Salt Typhoon, One Year On: Why Trusted, Monitored Network Infrastructure Matters

A year after Salt Typhoon burrowed into at least nine US carriers and, per the FBI, 200-plus organizations across 80 countries, lawmakers are still demanding proof the intruders are gone. The story has shifted from breach to persistence, and persistence is a procurement and operations problem as much as a security one.

Uniqcli Team
June 7, 2026 · 9 min read

Key takeaways

  • Salt Typhoon, a China-linked espionage group, compromised major US telecom carriers including AT&T, Verizon, T-Mobile and Lumen, and the FBI has tied the broader campaign to more than 200 organizations across 80 countries.
  • As of 2026 the actors may not be fully eradicated. In June, Senator Maria Cantwell pressed AT&T and Verizon to produce Mandiant assessments showing the intrusions were actually remediated, underscoring how hard nation-state persistence is to verify.
  • The campaign targeted the network gear itself, the routers, switches and edge devices that sit beneath everything else, which is why trusted, TAA-compliant, supported infrastructure now matters as much as endpoint defense.
  • Defense is not a product. It is continuous assurance and visibility, segmentation, identity-driven access, and a supported lifecycle that keeps gear patched, monitored, and replaceable when it ages out.
  • A contested debate over rolling back post-Salt-Typhoon FCC security rules means buyers cannot assume regulation will carry the load. Hardening your own estate is the controllable variable.

What happened, and why it is still open

Salt Typhoon is the name given to a China-linked cyber-espionage campaign that compromised the core of US telecommunications. Investigators confirmed the actors breached at least nine major American carriers; public reporting names AT&T, Verizon, T-Mobile and Lumen among them. The FBI has tied the wider campaign to more than 200 organizations across roughly 80 countries. This was not a smash-and-grab for credit card numbers. It was a patient intelligence operation aimed at call records, the communications of specific targeted individuals, and in some reporting the lawful-intercept systems that carriers maintain for law enforcement.

The reason it remains a live story in 2026 is that nobody can comfortably declare it over. Espionage actors who reach this depth do not leave loudly. They establish redundant footholds, blend into normal administrative traffic, and wait. In June, Senator Maria Cantwell pressed AT&T and Verizon to hand over the Mandiant assessments behind their claims that the intrusions had been remediated, a pointed reminder that 'we cleaned it up' and 'we proved we cleaned it up' are different statements. Security professionals and lawmakers have continued to caution that the actors may not be fully eradicated.

For buyers in federal, defense, SLED, and healthcare, the lesson is uncomfortable but clarifying. The target was the network infrastructure layer itself, the routers and switches and edge devices that carry everything else. If that layer can be quietly occupied for months, then who built it, whether it is supported, and whether you can actually see what it is doing are no longer back-office questions.

Why this hit the layer nobody watches closely enough

Most security budgets point at the endpoint and the application. Salt Typhoon went underneath all of that. Network devices are an attractive target precisely because they are trusted by default, they often run for years between major software updates, and they rarely carry the same endpoint detection that a laptop or server does. A compromised edge router does not trip the alarms a compromised workstation would, and it sits in the data path for everything.

That changes the risk calculus around what infrastructure you buy and how long you run it unattended. Hardware of uncertain origin, gear that is past end-of-support and no longer receiving patches, and devices that nobody is actively monitoring are exactly the conditions an actor like this exploits. The campaign did not necessarily rely on exotic zero-days. Aging, unmonitored, weakly segmented network estates give a determined adversary plenty to work with.

This is the practical case for trusted, supported infrastructure. Equipment with a verifiable supply chain, a documented hardware root of trust and signed software, and an active support contract is harder to tamper with and faster to remediate. It is the difference between a network you can attest to and one you simply hope is clean.

Step one: see your own network the way an adversary already does

You cannot remediate what you cannot see, and the central uncomfortable fact of Salt Typhoon is that the victims often could not see the intruders for a long time. So the first move is visibility, continuously, not as a one-time sweep. This is where Cisco's assurance and observability tooling earns its place. Cisco ThousandEyes gives you path-level visibility across networks you do not own, including the internet and carrier links that a campaign like this rides, so unexplained changes in routing or reachability become signal rather than mystery. We scope and deploy this as part of our full-stack observability practice.

Telemetry only helps if something is correlating it. Cisco Splunk aggregates logs, flow data, and device telemetry so that the faint, patient signals of a persistent intruder, the off-hours administrative session, the configuration change nobody requested, the new tunnel, can be surfaced and investigated instead of scrolling past unread. Continuous assurance is the posture that turns 'we think we are clean' into evidence, which is precisely the standard lawmakers are now demanding of the carriers.
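As an added example (not code from the post, Uniqcli or Cisco), the correlation described above in plain Python over constructed IOS-style syslog lines: an off-hours admin login, a configuration change with no matching change ticket, and a tunnel interface coming up on the same device are flagged individually and then escalated when they cluster inside a short window. The log lines, hostnames, usernames, addresses, change register and business hours are all constructed assumptions.

```python
import re
from datetime import datetime, time, timedelta

# Constructed sample telemetry in IOS-style syslog form (not real device output).
SAMPLE_LOGS = """\
2026-06-02T09:14:03Z edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.15]
2026-06-02T09:20:41Z edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.20.0.15)
2026-06-03T02:47:12Z edge-rtr-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc_backup] [Source: 203.0.113.7]
2026-06-03T02:51:30Z edge-rtr-01 %SYS-5-CONFIG_I: Configured from console by svc_backup on vty1 (203.0.113.7)
2026-06-03T02:52:02Z edge-rtr-01 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel99, changed state to up
"""

# Constructed approved-change register: (user, ISO date) -> ticket id.
CHANGE_TICKETS = {("netops", "2026-06-02"): "CHG-1042"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # admin activity expected inside this window
CHAIN_WINDOW = timedelta(minutes=15)          # how close the three signals must be to escalate
LINE_RE = re.compile(r"^(\S+) (\S+) %(\S+?): (.*)$")


def parse(raw):
    """Yield (timestamp, host, mnemonic, message) for each well-formed line."""
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def analyze(raw, tickets=CHANGE_TICKETS, hours=BUSINESS_HOURS):
    """Return (host, rule, detail) findings; escalate when an off-hours login,
    an unticketed config change and a new tunnel land on one host in CHAIN_WINDOW."""
    findings, last_login = [], {}
    for ts, host, mnem, msg in parse(raw):
        if mnem.endswith("LOGIN_SUCCESS"):
            user = re.search(r"\[user: (\S+)\]", msg).group(1)
            if not hours[0] <= ts.time() <= hours[1]:
                findings.append((host, "off_hours_admin_login", user))
                last_login[host] = ts
        elif mnem.endswith("CONFIG_I"):
            user = re.search(r"by (\S+) on", msg).group(1)
            if (user, ts.date().isoformat()) not in tickets:
                findings.append((host, "unticketed_config_change", user))
        elif mnem.endswith("UPDOWN") and "Tunnel" in msg and msg.endswith("to up"):
            findings.append((host, "new_tunnel_up", re.search(r"Interface (\S+),", msg).group(1)))
            seen = {rule for h, rule, _ in findings if h == host}
            if host in last_login and ts - last_login[host] <= CHAIN_WINDOW \
                    and {"off_hours_admin_login", "unticketed_config_change"} <= seen:
                findings.append((host, "persistence_chain", f"{ts - last_login[host]} since login"))
    return findings
```

The daytime, ticketed change on the first two lines produces nothing; the night-time sequence produces three individual findings plus the escalated chain.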

Uniqcli helps stand this up without it becoming shelfware. We size the deployment to your environment, place the agents and collectors where they actually see the traffic that matters, and tie alerting to the people who can act on it. Visibility you bought but never operationalized is the kind of gap that lets an intrusion run for a year.

Step two: assume breach, then segment and verify identity

Once you accept that a sufficiently capable actor may get in, the goal shifts to making sure a foothold cannot become free movement across the whole network. That is the entire premise of Zero Trust, and it is the most durable answer to a persistence-focused adversary. The work is segmentation and identity, not a single appliance.

On the segmentation side, Cisco Secure Firewall enforces boundaries between enclaves so that a compromise in one zone does not become a compromise everywhere, and Cisco Hypershield extends enforcement deep into modern data center and workload traffic. On the identity side, Cisco Identity Services Engine decides what every device and user is actually allowed to touch, and Cisco Duo hardens authentication so a stolen credential is not a master key. Pairing strong identity with tight segmentation is what shrinks the blast radius when, not if, something slips through. We design and implement these together through our security and Zero Trust services.

Architecture decisions like this are easier to defend when they map to recognized control frameworks. The cryptographic, access-control, and audit families in NIST SP 800-53, and the configuration baselines in the DoD Cyber Exchange STIGs, give you a documented standard to build and assess against rather than improvising.

Step three: a supported lifecycle is a security control, not an expense line

A large share of network risk is simply gear that has aged out. Devices past end-of-support stop receiving fixes, fall off vendor advisories, and quietly become the soft spot in an otherwise modern estate. Knowing what you run, what state it is in, and when each device must be replaced is a defensive capability, not a back-office chore. A current support contract such as Cisco Smart Net Total Care keeps hardware under coverage and surfaces the advisories that matter to your specific footprint.

Equally important is staying current on what is actually being exploited. Cisco publishes its own advisories through the Cisco Security Advisories portal, and CISA maintains the authoritative Known Exploited Vulnerabilities catalog that tells defenders which flaws are being used in the wild right now. Patching to that signal, rather than patching everything blindly, is how lean teams keep pace.

This is the operational discipline that wins against a persistence-focused adversary, and it is the part most organizations struggle to sustain. Uniqcli runs it as a service through our managed operations and licensing and lifecycle practices, so monitoring, patch cadence, change windows, and hardware refresh do not depend on a single overstretched engineer remembering to look.

Why trusted and TAA-compliant procurement is now front and center

Salt Typhoon turned a supply-chain abstraction into a board-level concern. When the network layer itself is the target, the provenance of every device, who made it, whether its software is signed, whether it can be verified at boot, stops being paperwork and becomes part of the threat model. For government and defense buyers this is not optional. Equipment must be TAA-compliant and, where the mission requires it, drawn from the DoDIN Approved Products List.

The regulatory backdrop makes self-reliance the safer bet. There has been real contention over an FCC move to roll back some of the security rules adopted in the wake of Salt Typhoon, which means buyers cannot assume the regulatory floor will hold or rise. The infrastructure you choose and how you operate it is the variable you actually control. Procuring trusted gear through proper channels, on the right contract vehicles, with compliance documented up front, is a concrete way to reduce exposure regardless of how the rulemaking lands. Federal teams can read how Cisco approaches public-sector contracting on Cisco's federal contracts and funding-vehicles resources.

As an authorized Cisco partner, Uniqcli scopes, sources, and documents this for you. We confirm TAA origin and DoDIN APL status before anything goes on the order, quote against the right vehicle, and handle the full cycle from bill of materials to staging to cutover. If you are modernizing a federal or defense network in direct response to this threat, our defense practice and procurement and compliance team can scope it, and you can request hardened, compliant pricing through our Cisco government network quote.

What to actually do this quarter

You do not need to boil the ocean to make meaningful progress against this class of threat. Start by inventorying your network estate and flagging anything past end-of-support or of uncertain origin, because that is where an adversary looks first. Turn on continuous visibility at the path and telemetry layers so an intrusion cannot run unseen for months. Then tighten the architecture with segmentation and identity so a single foothold cannot spread.

Sequencing matters more than speed. Prioritize the segments carrying your most sensitive or longest-lived data, get those under monitoring and behind enforced boundaries first, and let the rest follow your normal refresh cadence rather than an emergency rip-and-replace. None of this makes any organization invulnerable, and anyone promising that is selling something. What it does is reduce risk, shrink the blast radius, and give you the evidence to attest that your network is in a known, defensible state. That is exactly the bar Salt Typhoon raised, and it is the bar regulators are now holding the carriers to.

Cisco products involved

  • Cisco ThousandEyes
  • Cisco Splunk
  • Cisco Secure Firewall
  • Cisco Identity Services Engine (ISE)
  • Cisco Duo
  • Cisco Hypershield
  • Cisco Smart Net Total Care

Bottom line: A year on, Salt Typhoon has stopped being a breach story and become a standing question: can you prove your network is clean and keep it that way? The honest answer is that no vendor makes any organization invulnerable, but trusted, TAA-compliant infrastructure, continuous visibility, segmentation, identity-driven access, and a supported lifecycle measurably lower the risk and give you something to attest to. As an authorized Cisco partner, Uniqcli helps US federal, defense, SLED, healthcare, and enterprise teams scope, procure, deploy, and operate exactly that. If this campaign is on your risk register, request a quote and we will help you turn concern into a hardened, monitored, supportable network.

Frequently asked questions

Was my organization affected by Salt Typhoon if we are not a telecom carrier?

The confirmed primary victims were major US carriers, and the FBI has linked the broader campaign to more than 200 organizations across about 80 countries, so direct compromise reached well beyond the carriers themselves. Even if you were not breached directly, your communications may traverse affected networks, which is why path-level visibility and strong encryption on your own traffic matter. The practical takeaway for any organization is the same: assume the network layer is a target, get continuous visibility, segment aggressively, and verify the origin and support status of your gear.

Can Cisco and Uniqcli guarantee we will not be breached by a nation-state actor?

No, and you should be wary of anyone who claims otherwise. A sufficiently resourced nation-state adversary is a serious threat, and no product or partner makes an organization completely safe. What we can do is meaningfully reduce risk and shrink the blast radius: trusted, supported infrastructure, continuous assurance with tools like ThousandEyes and Splunk, Zero Trust segmentation and identity through Secure Firewall, ISE, and Duo, and a maintained lifecycle so nothing sits unpatched and unwatched. The goal is a network you can monitor, defend, and attest to, not an impossible promise of perfect security.

Why does where we buy our network hardware suddenly matter so much?

Because Salt Typhoon targeted the network infrastructure layer itself, the provenance of each device became part of the threat model rather than a procurement formality. Hardware with a verifiable supply chain, signed software, and a hardware root of trust is harder to tamper with and faster to verify. For federal and defense buyers, TAA-compliant equipment and DoDIN APL sourcing are often mandatory. As an authorized Cisco partner, Uniqcli confirms TAA origin and APL status before anything goes on the order and quotes against the correct contract vehicle.

What is the single most useful first step against this kind of persistent threat?

Visibility. The defining feature of Salt Typhoon is that intruders went undetected for a long time, so the highest-value first move is continuous monitoring of your network paths and device telemetry. Cisco ThousandEyes surfaces unexplained changes across links you do not own, and Splunk correlates the telemetry that reveals a quiet, persistent presence. From there you tighten segmentation and identity so any foothold cannot spread. Uniqcli sizes and deploys this so it is actually operationalized rather than sitting idle.

We are mid-lifecycle and cannot afford a full rip-and-replace. What should we prioritize?

You should not attempt an emergency rip-and-replace, and you do not need to. Inventory your estate first and flag anything past end-of-support or of uncertain origin, since that is where risk concentrates. Get continuous monitoring switched on everywhere, then prioritize segmentation and identity around the segments carrying your most sensitive or longest-lived data. Let the rest follow your normal refresh cadence under a proper support contract. Uniqcli can run this sequencing and the ongoing operations through our managed operations and lifecycle services.

Written & maintained by

Uniqcli Team

The Uniqcli Team is an authorized Cisco partner specializing in Catalyst wireless, switching, datacenter fabric, licensing, and managed services for U.S. federal, state, local, and education customers. We scope Cisco bills of materials, validate procurement paths (TAA, FIPS, contract vehicles), and deliver design, deployment, and managed operations.
