
Salt Typhoon Chinese Cyber Espionage Team Named in T-Mobile Hack; Group Breached All Three Major US Carriers

A recent confirmed T-Mobile hack has been attributed to Salt Typhoon, the Chinese cyber espionage team that also breached Verizon and AT&T earlier in the year. That means the hackers were able to penetrate all three of the country’s major mobile carriers in 2024, in addition to at least one domestic internet service provider (Lumen Technologies) and a number of carriers in other countries.

Wide-ranging Chinese cyber espionage campaign sought access to high-value targets

The T-Mobile hack has been confirmed by the company, though it is not yet sharing any details about it with the public. But with Salt Typhoon’s involvement confirmed, the intrusion almost certainly resembles the other breaches in this cyber espionage campaign, which mostly used carrier networks to reach the accounts of high-profile figures and to find entry points into government agencies and private companies of interest.

T-Mobile has only said that it has not identified any loss of customer data or “significant impact” to its systems from the incident. That would be a marked change from the prior breaches of the other big carriers, in which the cyber espionage team had access to some worrying materials. Salt Typhoon managed to access voice messages, call records and unencrypted text messages from members of the US government and candidates in the presidential race, and also broke into a private system used by law enforcement for legally authorized wiretapping of suspected criminals.

There is also not yet any specific information on how the T-Mobile hack unfolded, though the Chinese hackers targeted known vulnerabilities in Cisco and other routers to penetrate the other carriers.

CISA and the FBI have issued a joint statement calling the cyber espionage campaign, which has been ongoing for about eight months now, “broad and significant.” The hackers have reportedly had access to mobile and internet data for months at a time during these penetrations, though the exact window of the T-Mobile hack has not yet been made available. The agencies have opened a joint investigation into the campaign and are providing technical assistance to victims as well as potential government and private industry targets.

The agencies have warned that more breaches like the T-Mobile hack are likely to be reported in the near future, as this investigation continues. The Chinese hackers showed an interest in the recent election, targeting the private messages of Donald Trump and JD Vance among others, but are ranging far beyond that. This includes attacks on both government and industry in other nations such as Taiwan, Germany, Malaysia and the Philippines. The group also appears to be one of China’s more advanced state-backed teams and is not afraid to deploy innovative approaches and zero-days to further the cyber espionage campaign. The attackers also seek prolonged access to victims, in some cases peppering them with multiple backdoors.

Full details on T-Mobile hack not yet available

When news of the AT&T and Verizon breaches broke, it initially looked like a relative win for the cybersecurity-challenged T-Mobile. The company has now seen nine substantial breaches in the last five years, though the cyber espionage attack may prove to be less damaging than the ones that hit its rivals.

A consent decree forged between T-Mobile and the FCC in early October stipulated that the company must shell out to make substantial cybersecurity improvements, including zero-trust architecture and improved internal MFA systems. It also faces required inventories of critical assets and the implementation of stronger data minimization policies. But all of this took place either during or after the Salt Typhoon breach window.

The company’s cybersecurity woes started with the 2019 T-Mobile hack that exposed the account information of some of its prepaid customers. The company went on to experience multiple major breaches involving millions of records in 2021, 2022 and 2023. One of the most concerning elements of these ongoing failures is that a variety of hackers, both state-backed cyber espionage teams and common criminals, keep getting in through a variety of methods that range from social engineering employees over the phone to brute-forcing its testing environment. Some of the T-Mobile hacks also exposed Social Security and driver’s license numbers, while others allowed the attackers to swap customer SIMs and take over phone numbers.

Dr. Marc Manzano, general manager, cybersecurity at SandboxAQ, notes that these endemic attacks are even more troubling considering that the world’s most advanced hackers have a very strong interest in mobile carriers and ISPs as an entry point that grants them tremendous downstream possibilities: “The recent breach at T-Mobile highlights a concerning trend: telecommunications companies are increasingly targeted by sophisticated cyberattacks, underscoring the critical need for a comprehensive overhaul of cybersecurity measures within the industry. These networks form the backbone of global communication, and thus enhancing their security posture is essential to protect sensitive data and maintain operational integrity.”

Jim Routh, former CISO at Aetna, American Express and CVS, among others, and currently Chief Trust Officer at Saviynt, adds that while the hackers showed a clear interest in government targets, they also had ample opportunity to scoop up data on everyday Americans: “The best way to describe this cyber attack information is ‘unnerving.’ No one is pleased with the idea that the Chinese government has access to information about us from our cell phones, one of the more intimate devices used in our daily life. The practical reality is that this incident does little to change the risk of a significant impact to US consumers. Chinese cyber criminals have extensive access to personal information on US citizens prior to this incident from previous systemic attacks. It is also not necessarily significant for global enterprises other than threat actors sponsored with access to information from the Chinese government may be better equipped with consumer information related to their ongoing online surveillance activities.”

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, believes that the initial reports on the T-Mobile hack likely understate the issue and that the public should brace for results similar to those seen in the breaches of its two contemporaries: “The Chinese hacker will use T-Mobile to island hop into a myriad of government agencies and critical infrastructures. The national security implications are profound. This is the third telecom provider compromised by the PLA in the last 12 months. The systematic campaign of infiltration will take months to root out.”