TL;DR: China-linked intrusions against telecommunications show how technical debt, inherited exposure, and long-lived persistence can let attackers remain hidden for years, with Salt Typhoon activity tied to at least 200 American companies and more than 80 countries according to SecurityScorecard. The practical lesson is that visibility and coordinated response now matter as much as perimeter defense.
At a glance
What this is: SecurityScorecard’s analysis argues that telecommunications networks remain a high-value target because technical debt, supply chain inheritance, and weak visibility let China-linked actors embed for long periods.
Why it matters: For IAM, PAM, and broader security teams, the lesson is that persistent access and inherited trust relationships can outlast normal detection and review cycles, especially in complex provider ecosystems.
By the numbers:
- Salt Typhoon has already compromised at least 200 American companies, and global targeting has extended to over 80 countries.
👉 Read SecurityScorecard’s full webinar on Salt Typhoon and telecom persistence
Context
Telecommunications is a trust-heavy infrastructure layer, which makes visibility and access control failures especially costly. When old assets, inherited relationships, and long-lived administrative pathways accumulate, attackers can persist without triggering the kind of obvious event-driven alerting many programmes still depend on.
This article is about a cyber risk with a genuine identity angle: long-term intrusion depends on who or what can access carrier infrastructure, how privileged accounts are governed, and whether third-party trust paths are continuously reviewed. In that respect, telecom compromise is also an access governance problem, not only a network security problem.
Key questions
Q: What breaks when telecommunications access is not continuously governed?
A: When telecommunications access is not continuously governed, attackers can keep privileged footholds long after the original purpose for access has disappeared. That creates an environment where persistence looks like normal operations, especially across legacy infrastructure, inherited trusts, and vendor paths. The result is delayed detection, broader lateral movement, and harder containment once the intrusion is discovered.
Q: Why do legacy telecom environments increase the risk of long-term intrusion?
A: Legacy telecom environments increase risk because they often combine old infrastructure, operational exceptions, and slow remediation cycles. Those conditions let attackers hide inside management layers and wait for later opportunities to pivot. The issue is not only technical weakness, but the absence of tight ownership and lifecycle control over privileged access and trusted pathways.
Q: How do security teams know whether carrier monitoring is actually working?
A: Carrier monitoring is working when it can identify unexpected access to management planes, configuration drift, unusual privileged sessions, and trust relationships that persist without business justification. If alerts only fire after disruption or only cover customer-facing systems, the monitoring model is too shallow. Effective monitoring should reveal persistence before it becomes operationally normal.
Q: Who is accountable when persistent access remains in a carrier environment after changes?
A: Accountability should sit with the teams that own the access lifecycle, the environment owner, and the risk function that approves exceptions. If acquisitions, integrations, or vendor relationships leave old credentials and trusts in place, those transitions need explicit review and sign-off. Frameworks such as NIST SP 800-53 and NIST Zero Trust Architecture both expect access to be governed continuously, not assumed safe by default.
Technical breakdown
Why technical debt extends attacker dwell time in telecom networks
Technical debt in telecommunications is not just old code or outdated infrastructure. It includes legacy routing systems, fragmented ownership, inherited configurations, and slow remediation cycles that leave useful access paths in place for years. In that environment, an attacker does not need to win quickly. They can quietly maintain footholds, learn the topology, and wait for a later opportunity to pivot. The longer the lifecycle of access, the more likely conventional monitoring misses the pattern. This is why a sector can be deeply compromised while appearing operationally stable.
Practical implication: inventory and review long-lived administrative access paths and tie them to explicit ownership and lifecycle controls.
How embedded access becomes a supply chain and identity problem
The article points to acquisitions and inherited vulnerabilities as a way risk spreads through telco supply chains. That matters because infrastructure trust is often inherited along with the asset, but privilege and monitoring rarely arrive with the same clarity. When a provider absorbs another environment, access entitlements, service accounts, and operational accounts may remain active even when their original purpose is gone. For identity teams, this is the same class of problem seen with unmanaged non-human identities: access outlives intent, and intent is no longer visible in the system of record.
Practical implication: treat acquired infrastructure and third-party operational access as a privileged identity review problem, not only a network integration exercise.
Why continuous monitoring matters more than point-in-time remediation
Point-in-time remediation can remove a known flaw, but it does not reveal whether an attacker has already built persistence around it. Continuous monitoring is the control that turns a static inventory into an operational picture of access, anomaly, and exposure. In telecom environments, that means watching for unusual device access, unexpected configuration drift, lateral movement between management planes, and cross-environment trust relationships that should have expired. The article’s core lesson is that the threat is not just exploitability, but survivability after intrusion.
Practical implication: pair remediation with continuous detection on privileged sessions, configuration drift, and cross-boundary trust paths.
Threat narrative
Attacker objective: The objective is long-term strategic access to telecommunications infrastructure for intelligence collection, metadata exploitation, and future geopolitical leverage.
- Entry begins when China-linked actors exploit weakly governed or outdated telecom infrastructure and its inherited trust relationships.
- Escalation follows as they maintain embedded access, move through network management layers, and preserve persistence inside carrier environments.
- Impact is strategic intelligence collection, with adversaries positioned to monitor communications and influence decision-making during a future crisis.
NHI Mgmt Group analysis
Persistent carrier access is now an identity governance problem, not only a network defense problem. The article makes clear that adversaries win by staying embedded, which means the real failure mode is durable access without durable accountability. When privileged paths, service credentials, and inherited trust relationships are not continuously revalidated, the environment becomes governable only after the attacker has already settled in. Practitioners should treat telecom persistence as a lifecycle control failure.
