A U.S. senator has now contacted Mandiant to determine whether Verizon Communications and AT&T have fully removed the cyber espionage group known as Salt Typhoon from their networks. Maria Cantwell sent letters to both telecom providers requesting documentation on their response efforts. In reply, each company confirmed that Mandiant had been brought in to conduct a comprehensive assessment and verify the incident’s containment. Mandiant is now being asked to produce documents detailing its findings and actions related to the breach.
Cantwell, a Washington Democrat and ranking member of the Senate Commerce, Science, and Transportation Committee, wrote this week to Sandra Joyce, executive vice president at Mandiant Intelligence and Government Affairs, requesting that Mandiant provide relevant documents in its possession that are responsive to her concerns. “Notwithstanding AT&T’s and Verizon’s December 2024 statements, recent reports indicate broad, ongoing doubts among cybersecurity experts that Salt Typhoon has been fully eradicated from our telecommunications networks.”
According to a June 2025 memo from the Department of Homeland Security, Salt Typhoon ‘extensively compromised’ a state’s Army National Guard network last year, collecting its ‘network configuration and its data traffic with its counterparts’ networks in every other US state,’ including ‘these networks’ administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units.’
“Given the ongoing concerns about the security of our critical networks, on June 12, 2025, I sent letters to AT&T CEO John Stankey and Verizon CEO Hans Vestberg requesting documents and information regarding the extent to which vulnerabilities remain in their networks as a result of Salt Typhoon and the risks this may pose to the 265 million Americans who use their services— including the first responders who rely on AT&T’s FirstNet network,” Cantwell said in her letter. “The narrow set of documents I sought would help confirm the basis for the companies’ public assertions that the Salt Typhoon threat has been contained—information that I believe the Committee deserves in order to properly conduct its oversight.”
She added that both AT&T and Verizon confirmed the existence of relevant assessments conducted by Mandiant that are responsive to her letter, but they have thus far refused to make these key reports available without any compelling reason to keep them hidden from Congress. “This response only heightens my concerns about AT&T’s and Verizon’s current security posture, as they are either unwilling or unable to provide specific documentation that would corroborate their claims that their networks are secure.”
Cantwell recognized that Mandiant is a widely respected digital forensics and incident response provider with an extensive history of cooperating with congressional oversight requests in the aftermath of major cybersecurity incidents.
She requested that Mandiant provide specific documents by August 6, 2025. These include all reports, assessments, and analyses conducted for AT&T and Verizon in response to the Salt Typhoon attacks; a list of any recommendations that have not yet been fully implemented by either company; and all records detailing the costs and expenses associated with Mandiant’s work for both telecom providers in connection with the incident.
“One cyber CEO and former CIA officer recently warned, ‘zero chance we’ve seen the last of Salt Typhoon,’ while another expert stated ‘critical infrastructure, whether it’s telecommunications, defense or public health, is increasingly vulnerable to advanced, persistent threat actors like Salt Typhoon,’” Cantwell said.
Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition (OTCC), warned in written testimony this week that while the U.S. government has acknowledged the nation’s infrastructure is at risk, it has not taken sufficient steps to address growing vulnerabilities or prioritize response and resilience—particularly in light of attacks like Volt Typhoon and Salt Typhoon. Testifying before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, Bolton emphasized the stakes: “While securing IT is important, it is the OT systems that, if attacked, turn off our lights, bring hospitals to a standstill, and disrupt essential services. Congress must be a partner in bringing light to this unresolved issue.”
Another witness at the same hearing noted that intrusions done initially for intelligence-collection purposes can morph into a disruptive or destructive operation simply by introducing malicious code or commands aimed at that purpose — meaning that an attacker may initially intend only to steal data from a system but then change course to damage or disrupt it as well, or to hand off access to the system to another actor who has the intention to disrupt or destroy.
“It can be difficult to discern the end goal of an intrusion until it’s too late to stop it,” according to Kim Zetter, a cybersecurity journalist. “I say this because a lot has been written recently about the Salt Typhoon and Volt Typhoon ongoing breaches of telecoms and critical infrastructure, and attributed to China. These compromises don’t appear now to be aimed at disruption or damage, but could morph into such operations if China were to decide to use their presence in these systems for that purpose.”
