Containerization & Sandboxing , Cyberwarfare / Nation-State Attacks , Endpoint Security

Feds Probe Chinese 'Salt Typhoon' Hack of Major Telcos

Verizon, AT&T and Lumen's Systems for Lawful Broadband Wiretaps Reportedly Breached
Feds Probe Chinese 'Salt Typhoon' Hack of Major Telcos
"China's hacking program is larger than that of every other major nation, combined," said FBI Director Christopher Wray. (Image: Shutterstock)

The U.S. government is reportedly probing suspected breaches tied to Chinese nation-state hackers infiltrating broadband providers' infrastructure used to comply with court-authorized wiretaps of their subscribers' networking traffic.

See Also: Panel | Cyberattacks Are Increasing — And Cyber Insurance Rates Are Skyrocketing

The Wall Street Journal first reported news of the national security probe, saying Verizon Communications, AT&T and Lumen Technologies are among the broadband providers breached as part of an apparent espionage operation run by a Beijing-tied advanced persistent threat group that Microsoft has codenamed Salt Typhoon.

The Cybersecurity and Infrastructure Security Agency and FBI are among the agencies reportedly probing the campaign. The attacks have not been officially attributed by the U.S. government.

The focus of the intrusions may be to identify "Chinese targets of American surveillance," both by infiltrating "lawful intercept" systems as well as intercepting more general traffic, The Washington Post reported. Among the victims, it said, Verizon has created a "war room" that includes representatives from the FBI, Microsoft and Google's Mandiant security division.

"This has all the hallmarks of an espionage campaign - one with potentially deep access to the most important communication companies in the country," Brandon Wales, former executive director at the DHS's CISA and now a vice president at cybersecurity firm SentinelOne, told The Washington Post. "The impacts are potentially staggering."

The Wall Street Journal reported on Sept. 26 - before any names of potentially breached telecommunications firms came to light - that at least some of the intrusions might have traced to hackers reconfiguring victims' Cisco routers.

Salt Typhoon has been tied to China's foreign intelligence service, the Ministry of State Security, which has long targeted U.S. systems for intelligence-gathering purposes. "Typhoon indicates origin or attribution to China," according to Microsoft's latest approach to codenaming.

The campaign is "another reminder that lawful access systems [i.e., backdoors] can become major sources of personal and national insecurity," said Ron Deibert, director of the University of Toronto's Citizen Lab, which investigates digital threats to human rights.

"Remember this the next time a government demands encryption backdoors," said John Scott-Railton, a senior researcher at Citizen Lab.

U.S. Securities and Exchange Commission rules require publicly traded firms to report all "material" cybersecurity incidents to investors - via a Form 8-K - within four days of determining it's material, except under certain circumstances. Exceptions exist if law enforcement or intelligence agencies request a delay on national security or public safety grounds.

The first known such delay occurred after a May intrusion of AT&T's account at data warehousing platform Snowflake appeared to result in the theft of logs of call and text interactions pertaining to nearly every one of the telecommunications giant's 110 million wireless customers. AT&T delayed making any public breach notification until July, at the FBI's request (see: AT&T Details Massive Breach of Customers' Call and Text Logs).

Salt Typhoon, also known as GhostEmperor and FamousSparrow, has been active since August 2019, cybersecurity firm Eset reported in 2021. At that time, Eset reported seeing the group "targeting hotels, governments and private companies worldwide," including through the Microsoft Exchange server vulnerabilities known as ProxyLogon, starting in March 2021.

Experts say Chinese government hacking operations targeting the United States and its allies, including by compromising hardware as well as email servers, continue to operate at an industrial scale. One Western intelligence official told the BBC earlier this year that China's intelligence and security agencies are staffed by about 600,000 individuals - more than any other country.

"The cyberthreat posed by the Chinese government is massive," FBI Director Christopher Wray said at a February conference in Germany. "China's hacking program is larger than that of every other major nation, combined."

Multiple leaks have also revealed how China employs an army of private contractors to facilitate state-sanctioned hack attacks, including for intelligence-gathering purposes.

More campaigns continue to come to light. Last month, Lumen Technologies' threat intelligence group Black Lotus Labs detailed a botnet linked to Chinese espionage group Flax Typhoon - aka Red Juliett and Ethereal Panda - that used a modified version of the Mirai internet-of-things malware to compromise routers, modems, IP cameras, NAS servers and digital video recorders. While the number of exploited devices controlled by the botnet continues to fluctuate, at its peak in July 2023 the botnet controlled more than 60,000 devices, the researchers said (see: Chinese Hackers Build Massive Botnet Targeting US Devices).

The previous month, warnings appeared over attackers exploiting a zero-day flaw in California-based Versa Networks' Versa Director software - used by a number of internet service providers, managed service providers and IT firms, to deploy, configure and monitor network infrastructure across locations, including via software-defined wide area networks. Black Lotus Labs said it had "moderate confidence" that the Beijing cyberespionage group Volt Typhoon, aka Bronze Silhouette, was behind the attacks (see: Chinese Nation-State Attackers Tied to Versa Zero-Day Hit).

Volt Typhoon has been tied to many other campaigns as well, including the targeting of outdated routers found in homes and small businesses, used as staging points for launching further attacks (see: How Long Will FBI's 'Volt Typhoon' Router Interdiction Stick?).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.