Salt Typhoon to be Investigated

Global Attacks

November 7, 2024

Recent open-source reporting details the activity of Chinese nation-state advanced persistent threat (APT) Salt Typhoon amidst the 2024 presidential election. Salt Typhoon has compromised telecommunications infrastructure, including infrastructure associated with court-ordered wiretaps. A Department of Homeland Security (DHS) panel is currently reviewing the incident and assesses that it will likely take months before any findings are publicized. Confirmed compromised organizations include telecommunications companies such as AT&T, Verizon, and Lumen. The impact on Foreign Intelligence Surveillance Act (FISA) courts is currently unclear. Compromising FISA courts could provide Beijing insight into overseas surveillance targets. Salt Typhoon’s operation likely began months ago, as assessed by DHS, and no clear initial access method is publicly known.

Salt Typhoon targeted key political figures’ cell phones and communications in the 2024 presidential election. The targeting is largely bipartisan and impacted Democrats, such as the staff of Majority Speaker of the House Chuck Schumer, and Republicans within the Trump campaign, including Donald Trump and JD Vance. According to reporting from The Washington Post, Salt Typhoon accessed the unencrypted messages of Trump’s campaign advisors.

This targeting is the second publicly reported incident of an adversary compromising campaign officials’ communications in the 2024 presidential election, following Iran’s compromise of the Trump campaign in August 2024. Salt Typhoon is not the first People’s Republic of China (PRC) state-sponsored APT to compromise US telecommunications. Salt Typhoon’s activity reflects Beijing’s espionage goals of conducting counterintelligence operations to uncover key US targets of surveillance and presidential communications. The telecommunications industry is key both in facilitating operations throughout other sectors and in the data it possesses. In response to Salt Typhoon activity, the White House established the Cyber Unified Coordination Group in October.

Salt Typhoon’s actions contribute to the PRC’s greater overall strategy of espionage and gaining prepositioned access to US critical infrastructure. According to a Congressional Research Service report, the Intelligence Community (IC) assessed that the PRC is the most active and persistent cyber threat to US institutions.

Recommendations

  • Implement cybersecurity best practices, including a robust patch management program, user awareness training, and identity and access management controls.
  • Develop and exercise incident response plans and preparedness activities.
  • Employ strong encryption standards for sensitive communications.