Typhoons in the Boardroom: China's Cyber Campaigns as Corporate Risk
BLUF
Chinese intelligence did not enter through the back door. They entered through the door built for the FBI.
That is Salt Typhoon: a confirmed, government-attributed intrusion into at least nine telecommunications providers, including AT&T, Verizon, and Lumen Technologies, active for an assessed one to two years before discovery in late 2024. The carriers did not know. Their boards did not know. You did not know.
Volt Typhoon is the companion operation, with a different purpose. Where Salt Typhoon collects intelligence, Volt Typhoon builds the capability to cause disruption. Chinese military planners have placed dormant access inside water systems, electrical grids, transport networks, and communications infrastructure across Western allied nations. The purpose is not just espionage. It is the ability to disrupt and destabilise at the moment a Taiwan-type operation begins.
Neither operation is an IT department problem. Both are board-level strategic risks with direct implications for M&A due diligence, regulatory exposure, and operational continuity. If your business operates in or near critical infrastructure, defence, technology, or telecoms, this is your risk, not someone else’s.
1. What Salt Typhoon Actually Did
Confidence: CONFIRMED
Salt Typhoon is attributed by the US government and Five Eyes intelligence partners to Chinese state-sponsored actors. The group achieved persistent access to at least nine US telecommunications carriers. Confirmed targets include AT&T, Verizon, and Lumen Technologies. The intrusion is assessed to have persisted for one to two years before discovery, with the breach publicly confirmed by carriers and government agencies in late 2024.
The critical detail is not which carriers were affected. It is what was accessed. Salt Typhoon penetrated lawful intercept infrastructure: the systems US carriers are legally required to maintain under the Communications Assistance for Law Enforcement Act (CALEA) so that law enforcement can execute court-ordered access to calls and data. The operational consequence is direct. Call metadata and, in assessed cases, call content routed through affected carriers during the access window was potentially available to Chinese intelligence. The FBI confirmed that collection focused on individuals of intelligence value, including people connected to US political campaigns and senior government officials. The full scope of collection remains classified. CISA, NSA, and FBI issued a joint advisory in December 2024. FCC guidance on mandatory carrier security improvements followed in 2025.
For individual readers: if you or your colleagues use AT&T, Verizon, or Lumen as your carrier, your call metadata was potentially accessible to Chinese intelligence services for up to two years. Call duration, timing, and contact patterns constitute a targeting and pattern-of-life dataset. That is not a theoretical privacy concern. It is an operational intelligence product.
2. What Volt Typhoon Actually Did
Confidence: CONFIRMED
Volt Typhoon is separately attributed by CISA, NSA, FBI, and all Five Eyes partners in joint advisories published in May 2023 and February 2024. The group is assessed as a Chinese state actor operating under People’s Liberation Army or Ministry of State Security direction.
The operational logic is distinct from Salt Typhoon. Volt Typhoon does not collect intelligence. It pre-positions disruption capability inside US critical infrastructure: water treatment facilities, electrical distribution systems, transportation control networks, and communications. CISA’s assessment states explicitly that this targeting pattern is inconsistent with espionage and consistent with preparation for a Taiwan contingency. The goal is the ability to complicate US military mobilisation and civilian resilience at the moment hostilities begin.
What makes Volt Typhoon difficult to detect is its technique. Living off the land means using legitimate system tools already present in the target environment: Windows PowerShell, Windows Management Instrumentation, and standard network administration utilities. There is no custom malware to detect. Standard antivirus and endpoint detection systems do not flag legitimate processes running legitimate commands. In some assessed cases, Volt Typhoon maintained dormant access for five or more years before discovery.
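Because no malware signature exists, a hunt for living-off-the-land activity has to be built from hypotheses about how legitimate tools are misused and from how often each command normally runs. The following is an added illustration, not code from The Interlock or from any CISA advisory: it runs four assumed hunt hypotheses over constructed Windows process-creation events (hosts, users, commands and the base64 placeholder are all invented), namely encoded PowerShell, a port-forwarding listener added via netsh, administrative tooling launched by the WMI or WinRM host process, and a command never seen before on that host. A real hunt would replace the rule set with CISA's published indicators.

```python
import re
from collections import Counter

# Constructed process-creation events, modelled on the fields of Windows
# Security event 4688 / Sysmon event 1. Hosts, users and commands are invented.
EVENTS = [
    {"host": "WS-017", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\report.ps1"},
    {"host": "WS-017", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\report.ps1"},
    {"host": "WS-017", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\report.ps1"},
    {"host": "SRV-DB01", "user": "svc_backup", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c C:\\Jobs\\backup.bat"},
    {"host": "SRV-DB01", "user": "svc_backup", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c C:\\Jobs\\backup.bat"},
    # PowerShell launched by the WMI provider host (remote WMI execution) with an
    # encoded command; the base64 here is a placeholder, not a real payload.
    {"host": "SRV-DB01", "user": "admin_t", "parent": "wmiprvse.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand QQBhAGEAYQBhAGEAYQBhAA=="},
    # netsh used to add a port-forwarding listener on an OT-adjacent server
    {"host": "SRV-OT02", "user": "admin_t", "parent": "cmd.exe", "image": "netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 connectaddress=10.0.5.20"},
    # Directory tooling started under the WMI provider host on a domain controller
    {"host": "DC01", "user": "admin_t", "parent": "wmiprvse.exe", "image": "ntdsutil.exe",
     "cmdline": "ntdsutil.exe"},
]

# Hunt hypotheses. These are illustrative assumptions for the example; a real
# hunt would load CISA's published indicator sets in their place.
LOLBINS = {"powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe", "reg.exe", "cmd.exe"}
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "wsmprovhost.exe"}   # WMI and WinRM host processes
ENCODED_PS = re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}")


def normalise(cmdline):
    """Collapse case and whitespace so repeated scheduled jobs group together."""
    return " ".join(cmdline.lower().split())


def baseline(events):
    """How often each (host, image, command) triple occurs in the window."""
    return Counter((e["host"], e["image"], normalise(e["cmdline"])) for e in events)


def evaluate(event, counts):
    """Return the hunt hypotheses this event matches (empty list if none)."""
    hits = []
    cmd = event["cmdline"].lower()
    if event["image"] == "powershell.exe" and ENCODED_PS.search(event["cmdline"]):
        hits.append("encoded_powershell")
    if event["image"] == "netsh.exe" and "portproxy" in cmd and " add " in cmd:
        hits.append("portproxy_listener_added")
    if event["parent"] in REMOTE_EXEC_PARENTS and event["image"] in LOLBINS:
        hits.append("admin_tool_via_remote_exec_host")
    key = (event["host"], event["image"], normalise(event["cmdline"]))
    if event["image"] in LOLBINS and counts[key] == 1:
        hits.append("never_seen_before_on_host")
    return hits


def hunt(events):
    """Run every hypothesis over the log; events that match nothing are dropped."""
    counts = baseline(events)
    findings = []
    for e in events:
        hits = evaluate(e, counts)
        if hits:
            findings.append({"host": e["host"], "user": e["user"],
                             "image": e["image"], "rules": hits})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']:10} {f['user']:10} {f['image']:16} {', '.join(f['rules'])}")
```

The three scheduled jobs produce no findings because they match no hypothesis and recur; the three remaining events each trip at least one rule. The frequency rule on its own is a triage queue rather than an alert, which is why the other rules are layered on top of it.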
Former CISA Director Jen Easterly described it publicly as “the defining threat of our generation.” Then-FBI Director Christopher Wray gave equivalent testimony in 2024. That framing reflects a precise operational assessment. This is not crime. It is preparation for war. The activation decision belongs to Beijing, not to a ransomware gang in Eastern Europe.
3. The Board-Level Risk: Four Categories
Confidence: ASSESSED
Most boards encounter cyber risk as an IT governance item: annual penetration test, cyber insurance renewal, audit committee report. Salt Typhoon and Volt Typhoon do not fit that model. They require a different taxonomy.
Strategic intelligence exposure. Communications routed through compromised carriers were potentially accessible regardless of whether your own network was secure. If your business involves M&A transactions, regulatory submissions, legal proceedings, or sensitive personnel decisions, the metadata of those communications may have been collected. Pattern-of-life analysis from call records is sufficient to identify deal processes, counterparties, and timing windows.
M&A liability. Any acquisition target operating in telecoms, critical infrastructure, defence supply chain, or technology may be carrying an undisclosed Typhoon-class compromise. A buyer who completes diligence without specifically testing for this inherits both the intrusion and the regulatory exposure that flows from it.
Regulatory risk. The SEC’s cyber disclosure rules, effective December 2023, require listed companies to disclose material cybersecurity incidents within four business days of determining materiality. The EU NIS2 Directive, effective October 2024, imposes comparable obligations across energy, transport, banking, health, and digital infrastructure operators in Europe. A board that knew, or should have known, of a Typhoon-class intrusion and failed to disclose faces regulatory, litigation, and director-level personal liability exposure.
Wartime disruption risk. If Volt Typhoon’s pre-positioned access is activated in a Taiwan scenario, businesses dependent on US critical infrastructure face potential operational disruption. This is a planning scenario, not a certainty. It belongs on the risk register and inside business continuity planning, alongside other geopolitical contingencies.
4. The M&A Liability
Confidence: ASSESSED
Standard penetration testing does not find Typhoon-class intrusions. Living-off-the-land techniques produce no malware signature for scanners to identify. A clean penetration test result in a Volt Typhoon-affected network does not mean the network is clean. It means the wrong question was asked.
Pre-acquisition cyber diligence for assets in affected sectors requires three specific components.
Threat hunting, not penetration testing. A threat hunt is an active, hypothesis-driven search for indicators of compromise using known Typhoon tactics, techniques, and procedures. CISA has published specific indicator sets for both Salt Typhoon and Volt Typhoon. A qualified team hunting against those indicators will find evidence that standard tools cannot.
Privileged access review. Volt Typhoon uses legitimate administrative credentials to maintain persistence. Reviewing account creation dates, privilege grants, and usage patterns against expected business need identifies anomalies that endpoint detection misses entirely.
Network baseline analysis. Volt Typhoon generates low-volume, low-frequency traffic to command-and-control infrastructure. Establishing a normal traffic baseline and identifying deviations, particularly in legacy or dormant system traffic, surfaces intrusions that blend into operational noise.
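The privileged access review and the network baseline analysis described above both reduce to comparing observed behaviour against an expected one. The example below is added here and is not The Interlock's or any vendor's code: it runs the two checks over constructed inputs (an invented account inventory and an invented 28-day outbound flow record using RFC 5737 documentation addresses). The thresholds (90 dormant days, five interactive hosts, a 21-day baseline, four connections with under 10% timing jitter) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

NOW = datetime(2024, 11, 1)           # constructed "as of" date for the review
WINDOW_START = datetime(2024, 10, 4)  # constructed start of the 28-day traffic window
BASELINE_DAYS = 21                    # first three weeks define "normal"

# Constructed privileged-account inventory; a real review would take a
# directory export and the change-management system as inputs.
ACCOUNTS = [
    {"name": "j.smith_adm", "created": datetime(2021, 5, 3),
     "privileged_since": datetime(2021, 5, 10), "last_logon": datetime(2024, 10, 30),
     "change_ticket": "CHG-0011", "interactive_hosts": 2},
    {"name": "svc_scada_ro", "created": datetime(2019, 2, 1),
     "privileged_since": datetime(2023, 8, 14), "last_logon": datetime(2024, 10, 31),
     "change_ticket": None, "interactive_hosts": 14},
    {"name": "backup_old", "created": datetime(2018, 6, 1),
     "privileged_since": datetime(2018, 6, 1), "last_logon": datetime(2023, 1, 9),
     "change_ticket": "CHG-0002", "interactive_hosts": 0},
]


def review_privileged_accounts(accounts, now=NOW, dormant_days=90, host_limit=5):
    """Map account name -> list of anomalies against expected business need."""
    findings = {}
    for a in accounts:
        issues = []
        if a["change_ticket"] is None:                    # grant has no recorded justification
            issues.append("privilege_grant_without_change_ticket")
        if (now - a["last_logon"]).days > dormant_days:   # unused yet still privileged
            issues.append("dormant_but_still_privileged")
        if a["name"].startswith("svc_") and a["interactive_hosts"] > host_limit:
            issues.append("service_account_interactive_on_many_hosts")
        if issues:
            findings[a["name"]] = issues
    return findings


def flow(src, dst, ts, nbytes):
    return {"src": src, "dst": dst, "ts": ts, "bytes": nbytes}

# Constructed outbound flow records. Addresses are from the RFC 5737
# documentation ranges and stand in for real external hosts.
FLOWS = []
# Normal: a web server pulls from an update mirror at 02:00 every day.
for d in range(28):
    FLOWS.append(flow("WEB01", "203.0.113.10",
                      WINDOW_START + timedelta(days=d, hours=2), 5_000_000 + d * 1000))
# Deviation: a legacy historian with no outbound traffic in the baseline starts
# a tiny, evenly spaced connection every six hours during the review week.
for k in range(12):
    FLOWS.append(flow("HIST-LEGACY", "198.51.100.77",
                      WINDOW_START + timedelta(days=22, hours=6 * k), 412))


def network_baseline_deviations(flows, start=WINDOW_START, baseline_days=BASELINE_DAYS,
                                min_beacons=4, max_jitter=0.1):
    """Flag (src, dst) pairs in the review period that never appeared in the
    baseline, and note whether their timing is regular enough to be a beacon."""
    cutoff = start + timedelta(days=baseline_days)
    baseline = {}   # src -> destinations seen before the cutoff
    review = {}     # (src, dst) -> timestamps on or after the cutoff
    for f in flows:
        if f["ts"] < cutoff:
            baseline.setdefault(f["src"], set()).add(f["dst"])
        else:
            review.setdefault((f["src"], f["dst"]), []).append(f["ts"])
    deviations = []
    for (src, dst), stamps in review.items():
        if dst in baseline.get(src, set()):
            continue    # already part of this host's normal traffic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = (len(stamps) >= min_beacons and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        deviations.append({"src": src, "dst": dst, "connections": len(stamps),
                           "host_had_outbound_in_baseline": src in baseline,
                           "periodic": periodic})
    return deviations


if __name__ == "__main__":
    print(review_privileged_accounts(ACCOUNTS))
    print(network_baseline_deviations(FLOWS))
```

The daily update sync is never reported because its destination is part of the web server's baseline; the historian's new destination is reported precisely because the host had no outbound baseline at all and the connections arrive on a fixed interval, the low-volume, low-frequency pattern the text describes.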
Any M&A advisory process in these sectors that does not include cyber infrastructure provenance as a named diligence workstream is not meeting the standard that regulators and sophisticated counterparties now expect. Representations and warranties should address the possibility of undisclosed state-actor compromise explicitly, not as a catch-all, but as a named risk category with specific attestation requirements.
5. What Governments Are Doing
Confidence: CONFIRMED
The regulatory direction across the UK, EU, and US is converging on three requirements: mandatory disclosure, personal board liability, and supply chain attestation.
Under NIS2, board members of in-scope entities across energy, transport, banking, health, and digital infrastructure face personal liability for non-compliance. The UK’s Cyber Security and Resilience Bill extends mandatory incident reporting to a wider set of operators and supply chain providers. The SEC’s cyber disclosure rules require listed companies to report material incidents within four business days of determining materiality. The Cyber Resilience Act (in force December 2024, compliance phasing through 2027) extends security requirements to connected products across the EU.
Supply chain attestation is the next frontier. Regulators are moving from “secure your own network” to “attest to the security of every supplier in your chain.” Any company whose infrastructure touches telecoms carriers, cloud providers, or operational technology vendors will be in scope. That is most large organisations.
6. What Balances This Position
Confidence: POSSIBLE
Two counter-arguments require acknowledgment.
First, attribution confidence is high but not absolute. Both Typhoon operations are attributed by multiple governments using consistent technical indicators. The public record does not contain full technical disclosure. It is possible, though assessed as unlikely, that attribution overstates the operational coherence of a single Chinese programme versus multiple actors with overlapping methods and access to the same target set.
Second, the scope of actual commercial damage from Salt Typhoon may be narrower than worst-case assessments suggest. Confirmed targeting focused on individuals of specific intelligence value, primarily government and political targets, rather than broad commercial communications. Most corporate communications routed through affected carriers may not have been of sufficient intelligence value to collect and retain at scale.
Neither argument removes the board obligation. The risk is documented, the regulatory framework is live, and the due diligence gap in M&A is structural regardless of how wide the actual collection window was. The question is not whether to act. It is how to sequence action given finite resources and competing priorities.
7. What Boards Should Do Now
Three actions, in priority order.
Commission a threat hunt. Direct your CISO or external security provider to conduct a Typhoon-specific threat hunt using CISA’s published indicators for both Salt Typhoon and Volt Typhoon. This is not a penetration test. It is an active search for evidence of specific, known intrusion techniques. Organisations operating in telecoms, defence supply chain, critical infrastructure, or technology should treat this as the minimum evidential step required before making any board-level disclosure decision under SEC or NIS2 obligations.
Add cyber infrastructure provenance to M&A diligence as a named workstream. In every deal where the target operates in an affected sector, require a threat hunt as part of technical diligence. Capture findings in the diligence report. Adjust representations and warranties to address undisclosed state-actor compromise explicitly. Brief the investment committee on what a clean result means and, critically, on what it does not.
Brief your board on the distinction between ransomware and state pre-positioning. These are different risks. Ransomware is criminal, financially motivated, and typically recoverable with adequate incident response. State pre-positioning is strategic, designed to persist undetected, and activated at a moment chosen by a foreign government, not a criminal network. The risk framework most boards have used for the past decade does not account for an adversary with no financial motive and a five-year time horizon. That briefing should happen before a Taiwan scenario moves from planning assumption to news headline.
The Interlock publishes weekly intelligence assessments for senior professionals and individual subscribers who need to understand geopolitical risk before it reaches their P&L. If this assessment was useful, forward it to one person who should be reading it. Subscribe at theinterlock.org.

