In a significant breach of national security, Chinese state-sponsored hackers, identified as "Salt Typhoon," have infiltrated major U.S. telecommunications networks, compromising sensitive communications and data. This cyber-espionage campaign has raised alarms about the vulnerability of critical infrastructure and the potential for foreign surveillance on American soil.
Scope and Impact of the Breach
By mid-November, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) formally announced that Salt Typhoon had deeply infiltrated major U.S. telecommunications providers. This breach, which persisted for over a year, facilitated the extraction of sensitive information and the surveillance of prominent individuals, including President-elect Donald Trump and members of his campaign team. The hackers also accessed data tied to Justice Department wiretaps conducted under lawful surveillance orders. High-profile companies like Verizon and AT&T were among the primary targets, alongside several other domestic and international telecom operators. Investigations into this breach have been ongoing since spring 2024.
For a much smaller number of victims, the hackers also succeeded in retrieving actual call audio files and the content of text messages. The FBI has contacted victims in this group, many of whom work in government or politics, but officials said it is up to the telecom companies to notify customers included in the first, larger group.
The White House has confirmed that at least eight U.S. telecommunications companies have been compromised by the China-affiliated hacking group known as Salt Typhoon. This marks the first official acknowledgment of the number of affected providers. In response, a new cyber defense task force has been mobilized, bringing together the National Security Agency (NSA), the Pentagon, and the Cybersecurity and Infrastructure Security Agency (CISA) to tackle the breach and enhance defensive measures.
According to Forbes
“Greene [CISA’s Jeff Greene] reportedly suggested ‘that Americans should use encrypted apps for all their communications’ (1,2). That means stop sending texts iPhone to Android, albeit iMessages and Google Messages are fully encrypted while on those platforms.
Greene added that ‘our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it's on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.’
‘We don’t have any illusion that once we kick off these actors they’re not going to come back,’ Greene said.”
The official alert to U.S. citizens from the FBI, NSA and CISA was issued on Tuesday.
U.S. officials are advising the public to use encrypted messaging applications for calls and texts to protect sensitive information from potential interception. Jeff Greene, Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized the importance of encryption, stating that even if adversaries intercept data, encryption renders it unreadable. This guidance marks a significant shift, as agencies like the FBI have previously expressed concerns about encryption hindering law enforcement access. However, the current threat landscape has led to a reevaluation, with officials now recommending encrypted services such as Signal and WhatsApp to ensure communication privacy and security.
Despite these efforts, the Chinese hackers remain embedded within the networks of the affected telecom providers. This persistent access continues to expose a significant portion of the American public to potential surveillance and eavesdropping.
Government Response and Recommendations
In response to the breach, U.S. officials have urged the public to adopt encrypted communication methods. Jeff Greene, a senior official at CISA, emphasized the importance of encryption, advising against using plaintext communications. This marks a notable shift from previous government stances, highlighting the severity of the current threat.
The White House has convened a special response group, meeting daily to address the breach and assist affected telecom companies in expelling the intruders. However, as of early December 2024, the hackers remain embedded within the networks, leaving many Americans vulnerable to ongoing surveillance.
CISA’s Recommendations
The Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance to mitigate these threats. Recommendations include:
Implementing multi-factor authentication.
Minimizing privileged account access.
Enhancing detection of suspicious login behavior.
Keeping systems patched and updated.
Unfortunately, these recommendations are nothing new and should be considered the most basic of cybersecurity recommendations.
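The third recommendation, detecting suspicious login behavior, is the one most often left abstract. As an added illustration (not code from the article or from CISA), the script below runs two simple detection rules over constructed authentication log lines: a successful login that follows a burst of failures from the same source, and a privileged account logging in from a source address outside its known baseline. The log format, the account names, the IP addresses and the baseline are all assumptions made for the example.

```python
"""Flag suspicious login behavior in a simplified auth log.

Added example, not from the article or from CISA. It assumes a constructed
syslog-style line format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-11-12T02:14:01 FAIL user=netadmin src=203.0.113.45
2024-11-12T02:14:03 FAIL user=netadmin src=203.0.113.45
2024-11-12T02:14:05 FAIL user=netadmin src=203.0.113.45
2024-11-12T02:14:06 FAIL user=netadmin src=203.0.113.45
2024-11-12T02:14:09 OK user=netadmin src=203.0.113.45
2024-11-12T09:01:11 OK user=alice src=198.51.100.7
2024-11-12T09:30:00 OK user=alice src=198.51.100.7
2024-11-12T10:15:22 OK user=netadmin src=10.0.0.12
"""

# Assumed privileged accounts and per-account baseline of known source IPs.
PRIVILEGED = {"netadmin", "root"}
KNOWN_SOURCES = {"netadmin": {"10.0.0.12"}, "alice": {"198.51.100.7"}}
FAIL_THRESHOLD = 3  # failures before a following success is suspicious


def parse_line(line):
    """Parse one log line into a dict; raises ValueError on malformed input."""
    ts, result, user_kv, src_kv = line.split()
    if result not in ("OK", "FAIL"):
        raise ValueError(f"unexpected result field: {result}")
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text, known_sources=KNOWN_SOURCES, privileged=PRIVILEGED,
           fail_threshold=FAIL_THRESHOLD):
    """Return a list of (rule, user, src, timestamp) alerts, in log order."""
    alerts = []
    consecutive_fails = defaultdict(int)  # (user, src) -> failures since last success
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["user"], ev["src"])
        if not ev["ok"]:
            consecutive_fails[key] += 1
            continue
        # Rule 1: a success right after a burst of failures from the same source
        # is the signature of a guessed or sprayed password.
        if consecutive_fails[key] >= fail_threshold:
            alerts.append(("success_after_failures", ev["user"], ev["src"],
                           ev["ts"].isoformat()))
        consecutive_fails[key] = 0
        # Rule 2: a privileged account appearing from a source outside its
        # baseline deserves review even without any failures.
        if ev["user"] in privileged and ev["src"] not in known_sources.get(ev["user"], set()):
            alerts.append(("privileged_new_source", ev["user"], ev["src"],
                           ev["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample data both rules fire for the 02:14:09 login of netadmin from 203.0.113.45, while the later netadmin login from its baseline address and alice's logins produce nothing. In a real deployment the baseline would be learned from historical successful logins rather than hard-coded, and the threshold tuned to the environment's normal failure rate.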
Salt Typhoon
Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, is a Chinese state-sponsored advanced persistent threat (APT) group active since at least 2020. Affiliated with China's Ministry of State Security (MSS), Salt Typhoon specializes in cyber-espionage, targeting critical infrastructure, government agencies, and telecommunications sectors globally.
Notable Cyber Attacks:
2023–2024 Telecommunications Breaches: Salt Typhoon infiltrated major U.S. telecommunications providers, including AT&T, Verizon, and T-Mobile, compromising sensitive communications and data. The group accessed private texts, call records, and, in some instances, live call audio, affecting high-profile individuals such as President-elect Donald Trump and his campaign officials.
2023 Attacks on Government Agencies: The group conducted prolonged attacks against government service providers and telecom firms, compromising databases and cloud servers. They also targeted consulting firms and NGOs associated with the U.S. federal government and military.
Operational Tactics:
Salt Typhoon employs sophisticated techniques to maintain persistent access to targeted networks. The group exploits vulnerabilities in public-facing systems, such as routers and firewalls, and uses compromised credentials to escalate privileges and move laterally within networks. Its focus is typically long-term access for intelligence gathering rather than immediate disruption.
Estimated Size:
While the exact size of Salt Typhoon remains undisclosed, the scale and complexity of their operations suggest a well-resourced and organized group, likely supported by state-level resources.
Salt Typhoon's activities underscore the persistent threat posed by state-sponsored cyber-espionage groups, highlighting the critical need for robust cybersecurity measures to protect sensitive information and infrastructure.
Telecom Industry's Role and Challenges
The Salt Typhoon cyberattack has spotlighted significant vulnerabilities in the U.S. telecommunications industry, raising concerns about its ability to defend against state-sponsored cyber threats. These networks form the backbone of modern communication, supporting personal, business, and government operations. Yet, the breach revealed that even major providers, including industry leaders like Verizon and AT&T, were unable to prevent sophisticated intrusions, leaving sensitive communications exposed. This incident underscores the urgent need for a proactive, industry-wide overhaul of cybersecurity practices.
One major challenge is the lack of transparency and coordination between telecom providers and government agencies. Lawmakers and cybersecurity experts have pointed out that some telecom companies resisted sharing the results of independent security audits with federal authorities. This lack of cooperation hinders efforts to identify vulnerabilities and implement targeted solutions, leaving critical infrastructure exposed. The breach also revealed that many telecom companies continue to use outdated systems, which are particularly susceptible to the advanced tactics used by groups like Salt Typhoon. Modernizing these systems is costly and logistically complex, but necessary to mitigate future risks.
Additionally, the breach highlights broader supply chain vulnerabilities and the interconnected nature of global telecom infrastructure. State-sponsored groups can exploit weaknesses at various points, from hardware and software to personnel. To counter these threats, the industry must adopt stronger encryption practices, enhance its monitoring capabilities, and build a closer partnership with federal cybersecurity agencies. Without such reforms, U.S. telecom providers will remain at risk, potentially compromising the security and privacy of millions of Americans while eroding public trust in these critical systems.