Salt Typhoon Proves There Is No 'Safe Lawful Access'

cybersecurity policy

(The result of some summer weekend thinking; I would love feedback.)

The 2024 Salt Typhoon cyber espionage campaign marks a watershed moment in state-sponsored cyber operations, delivering a clear answer to a long-standing debate in the security community: there is no safe form of "lawful access" or "good guys only" backdoor.

This operation, attributed with high confidence to China's Ministry of State Security (MSS), proved that mandated government access capabilities, like those required in the United States by the Communications Assistance for Law Enforcement Act (CALEA), are not just susceptible to compromise but are in fact high-value targets that become powerful weapons in the hands of adversaries.

How They Got In: Common Flaws, Not CALEA Backdoors

It's crucial to understand how Salt Typhoon worked, and it worked in two parts.

The initial breach of at least nine major U.S. telecommunications service providers, including Verizon, AT&T, and Lumen Technologies, was not due to a direct vulnerability in CALEA infrastructure itself, nor did it rely on a single, exotic flaw. Instead, the attackers executed a wide-net strategy, exploiting a range of common and often long-known security failures to find available entry points.

They weaponized known software bugs ("N-days") in public-facing network equipment like routers, firewalls, and VPNs from major vendors including Cisco, Ivanti, and Fortinet. They also used the notorious ProxyLogon vulnerability in Microsoft Exchange servers to break into corporate networks. Critically, a primary entry method was even simpler and one we all know too well: logging in with legitimate, stolen user credentials, bypassing the need to exploit a software flaw altogether.

This multi-faceted approach shows that the path to the intercept systems—wiretapping systems, effectively—was paved by conventional hacking techniques exploiting general security failures, rather than a singular CALEA-specific flaw. Of course, that's never the end of the story...

The Ultimate Prize: CALEA's Dual-Use Capabilities

Once inside the networks, Salt Typhoon's operational focus shifted dramatically. Their mission was deliberate and intelligence-driven: to locate, access, and control the CALEA-compliant intercept infrastructure. These systems were not incidental victims or another step in the exploit chain; the intercept systems were the ultimate prize.

Salt Typhoon successfully leveraged the built-in surveillance functionalities of the CALEA architecture for its own counterintelligence purposes. This "dual-use" capability meant that the very architecture designed to provide government access became a powerful tool for malicious state-level espionage.

The compromise of CALEA systems allowed Salt Typhoon to:

  • Access U.S. law enforcement wiretap requests.
  • Gain access to call metadata.
  • In some cases, obtain the content of communications, including actual audio of phone calls, involving high-profile political and government targets.

This disastrous outcome was predicted... a loooooong time ago. The 2004-2005 "Athens Affair," where unknown actors hijacked Vodafone Greece's intercept system to spy on over 100 government officials, was a stark early warning. Furthermore, academic and independent research laid the dangers bare. Work by Tom Cross in 2010, for example, demonstrated that a common CALEA implementation was susceptible to brute-force credential discovery (via SNMPv3) and lacked reliable audit trails, allowing an attacker to issue intercept requests undetected. Research from Professor Matt Blaze and his students in 2009 showed that due to poor design, a wiretap target could easily overwhelm the system's signaling channel, effectively blinding law enforcement's surveillance efforts.

A Catastrophic and Definitive Policy Failure

The intelligence value of compromising intercept systems is unparalleled for a foreign counterintelligence service like China's MSS. It provides a direct, real-time window into a rival nation's most sensitive law enforcement investigations and foreign intelligence collection priorities.

By accessing CALEA systems, the MSS could identify U.S. government targets of interest, gain insight into ongoing investigations, and understand U.S. intelligence tradecraft. This wasn't just about stealing data; it was about gaining "meta-intelligence"—intelligence about the intelligence process itself. The result is a systemic compromise of the U.S. national security apparatus and a catastrophic intelligence loss, forcing agencies to assume their methods and sources have been exposed.

The Salt Typhoon campaign is more than a technical failure; it's a stark policy failure. It provides the definitive, empirical answer that the premise of a "good guys only" backdoor is wrong and dangerous. This vulnerability is inherent to the policy of mandated access, creating a trust inversion where a system designed for privileged access becomes a powerful tool for any adversary who compromises the host network.

The long-running debate is over. The campaign unequivocally demonstrates that any mandated "backdoor" is a vulnerability that will inevitably be discovered and exploited by capable adversaries.