Every major disclosure about Salt Typhoon’s campaign against U.S. telecommunications has circled back to one detail: the operation didn’t just observe traffic crossing carrier networks, it reached the CALEA-mandated systems carriers use for court-authorized intercept requests. Public reporting has described persistent access to that infrastructure — sometimes for months — using credentials that looked entirely legitimate.
That’s the headline. But underneath it sits a more useful question for anyone who runs or defends a voice network: you don’t need to compromise an intercept system to intercept a call. You just need the network to believe you’re someone you’re not. SIP, the signaling protocol behind most voice infrastructure, was built on trust between endpoints — and trust can be talked into routing a call somewhere it was never meant to go.
This series has tracked Salt Typhoon’s tactics through SSH behavioral detection, web management interface exploitation, and the authentication infrastructure carriers depend on — all visible through passive network metadata, no decryption, no device agents, no log access required. Here, the campaign moves one layer up — onto the call itself.
Mapping the Dial Plan - Before Anyone Dials
Long before anything gets hijacked, it usually gets mapped. SIP networks are reconnaissance-friendly almost by design — a server will reveal, just by how it responds, whether an extension exists, no credentials required. Attackers exploit that with automated tools that sweep extension ranges or flood a server with capability queries, quietly cataloguing what’s reachable and worth attacking next.
To a single device, one of these probes looks like an unremarkable request. Only across a wider vantage point — watching one source cycle through targets far faster than any person would — does the reconnaissance become obvious. That’s a pattern NetworkLens watches continuously across signaling traffic at carrier scale: low-and-slow behavior that’s effectively invisible to anything watching one PBX or trunk in isolation.
When Reconnaissance Turns Into a Borrowed Identity
Once an attacker knows what exists, the next move is access — on a voice network, that means convincing the system you’re a device or identity it already trusts. Salt Typhoon’s broader pattern has favored something quieter than brute force: valid, stolen logins that don’t trip alarms because, technically, they aren’t wrong.
The tell isn’t the login. It’s what happens around it: a voice identity that has registered from one place for months suddenly shows up somewhere it’s never been, on a path response traffic has never travelled before. None of that requires breaking anything — it just requires the network’s idea of “normal” to shift quietly, in a way nobody’s watching for. That’s the kind of shift that’s easy to miss and expensive to ignore.
The Call That Goes Somewhere Else
This is where the lawful-intercept story and the signaling-layer story meet. Once an attacker can register as someone else, or insert themselves into the path a call’s setup information is meant to travel, they don’t need to breach an intercept system to get a comparable result — they can simply get the network to deliver the call, or the part of it that matters, to them instead. On infrastructure that doesn’t strongly verify identity between signaling endpoints, that redirection can happen without ever touching a stored credential.
It’s a quiet technique by design: register, intercept, deregister, leave almost nothing behind. But “almost nothing” isn’t “nothing.” A call’s signaling exchange leaves a trail of where it was routed and what its setup pointed to — and when that trail diverges from a voice identity’s own history, NetworkLens flags it before the call fully connects. No decrypted audio. No access to anyone’s intercept infrastructure. Just the signaling plane, watched continuously, at wire speed.
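As an added illustration (not NetworkLens code, which the post does not show), the two behavioral signals described above, an extension sweep and a known identity registering from a source and contact it has never used, expressed as checks over constructed SIP signaling metadata; the record layout, the sample values and the thresholds are assumptions:

```python
from collections import defaultdict

# Constructed sample of SIP signaling metadata as a passive sensor might emit
# it: one record per request, no media, no payload. Fields: timestamp (s),
# source IP, method, From user, To user, Contact host (REGISTER only).
EVENTS = [
    # 30 days of routine registrations for "alice" from her usual address.
    *[(86400 * d, "10.0.5.21", "REGISTER", "alice", "alice", "10.0.5.21")
      for d in range(30)],
    # An extension sweep: one source probing 40 targets within 40 seconds.
    *[(86400 * 30 + i, "203.0.113.9", "OPTIONS", "scan", f"ext{1000 + i}", None)
      for i in range(40)],
    # "alice" registers from an address and contact absent from her history.
    (86400 * 30 + 120, "203.0.113.9", "REGISTER", "alice", "alice", "203.0.113.9"),
]


def detect_enumeration(events, window=60, min_targets=20):
    """Return (source, distinct_targets) for sources that address at least
    min_targets distinct To-users inside any window of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, _method, _frm, to, _contact in events:
        by_src[src].append((ts, to))
    alerts = []
    for src, reqs in by_src.items():
        reqs.sort()
        for i, (ts, _) in enumerate(reqs):
            targets = {to for t, to in reqs[i:] if t - ts <= window}
            if len(targets) >= min_targets:
                alerts.append((src, len(targets)))
                break  # one alert per source is enough
    return alerts


def detect_registration_anomalies(events, baseline_days=7):
    """Return (identity, source, contact) for a REGISTER whose source/contact
    pair the identity has never used, once it has baseline_days of history."""
    history = defaultdict(lambda: {"first": None, "seen": set()})
    alerts = []
    for ts, src, method, frm, _to, contact in sorted(events, key=lambda e: e[0]):
        if method != "REGISTER":
            continue
        h = history[frm]
        if h["first"] is None:
            h["first"] = ts
        mature = ts - h["first"] >= baseline_days * 86400
        if mature and (src, contact) not in h["seen"]:
            alerts.append((frm, src, contact))
        h["seen"].add((src, contact))
    return alerts
```

Neither check needs the identity's credentials to be wrong; both fire purely because the request diverges from that identity's own history.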
On a SIP network, the most dangerous caller doesn’t sound like an attacker. It sounds like a dial tone.
A Different Motive, the Same Blind Spot
Not every actor working this signaling plane is after intelligence. International toll fraud runs on almost the same weakness: an identity with no business calling somewhere suddenly calling there, fast and at volume. The damage compounds in hours, not weeks — industry estimates put global toll fraud losses in the billions annually, and one compromised trunk can generate real exposure overnight.
Different attacker, different motive, same vantage point. Carrier-wide signaling visibility doesn’t just catch a patient nation-state actor moving carefully through one network; it also catches a financially motivated one moving fast across many, because both leave the same trail: an identity behaving in a way its own history says it shouldn’t.
What NetworkLens Sees on the Signaling Plane
None of this requires decrypting media, deploying agents on PBX infrastructure, or pulling logs off devices an attacker may already control. NetworkLens’s streaming network sensors capture signaling metadata directly off the wire — identity behavior, registration patterns, and call-path integrity for every session setup — correlated against the same flow and TLS visibility used throughout this series and fed into AI-driven threat hunting workflows.
That breadth is the differentiator that matters at telecom scale. A single enterprise PBX only ever sees its own traffic. A carrier sees the whole signaling plane — every trunk, every peering point, every distributed attempt that looks harmless in isolation and obvious in aggregate.
Salt Typhoon’s campaign has made one thing clear: the most consequential compromises aren’t always the loudest. A quietly hijacked voice identity looks, to almost every other system on the network, like an ordinary phone call. NetworkLens was built to see the difference.