
The Keys to the Kingdom: How Salt Typhoon Targeted Authentication Infrastructure

In February 2025, Cisco Talos published the most detailed technical account yet of how Salt Typhoon operated inside major U.S. telecommunications networks — some for over three years without detection. The findings were striking not for their complexity, but for their discipline.

The group’s primary method of access across AT&T, Verizon, Lumen Technologies, T-Mobile, and others wasn’t a novel zero-day exploit or sophisticated malware payload. It was valid credentials. Salt Typhoon logged in. And once inside, they focused immediately on making sure they could stay logged in — by going after the systems that control authentication itself.

According to Cisco Talos, the attackers were observed capturing live SNMP, TACACS+, and RADIUS traffic flowing across compromised devices, including the secret keys exchanged between network devices and authentication servers. They also exfiltrated device configurations via TFTP and FTP — configurations that frequently contained SNMP community strings and locally stored passwords using cryptographically weak encryption, trivially reversible offline.
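The configurations described above are worth auditing before an attacker reads them. The following is an added example (not Cisco's or NetworkLens's code) that scans an IOS-style configuration for the weak secret storage the Talos report describes: reversible type 7 passwords and AAA keys, plaintext RADIUS/TACACS+ keys, and SNMPv2c community strings. The sample configuration and the hex values in it are constructed.

```python
import re

# Constructed IOS-style configuration modelled on the weaknesses the report describes.
# The type 7 hex strings are placeholders, not real obfuscated passwords.
SAMPLE_CONFIG = """\
hostname core-rtr-01
username admin password 7 EXAMPLE7HEX01
username ops secret 9 $9$placeholder-scrypt-hash
enable password 7 EXAMPLE7HEX02
snmp-server community public RO
snmp-server community n3tm0n RW
tacacs-server host 10.0.0.5 key 7 EXAMPLE7HEX03
radius-server host 10.0.0.6 key cleartext-shared-secret
line vty 0 4
 password 7 EXAMPLE7HEX04
"""

# Ordered from most to least specific; the first matching rule reports the line.
# Type 7 is the reversible IOS obfuscation; type 5/8/9 are real hashes and are not flagged.
RULES = [
    (re.compile(r"^\s*(?:username \S+ |enable )?password 7 \S+"), "reversible type 7 password"),
    (re.compile(r"^\s*(tacacs-server|radius-server) host \S+ key 7 \S+"), "reversible type 7 AAA key"),
    (re.compile(r"^\s*(tacacs-server|radius-server) host \S+ key (?!7 )\S+"), "plaintext AAA key"),
    (re.compile(r"^\s*snmp-server community (public|private)(\s|$)"), "default SNMP community string"),
    (re.compile(r"^\s*snmp-server community \S+ RW"), "read/write SNMP community string"),
    (re.compile(r"^\s*snmp-server community \S+"), "SNMPv2c community string in config"),
]

def audit_config(text):
    """Return (line_number, finding) for every line that stores a secret weakly."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, finding in RULES:
            if pattern.search(line):
                findings.append((lineno, finding))
                break  # one finding per line, most specific rule wins
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```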

The intent, as Cisco Talos noted, was straightforward: “to enumerate additional credential details for follow-on use.” With authentication infrastructure compromised, lateral movement became a matter of using credentials that looked completely legitimate — hopping from device to device, and in at least one confirmed instance, pivoting from one carrier’s infrastructure directly into another’s.

The Scale of the Breach

By December 2024, U.S. government investigators confirmed at least eight major telecom providers had been compromised, with the campaign affecting carriers across dozens of countries. In some cases, Salt Typhoon maintained persistent access for more than three years — undetected.

What made the campaign especially difficult to detect was a deliberate strategy of blending in. Salt Typhoon favored living-off-the-land techniques — using built-in network utilities rather than novel malware — and routed their activity through already-compromised infrastructure to avoid triggering geographic or behavioral anomaly alerts. The network traffic looked like legitimate management activity, because in many respects it was: valid credentials, familiar protocols, trusted source addresses.

The logs on compromised devices couldn’t tell the full story. The network could.

What NetworkLens™ Sees That Logs Don't

Authentication infrastructure has characteristic traffic patterns in a healthy network: consistent timing rhythms tied to device authentication cycles, predictable source-destination pairs reflecting established management topologies, and volumes that correlate with shift changes and provisioning activity.

When those patterns deviate — unexpected source addresses initiating authentication sessions, unusual transaction volumes at non-standard hours, or management traffic originating from unfamiliar locations — NetworkLens captures those signals at carrier scale through its Flow and TLS datasets. The behavioral baseline is the detection surface.

The TLS dataset adds particular depth. Modern deployments increasingly wrap authentication channels in encrypted transport, but the handshake metadata is visible. NetworkLens captures certificate attributes, cipher suite negotiation, server name indicators, and cryptographic fingerprints — including JA4 and JA4S — for every TLS session. When adversaries establish unauthorized connections to authentication servers, those sessions frequently present characteristics that deviate from the established profile of legitimate management traffic.
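The baseline-deviation logic the two paragraphs above describe, as an added example that is not NetworkLens code: a profile of known management sources, source/destination/port pairs, working hours and per-server JA4 fingerprints is learned from a quiet period, then flow and TLS records from an observation window are checked against it. All records, addresses and fingerprint strings are constructed; the hour window and port list are assumptions.

```python
from collections import defaultdict
from datetime import datetime

AUTH_PORTS = {49: "TACACS+", 161: "SNMP", 1812: "RADIUS", 1813: "RADIUS-acct"}

# Constructed flow records (timestamp, src, dst, dport) from a quiet baseline week,
# then an observation window. Addresses are RFC 5737 documentation ranges.
BASELINE_FLOWS = [
    ("2025-01-06T09:00:00", "192.0.2.10", "198.51.100.5", 1812),
    ("2025-01-06T09:05:00", "192.0.2.11", "198.51.100.5", 1812),
    ("2025-01-06T14:00:00", "192.0.2.10", "198.51.100.6", 49),
    ("2025-01-07T10:30:00", "192.0.2.12", "198.51.100.7", 161),
]
OBSERVED_FLOWS = [
    ("2025-01-13T09:10:00", "192.0.2.10", "198.51.100.5", 1812),   # matches baseline
    ("2025-01-13T03:12:00", "203.0.113.9", "198.51.100.5", 1812),  # new source, off hours
    ("2025-01-13T11:00:00", "192.0.2.12", "198.51.100.6", 49),     # known host, new pair
]
# Constructed TLS metadata (server, JA4 client fingerprint); JA4 values are placeholders.
BASELINE_TLS = [("198.51.100.5", "ja4-placeholder-a")]
OBSERVED_TLS = [("198.51.100.5", "ja4-placeholder-a"), ("198.51.100.5", "ja4-placeholder-b")]

def build_baseline(flows, tls, work_hours=(7, 19)):
    """Profile legitimate management traffic: known sources, known (src, dst, port)
    pairs, the hours considered normal, and the JA4 fingerprints seen per server."""
    ja4_by_server = defaultdict(set)
    for server, ja4 in tls:
        ja4_by_server[server].add(ja4)
    return {"sources": {s for _, s, _, _ in flows},
            "pairs": {(s, d, p) for _, s, d, p in flows},
            "ja4": ja4_by_server, "hours": work_hours}

def detect(baseline, flows, tls):
    """Return (signal, protocol, subject, server) for every deviation from the baseline."""
    alerts = []
    lo, hi = baseline["hours"]
    for ts, src, dst, port in flows:
        if port not in AUTH_PORTS:
            continue                              # only authentication/management protocols
        proto = AUTH_PORTS[port]
        if src not in baseline["sources"]:
            alerts.append(("new-source", proto, src, dst))
        elif (src, dst, port) not in baseline["pairs"]:
            alerts.append(("new-pair", proto, src, dst))
        if not lo <= datetime.fromisoformat(ts).hour < hi:
            alerts.append(("off-hours", proto, src, dst))
    for server, ja4 in tls:
        if server in baseline["ja4"] and ja4 not in baseline["ja4"][server]:
            alerts.append(("ja4-mismatch", "TLS", ja4, server))
    return alerts
```

A single deviation is a weak signal on its own; the value is in the same source tripping several rules, as the constructed off-hours RADIUS session from an unknown address does here.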

The Out-of-Band Advantage

Salt Typhoon modified TACACS+ server configurations and SNMP community strings on compromised devices — changes that could suppress or alter local logging. NetworkLens operates passively from the network itself. An attacker who controls a device cannot manipulate the metadata of the traffic flowing to it.

SNMP: The Overlooked Attack Surface

Cisco Talos confirmed that Salt Typhoon specifically captured SNMP traffic — including Read/Write community strings — as a credential harvesting mechanism. SNMP is ubiquitous in carrier environments and often receives less scrutiny than more visible management protocols, making it an attractive target.

NetworkLens captures structured metadata from both SNMPv2c and SNMPv3 transactions: operation types, objects being queried, community strings, authentication parameters, and response patterns. Unexpected community strings, SNMP requests targeting sensitive device management objects from unauthorized sources, or unusual query volumes are precisely the signals that NetworkLens surfaces — signals that wouldn’t appear in endpoint logs if the device itself had already been compromised.
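The SNMP metadata named above (version, community string, operation type) sits in the first few BER fields of every SNMPv1/v2c datagram and can be read passively without walking the variable bindings. The following is an added example, not NetworkLens code: a minimal parser for those fields plus a constructed allow-list policy that flags unexpected community strings and SetRequests from hosts outside the management set. The community string, management host and sample datagrams are constructed.

```python
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}
VERSIONS = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
# Constructed policy: one approved read-only community and one approved management host.
ALLOWED_COMMUNITIES = {"m0n1tor-ro"}
MANAGEMENT_HOSTS = {"192.0.2.12"}

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give the length-octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return (version, community, pdu_type) without walking the varbinds.
    SNMPv3 carries USM parameters instead of a community string, so both are None."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE; not SNMP")
    _, ver, pos = read_tlv(body, 0)
    version = VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version == "SNMPv3":
        return version, None, None
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return version, community.decode("ascii", "replace"), PDU_TYPES.get(pdu_tag, hex(pdu_tag))

def check_datagram(src, datagram):
    """Apply the policy to one datagram; returns the parsed header and a list of findings."""
    version, community, pdu_type = parse_snmp_header(datagram)
    findings = []
    if community is not None and community not in ALLOWED_COMMUNITIES:
        findings.append("unexpected community string")
    if pdu_type == "SetRequest" and src not in MANAGEMENT_HOSTS:
        findings.append("SetRequest from unauthorized source")
    return (version, community, pdu_type), findings

def build_v2c(community, pdu_tag):
    """Constructed SNMPv2c datagram: request-id 1, no error, empty varbind list (test input)."""
    pdu = bytes([pdu_tag, 0x0B, 0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x00])
    body = bytes([0x02, 0x01, 0x01, 0x04, len(community)]) + community.encode() + pdu
    return bytes([0x30, len(body)]) + body
```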

Salt Typhoon: Keys to the Kingdom — Attack Chain

Phase 1 · Initial Access
  Stolen credentials: primary entry method across all carriers; exact acquisition method unknown. Attackers simply logged in with valid credentials.
  or CVE-2018-0171 exploit: one confirmed instance. Cisco Smart Install remote code execution, a vulnerability patched in 2018 but present on unpatched legacy systems.
  Target: Cisco routing and switching infrastructure. Core carrier-grade devices (routers, switches, Nexus platforms) served as the entry point into the telecom network fabric.

Phase 2 · Credential Harvesting — Authentication Infrastructure
  Primary target: authentication infrastructure.
  RADIUS (network device auth): live authentication traffic captured in flight; secret keys exchanged between devices and RADIUS servers intercepted for offline use.
  TACACS+ (admin command auth): server IP addresses modified on compromised devices; full command-level access logs available to the attacker.
  SNMP (device management): Read/Write community strings stolen from live traffic; strings subsequently modified to lock out legitimate operators.

Phase 3 · Persistence — Configuration Exfiltration
  Device configurations exfiltrated via TFTP and FTP. Configs contained weakly encrypted local passwords (trivially decryptable offline), SNMP community strings, named interfaces, and network topology data: a self-sustaining credential supply chain enabling further reconnaissance and lateral movement.

Phase 4 · Lateral Movement — Cross-Carrier Pivoting
  Telecom A: compromised carrier used as a hop point; outbound exfiltration routed through this device.
  GRE tunnel: trusted infrastructure hop between carriers.
  Telecom B: intended final target. Connections from Telecom A appeared legitimate because they came from trusted peer infrastructure.

Connecting the Dots

Salt Typhoon’s authentication infrastructure targeting didn’t occur in isolation. It preceded and accompanied the SSH activity covered in Part 1 and the management interface exploitation covered in Part 2. The Talos report confirmed the attackers were also creating GRE tunnels, modifying ACLs, and spinning up unauthorized SSH servers on non-standard ports — a composite picture that no single dataset captures alone.

NetworkLens was built to surface exactly this kind of correlated intelligence. When an anomalous RADIUS pattern coincides with a TLS session fingerprint mismatch on a management interface, followed by SSH connections from a new source address at an unusual hour, the composite picture is far more indicative of adversary activity than any signal in isolation — and far more actionable for the AI-driven detection pipelines that modern carrier security teams rely on.

The Salt Typhoon campaign is a case study in why network-level intelligence is not a supplement to log-based monitoring. It is the layer of visibility that remains honest when everything else has been touched.
