Salt Typhoon: Implications and Strategies to Address Heightened Security Risks
In late 2024, two significant cyberattacks targeting critical U.S. systems came to light. Recent media reports describe a massive penetration of major U.S. telecommunications companies’ networks by a Chinese state-affiliated hacking organization, “Salt Typhoon.” [1] On the heels of the revelation of the Salt Typhoon intrusion came widely reported news of a separate penetration of the Department of Treasury Office of Foreign Assets Control (OFAC) and the attempted penetration of the Office of the Treasury Secretary. [2] [3]
These two significant attacks occurred in the context of persistent geopolitical competition between the U.S. and China and increasing assertiveness by security and regulatory agencies to reduce, mitigate and affirmatively respond to cybersecurity risk, and follow tough trade and industrial policy positions signaled by the incoming Trump administration. The Salt Typhoon attack was also especially sophisticated, targeting access points within telecommunications networks that support legal processes.
The attacks exposed critical vulnerabilities despite existing protocols and have necessitated a thorough reexamination of cybersecurity practices. In response to these attacks there likely will be further amplification of the already intense focus by government regulators on data security controls implemented by telecommunications companies, other critical infrastructure sectors, and third-party service providers that have access to sensitive government or U.S. person information.
Identified Vulnerabilities
Salt Typhoon reportedly exploited backdoors engineered into the targeted telecommunications systems to enable law enforcement to access information pursuant to lawful intercept. After infiltration, the hackers reportedly appear to have exploited trust relationships to laterally access other systems and infrastructure. Attackers were able to burrow deep into associated systems, reconfigure controls and conceal their exploitation. [4]
In the second breach, according to initial reports, an outside vendor notified the government agency that a hacker had obtained credentials used to provide remote technical support to the agency’s personnel. The hacker used that access to remotely access agency workstations. This exploitation reportedly allowed the hacker to review certain unclassified documents. [5]
Policy Context and Impact
The Salt Typhoon attack led U.S. policymakers to demand significant responsive action. The Federal Communications Commission (FCC) announced an intent: (i) to clarify that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) creates legal obligations for telecommunications carriers to secure their networks against unlawful access; and (ii) to create a new compliance framework, pursuant to a new proposed rulemaking, that would require telecommunications companies to submit annual cybersecurity controls certifications and maintain sufficient cybersecurity risk management plans. [6]
It is also expected that regulators will redouble efforts to ensure that third-party service providers, which have access to government information by virtue of the services they provide, achieve and maintain compliance with cybersecurity standards. Various ongoing efforts to increase regulatory oversight and enforcement authority are described below.
Practically, these breaches likely will result in enhanced regulatory focus on cybersecurity protocols and sensitive data security controls, with regulators seeking opportunities for significant enforcement action in the wake of identified noncompliance, both to penalize specific noncompliance and, more broadly, to signal to the market the material consequences of noncompliance and security breaches. There are various regulatory lenses through which this likely enforcement approach may come to the fore, including among others:
- The U.S. Department of Defense’s proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, which is designed to ensure that companies handling Federal Contract Information and Controlled Unclassified Information are compliant with cybersecurity requirements; [7]
- The Department of Justice’s (DOJ) recently issued Notice of Final Rulemaking on “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” which will give DOJ sweeping new enforcement authority over certain third-party access to bulk U.S. person and U.S. government sensitive data; [8]
- The U.S. Department of Commerce’s Bureau of Industry and Security’s (BIS) recent final rule “cementing” procedures that it will follow to investigate foreign adversary threats to information and communications technology and services (ICTS) transactions that may harm U.S. national security; [9] and
- The FCC’s announced intent to exercise, where appropriate, its authority under CALEA.
