Salt Typhoon hacked telcos in dozens of countries
Chinese state hackers, known as Salt Typhoon, have breached telecommunications companies in dozens of countries, President Biden’s deputy national security adviser Anne Neuberger said today.
During a Wednesday press briefing, the White House official told reporters that these breaches include a total of eight telecom firms in the United States, with only four previously known.
While these attacks have been underway for “likely one to two years,” “at this time, we don’t believe any classified communications have been compromised,” Neuberger added, as the Journal first reported.
“The Chinese compromised private companies exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world.”
“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing. We’re still trying to understand that, along with those partners,” a senior CISA official said in a Tuesday press call.
On Tuesday, CISA and FBI officials advised Americans to switch to encrypted messaging apps to minimize Chinese hackers’ chances of intercepting their communications.
“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” they said. “Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”
However, T-Mobile’s Chief Security Officer, who said last week that the company’s systems were breached from a connected wireline provider’s network, claims T-Mobile no longer sees any attacker activity within its network.
Also tracked as FamousSparrow, Earth Estries, Ghost Emperor, and UNC2286, this state-backed hacking group has been breaching government entities and telecom companies across Southeast Asia since at least 2019.
The Salt Typhoon telecom hacks
CISA and the FBI confirmed the hacks in late October, following reports that Salt Typhoon had breached the networks of multiple telcos, including T-Mobile, Verizon, AT&T, and Lumen Technologies.
The federal agencies later revealed the threat actors compromised the “private communications” of a “limited number” of U.S. government officials, accessed the U.S. government’s wiretapping platform, and stole law enforcement request data and customer call records.
While the timing of the telecom network breaches is unclear, a Wall Street Journal report says that Chinese hackers had access for “months or longer.” This reportedly allowed them to steal substantial internet traffic from internet service providers serving American businesses and millions of customers.
On Tuesday, CISA released guidance to help system administrators and engineers who manage communications infrastructure harden their systems against Salt Typhoon attacks.
Released with the FBI, the NSA, and international partners, this joint advisory includes tips on hardening network security to shrink the attack surface targeted by the Chinese state hackers, including unpatched devices, vulnerable services exposed to online access, and generally less-secured environments.