The worst telecommunications hack in US history: Chinese cyber group ‘Salt Typhoon’ intrusions likely started years ago

There are an estimated 128,000 telecommunications companies in the U.S. that serve hundreds of millions of subscribers. U.S. intelligence sources and officials indicate Chinese government-sponsored hackers have been secretly lurking around the decrepit routers and switches that connect this massive network for more than four years.

Senate Intelligence Committee Chairman Mark Warner has called it, “the worst telecommunications hack in our nation’s history,” one that dwarfs the impact of the Colonial Pipeline, OPM and SolarWinds attacks.

The group has been active since at least 2020 and is also tracked under three other names: Ghost Emperor, Famous Sparrow and UNC2286. The different names exist because each cybersecurity firm that discovered the activity tracks it under its own naming convention, but they all refer to the same threat actor.

The latest breach has compromised major U.S. telecom providers AT&T, Verizon, T-Mobile, and at least five others, granting access to live phone calls, sensitive communications, and law enforcement surveillance data.

“This makes previous cyberattacks look like child’s play,” Warner said in an urgent statement before the Thanksgiving holiday, emphasizing the gravity of the breach and its implications for national security.

The Salt Typhoon breach: What we know

First disclosed in October, Salt Typhoon represents a sophisticated cyber espionage campaign targeting decades-old vulnerabilities in the backbone of America’s communications infrastructure.

The attackers were able to:

  • Monitor Live Phone Calls: Gain access to cellphone and data networks, enabling real-time eavesdropping.
  • Harvest Sensitive Data: Collect private communications, including those of individuals involved in government or political activities.
  • Compromise Law Enforcement Systems: Access systems that log U.S. law enforcement requests for criminal wiretaps, potentially tipping off Chinese intelligence about American investigative targets.

Highlighting the scope of the damage and the challenge of eliminating the threat, Warner described the network infiltration as so pervasive that purging the hackers entirely could require replacing “literally thousands and thousands and thousands of pieces of equipment across the country.”

A critical cybersecurity crisis

Federal agencies, including the FBI, CISA and NSA, responded Tuesday with an urgent advisory detailing steps for telecom providers to secure their systems.

Recommendations include patching vulnerabilities, hardening network devices, and implementing strict monitoring practices.

The agencies and their international partners also published a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, that provides telecommunications companies with best practices to protect against Salt Typhoon, which has also compromised networks of numerous major global telecommunications providers.

“The PRC-affiliated cyber activity poses a serious threat to critical infrastructure, government agencies, and businesses. This guide will help telecommunications and other organizations detect and prevent compromises by the PRC and other cyber actors,” said Jeff Greene, executive assistant director for cybersecurity at CISA.

Greene also said, “Along with our U.S. and international partners, we urge software manufacturers to incorporate Secure by Design principles into their development life cycle to strengthen the security posture of their customers and put their principles into practice.”

But despite these efforts, officials warn that the compromised networks remain at risk, underscoring the need for a massive overhaul of telecom infrastructure.

“This isn’t just a breach of a company or a system — it’s a breach of our national security,” Warner stressed, urging Americans to recognize the seriousness of the espionage campaign.

Three groups of targets were revealed at a congressional briefing earlier this week including:

  1. An undisclosed number of victims, mostly in the D.C. region, whose call records were stolen from telecom companies.
  2. Private communications of 100-150 political or government-linked individuals believed to have been monitored in real time.
  3. U.S. court orders, which an FBI official said the Chinese hackers accessed and copied through the lawful-intercept systems that carriers maintain under the Communications Assistance for Law Enforcement Act (CALEA).

What can telecom customers do?

Based on disclosures from U.S. authorities, individual customers can take steps to protect their data and devices from further exploitation. Federal agencies recommend the following actions:

  1. Update Devices Regularly: Ensure all personal devices, including smartphones and home routers, are updated with the latest firmware and security patches to mitigate known vulnerabilities.
  2. Secure Your Home Network: Change default usernames and passwords on routers. Use strong, unique passwords and enable WPA3 encryption for Wi-Fi networks and disable unused features such as remote management or Universal Plug and Play (UPnP).
  3. Use Multi-Factor Authentication (MFA): Enable MFA for critical accounts, such as email, banking, and social media. Consider using a hardware-based MFA solution for added security.
  4. Monitor Your Network: Regularly check home networks for unknown or suspicious devices using router management tools or apps.
  5. Adopt Strong Encryption: Use a reputable virtual private network (VPN) when browsing on public Wi-Fi, and ensure websites use HTTPS for secure data transmission. Note that a VPN and HTTPS protect internet traffic from your device, not ordinary phone calls and SMS messages, which are carried and switched by the carrier networks at issue here; for those, end-to-end encrypted calling and messaging apps are the relevant protection.
  6. Stay Informed: Follow updates from trusted sources, such as CISA or telecom providers, on emerging threats and best practices.
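Item 4 above (checking a home network for devices you do not recognize) is the one step in this list that can be automated. The script below is an added example, not code from the article or from any agency guidance: it parses the Linux `ip neigh show` neighbour table, compares each discovered MAC address against a hypothetical allowlist of known devices, and reports anything not on it. The sample neighbour-table text and the allowlist are constructed for the example; on a Linux host it will try the live table first and fall back to the sample.

```python
"""Baseline a home LAN's neighbour table and flag devices not on an allowlist.

Added example (not from the WTOP article). Assumes the output format of the
Linux `ip neigh show` command; the sample text and the allowlist below are
constructed for illustration, not captured from a real network.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample of `ip neigh show` output (not a real capture).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:12:34 REACHABLE
192.168.1.5 dev wlan0  FAILED
fe80::1 dev wlan0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

# Hypothetical allowlist of devices you expect on the LAN: MAC -> label.
KNOWN_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "home router",
    "aa:bb:cc:00:00:02": "laptop",
}

# One neighbour entry: "<ip> dev <iface> lladdr <mac> [flags...] <STATE>".
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})(?P<rest>.*)$",
    re.IGNORECASE,
)

Entry = Tuple[str, str, str]  # (ip, mac, state)


def parse_neigh(text: str) -> List[Entry]:
    """Return (ip, mac, state) for entries that resolved a link-layer address.

    Entries without `lladdr` (FAILED / INCOMPLETE) carry no MAC and are skipped,
    since there is nothing to compare against the allowlist.
    """
    entries: List[Entry] = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group("rest").split()
        state = tokens[-1] if tokens else "UNKNOWN"  # state is the last token
        entries.append((m.group("ip"), m.group("mac").lower(), state))
    return entries


def unknown_devices(entries: List[Entry], known: Dict[str, str]) -> List[Entry]:
    """Return entries whose MAC is not in the allowlist, one per MAC.

    The same device usually appears under both an IPv4 and an IPv6 address,
    so results are deduplicated on the MAC address.
    """
    seen: Set[str] = set()
    flagged: List[Entry] = []
    for ip, mac, state in entries:
        if mac in known or mac in seen:
            continue
        seen.add(mac)
        flagged.append((ip, mac, state))
    return flagged


def live_neigh() -> str:
    """Run `ip neigh show` on a Linux host; return '' if it is unavailable."""
    try:
        proc = subprocess.run(
            ["ip", "neigh", "show"], capture_output=True, text=True, check=True
        )
        return proc.stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    table = live_neigh() or SAMPLE_NEIGH
    for ip, mac, state in unknown_devices(parse_neigh(table), KNOWN_DEVICES):
        print(f"UNKNOWN device {mac} at {ip} ({state})")
```

Two caveats a practitioner would add: a MAC allowlist is a baseline, not an authentication mechanism (MACs are trivially spoofed, and modern phones randomize them per network, so expect some churn), and this only finds unfamiliar devices on your own LAN. It says nothing about interception on the carrier side, which is where the Salt Typhoon compromise took place.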

CISA Director Jen Easterly announced that the Cyber Safety Review Board will meet on Friday to assess the ongoing Salt Typhoon breach.

Following a classified Senate briefing this week, Easterly emphasized the need for understanding the breach’s scope and scale, as agencies remain focused on incident response. “We want to map out the problem and key actions to fortify our networks,” she said.

Despite the urgency in shutting the door on Salt Typhoon, Easterly indicated the recommendations likely wouldn’t come out until the spring or summer of 2025.


© 2024 WTOP. All Rights Reserved.

J.J. Green

JJ Green is WTOP's National Security Correspondent. He reports daily on security, intelligence, foreign policy, terrorism and cyber developments, and provides regular on-air and online analysis. He is also the host of two podcasts: Target USA and Colors: A Dialogue on Race in America.
