
Satellite‑communications provider Viasat Inc. has quietly joined Verizon, AT&T, and Lumen as the latest victim of the Chinese state‑aligned “Salt Typhoon” espionage operation, federal investigators told Bloomberg earlier this week.
What Happened
The breach, uncovered in early 2025 but only now publicly confirmed, allowed attackers to siphon off roughly 100 million call‑detail and location records belonging to 1.3 million mobile users, many of them in greater Washington D.C.
Single Entry Point Exposes Satellite Communications Infrastructure
The breach of Viasat, discovered earlier this year, adds a concerning dimension to the Salt Typhoon campaign. Viasat’s satellite constellation connects devices worldwide, providing in-flight internet for commercial aviation, connectivity for personal smartphones, and critical communications support “across air, land, and sea” for governments across the globe.
“Viasat and its independent third-party cybersecurity partner investigated a report of unauthorized access through a compromised device,” the company stated.
Scale of Wireless Communications Compromise Unprecedented
Brett Leatherman, the newly appointed head of the FBI’s cyber division, revealed staggering figures about the campaign’s impact: approximately 100 million records belonging to 1.3 million users were compromised, with a concentration of targets in the Washington, DC area. The operation enabled attackers to gain access to tools used by U.S. law enforcement for monitoring and surveillance activities, as well as to collect call records and compromise communications of government officials and political figures.
“They can take this data and put it together and come up with a better intelligence picture, which is what the CCP wants,” Leatherman said in his first interview since assuming the role.
Wireless Infrastructure: The Invisible Attack Vector
The Viasat breach highlights a critical vulnerability in modern telecommunications infrastructure: the proliferation of wireless-enabled devices and systems that operate outside traditional network security perimeters. With Viasat managing approximately 257,000 home internet subscribers and competing with SpaceX’s Starlink and EchoStar’s Boost Mobile for direct-to-cellular mobile services, the potential for wireless-based infiltration extends across multiple attack surfaces.
This incident follows Viasat’s previous compromise in February 2022, when a cyberattack struck approximately one hour before Russia invaded Ukraine. That attack, later attributed to Russian state actors by the U.S., UK, and European allies, primarily targeted Ukrainian military communications but affected thousands of customers across Europe.
The Wireless Blind Spot in Critical Infrastructure
For CISOs and security teams protecting critical infrastructure, the Viasat breach serves as a stark reminder that traditional network monitoring and security controls often fail to address the wireless spectrum.
The sophistication of the Salt Typhoon campaign, which Microsoft Corp. first identified and named, demonstrates that nation-state actors are increasingly targeting the wireless communications infrastructure that underpins modern telecommunications. For the government, the campaign’s ability to remain undetected while collecting vast amounts of sensitive data, including communications from then-presidential candidate Donald Trump and members of both political campaigns, illustrates the critical need for comprehensive wireless airspace monitoring.
International Implications and Ongoing Threats
The FBI’s investigation has revealed an international dimension to the Salt Typhoon activity, with Leatherman confirming extensive engagement with Five Eyes partners and European allies. While the threat actors appear to have gone dormant since the initial revelations, Leatherman warned: “Just because we don’t see it every day, doesn’t mean it’s not there.”
Critical Lessons for Wireless Security
The Viasat breach underscores several critical security considerations:
- Device-Level Vulnerabilities: Salt Typhoon’s access through “a compromised device” highlights how unidentified assets, or even a single rogue personal device, can serve as a catastrophic entry point for organizations.
- Satellite and Wireless Infrastructure Targeted: Nation-state actors are specifically targeting companies that provide critical wireless communications infrastructure, recognizing these as high-value targets for intelligence collection.
- Persistent Threat Presence: The historical nature of much of the discovered activity suggests long-term, undetected presence within wireless communications networks.
- Supply Chain Risks: With Viasat providing services to the government, military, and commercial aviation sectors, the breach represents a significant supply chain risk to multiple critical industries.
The Imperative for Comprehensive Wireless Monitoring
As FBI Director Kash Patel prioritizes countering the Chinese Communist Party, the Viasat breach serves as a critical reminder that protecting America’s communications infrastructure requires comprehensive visibility into all potential attack vectors; securing the physical network perimeter is no longer sufficient. Sophisticated state-backed threat actors, such as Salt Typhoon, pose a risk of leveraging rogue satellite constellations to intercept and exfiltrate sensitive information from wirelessly enabled devices.
It’s not just cellular; wireless satellite connectivity providers are emerging for every protocol.
China-based Bluelink Satcom has started production of its Bluetooth communication satellite constellation. Once fully deployed, previously isolated Bluetooth devices worldwide will be able to communicate 24/7 with the fleet of Bluelink antennas orbiting in Low Earth Orbit (LEO).
US-based satellite company Hubble Network has already deployed several of its Bluetooth-enabled satellites into orbit. The company announced it achieved a successful 600-kilometer distance Bluetooth connection between a standard Bluetooth chip and one of its satellites last year.
While neither of these companies has reported any major breaches or cybersecurity vulnerabilities, some wireless satellite providers have.
Earlier this year, Iridium Communications reported four major CVEs in its Iridium Certus 700 maritime communications L-band terminals. The vulnerabilities could allow an attacker to upload malicious firmware to unpatched devices, compromise other devices within the network, or extract information such as SSH hash strings.
Governments and CISOs should take note of the emerging wireless risk posed by the proliferation of satellite constellations that provide constant, global wireless connectivity to devices over previously local wireless protocols (like Bluetooth or LoRaWAN). The rollout for these constellations varies. However, what is underway is the single most significant change in how organizations will manage wireless device vulnerabilities within a facility’s airspace. Depending on how a company provisions that connectivity, Bluetooth or LoRa devices, which users could typically only access from inside a facility, are now potentially accessible by a rogue satellite at all times.
What Organizations Should Do Now
| Immediate Step | Purpose |
| --- | --- |
| Deploy continuous RF‑airspace monitoring inside headquarters, SCIFs, and mobile command posts. Bastille sensors provide 24/7 detection of rogue cellular, Wi-Fi, and Bluetooth-LE emissions, with localization to within 3m in typical office environments. | Reveal unauthorized wirelessly transmitting devices before data exfiltration. |
| Run cell‑site “hygiene sweeps” ahead of VIP travel and major events using portable RF sensor kits. | Prevent location tracking and voice interception. |
| Adopt end‑to‑end encrypted voice & messaging apps and turn off legacy 2G/3G fall‑back on mobile devices. | Remove clear‑text interception opportunities. |