntary guidance is not enough for infrastructure that forms the backbone of national security. Regulators should require baseline controls for core network equipment, management plane protections, and forensic-ready logging.
2) Prioritize supply chain and firmware security. Attackers targeting carriers will look for weak firmware, management appliances, and third-party service providers. Require attestations for supply chain integrity and accelerate vetting of critical components.
3) Fund persistent exercises and red-team campaigns. Carriers must be tested regularly with realistic adversary emulation focused on management-plane compromise, lateral movement across peering and transit, and exfiltration via covert channels.
4) Establish clear escalation and notification timelines. Governments and providers need pre-agreed playbooks for breach notification, containment, and public disclosure. Ambiguity slows remediation and increases downstream risk.
Bottom line: treat this like counterintelligence, not just another intrusion. When adversaries get inside the plumbing of communications they gain situational awareness and options that extend well beyond commercial espionage. The defensive response must be immediate, coordinated, and uncompromising. Protect the management plane, get better telemetry, share indicators fast, and adopt policy changes that harden the entire sector. If you run networks or depend on them for high-value communications, do not wait for more public detail. Assume the threat is real and act now.