Thirteen countries. One shared advisory. Zero agreement on how long the intruders had already been inside before anyone noticed.
That’s the strange residue of the Salt Typhoon episode, more than a year on. Start with the document that actually named the intrusion in real time. In November 2024, the FBI and CISA said plainly that PRC affiliated actors had compromised networks at multiple telecommunications companies, enabling theft of customer call records, compromise of the private communications of a limited number of individuals involved in government or political activity, and copying of information subject to law enforcement requests under court order. Within weeks, AT&T and Verizon each confirmed the breach and said they’d contained it. T-Mobile said it detected and blocked related attempts with no significant impact. Every one of those statements used the vocabulary of a fire put out.
Here’s the question that should have followed each one, and mostly didn’t: contained from doing what, exactly?
The record got more complicated, not less, as it aged. Nearly a year after that November statement, in August 2025, CISA, the NSA, the FBI, the Department of Defense Cyber Crime Center, and cybersecurity agencies from twelve other countries, Australia, Canada, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain, jointly published a much broader advisory on PRC state sponsored actors compromising networks worldwide to feed a global espionage system. It’s worth being precise about what that document is and isn’t. It doesn’t call itself the Salt Typhoon advisory. It covers a wider, multi-sector campaign, not telecom exclusively, and it says the activity it describes ‘partially overlaps’ with industry reporting on five separate named clusters, Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, without fully adopting any one of those names. Two different documents, a year apart, describing overlapping but distinct footprints. Governments rarely draw that fine a line unless attribution is genuinely harder than the headlines suggest.
That’s the doctrine gap. For twenty years, telecom network security has run on an implicit assumption that carrier infrastructure earns a kind of tenure. Equipment or a service account that’s been part of the network for years, that passed its onboarding checks once, gets treated as trusted by default from then on. Whole security programs sit on top of that assumption: harden the edge, watch for anomalies, and if something gets past the edge, find it and evict it. Eviction is the doctrine. It’s a fine doctrine against smash and grab. It’s close to useless against tradecraft built around never looking like an intrusion at all.
The rolling sequence of carrier confirmations is itself the tell. AT&T, Verizon, and T-Mobile didn’t all disclose on the same day, or describe the same footprint. Industry reporting through the end of 2024 kept surfacing overlapping but distinct intrusions rather than one clean, bounded event, and none of the public statements from the carriers or the agencies pinned down a single dwell time. That pattern, containment claims arriving in a drawn-out sequence rather than a coordinated single announcement, is consistent with an adversary whose tradecraft is built to persist quietly rather than smash and grab, though the specific mechanics of any one intrusion are for the carriers and investigators involved to characterize, not for an outside observer to reconstruct. In December 2024, CISA, the NSA, the FBI, and international partners including Australia’s ACSC, Canada’s Cyber Centre, and New Zealand’s NCSC-NZ released joint hardening guidance in direct response. Separately, around that same window, FBI and CISA officials went so far as to publicly recommend that Americans, particularly senior government and political figures, simply use end to end encrypted communications. Sit with what that concedes. Nobody was confident the network layer itself could be trusted to keep the conversation private. So they told people to encrypt around the network instead.
That’s not a failure of any one carrier’s security team. It’s what happens when the operating assumption is ‘inside equals trusted’ and the adversary’s tradecraft is built to become, and remain, indistinguishable from something already inside.
The regulatory response complicates any tidy conclusion here. In January 2025, the FCC issued a declaratory ruling asserting that carriers were obligated under CALEA to secure their networks against unauthorized access, paired with a proposed rule requiring annual cybersecurity certifications. In November 2025, the FCC reversed itself, finding the original ruling had misinterpreted CALEA and calling it unlawful and unnecessary, over a dissent from Commissioner Anna Gomez. So the one concrete regulatory lever pulled in response to the telecom intrusions got pulled back within the year. Whatever discipline carrier architecture gets going forward isn’t coming from that rule. It has to come from inside the industry’s own doctrine.
That leaves the actor pool question hanging rather than resolved. The August 2025 advisory’s own carefulness, five named clusters, none of them fully adopted as the story, is itself a signal about how crowded this threat profile has become. A single campaign name was never going to hold five distinct sets of tradecraft still long enough to regulate around. Treating any one of them as the whole picture, or as a closed case, misreads what the agencies themselves were careful to leave open.
Which brings back the sharper question. Not ‘did we evict them,’ a question about a single actor at a single moment, one carriers can usually answer affirmatively in good faith. The harder question is what any credential or piece of equipment inside the network can still reach, right now, regardless of whether today’s actor has already been found and removed. Trust earned once, years ago, at onboarding, doesn’t hold up against tradecraft designed to look exactly like the routine traffic of something that belongs there. The industry’s answer can’t keep being a better eviction. It has to be an architecture where ‘already inside’ stops meaning ‘already trusted,’ where every request for access gets checked against what that identity is actually supposed to touch, every time, not once at the door.
Carriers didn’t build the network to be trusted forever. They built it to be trusted for now. Security has to catch up to that distinction before the next advisory, with its own new set of names, has to say the same thing again.
Inside Telecom provides you with an extensive list of content covering all aspects of the Tech industry. Keep an eye on our Press Releases section to stay informed and updated with our daily articles.