Nobody Hacked the Firewall: Inside the Year Identity Became the Whole Battlefield


Two of the most consequential intrusion campaigns of the past eighteen months have almost nothing in common on paper. One is a multi-year Chinese state espionage operation that lived inside American telecom infrastructure. The other is a loosely organized, English-speaking criminal collective that mostly just calls help desks and asks nicely. Put them side by side, though, and the lesson is identical: neither group needed to defeat a firewall. They needed someone to believe they were who they claimed to be.

Salt Typhoon: Three years inside the wiretap system

By August 2025, the FBI's own count put it plainly: a Chinese state-linked group known as Salt Typhoon had compromised more than 200 organizations across 80 countries (Nextgov/FCW). The group, assessed to operate under China's Ministry of State Security, had been inside major U.S. telecom carriers (AT&T, Verizon, Lumen, and others) since at least 2019, in some documented cases maintaining undetected access for roughly three years before discovery.

What it went after is the part that should unsettle anyone who assumes lawful surveillance infrastructure is, by definition, well-guarded: Salt Typhoon specifically targeted the "lawful intercept" systems telecom providers are required to build under the 1994 Communications Assistance for Law Enforcement Act, the same systems law enforcement uses for legally authorized wiretaps (Nextgov/FCW). A backdoor built to serve court orders became a backdoor serving a foreign intelligence service instead. Senator Mark Warner did not mince words about the scale of the breach, calling it "the worst telecom hack in our nation's history" (State of Surveillance).

The campaign kept evolving well past its initial discovery. In December 2025, intrusions were detected inside email systems used by staff on several U.S. House committees (China policy, foreign affairs, intelligence, and the armed forces among them) and were later attributed to Salt Typhoon (Wikipedia).

Nathaniel Jones, Darktrace's VP of security and AI strategy, explained why congressional staff systems make such an efficient target even without breaching a lawmaker's own account directly: "the targeting of congressional staffers is notable, but it also makes strategic sense" (BankInfoSecurity). Staff networks routinely handle sensitive policy deliberation without the security assumptions built into classified systems: softer targets carrying real intelligence value.

The institutional response has been, charitably, uneven. The Treasury Department sanctioned a company it linked directly to the campaign in January 2025, and the FBI posted a $10 million bounty for information on individuals associated with the group. But by February 2026, Senator Maria Cantwell was still demanding that the CEOs of AT&T and Verizon testify, after months of what she described as the companies' refusal to provide documentation backing their claims that the networks were now secure (Senate Commerce Committee).

A telecom hunt guide jointly published by the FBI and allied agencies in August 2025 drew rare, specific praise from Marc Rogers, a veteran telecommunications security expert, who called it "useful, actionable" guidance on a threat that network operators had been struggling to evict for a year or more (Nextgov/FCW).

Scattered Spider: The same outcome, achieved with a phone call

Salt Typhoon needed years, custom rootkits, and nation-state resourcing. The collective tracked as Scattered Spider (also known as UNC3944 or Octo Tempest) has spent the same period proving that none of that is strictly necessary if you're good enough at talking to people.

The group's core technique has barely changed since it first drew attention by breaching Las Vegas casinos in 2023: call an organization's IT help desk, convincingly impersonate an employee or executive, and talk a support agent through resetting MFA credentials or enrolling a new authentication device.

CrowdStrike's incident response data on the group's 2025 activity found the pattern held almost universally: "the adversary used help desk voice-based phishing in almost all observed 2025 incidents" (CrowdStrike). No exploit code. No malware at the point of entry. Just a confident voice and a support workflow built around the assumption that anyone who can answer a few identity questions correctly is who they say they are.

The group's 2025 target list reads like a tour through whichever sector currently has outsourced, time-pressured help desk operations: UK retailers Marks & Spencer, Co-op, and Harrods in May; major U.S. retailers shortly after; the insurance sector, including a confirmed June 2025 breach at Aflac where attackers posed as the company's CFO to convince support staff to reset MFA on a privileged account (Kelser); and, by late June, the aviation sector, using identical tactics against Microsoft Entra ID and single sign-on infrastructure.

The FBI's public guidance described the group's method without ambiguity, warning that "these actors impersonate employees or contractors to deceive IT help desks into granting access" (FBI alert, via Kelser). Once inside, the same group frequently deployed DragonForce ransomware; the social-engineering breach and the ransomware payload increasingly operate as two stages of one business, not as two separate threat actors.

Trend Micro's Forward Threat Research team, watching the group's tactics evolve into 2026, made the structural point that should worry anyone still budgeting security spend primarily around malware detection: "these attackers do not need advanced malware to break into critical environments" (ITPro).

Rebranding is part of the playbook, too. The same loosely affiliated network has operated under names including Scattered LAPSUS$ Hunters, the identity claimed for the Jaguar Land Rover ransomware attack discussed elsewhere in this series, which suggests that the line between "ransomware crew" and "social engineering collective" is now more a matter of which tool happened to be convenient that week than a meaningful organizational boundary.

Why "zero trust" doesn't automatically fix this

Here's the uncomfortable part for anyone who has spent the last several years implementing zero-trust architecture as the default answer to identity-based attacks: zero trust, as most organizations have actually deployed it, assumes the verification step itself is trustworthy. Scattered Spider's entire business model is built on proving that assumption wrong. The architecture can flawlessly enforce least-privilege access, micro-segmentation, and continuous verification, and still fail completely if the human on the other end of a help desk call can be talked into resetting the credential that all of that verification depends on.

Standard zero-trust assumption:

    Identity claim → MFA verification → Access granted
                           ▲
                           │ (this step is treated as trustworthy)

What Scattered Spider actually attacks:

    Identity claim → Help desk call, social engineering → MFA reset/re-enrollment → Access granted
                                     ▲
                                     │ (the "verification" itself is the thing being compromised)

This is why the practical fixes that are actually working in 2026 focus less on adding more verification steps and more on making the verification channel itself resistant to impersonation:

- Move account-recovery and MFA-reset workflows to phishing-resistant authentication, specifically FIDO2 security keys or passkeys, rather than knowledge-based questions that a confident caller can talk around.
- Require out-of-band verification over a known-good channel for any sensitive change: a callback to a number already on file, not a number the caller provides, before resetting credentials for privileged accounts.
- Apply just-in-time, time-boxed privileged access, so that even a successful social-engineering compromise of a standing account doesn't hand over standing administrative reach.
- Train help desk and support staff specifically on this threat pattern, not generic phishing awareness: the pretext, the urgency, and the confident insistence on bypassing "slow" verification steps are all recognizable if staff know to look for them.

Salt Typhoon and Scattered Spider sit at opposite ends of the resourcing spectrum: one backed by a state intelligence service with multi-year patience, the other a loose criminal network working the phones. What they share is the actual insight worth taking from this period of cybersecurity history: the perimeter that matters most in 2026 was never the network edge. It's the moment someone, or something, has to decide whether to trust a claim of identity. Get that moment wrong, and it no longer matters how good the rest of the architecture is.
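To make the difference between the two flows concrete, here is an added example (not code from the article or from any vendor it cites) that models a help-desk MFA-reset decision as a policy function. The weak policy is the one in the diagram above: correct answers to identity questions unlock the reset. The hardened policy applies the first three fixes from the list: it ignores knowledge-based answers entirely, insists that the callback went to the directory number rather than a number the caller supplied, requires a FIDO2/passkey step-up where one is registered, and issues only a time-boxed grant for privileged accounts. Employee, ResetRequest, Decision, the directory and the two sample requests are hypothetical, constructed for the demonstration.

```python
# Added example, not the article's or any vendor's code. Models a help-desk
# MFA-reset workflow so the weak flow (answer identity questions, get a reset)
# can be run beside the hardened flow (callback to the number on file,
# phishing-resistant step-up, time-boxed privileged access). All names and
# sample records below are hypothetical and constructed for the demonstration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Employee:
    upn: str
    phone_on_file: str       # callback number from HR/directory, never from the caller
    privileged: bool         # holds standing administrative roles
    fido2_registered: bool   # has a FIDO2 security key or passkey enrolled


@dataclass(frozen=True)
class ResetRequest:
    upn: str
    kba_answered: bool                       # caller answered knowledge-based questions
    caller_supplied_callback: Optional[str]  # number the caller asked to be called on
    callback_number_used: Optional[str]      # number the agent actually dialled
    fido2_assertion_verified: bool           # step-up WebAuthn assertion succeeded
    requested_at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    access_expires_at: Optional[datetime] = None


def weak_policy(req: ResetRequest, directory: Dict[str, Employee]) -> Decision:
    """The flow Scattered Spider exploits: correct KBA answers unlock the reset."""
    if req.upn not in directory:
        return Decision(False, "unknown user")
    if req.kba_answered:
        return Decision(True, "identity questions answered; MFA reset approved")
    return Decision(False, "identity questions failed")


def hardened_policy(req: ResetRequest, directory: Dict[str, Employee],
                    jit_window: timedelta = timedelta(hours=1)) -> Decision:
    """Reset only over a known-good channel, proven with a phishing-resistant factor."""
    emp = directory.get(req.upn)
    if emp is None:
        return Decision(False, "unknown user")
    # KBA is deliberately ignored: req.kba_answered is never consulted here.
    # Rule 1: the callback must have gone to the directory number. A number the
    # caller supplies is assumed to be the attacker's phone and is never used.
    if req.callback_number_used != emp.phone_on_file:
        return Decision(False, "callback to the number on file is required")
    # Rule 2: a registered FIDO2/passkey factor must be exercised before any
    # other factor is reset or a new device is enrolled.
    if emp.fido2_registered and not req.fido2_assertion_verified:
        return Decision(False, "FIDO2/passkey step-up required before reset")
    # Rule 3: a privileged account with no phishing-resistant factor has no
    # self-service path; the help desk cannot approve this alone.
    if emp.privileged and not emp.fido2_registered:
        return Decision(False, "privileged account without a phishing-resistant "
                               "factor: escalate, no help-desk reset")
    # Rule 4: privileged access after a reset is just-in-time and time-boxed.
    expires = req.requested_at + jit_window if emp.privileged else None
    return Decision(True, "verified over known channel with phishing-resistant factor", expires)


# Constructed directory and requests (hypothetical, for the demonstration).
DIRECTORY: Dict[str, Employee] = {
    "cfo@example.com": Employee("cfo@example.com", "+1-555-0100", True, True),
    "analyst@example.com": Employee("analyst@example.com", "+1-555-0142", False, False),
}
NOW = datetime(2026, 1, 15, 9, 30, tzinfo=timezone.utc)

# Attacker impersonating the CFO: passes KBA with scraped details, asks to be
# called back on "a new phone", and the agent dials that number; no security key.
SPIDER_REQUEST = ResetRequest(
    upn="cfo@example.com", kba_answered=True,
    caller_supplied_callback="+1-555-0199", callback_number_used="+1-555-0199",
    fido2_assertion_verified=False, requested_at=NOW)

# Real CFO re-enrolling a phone: agent dials the number on file, and the CFO
# completes a step-up assertion with the registered security key.
LEGIT_REQUEST = ResetRequest(
    upn="cfo@example.com", kba_answered=True,
    caller_supplied_callback=None, callback_number_used="+1-555-0100",
    fido2_assertion_verified=True, requested_at=NOW)


def compare() -> Dict[str, Decision]:
    """Run both policies over both requests, keyed for inspection."""
    return {
        "weak/attacker": weak_policy(SPIDER_REQUEST, DIRECTORY),
        "hardened/attacker": hardened_policy(SPIDER_REQUEST, DIRECTORY),
        "hardened/legit": hardened_policy(LEGIT_REQUEST, DIRECTORY),
    }


if __name__ == "__main__":
    for name, d in compare().items():
        expiry = f" (expires {d.access_expires_at.isoformat()})" if d.access_expires_at else ""
        print(f"{name:18} allowed={d.allowed!s:5} {d.reason}{expiry}")
```

The point of the design is that the hardened policy never reads the field the attacker controls: it checks the number the agent dialled against the directory, not the number the caller offered, and it treats a correct KBA answer as carrying no weight at all. The fourth fix in the list, staff training, has no code form, but a policy like this is what lets a trained agent say "the system won't let me" instead of arguing with a confident caller.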