TL;DR: China-linked intrusions against telecommunications show how technical debt, inherited exposure, and long-lived persistence can let attackers remain hidden for years, with Salt Typhoon activity tied to at least 200 American companies and more than 80 countries according to SecurityScorecard. The practical lesson is that visibility and coordinated response now matter as much as perimeter defense.
NHIMG editorial — based on content published by SecurityScorecard: how China-linked hackers exploit telecom technical debt and persistence
By the numbers:
- Salt Typhoon has already compromised at least 200 American companies, and global targeting has extended to over 80 countries.
Questions worth separating out
Q: What breaks when telecommunications access is not continuously governed?
A: When telecommunications access is not continuously governed, attackers can keep privileged footholds long after the original purpose for access has disappeared.
Q: Why do legacy telecom environments increase the risk of long-term intrusion?
A: Legacy telecom environments increase risk because they often combine old infrastructure, operational exceptions, and slow remediation cycles.
Q: How do security teams know whether carrier monitoring is actually working?
A: Carrier monitoring is working when it can identify unexpected access to management planes, configuration drift, unusual privileged sessions, and trust relationships that persist without business justification.
Practitioner guidance
- Map long-lived privileged access paths Build an inventory of administrative, service, and vendor-held access across carrier and backbone environments, then require named ownership and expiration dates for each path.
- Re-attest access after acquisitions and integrations Treat every acquisition, network integration, and outsourced operation as a mandatory revalidation event for accounts, secrets, and trust relationships.
- Pair remediation with continuous detection Do not rely on vulnerability closure alone.
What's in the full article
SecurityScorecard's full webinar covers the operational detail this post intentionally leaves for the source:
- Panel discussion on how telecommunications technical debt creates long-dwell intrusion conditions
- Threat-intelligence context from SecurityScorecard’s STRIKE team on the Salt Typhoon and LapDogs campaigns
- Practical guidance on using CISA, FBI, and JCDC feeds in sector response workflows
- Discussion of public-private coordination and information-sharing constraints after CISA 2015 expired
👉 Read SecurityScorecard’s full webinar on Salt Typhoon and telecom persistence →
Telecommunications technical debt: are your controls keeping up?
Explore further
Persistent carrier access is now an identity governance problem, not only a network defense problem. The article makes clear that adversaries win by staying embedded, which means the real failure mode is durable access without durable accountability. When privileged paths, service credentials, and inherited trust relationships are not continuously revalidated, the environment becomes governable only after the attacker has already settled in. Practitioners should treat telecom persistence as a lifecycle control failure.
A question worth separating out:
Q: Who is accountable when persistent access remains in a carrier environment after changes?
A: Accountability should sit with the teams that own the access lifecycle, the environment owner, and the risk function that approves exceptions. If acquisitions, integrations, or vendor relationships leave old credentials and trusts in place, those transitions need explicit review and sign-off. Frameworks such as NIST SP 800-53 and NIST Zero Trust Architecture both expect access to be governed continuously, not assumed safe by default.
👉 Read our full editorial: Telecom persistence and technical debt are widening nation-state risk