US officials and cybersecurity experts have been warning that the full extent of the “Salt Typhoon” hacking campaign has yet to be mapped out, and fresh news from the Wall Street Journal indicates that even more US telecom companies have been breached.
The WSJ report cites insider sources in naming Charter Communications, Consolidated Communications and Windstream among the breached parties. The sources also state that the Salt Typhoon campaign may have started in late 2023, months earlier than public statements from the FBI and CISA have previously indicated.
Salt Typhoon may have been active since fall 2023, list of compromises continues to grow
To date, the Salt Typhoon campaign was thought to have begun sometime in 2024. The investigating agencies have not been specific about a start date, but public information about breached US telecom companies first became available in October 2024. Sources are now saying that the hacking campaign may have begun in fall 2023, just as the Biden administration was focusing on warning critical infrastructure companies about the national security threat from China’s state-backed APT teams.
The new US telecom companies on the Salt Typhoon breach list join AT&T, Verizon, T-Mobile, and Lumen Technologies, all previously confirmed to have been compromised to at least some degree by the Chinese hackers. Charter Communications is the country’s largest provider of cable television, and is in the telephony business as a major internet service provider and the fifth-largest provider of residential landlines. Consolidated Communications is one of the larger fiber providers in the country with a wide range of business and home internet and phone services. Windstream focuses primarily on business internet services but also provides residential service to about eight million people across 21 states.
Known vulnerabilities in Cisco routers have already been named as a common target for Salt Typhoon, but the WSJ report also indicates that the hackers widely make use of Fortinent equipment vulnerabilities in penetrating US telecom companies. In one of the breaches, involving an unspecified company (independently reported as being AT&T), the attackers were able to access a high-level network management account that was not protected by additional MFA measures. This opened up access to over 100,000 individual routers that were used to hide information being exfiltrated back to China.
Full picture of compromise of US telecom companies still unclear
It remains unclear if more US telecom companies will end up being revealed to have been compromised, and the full picture of damage is still not entirely clear with the ones that have been confirmed. Lumen and T-Mobile have said that Salt Typhoon never made it to sensitive customer information during their breaches, and that the attack has been contained. Verizon has similarly downplayed the impact, saying that the hackers only accessed the data of a small number of “high-profile” politicians and support staff. Other reports have suggested that Salt Typhoon’s interest was primarily in “Washington and Virginia,” suggesting a singular focus on government personnel and defense contractors.
The group was confirmed to have accessed a “lawful intercept” channel, a tool maintained by US telecom companies to allow court-ordered surveillance of criminal suspects to take place. There are also at least several different “Typhoon” groups out of China working independently, but at the same general purpose of compromising critical infrastructure and spying on the US government. Volt Typhoon was linked to a mass campaign against critical infrastructure companies in early 2024, one that likely dates back to at least 2021. That series of attacks also targeted vulnerabilities in Cisco routers.
For its part, China has denied all charges made about these groups and claims it is a disinformation campaign by the US government. It has also said that Volt Typhoon is a false flag operation run by the CIA. But US government agencies are not responding as if the threat is fake. Internal memos have demonstrated that personnel have been instructed to shift to using secure encrypted collaboration platforms at work, such as Microsoft Teams, and to only communicate via encrypted messaging apps such as Signal on their personal devices.
The FCC is also working to put new cybersecurity requirements on US telecom companies, who had largely been operating under voluntary and suggested standards to date. Proposed new regulations would require the industry to undergo annual certification of cybersecurity risk management plans. The agency has also issued an opinion that existing national security laws compel industry firms to adequately protect their own networks from hackers, and that they could face legal consequences if they fail.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, notes that the continuing uncertainty about Salt Typhoon means that any potentially impacted industries, particularly US telecom companies, must immediately implement advice issued by government agencies: “Possible targets of these Chinese attackers need to immediately follow the steps outlined by the FBI and NSA to help harden their systems against attack. Actually, any organization would be advised to follow the steps. Patching and upgrading apps and devices, limiting the types of connections and privileged accounts, and only using strong encryption, are just some of the steps organizations can take to harden their systems against attack.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, offers some specific advice on ways to counter the known approaches of China’s state-backed hacking teams: “The Chinese have been hacking into US organizations for decades and taking every secret and bit of intellectual property they wanted to get their hands on. This is just the latest iteration. The US Dept. of Treasury recently sanctioned a Chinese publicly traded company for being involved in these latest attacks. The way you keep Chinese attackers out is the same as it has been for decades: aggressively mitigate social engineering and patch your software and firmware. Social engineering and phishing are involved in 70% – 90% of successful attacks, and vulnerabilities in software and firmware are involved in 33% of successful attacks. These two root hacking causes account for 90% – 99% of the risk in most organizations. It’s not enough to do training once a year or once a quarter. It needs to be at least once a month along with monthly to weekly simulated phishing exercises. We have the data to show that organizations that do effective security awareness training are far less likely to be successfully compromised.”