Technical debt becomes a privilege multiplier when infrastructure evolves faster than access governance. In telecommunications, old systems, acquisitions, and operational urgency create environments where access accumulates faster than it can be reviewed. That dynamic is structurally similar to non-human identity sprawl: more accounts, more exceptions, and less confidence in who can still reach what. The field should recognise this as a governance lag problem. Practitioners should align remediation with access recertification and ownership refresh.
Supply chain exposure in telco is often inherited privilege with no clean offboarding story. The article shows how acquisitions and third-party dependencies can widen the attack surface without a corresponding reset of trust. That matters because inherited access is easy to activate and hard to explain later, especially when the original business justification no longer exists. The named concept here is inherited privilege persistence: access that remains valid after the operational reason for it has disappeared. Practitioners should make offboarding and access re-attestation mandatory after every environment transition.
Sector-wide visibility is becoming a prerequisite for meaningful response. The emphasis on public-private coordination, ISACs, and government threat sharing reflects a wider truth: defenders cannot correlate what they cannot see across organisational boundaries. For carrier ecosystems, this widens the gap between isolated remediation and coordinated resilience. The practitioner conclusion is straightforward: visibility must extend beyond the perimeter to the trust fabric itself.
What this signals
Persistent access is the real control problem here, and it is converging with NHI governance. When carriers, managed service providers, and backbone operators inherit privileges across environments, the question becomes whether those rights can be revalidated at machine speed. The confidence gap in NHI governance is already visible in our research: 1.5 out of 10 organisations are highly confident in their ability to secure NHIs. That gap matters whenever old infrastructure and hidden access paths coexist.
The practical signal for programmes is that telecom-style persistence demands the same discipline used for service accounts, APIs, and operational secrets. If access can survive ownership changes, then recertification is too slow, and if monitoring cannot surface management-plane anomalies, then detection is too shallow. In Zero Trust terms, the trust fabric itself must become observable, not merely segmented. See NIST SP 800-207 Zero Trust Architecture.
Inherited privilege persistence: access that remains active after the original business reason has gone. In telecom and adjacent infrastructure, that failure mode turns acquisition sprawl and vendor trust into a latent attack surface. Programmes should treat every integration, migration, and offboarding event as a forced review of who and what still has reach.
For practitioners
- Map long-lived privileged access paths Build an inventory of administrative, service, and vendor-held access across carrier and backbone environments, then require named ownership and expiration dates for each path. Focus first on the credentials that can reach management planes and cross-provider links. The goal is to expose standing access before an attacker does.
- Re-attest access after acquisitions and integrations Treat every acquisition, network integration, and outsourced operation as a mandatory revalidation event for accounts, secrets, and trust relationships. Offboard anything that no longer has a current business purpose and verify that inherited access is not silently preserved. This is especially important where the original system owner has changed.
- Pair remediation with continuous detection Do not rely on vulnerability closure alone. Monitor for configuration drift, unusual privileged sessions, and changes in device or management-plane behaviour so you can detect persistence that survives patching. Continuous monitoring should be tuned to the control planes that matter most, not just the user-facing perimeter.
- Use cross-sector threat sharing before the incident Coordinate with ISACs, sector peers, and government advisories before you need urgent help. The article’s lesson is that sharing becomes harder under pressure, so the operating model should already exist for indicators, TTPs, and response coordination. Build the relationships now, not after compromise.
Key takeaways
- Telecommunications compromise is sustained by governance gaps, not only by technical exploitation.
- The scale of the problem is broad, with Salt Typhoon linked to at least 200 American companies and more than 80 countries.
- Continuous monitoring, lifecycle review, and inherited-access cleanup are the controls that can shrink dwell time.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement; TA0003 , Persistence | The article centers on long-lived intrusion and movement through telecom environments. |
| NIST CSF 2.0 | DE.CM-1 | Continuous monitoring is a core control theme in the article. |
| NIST SP 800-53 Rev 5 | AC-2 | The problem includes unmanaged and inherited accounts across complex telecom environments. |
| CIS Controls v8 | CIS-5 , Account Management | The article highlights account sprawl, persistence, and shared access risk. |
Map carrier persistence indicators to credential access, lateral movement, and persistence techniques.
Key terms
- Technical debt: Legacy shortcuts or weak design choices that create future cost, risk, or operational friction. In identity programmes, technical debt often shows up as brittle trust relationships, inconsistent revocation, poor traceability, or controls that only work in one environment and fail in another.
- Persistent access: Persistent access is authority that remains valid across time instead of expiring with the task that needed it. For AI agents and other NHIs, persistent access increases blast radius because a single identity can be reused, redirected or abused long after its original business need has changed.
- Privilege Inheritance: Privilege inheritance occurs when a system uses the permissions of the human or service identity that launched it. For agents, this means the workload can access anything the parent role can access, which makes entitlement design more important than the model’s natural-language capabilities.
- Management Plane: The administrative layer used to configure, govern, and enforce behaviour across many endpoints or services. A management plane is not the workload itself. It is the control layer above it, which makes it especially sensitive to privileged misuse and delegated automation.
What's in the full article
SecurityScorecard's full webinar covers the operational detail this post intentionally leaves for the source:
- Panel discussion on how telecommunications technical debt creates long-dwell intrusion conditions
- Threat-intelligence context from SecurityScorecard’s STRIKE team on the Salt Typhoon and LapDogs campaigns
- Practical guidance on using CISA, FBI, and JCDC feeds in sector response workflows
- Discussion of public-private coordination and information-sharing constraints after CISA 2015 expired
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity. It is suited to practitioners who need to connect access lifecycle control to broader security operations.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org