Blog November 4, 2025

How China-Backed Hackers Are Targeting Telecom and What Needs to Happen Next

Chinese nation-state hackers have spent years compromising the telecommunications sector, embedding themselves inside telecommunications networks and lying in wait. They have compromised presidential campaign communications, siphoned up data on high-profile individuals, and remained hidden for years before they were uncovered.

In a recent webinar, SecurityScorecard’s Senior Content Writer Shannon Vavra, Head of Public Policy Michael Centrella, and VP of Threat Intelligence Jeremy Turner discussed the geopolitical stakes, how groups of hackers like Salt Typhoon are able to exploit technical debt in the telecommunications sector, and how cybersecurity teams can respond.

Centrella and Turner emphasized that stronger coordination, continuous monitoring, and deeper public-private collaboration are critical to managing this persistent threat.

Listen to the audio here, or watch the full webinar on-demand here.

Why Telecommunications Is the Bullseye

The flow of communications around the world, from government communications to sensitive personal data, depends on telecommunications infrastructure. That makes it a strategic, high-value target for adversaries like China, as Turner emphasized.

“Telecommunication networks carry the world’s most sensitive data,” Turner said. “From government communications to corporate and banking transactions, even though there’s a lot of encryption, there’s still a lot of information and metadata that’s really useful to further the objectives that nation states have: Collecting intelligence and targeting individuals.”

As Centrella put it, whoever controls access to these networks controls “the arteries of our modern communication.”

Vavra pointed to the strategic logic behind the intrusions: Chinese-linked actors may be embedding themselves now to hold adversaries’ decision-making at risk in a future crisis. Gaining access to communications infrastructure now can give threat actors leverage if geopolitical tensions escalate.

How Does Telecommunications’ Technical Debt Make it Vulnerable?

The telecommunications sector faces a unique problem: It was the first to build out large-scale internet infrastructure.

“There is no other entity or class of business in the world that probably has more tech debt than telco because they were the first ones to stand up a lot of this infrastructure,” Turner noted. “The demand for traffic volume and delivery superseded concerns about cybersecurity.”

As telcos grow through acquisitions, they often inherit vulnerabilities they don’t know about. That’s how risk spreads through the supply chain.

How Salt Typhoon Operates

Although many reports refer to Salt Typhoon as the main culprit in telecommunications compromises, the panelists pointed out that it’s not just one group conducting intrusion campaigns.

Turner emphasized that the activity often attributed to Salt Typhoon actually comes from a series of specialized China-affiliated teams with different tasking, each targeting different parts of telecommunications infrastructure.

Some compromise large backbone routers and then pivot from there. Others go after SOHO (small office/home office) routers. Recent reporting from the UK reinforces the breadth of the threat: UK authorities have found groups with ties to Salt Typhoon targeting routers as well.

SecurityScorecard’s STRIKE Threat Intelligence team exposed the “LapDogs” campaign from China-linked hackers earlier this year. In this case, too, suspected China-affiliated hackers compromised over 1,000 nodes around the globe. Targets included those in the United States, Japan, South Korea, Hong Kong, and Taiwan.

The key theme is persistence. These groups don’t break in noisily. They stay, often undetected, by exploiting outdated infrastructure.

“Salt Typhoon was a wake-up call not because they stole data, but because they stayed so long in our systems. They were embedded into the fabric of our telecom,” Centrella said.

How to Thwart Telco Compromise: TTPs, Policy, and Partnership

Turner and Centrella agreed that defending against this long-term, embedded threat requires more than traditional security. It requires sector-wide coordination and visibility.

This includes identifying tactics, techniques, and procedures (TTPs) early and contextualizing threat intelligence from government sources like CISA, the FBI, and initiatives like the Joint Cyber Defense Collaborative (JCDC).

Organizations can lean on ISACs, or Information Sharing and Analysis Centers, to share threat intelligence and tackle cybercrime in unison.

Turner urged organizations that have previously attempted to coordinate with the federal government and partnerships like these to consider tapping into them again, as information-sharing practices have matured in recent years.

Defending against a threat that has already broken in is a major challenge and requires a team effort, Turner and Centrella acknowledged. But collaboration faces challenges. Centrella warned that the expiration of the Cybersecurity Information Sharing Act (CISA 2015) on October 1 may discourage companies from sharing threat intelligence due to new legal uncertainties.

Any hesitation could widen the gap between proactive defense and attackers.

Actionable Steps

  • Continuous Monitoring: You can’t defend what you can’t see. Persistent monitoring illuminates the threat landscape—both internally and across the supply chain.
  • Prioritized Remediation: Salt Typhoon and affiliated groups often exploit specific vulnerabilities. Organizations should focus remediation efforts on known, high-risk flaws.
  • Proactive Engagement: Build public-private partnerships before an incident. Exchanging business cards in the middle of a breach is too late.

Salt Typhoon has already compromised at least 200 American companies, and global targeting has extended to over 80 countries. Keeping pace with well-resourced, patient adversaries means establishing early-warning systems, real-time visibility, and resilient collaboration long before the next intrusion is discovered.

Contact STRIKE for Incident Response

SecurityScorecard’s STRIKE Team has access to one of the world’s largest databases of cybersecurity signals, dedicated to identifying threats that evade conventional defenses. With proactive risk management and a rapid response approach, SecurityScorecard offers companies protection against third-party risks and the ability to counter active threats like those in the telecommunications sector.

Discover how SecurityScorecard and its STRIKE Team can strengthen your enterprise’s security.

For STRIKE media inquiries, contact us here.