
Salt Typhoon is still inside telecom networks: why cybersecurity now starts at Layer 3 field diagnostics

Salt Typhoon APT compromised 9 US operators and remains active. How Layer 3 field diagnostics detect signaling anomalies, IMSI catchers, and rogue base stations. Telecom cybersecurity is now a field measurement discipline.

Takwa Sebai
Founder & CEO, HiCellTek
March 17, 2026 · 8 min read

In December 2024, the FBI confirmed that Salt Typhoon, a Chinese state-sponsored APT group, had compromised at least nine major US telecommunications operators. In early 2025, Anne Neuberger, Deputy National Security Advisor, acknowledged that the threat actor remained embedded in carrier infrastructure. As of March 2026, no public statement confirms full eradication.

This is not a data breach story. This is a persistent, nation-state intrusion into the signaling fabric of mobile networks. And it changes what "telecom cybersecurity" means for every field engineer, every regulator, and every operator worldwide.

The scope of Salt Typhoon: what we know

Salt Typhoon (also tracked as GhostEmperor and FamousSparrow) targeted lawful intercept systems, SS7/Diameter signaling infrastructure, and core network elements. The objectives were clear: metadata collection, call interception, and long-term persistence inside carrier networks.

Confirmed and reported impacts

| Parameter | Value |
|---|---|
| US operators confirmed compromised | 9 (AT&T, Verizon, T-Mobile, Lumen among named) |
| Duration of access | Estimated 1-2 years before detection |
| Target systems | Lawful intercept, SS7/Diameter, core routers |
| Geographies affected | US confirmed; UK, Australia, Canada suspected |
| FBI remediation status (Q1 2026) | "Ongoing"; no full eradication confirmed |

The attack vector exploited vulnerabilities in edge routers (Cisco IOS XE CVE-2023-20198 among others), then moved laterally into signaling infrastructure. Once inside the SS7/Diameter plane, the attacker could intercept calls, track subscribers, and manipulate routing, all without touching the radio access network directly.

Why traditional SOCs miss telecom-specific threats

Enterprise SOCs monitor IP traffic, endpoints, and cloud workloads. Telecom signaling operates on a different plane entirely. SS7 messages, Diameter AVPs, GTP tunnels, and SIP/IMS flows follow protocols that most SIEM platforms do not parse natively.

Salt Typhoon exploited this blind spot. The group operated within legitimate signaling paths, making detection through IP-layer monitoring alone nearly impossible.

The three telecom attack surfaces SOCs typically miss

  1. Signaling plane (SS7/Diameter/GTP): Location tracking, call interception, SMS interception via MAP/CAP manipulation
  2. RAN-level anomalies: Rogue base stations (IMSI catchers), abnormal handover patterns, unauthorized cell broadcasts
  3. OTA provisioning channel: Remote SIM updates, eUICC profile manipulation, Java Card applet injection

Each of these attack surfaces has observable indicators, but only if you measure at the right protocol layer, in the field.

The telecom cybersecurity market is responding

The scale of the threat is reflected in market dynamics. According to Mordor Intelligence, the global telecom cybersecurity market is projected to reach $56.77 billion by 2029, growing at a CAGR of 12.2%. This growth is driven not by abstract risk assessments but by incidents like Salt Typhoon that demonstrate real-world compromise of carrier infrastructure.

European regulators are accelerating response. ENISA's 2025 threat landscape report elevated "telecom signaling manipulation" to a top-5 risk category for the first time. France's ANSSI issued sector-specific guidance for MNOs in Q4 2025, explicitly referencing state-sponsored threats to signaling infrastructure.

IMSI catchers and rogue base stations: the field dimension

While Salt Typhoon operated at the core network level, the same class of threat exists at the radio access layer. IMSI catchers (also known as Stingrays or cell-site simulators) exploit the fact that mobile devices will connect to the strongest signal on a given frequency, with limited authentication in 2G/3G and incomplete verification even in 4G/5G NSA configurations.

How an IMSI catcher works at Layer 3

An IMSI catcher broadcasts as a legitimate cell, typically on 2G (where mutual authentication does not exist) or on 4G with a downgrade attack:

  1. Cell selection: The rogue base station transmits a stronger signal than legitimate cells, attracting UE connections
  2. Identity capture: The device sends its IMSI/IMEI in the Attach Request or Identity Response
  3. Downgrade attack: For 4G, the rogue eNB may reject the connection and force fallback to 2G, where encryption can be disabled (A5/0) or reduced to the weak A5/1 cipher
  4. Interception: Once on 2G with no encryption, voice and SMS traffic is readable in cleartext

What Layer 3 field diagnostics reveal

A field diagnostic tool capturing Layer 3 signaling (RRC, NAS, EMM/ESM) in real time will observe the following anomalies when an IMSI catcher is operating nearby:

| Observable | Normal behavior | Anomaly indicating rogue cell |
|---|---|---|
| MCC/MNC consistency | Matches registered PLMN | MCC/MNC mismatch or spoofed |
| PCI/EARFCN stability | Consistent with known cell plan | Unknown PCI on unexpected frequency |
| TAC (Tracking Area Code) | Consistent within geographic area | TAC change without physical movement |
| RRC Reject / Redirect | Rare during normal operation | Repeated rejects forcing RAT change |
| NAS Reject cause codes | Cause #3, #6 for legitimate reasons | Unusual cause codes (#7, #8) triggering 2G fallback |
| Cipher mode | EEA1/EEA2 on 4G | EEA0 (null cipher) or forced 2G A5/0 |
| Cell reselection frequency | Low in stationary conditions | Rapid cell changes without mobility |

A single anomaly is not conclusive. But the correlation of multiple indicators (unexpected PCI, forced RAT downgrade, null cipher activation, and TAC instability) constitutes strong evidence of a rogue base station.

43% of French consumers affected by spoofing

The rogue base station problem is not theoretical. In France, ARCEP and the Banque de France reported that 43% of French consumers have been targeted by phone number spoofing, a technique that often relies on SS7 manipulation or, in localized attacks, on IMSI catcher infrastructure.

The French government's response, the STIR/SHAKEN-inspired MAN (Mechanism for Authentication of Numbers) framework, addresses spoofing at the network core. But it does nothing to detect a physical IMSI catcher operating in a specific location. That detection requires field measurement.

Field audit methodology for telecom cybersecurity

The convergence of cybersecurity and field testing creates a new methodology that goes beyond traditional RF optimization. Here is a structured approach for field-based telecom security auditing.

Phase 1: Baseline establishment

Before detecting anomalies, you need a reference. This requires:

  • RF environment mapping: Record all visible cells (PCI, EARFCN, RSRP, RSRQ) across all RATs (2G/3G/4G/5G) at the audit location using a professional drive test tool
  • Layer 3 signaling baseline: Capture normal RRC/NAS message sequences during attach, handover, and idle mode reselection with an L3 protocol decoder
  • Timing advance / propagation delay: Record TA values for each serving cell to establish expected ranges
  • Cell identity cross-reference: Validate observed PCIs against the operator’s published or known cell plan

This baseline should be captured over multiple time periods (morning, afternoon, night) to account for normal network load variation.

Phase 2: Anomaly detection

With a baseline established, continuous or periodic monitoring can flag:

  • New PCIs: Any cell identity not present in the baseline, especially on frequencies not typically used by the serving operator
  • Signaling anomalies: Unexpected NAS reject messages, authentication failures, cipher mode changes
  • RF power anomalies: Unusually strong signals from a single cell (IMSI catchers typically transmit at higher power than macro cells at close range)
  • Protocol-level irregularities: Missing or malformed System Information Blocks (SIBs), incorrect PLMN lists, abnormal paging cycles

Phase 3: Correlation and confirmation

Anomaly detection generates alerts. Confirmation requires correlation:

  • Temporal correlation: Do anomalies appear and disappear together? (Indicates a single source)
  • Spatial correlation: Do anomalies track to a specific physical location? (Walk test with GPS logging)
  • Cross-device correlation: Do multiple test devices observe the same anomalies? (Rules out UE-specific issues)
  • Layer correlation: Do RF anomalies (power, frequency) correlate with signaling anomalies (reject, redirect)? (Strongest indicator)

This three-phase methodology transforms a smartphone-based diagnostic tool into a field-deployable cybersecurity sensor. No rack-mounted equipment. No TSCM van. A Qualcomm-chipset Android device running Layer 3 capture, RF monitoring, and GPS-tagged logging.
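The observables table in the IMSI catcher section and the three-phase methodology above describe a scoring process that can be made concrete. The following Python script is an added example, not HiCellTek code and not part of the original post: it holds a constructed Phase 1 baseline (known cell identities, their TAC, and the strongest legitimate RSRP seen at the site), derives per-sample indicators from constructed Layer 3 capture records in the style of the table (unknown PCI, TAC instability, RRC redirect, suspicious NAS reject cause, null cipher, 4G-to-2G RAT change, abnormal power), and then applies the Phase 3 rule that a rogue cell is only suspected when several distinct indicators fall inside one time window and at least one RF indicator coincides with at least one signaling indicator. Every PLMN, EARFCN, PCI, TAC, cipher and power value is hypothetical, and the record layout is an assumption rather than any real tool's export format.

```python
"""Rogue-cell indicator correlation over Layer 3 capture records (added example).

All data is constructed: the baseline, the capture records and every identifier
(PLMN, EARFCN, PCI, TAC, cipher) are hypothetical values, not field measurements.
"""
from dataclasses import dataclass
from typing import Optional

HOME_PLMN = "208-01"                       # hypothetical home MCC-MNC
# Phase 1 baseline: (EARFCN/ARFCN, PCI) -> TAC observed at the audit site.
BASELINE_CELLS = {(1300, 42): 0x1A2B, (1300, 117): 0x1A2B, (6300, 42): 0x1A2B}
BASELINE_TACS = set(BASELINE_CELLS.values())
BASELINE_MAX_RSRP = -75                    # dBm, strongest legitimate cell in baseline
POWER_MARGIN_DB = 10                       # tolerance above the baseline maximum
NULL_CIPHERS = {"EEA0", "A5/0"}
SUSPICIOUS_NAS_CAUSES = {7, 8}             # EMM causes the post lists as forcing 2G fallback

RF_INDICATORS = {"unknown_cell", "power_anomaly", "tac_instability"}
SIGNALING_INDICATORS = {"plmn_mismatch", "rrc_redirect", "suspicious_nas_reject",
                        "null_cipher", "rat_downgrade"}


@dataclass
class L3Sample:
    """One decoded serving-cell observation (assumed layout, not a tool export)."""
    t: int                     # seconds since capture start
    rat: str                   # "LTE" or "GSM"
    earfcn: int                # EARFCN (LTE) or ARFCN (GSM)
    pci: int                   # PCI (LTE) or cell identity stand-in (GSM)
    plmn: str                  # MCC-MNC broadcast by the cell
    tac: int                   # TAC (LTE) or LAC (GSM)
    rsrp: int                  # dBm; RxLev is mapped into this field for GSM
    cipher: str                # EEA1/EEA2/EEA0 on LTE, A5/1/A5/3/A5/0 on GSM
    nas_reject_cause: Optional[int] = None
    rrc_redirect: bool = False


def sample_indicators(s: L3Sample, prev: Optional[L3Sample]) -> set:
    """Phase 2: compare one sample against the baseline, return indicator names."""
    found = set()
    if (s.earfcn, s.pci) not in BASELINE_CELLS:
        found.add("unknown_cell")
    if s.plmn != HOME_PLMN:
        found.add("plmn_mismatch")
    if s.tac not in BASELINE_TACS:
        found.add("tac_instability")
    if s.rsrp > BASELINE_MAX_RSRP + POWER_MARGIN_DB:
        found.add("power_anomaly")
    if s.rrc_redirect:
        found.add("rrc_redirect")
    if s.nas_reject_cause in SUSPICIOUS_NAS_CAUSES:
        found.add("suspicious_nas_reject")
    if s.cipher in NULL_CIPHERS:
        found.add("null_cipher")
    if prev is not None and prev.rat == "LTE" and s.rat == "GSM":
        found.add("rat_downgrade")         # 4G -> 2G while the device is stationary
    return found


def assess(samples, window_s: int = 60, min_indicators: int = 3) -> dict:
    """Phase 3: temporal correlation (indicators inside one window) plus layer
    correlation (an RF indicator together with a signaling indicator)."""
    ordered = sorted(samples, key=lambda s: s.t)
    scored, prev = [], None
    for s in ordered:
        scored.append((s.t, sample_indicators(s, prev)))
        prev = s
    best_start, best = None, set()
    for i, (t0, _) in enumerate(scored):           # pick the densest window
        in_window = set()
        for t, ind in scored[i:]:
            if t - t0 > window_s:
                break
            in_window |= ind
        if len(in_window) > len(best):
            best_start, best = t0, in_window
    first_anomaly = next((t for t, ind in scored if ind and best_start is not None
                          and best_start <= t <= best_start + window_s), None)
    suspected = (len(best) >= min_indicators
                 and bool(best & RF_INDICATORS) and bool(best & SIGNALING_INDICATORS))
    return {"rogue_cell_suspected": suspected, "first_anomaly_t": first_anomaly,
            "indicators": sorted(best)}


# Constructed capture: a normal attach, then an unknown high-power cell that
# redirects, rejects with cause #7 and lands the device on 2G with A5/0.
CAPTURE_SUSPECT = [
    L3Sample(0, "LTE", 1300, 42, "208-01", 0x1A2B, -90, "EEA2"),
    L3Sample(30, "LTE", 1300, 42, "208-01", 0x1A2B, -88, "EEA2"),
    L3Sample(60, "LTE", 1300, 301, "208-01", 0x0FFF, -55, "EEA2", rrc_redirect=True),
    L3Sample(65, "LTE", 1300, 301, "208-01", 0x0FFF, -54, "EEA2", nas_reject_cause=7),
    L3Sample(70, "GSM", 20, 5, "208-01", 0x0FFF, -50, "A5/0"),
]
# Constructed capture: one PCI missing from the baseline, normal power, no
# signaling anomaly. A single indicator must not raise the verdict.
CAPTURE_BENIGN = [
    L3Sample(0, "LTE", 1300, 42, "208-01", 0x1A2B, -90, "EEA2"),
    L3Sample(30, "LTE", 6300, 77, "208-01", 0x1A2B, -95, "EEA2"),
    L3Sample(60, "LTE", 1300, 117, "208-01", 0x1A2B, -92, "EEA2"),
]

if __name__ == "__main__":
    print(assess(CAPTURE_SUSPECT))
    print(assess(CAPTURE_BENIGN))
```

The benign capture is the point of the "single anomaly is not conclusive" caveat: a new PCI on its own yields one RF indicator and no signaling indicator, so the verdict stays negative even though an alert would be raised in Phase 2. The window length, the minimum indicator count and the power margin are tuning parameters that should be set from the site's own Phase 1 baseline rather than from the constructed values here.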

From passive monitoring to active defense

The field audit methodology described above is defensive: it detects threats after deployment. But the same toolset enables a proactive security posture:

Pre-event security sweeps: Before high-profile events (summits, elections, corporate board meetings), a field team can sweep the venue for rogue base stations using the baseline/anomaly/correlation methodology.

Regulatory compliance verification: Operators can verify that their own network does not exhibit behaviors that resemble attack patterns (misconfigured cells, incorrect SIB broadcasts, unintended 2G fallback paths).

Post-incident forensics: After a suspected interception or spoofing incident, Layer 3 logs with GPS and timestamps provide the evidence chain that IT security teams and law enforcement require.

The Salt Typhoon lesson for field engineers

Salt Typhoon demonstrated that telecom infrastructure is a primary target for state-sponsored threat actors. The $56.77 billion market projection reflects the industry's recognition that traditional perimeter security is insufficient.

For field engineers, the implication is direct: the same Layer 3 decoding, RF monitoring, and signaling analysis tools used for network optimization are now cybersecurity tools. The skill set overlaps almost completely. The difference is the question being asked: not "is this cell performing well?" but "should this cell be here at all?"

What operators should verify now

  1. Audit 2G fallback paths: Identify all scenarios where a subscriber can be forced from 4G/5G to 2G, and assess whether each path is necessary
  2. Monitor null cipher usage: Any session using EEA0 (4G) or A5/0 (2G) should generate an alert
  3. Validate cell plans against field measurements: Conduct periodic field surveys to confirm that observed cells match planned infrastructure
  4. Instrument signaling for anomaly detection: Deploy or enable signaling monitoring that can detect abnormal NAS/RRC patterns at scale
  5. Cross-reference with threat intelligence: Correlate field observations with known IMSI catcher signatures and APT TTPs

The numbers that matter

| Metric | Value | Source |
|---|---|---|
| US operators compromised by Salt Typhoon | 9 | FBI / White House (Dec 2024) |
| Telecom cybersecurity market (2029) | $56.77B | Mordor Intelligence |
| Market CAGR | 12.2% | Mordor Intelligence |
| French consumers targeted by spoofing | 43% | ARCEP / Banque de France |
| Salt Typhoon persistence duration | 1-2 years | NSA / CISA estimates |
| 2G networks with no mutual authentication | 100% | 3GPP (by design) |

The convergence is complete. Network performance and network security are measured with the same instruments, at the same protocol layers, by the same engineers. The only variable is intent.

Telecom cybersecurity is no longer a SOC-only discipline. When a nation-state actor can persist inside carrier signaling infrastructure for years undetected, the field engineer with a Layer 3 decoder becomes the last line of verification, the one person who can confirm whether the cell a subscriber is connected to is real, authorized, and secure.

Founder of HiCellTek. 15+ years in telecom, operator side, vendor side, field side. Building the field tool RF engineers deserve.