The public facts are simple and ugly. A China-linked espionage campaign, tracked as Salt Typhoon by Microsoft and as RedMike by Recorded Future, has been compromising telecommunications infrastructure by exploiting unpatched network devices, and U.S. authorities have publicly attributed it to the Chinese state. The operation has not been a scattershot nuisance. It has been targeted, persistent, and aimed at the plumbing that carries voice and metadata for governments and businesses alike.
The interagency response has been correspondingly blunt. In December 2024, the U.S. and Five Eyes partners published joint guidance titled Enhanced Visibility and Hardening Guidance for Communications Infrastructure to give network operators concrete steps to detect and evict malicious activity. That guidance spells out the hard truth: when backbone routers, provider edge equipment, or management planes are compromised, defenders lose the ability to see what is true on their own networks. The guidance focuses on centralized logging, out of band management, strict access controls, and checking for unauthorized GRE or IPsec tunnels.
Washington has moved from guidance to sanctions. On January 17, 2025 the U.S. Treasury designated a Sichuan-based company it says supported the Salt Typhoon campaign and, in the same action, a Shanghai-based actor it tied to the separate intrusion into Treasury's own network, a public step meant both to punish and to signal attribution. That step confirms U.S. authorities judge the campaign to be state enabled at a minimum, and it elevates the incident from technical crisis to geopolitical incident.
Independent research has filled in technical detail. Recorded Future's Insikt Group tracked activity from December 2024 into January 2025 that attempted to exploit known vulnerabilities in the Cisco IOS XE web user interface to create local privileged accounts and then add GRE tunnels for persistent, covert connectivity. The researchers observed attempts against more than a thousand internet-exposed Cisco devices and confirmed several compromises affecting telecom providers across multiple countries. The pattern is classic network-level espionage: reconfigure devices, hide connections, pivot, and collect metadata and traffic as it flows.
Why this matters beyond the tech shops and security operations centers is straightforward. Telecommunications providers host lawful intercept systems and metadata used by law enforcement and intelligence. When those systems are co-opted the attacker gains access to call records, location data, and potentially content that was supposed to be available only under court order. That changes the strategic calculus. This is not theft of a corporate secret. It is the hijacking of national surveillance and communications infrastructure. Public officials have every right to be alarmed.
The operational checklist for short term damage control is equally straightforward and non-negotiable. Operators must assume compromise until they can prove otherwise. Priorities are: 1) identify internet-exposed management interfaces (including the IOS XE web UI) and take them off the public internet, 2) apply vendor fixes and retire unsupported legacy software, 3) rebuild management credentials and enforce phishing resistant multifactor authentication, 4) implement out of band management and strict ACLs so that device management traffic can neither originate from nor traverse the production data plane, 5) look for unauthorized GRE or IPsec tunnels, unexpected local accounts, and unexplained route changes, and 6) preserve forensic evidence to allow coordinated law enforcement analysis. These are the practical actions in the Five Eyes guidance and in the follow up advisories.
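The artifacts described above (an unexpected privilege-15 local account, an unexpected tunnel interface, and an exposed HTTP management service) are all visible in a device's saved configuration, so a first-pass check can be run offline against archived `show running-config` output. The script below is an added example, not code from the article, the Five Eyes guidance, or any vendor: it parses a constructed Cisco IOS XE configuration excerpt and reports anything not in an operator-supplied baseline. The sample config, the allowlists, and the finding names are assumptions for illustration.

```python
"""
Added example (not from the original article or any vendor tool): audit a saved
`show running-config` from a Cisco IOS / IOS XE device for the artifacts the
article associates with the Salt Typhoon / RedMike pattern.

Assumptions: the config text below is constructed for illustration (documentation
IP ranges only); EXPECTED_PRIV15_USERS and EXPECTED_TUNNEL_PEERS stand in for an
operator's real baseline.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: two privilege-15 users, three tunnel interfaces, HTTP UI on.
SAMPLE_RUNNING_CONFIG = """\
version 17.3
hostname pe-edge-01
!
username netops privilege 15 secret 9 REDACTED
username cisco_tac privilege 15 secret 9 REDACTED
!
ip http server
ip http secure-server
!
interface Tunnel0
 description backup to core
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.10
!
interface Tunnel4
 ip address 10.200.7.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.77
!
interface Tunnel9
 tunnel mode ipsec ipv4
 tunnel source Loopback0
 tunnel destination 198.51.100.20
!
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
!
end
"""

# Assumed operator baseline: known admin accounts and known tunnel far ends.
EXPECTED_PRIV15_USERS = {"netops"}
EXPECTED_TUNNEL_PEERS = {"198.51.100.10", "198.51.100.20"}


@dataclass
class Tunnel:
    name: str
    # IOS omits the default "tunnel mode gre ip" from running-config, so a Tunnel
    # interface with no explicit mode line is a GRE tunnel.
    mode: str = "gre ip"
    source: str = ""
    destination: str = ""


@dataclass
class ConfigAudit:
    priv15_users: list = field(default_factory=list)
    tunnels: list = field(default_factory=list)
    http_server: bool = False


@dataclass
class Finding:
    kind: str
    detail: str


def _blocks(text):
    """Group IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks, current = [], None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def parse_running_config(text):
    cfg = ConfigAudit()
    for header, body in _blocks(text):
        user = re.match(r"^username (\S+) privilege (\d+)", header)
        if user and user.group(2) == "15":
            cfg.priv15_users.append(user.group(1))
            continue
        if header in ("ip http server", "ip http secure-server"):
            cfg.http_server = True
            continue
        intf = re.match(r"^interface (Tunnel\d+)$", header)
        if intf:
            t = Tunnel(name=intf.group(1))
            for line in body:
                for attr, prefix in (("mode", "tunnel mode "),
                                     ("source", "tunnel source "),
                                     ("destination", "tunnel destination ")):
                    if line.startswith(prefix):
                        setattr(t, attr, line[len(prefix):])
            cfg.tunnels.append(t)
    return cfg


def audit_config(text, expected_users, expected_peers):
    """Return findings for anything outside the baseline."""
    cfg = parse_running_config(text)
    findings = []
    for u in cfg.priv15_users:
        if u not in expected_users:
            findings.append(Finding("unexpected-priv15-user", u))
    for t in cfg.tunnels:
        if t.destination not in expected_peers:
            findings.append(Finding("unexpected-tunnel",
                                    f"{t.name} ({t.mode}) {t.source} -> {t.destination}"))
    if cfg.http_server:
        findings.append(Finding("http-server-enabled",
                                "ip http server / secure-server is on; restrict to OOB or disable"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_RUNNING_CONFIG, EXPECTED_PRIV15_USERS, EXPECTED_TUNNEL_PEERS):
        print(f"{f.kind}: {f.detail}")
```

Two caveats a practitioner should keep in mind. A device that has already been reconfigured by an attacker can also be made to lie about its running configuration, so the input should be pulled over the out of band path and compared against the last config archived before the suspected intrusion window, not only against an allowlist. And the absence of an explicit `tunnel mode` line is not the absence of a tunnel: IOS suppresses the GRE default, which is exactly why the parser treats an unqualified `interface TunnelN` as GRE.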
Longer term the response must be policy as much as patching. Regulators and national security agencies need stronger visibility into carrier remediation progress, and they need the authority to compel replacement of devices that cannot be trusted. Supply chain risk management must be raised from checkbox exercise to a continuous control. Public private information sharing must move faster and with more teeth, including compelled disclosure when national security systems are affected. Sanctions and public attribution are useful tools, but they do not evict actors from firmware or erase stolen keys. That takes coordinated operational work and sustained investment.
Finally, treat the Salt Typhoon pattern as a case study in modern asymmetric risk. Low-cost exploitation of exposed management interfaces gives a patient adversary outsized leverage. The defensive answer is not clever words. It is durable execution: disciplined patching, hardened configurations, segmented networks, encrypted end points for sensitive users, and the political will to require accountability from carriers when national level assets are on the line. If Five Eyes and partner regulators want to stop being surprised they must stop treating telecom infrastructure like another IT problem. It is strategic infrastructure. Act like it.