Practical Steps for Mitigating Cyber and Compliance Risk
Given the evolving cyber risk landscape and in recognition of expected regulatory pressure, telecommunications organizations should consider reviewing their cybersecurity and compliance programs, including:
Implement national security-driven compliance programs: Considering the most recent breaches, telecommunications organizations should implement national security-driven compliance regimes that are satisfactory to regulators and are practical, sustainable and cost-effective for the company. This includes:
- Identifying and mapping sensitive data across logical and physical environments
- Controlling access to sensitive data
- Building information security programs responsive to standards like CMMC or the NIST Cybersecurity Framework
- Implementing U.S. government guidance regarding enhanced visibility and hardening for cyber infrastructure [10]
- Implementing clear and executable controls and processes for incident detection and incident response
- Enhancing continuous monitoring efforts, vulnerability testing and patching, and early threat intelligence capabilities
- Developing the critical trust relationship with regulators and other government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), as well as private sector collaboration, including with industry Information Sharing and Analysis Centers (ISACs)
Review national security compliance obligations: Organizations should regularly review their compliance obligations, including access controls over:
- U.S. person records, principal equipment
- Domestic communications infrastructure
- Source code
- CALEA and lawful intercept requirements
Use encrypted messaging applications: U.S. officials have recommended using encrypted messaging apps to ensure communications stay hidden from foreign hackers. [11] The FBI and CISA continue to render technical assistance, rapidly share information to assist other potential victims, and work to strengthen cyber defenses across the commercial communications sector. Organizations that believe they might be victims of a cyber breach should consider engaging their local FBI field office or CISA.
About A&M’s National Security, Trade and Technology Services:
We help organizations, investors and their counsel navigate an increasingly expansive and dynamic environment around investment, trade and technology on national security and industrial policy grounds. We provide enterprise risk management, risk and compliance assessments, program and controls development, and investigations services related to bulk sensitive data controls and diligence, data center integrity and security, and infrastructure as a service (IaaS) Customer Identification Programs (CIPs).
About A&M’s Global Cyber Risk Services:
Our global team has been developed to assist Fortune 500 and Global 1000 executive leadership teams and boards in understanding their organization’s cyber risk, developing and implementing cyber resilience strategy and incident response readiness programs, and providing effective cyber and forensic response when incidents do arise. Our methods are grounded in guidance from the regulatory and industry frameworks and best practices that govern our clients’ specific business. Our global team of cybersecurity experts, strategically set up in specific locations around the world, provides prioritized findings, observations, recommendations and a roadmap for gap closure. We use expertly developed A&M methodologies, tools and techniques to identify vulnerabilities, and we design and implement programs to improve organizations’ overall cyber resilience.
[1]. “Chinese hackers gained access to huge trove of Americans’ cell records,” Politico, November 6, 2024, https://www.politico.com/news/2024/11/06/chinese-hackers-american-cell-phones-00187873
[2]. “Treasury breached by Chinese hackers in ‘major’ cybersecurity incident,” Politico, December 30, 2024, https://www.politico.com/news/2024/12/30/treasury-breached-chinese-hackers-cybersecurity-00196140
[3]. “Treasury’s sanctions office hacked by Chinese government, officials say,” Washington Post, January 1, 2025, https://www.washingtonpost.com/national-security/2025/01/01/treasury-hack-china/
[4]. “Chinese hackers gained access to huge trove of Americans’ cell records,” https://www.politico.com/news/2024/11/06/chinese-hackers-american-cell-phones-00187873
[5]. “Treasury breached by Chinese hackers in ‘major’ cybersecurity incident,” https://www.politico.com/news/2024/12/30/treasury-breached-chinese-hackers-cybersecurity-00196140
[6]. “Implications of Salt Typhoon Attack and FCC Response,” FCC Office of the Chairwoman, December 5, 2024, https://www.fcc.gov/document/implications-salt-typhoon-attack-and-fcc-response
[7]. “Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements,” Defense Acquisition Regulations System, Department of Defense, August 15, 2024, https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of
[8]. “Justice Department Issues Final Rule Addressing Threat Posed by Foreign Adversaries’ Access to Americans’ Sensitive Personal Data,” DOJ Office of Public Affairs, December 27, 2024, https://www.justice.gov/opa/pr/justice-department-issues-final-rule-addressing-threat-posed-foreign-adversaries-access
[9]. “Final Rule Formalizes Implementation of ICTS Program Authorities to Address Undue and Unacceptable Foreign Adversary Risks to ICTS Transactions in the United States,” BIS Office of Congressional and Public Affairs, December 5, 2024, https://www.bis.gov/press-release/commerce-issues-final-rule-formalize-icts-program
[10]. “Enhanced Visibility and Hardening Guidance for Communications Infrastructure,” Cybersecurity and Infrastructure Security Agency, December 4, 2024, https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure
[11]. “Joint Statement from FBI and CISA on the People's Republic of China (PRC) Targeting of Commercial Telecommunications Infrastructure,” Cybersecurity and Infrastructure Security Agency, November 13, 2024, https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-peoples-republic-china-prc-targeting-commercial-telecommunications