
Chinese Hackers Penetrated Major US Telecoms, May Have Breached Federal Surveillance System

More details are emerging about the group of Chinese hackers called “Salt Typhoon” and their recent campaign against US internet service providers. An inside official source has told the Wall Street Journal that the group compromised US telecoms and that its primary objective seems to have been obtaining access to a federal wiretapping system used for lawfully ordered surveillance of suspected criminals.

The Chinese hackers may have had illicit access to this system for months before being discovered and rousted. The access was apparently gained by compromising Verizon and AT&T, and the source said that internet service provider Lumen was breached as well. The full impact of the breach remains unknown, but Salt Typhoon appeared to be focused on learning what federal agencies had on Chinese surveillance targets.

Major campaign by Chinese hackers still under investigation, in “early stages”

The full scope of Salt Typhoon’s campaign remains unknown, with the official sources saying that the investigation remains in its early stages. But the focus on US telecoms appears to have been breaking into this federal wiretapping system and collecting information on Chinese surveillance subjects.

There has yet to be any official comment on the Chinese hackers, but the source said that President Biden has been briefed on the matter. Thus far just the two US telecoms and the one ISP have been named, but the source says that given the scope and length of the campaign it is likely that it involved other communications companies as well.

While the “lawful intercept” wiretapping system was the special focus of the Chinese hackers, the source believes there is no reason why they would not have helped themselves to more general internet traffic of interest while they maintained access. But it is still unknown exactly what the hackers accessed, or if the attacks against the US telecoms were focused on gathering intel on domestic or foreign surveillance subjects.

The source reports that the impacted US telecoms have set up internal “war rooms” to deal with the issue and are being assisted by FBI staff and security personnel from both Microsoft and Google’s Mandiant. Researchers with the security arm of Lumen Technologies had earlier reported that the Chinese hackers exploited zero-day vulnerabilities, possibly in routers from a variety of manufacturers, to pull off the campaign.

US telecoms battered by negative cybersecurity news

All three of the major US telecoms have had their security issues over the last few years, suffering breaches that exposed substantial amounts of customer records. Ironically, T-Mobile has fared the worst of the bunch in terms of records lost to criminals, but it has not yet been mentioned in connection with the Chinese hackers. Verizon may now face renewed heat on its security posture after reports that it was breached via Cisco routers, possibly including some that were unpatched against known vulnerabilities.

China has likely been using the internet to try to hack the US for much longer, but the first publicly known major operation by Chinese hackers came to light in 2010. That incident also targeted US telecoms, and the attackers were ultimately able to breach Google, going after a database of information about federal surveillance targets. In that case, China was thought to be seeking insight into which Gmail accounts of its agents were being monitored.

Chinese hackers quickly became such a persistent issue that the Obama administration reached a cybersecurity accord with the country in 2015, with each side pledging not to conduct cyber-enabled theft of intellectual property against the other. That agreement focused on the theft of trade secrets from private companies rather than on espionage, however. In 2018 the US first formally accused China of breaking the deal, noting that the quality and quantity of attacks had dropped dramatically for a time but eventually crept back to their former level during the Trump administration.

Microsoft has said that the Salt Typhoon campaign is separate from the other “Typhoon” groups and their assorted attacks on critical infrastructure, but there is likely a general plan for all of these state-backed teams if not direct coordination between them. Volt Typhoon has been the most impactful thus far, at least that the public has been made aware of. A report from Microsoft early this year accused that group of breaching some US telecoms on its own as well as assorted critical infrastructure companies.

China, as always, has denied participation in any of these attacks. It claims that the accusations are made up as a way of smearing its reputation and also screening attacks by US state-backed groups on its own systems. China is in an unusual position as regards the war of words over these cyber attacks, as it usually shies away from getting specific about successful US breaches to avoid appearing weak to its domestic population.