Details of the work of the Chinese state-sponsored threat group Salt Typhoon, first discovered late last month targeting U.S. internet service providers (ISPs), are becoming clearer.
According to a report this week in the Wall Street Journal, the advanced persistent threat (APT) attackers breached the networks of such major broadband providers as AT&T and Verizon possibly by compromising systems used by law enforcement agencies for lawful wiretapping and other activities.
Citing unnamed sources, the WSJ and the Washington Post reported that Salt Typhoon – also known as GhostEmperor and FamousSparrow – also infiltrated Lumen Technologies’ networks and targeted some organizations outside of the United States.
The goal of the threat group, which is believed to be part of the Chinese government’s foreign spy service – the Ministry of State Security – appears to be to gather information, possibly about Chinese nationals that the U.S. government may be targeting for surveillance. The hackers for months may have had access to the “network infrastructures used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk,” sources told the WSJ.
They also accessed other internet traffic running through the ISPs’ networks. U.S. agencies, including the Department of Homeland Security (DHS), the FBI, and CISA, are investigating the attack, and while sources told the Washington Post that the full scale of the campaign is not yet known, the government is treating it as a national security threat. President Biden has been briefed about the breach.
Spokespeople for AT&T, Verizon, and Lumen declined to comment to the WSJ.
A National Security Threat
An unnamed former U.S. intelligence official told the Post that getting access to information from the wiretap systems would give China a “golden opportunity” to hobble U.S. initiatives to collect information about China’s activities, adding that “it enables them to understand exactly who the U.S. government is interested in and to either undermine the government’s intelligence collection efforts or to feed the United States disinformation.”
U.S. intelligence agencies for several years have been vocal about the national security threats presented by China and the government-backed cyberespionage groups trying to infiltrate the IT environments of government agencies and critical infrastructure operations. A 2023 report by the Office of the Director of National Intelligence called China “the broadest, most active, and persistent cyber espionage threat to the U.S. Government and private-sector networks.”
Reports about Salt Typhoon arose late last month, with the WSJ and Post writing about its targeting of broadband networks. It appears to be part of a larger effort by other China-backed bad actors – such as Volt Typhoon – to establish persistence in these networks. Earlier this year, U.S. agencies warned that Volt Typhoon had compromised networks and systems in critical infrastructure sectors such as communications, transportation, water, and energy.
Typhoons a Growing Problem
Volt Typhoon hackers essentially were infiltrating the networks and lying in wait – sometimes for years – to move laterally into operational technology (OT) systems and disrupt operations in the event of a conflict between the United States and China.
Last month, U.S. law enforcement agencies and private cybersecurity companies disrupted a massive botnet created by another China-linked group called Flax Typhoon. Over four years, the hackers compromised more than 20,000 internet of things (IoT) and other devices, including small office and home office (SOHO) routers, firewalls, and network-attached storage (NAS) systems to create the botnet that targeted critical infrastructure operations at organizations like media companies, universities, and government agencies.
Securing Networks is No Easy Chore
With Salt Typhoon, it’s difficult to say without more information how the attackers were able to infiltrate such sensitive systems, though “it's likely a combination of exploiting a lack of cyber hygiene and an inability to understand highly complex environments,” John Terrill, CISO of Phosphorus Cybersecurity, told MSSP Alert. “The more interesting question is what were they looking for in these surveillance systems.”
The systems thought to be targeted by Salt Typhoon are used by federal agencies, with the ISPs’ cooperation, to glean information as part of criminal and national security investigations, according to the WSJ. It’s unclear whether systems used for foreign intelligence surveillance were also compromised in the breach.
Terrill said that an advantage defenders normally have is the ability to understand their environment better than the attackers do, though “given the sheer size of telecom networks, I would venture a guess that tackling that is an uphill battle.”
Dan Schiappa, chief product and services officer for cybersecurity firm Arctic Wolf, called the breaching of the U.S. communications infrastructure the Chinese government’s “most blatant sign of cyber-espionage in modern history, and compromising the largest telecom businesses in the country proves that there’s no upper limit for Beijing-tied APT threats.”
The job of protecting the country from such attacks lies with both the public and private sectors.
“Businesses need to be cognizant of the potential for espionage, theft, or destruction that these groups pose, but thwarting operations like Volt Typhoon and Salt Typhoon will require our elected officials to reassess and reallocate resources toward our national cybersecurity strategy,” Schiappa said.