How Salt Typhoon Abused SSH and What Network Metadata Can Do About It

The most dangerous intrusions don’t look like attacks. They look like administrators doing their jobs.

Salt Typhoon, the Chinese state-sponsored threat actor now publicly attributed to a sweeping compromise of U.S. telecommunications infrastructure, didn’t detonate ransomware or crash systems. They logged in — quietly, repeatedly, and often with legitimate credentials — and stayed for months. What they left behind wasn’t noise. It was silence.

Traditional security tools struggled precisely because nothing appeared broken. Firewalls stayed green. Logs showed authorized SSH sessions. Applications ran normally. The intrusion lived entirely within the bounds of what the network considered routine.

That invisibility, an intrusion indistinguishable from routine administration, is the problem NetworkLens was built to solve.

The Anatomy of a Credentialed Intrusion

Salt Typhoon’s playbook, as reconstructed across multiple public investigations and government advisories, followed a consistent pattern. Attackers obtained or stole administrative credentials — sometimes through prior phishing operations, sometimes through purchasing access, sometimes through lateral movement from earlier footholds. Once inside, they used SSH to navigate directly to the most sensitive parts of the network: core routers, MPLS switching infrastructure, and the network management systems that sit above it all.

They didn’t need to exploit vulnerabilities after that first step. SSH gave them native, trusted access to the same command interfaces that legitimate network engineers use every day. They added their own SSH keys for persistence. They moved laterally between devices. They maintained access quietly across long timeframes, all while appearing — to every monitoring system watching for signatures or anomalies in application-layer logs — completely authorized.

Why This Matters For Telecom Operators

SSH access to core routing infrastructure isn’t just a foothold. It’s a vantage point into the entire network — routing tables, peering relationships, traffic flows, and customer data. For a carrier-grade network, unauthorized SSH persistence at this layer represents a category of risk that goes well beyond a single compromised host.

What Network Metadata Actually Sees

Here’s where the detection picture changes fundamentally. SSH sessions, by design, encrypt everything after the initial handshake. You cannot read the commands. You cannot inspect what was transferred. What you can observe — in real time, at scale, without decryption — is the behavioral signature of the connection itself. And that signature is far more revealing than most security teams realize.

Client Identity

The exact SSH client and server version strings are exchanged in plaintext before the encrypted channel opens. Legitimate network management tools have consistent, predictable version strings. Attackers using custom tooling, offensive frameworks, or modified clients leave a distinct fingerprint, one that doesn't match what your authorized teams actually use. The caveat: a version string is client-controlled and trivial to set to whatever a common client sends, so it is a weak signal on its own and is best read alongside the negotiation parameters below.

Cryptographic Choices

Every SSH session negotiates its encryption, MAC, and key exchange algorithms in the open. The specific algorithm lists each side offers, the order of preference within them, and the fact that the client-to-server and server-to-client directions are negotiated separately together form a behavioral signature. Purpose-built attack tools often negotiate differently than commercial SSH clients. That difference is detectable.

HASSH Fingerprinting

NetworkLens generates HASSH and HASSH-Server fingerprints for every SSH session. HASSH is an MD5 hash over the client's offered key exchange, cipher, MAC, and compression algorithm lists; HASSH-Server is the same construction over the server's lists. Because these hashes depend only on the negotiation parameters, they are stable identifiers: the same tool produces the same fingerprint consistently, enabling correlation across sessions, time windows, and network segments even when source addresses rotate.

Flow Behavior

Timing, packet volume, and session duration patterns from SSH flows carry behavioral context that logs never record. A session that arrives at an unusual hour, originates from an unexpected source Autonomous System, and terminates at a core routing device looks different from normal operator activity, even before any cryptographic analysis begins.

None of this requires decrypting a single packet. It all lives in the connection metadata that flows through the network regardless of payload confidentiality.

The Question Defenders Need to Ask

The shift that NetworkLens enables is a shift in the question itself. Instead of asking “did this session carry malicious content?” — a question that encrypted SSH makes unanswerable — defenders can ask: does this SSH session behave like it belongs here?

Did the client software match what your authorized SSH jump hosts actually run? Did the cryptographic negotiation resemble your standard hardened configurations? Has this HASSH fingerprint appeared elsewhere on the network — particularly on devices where it shouldn’t be? Does the source Autonomous System match the geography of your network operations team?

These questions have answers. They don’t require decryption. They don’t require endpoint agents on every device. And in a carrier-grade network where some of the most sensitive infrastructure runs on hardware that simply cannot support traditional endpoint telemetry, they may be the only questions you can meaningfully ask.
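To make the HASSH construction described earlier and the four questions above concrete, here is an added Python example (not NetworkLens code): it computes HASSH from a client's KEXINIT lists, checks a session against a baseline of what the authorized jump hosts negotiate, and groups sessions by fingerprint so one tool stays visible across rotating source addresses. The jump-host algorithm lists, ASNs, hostnames, banners and sample sessions are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# HASSH = MD5 over the client's KEXINIT lists (kex; c2s ciphers; c2s MACs; c2s compression)
# joined by ';'. HASSH-Server is the same construction over the server's s2c lists.
def hassh(kex: str, ciphers: str, macs: str, comp: str) -> str:
    return hashlib.md5(";".join((kex, ciphers, macs, comp)).encode()).hexdigest()

@dataclass
class SshSession:          # plaintext fields a passive sensor sees before encryption starts
    src_ip: str
    src_asn: int
    dst_host: str
    client_version: str    # version banner, exchanged in the clear before KEXINIT
    kexinit: dict          # the four client-offered algorithm lists, as comma-joined strings

# Constructed baseline: what the hypothetical authorized NOC jump hosts negotiate.
JUMP_HOST = dict(kex="curve25519-sha256,ecdh-sha2-nistp256",
                 ciphers="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com",
                 macs="hmac-sha2-256-etm@openssh.com", comp="none,zlib@openssh.com")
ALLOWED_HASSH = {hassh(**JUMP_HOST)}
ALLOWED_BANNER_PREFIX = "SSH-2.0-OpenSSH_"
OPERATOR_ASNS = {64512}    # constructed private ASN for the NOC
CORE_DEVICES = {"core-rtr-01", "mpls-pe-07"}

def assess(s: SshSession) -> list[str]:
    """Behavioral deviations for one session; an empty list means 'looks like it belongs'."""
    findings, fp = [], hassh(**s.kexinit)
    if fp not in ALLOWED_HASSH:
        findings.append(f"unknown HASSH {fp}")
    if not s.client_version.startswith(ALLOWED_BANNER_PREFIX):
        findings.append(f"unexpected client banner {s.client_version!r}")
    if s.dst_host in CORE_DEVICES and s.src_asn not in OPERATOR_ASNS:
        findings.append(f"core device {s.dst_host} reached from AS{s.src_asn}")
    return findings

def correlate(sessions: list[SshSession]) -> dict[str, set[str]]:
    """Source IPs per HASSH: the same tool keeps its fingerprint while source addresses rotate."""
    by_fp: dict[str, set[str]] = {}
    for s in sessions:
        by_fp.setdefault(hassh(**s.kexinit), set()).add(s.src_ip)
    return by_fp

# Constructed samples: one NOC jump-host session, two from an unfamiliar client hopping source IPs.
ODD = dict(kex="diffie-hellman-group14-sha1", ciphers="aes128-ctr", macs="hmac-sha1", comp="none")
SESSIONS = [
    SshSession("198.51.100.10", 64512, "core-rtr-01", "SSH-2.0-OpenSSH_9.6", JUMP_HOST),
    SshSession("203.0.113.5", 65001, "core-rtr-01", "SSH-2.0-customtool_0.1", ODD),
    SshSession("203.0.113.77", 65001, "mpls-pe-07", "SSH-2.0-customtool_0.1", ODD),
]
```

Running `assess` over `SESSIONS` clears the jump-host session and flags the other two on all three checks, while `correlate` ties both odd sessions to a single fingerprint despite their different source addresses.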

The Intelligence Gap Salt Typhoon Exposed

The lasting lesson from Salt Typhoon isn’t that nation-state actors are too sophisticated to detect. It’s that detection requires a different category of intelligence than most telecom operators were collecting.

Packet capture doesn’t scale. Endpoint agents don’t reach every device. Log aggregation tells you what systems reported — not what actually traversed the wire. And signature-based detection, almost by definition, misses attackers who use legitimate tools in legitimate ways.

What does scale — what does reach every device, what does capture behavioral truth regardless of payload — is network metadata. Rich, structured, context-aware metadata generated continuously from the traffic itself.

That’s what NetworkLens delivers. And for the SSH-based persistence that defined this campaign, it’s exactly the intelligence layer that was missing.

See how the NetworkLens SSH dataset and broader intelligence portfolio integrate with your threat hunting and AI analytics workflows.
