Chinese state-backed hackers (Salt Typhoon) breached the wiretap systems of AT&T, Lumen (formerly CenturyLink), and Verizon — gaining access through the legally mandated CALEA backdoors that US law has required telecoms to build into their infrastructure since 1994. The breach represents the security community’s long-predicted outcome: a backdoor built for law enforcement becomes a backdoor for anyone who can reach it.
Stories Covered
Salt Typhoon Exploits CALEA Backdoors: Chinese Hackers Inside US Telecom Wiretap Systems
Chinese government-backed APT Salt Typhoon breached the wiretap systems of at least three of the largest US internet service providers — AT&T, Lumen (formerly CenturyLink), and Verizon — accessing the systems those companies use to facilitate lawful intercepts for law enforcement and government agencies. The compromise was first reported by the Wall Street Journal and confirmed by CNN and the Washington Post, with US government investigation in early stages. The wiretap systems are among the most sensitive in any telecom’s network: they grant access to customer internet traffic, browsing histories, and communications content. Analysts believe the access was aimed at intelligence collection and pre-positioning ahead of a potential future conflict, particularly around Taiwan.
The legal context is critical. The Communications Assistance for Law Enforcement Act (CALEA), passed in 1994 when cell phones were rare and the internet was nascent, requires telecoms and internet service providers to build wiretapping capability into their infrastructure — or encrypt communications in a way that leaves a backdoor accessible to law enforcement. This created a third-party industry of wiretapping compliance vendors that help carriers satisfy the legal requirement. The post-9/11 surveillance expansion under the Patriot Act significantly extended the use of these systems. Security researchers and technologists have warned for decades that a backdoor built for authorized use is structurally identical to a backdoor that any sufficiently capable attacker can exploit — the access mechanisms do not distinguish between a valid law enforcement request and a compromise by a nation-state adversary. The Salt Typhoon intrusion is the materialization of that warning.
The implications are significant in both directions. For individuals: SMS messages have never been end-to-end encrypted — they transit carrier infrastructure in plaintext, stored in databases during routing. Any carrier-level access exposes that data. For broader national security: the systems breached are not narrow point-access tools; they are administrative interfaces with broad, privileged visibility into customer traffic. The distinction between a government-authorized wiretap and a Chinese intelligence collection operation becomes meaningless once a threat actor gains authenticated access to the same interface. Stanford encryption policy expert Riana Pfefferkorn’s observation is accurate: the system designed to protect citizens through surveillance is, in this instance, the mechanism through which they are being surveilled by an adversary. Signal and similar end-to-end encrypted platforms sit outside this exposure by design — encrypted content intercepted at the carrier level is ciphertext without the keys, which remain on user devices.





