
China-linked Salt Typhoon hacks Verizon, AT&T in intelligence gathering operation

FBI warns China is hacking western governments "at an unprecedented scale"

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

United States wiretap systems breached by China-linked hacking group “Salt Typhoon”

Another day, another ominous hack by a Chinese hacking group against critical infrastructure and United States businesses. You’d be forgiven for having Chinese hacking news fatigue, but they remain a force to be reckoned with and seemingly grab headlines every month.

An exclusive report by The Wall Street Journal revealed that a cyberattack tied to the People’s Republic of China's government breached the networks of multiple U.S. broadband providers. The targets included Verizon, AT&T, and Lumen Technologies.

The hacking group, known as “Salt Typhoon” (a name given to it by Microsoft), is also known as UNC2286 (Mandiant), GhostEmperor (Kaspersky Labs), and FamousSparrow (ESET).

Learn how cybersecurity researchers name Threat Actor Groups

For more information on how cybersecurity researchers track and name advanced persistent threat groups (APT) and threat actor groups, refer to the following resources:

DebUNCing Attribution: How Mandiant Tracks Uncategorized Threat Actors

How Microsoft names threat actors

Palo Alto Networks Unit 42 - Threat Group Naming Update

The breach by Salt Typhoon is problematic because the group exploited backdoors within each U.S. broadband provider intended for use by U.S. intelligence agencies for foreign intelligence surveillance. According to The Wall Street Journal, the U.S. wiretap systems hack could be one of the most damaging China-backed cyber espionage hacks ever.

According to reports, the hackers were within the foreign intelligence surveillance systems for “months, maybe longer” and obtained highly sensitive intelligence and law enforcement data.

According to the report, the hackers accessed the same network infrastructure that U.S. broadband providers use to comply with legal requests for domestic information related to criminal and national security investigations.

U.S. agencies such as the FBI are still investigating the incident to confirm the extent of the hack and how much data may have been accessed or exfiltrated.

More generic internet traffic of U.S. citizens was likely monitored, but according to reports, it would be too challenging to extract value from it.

This incident validates the concerns of many privacy and security advocates, including Apple, which famously refused to provide a “secure backdoor” to its iOS mobile operating system for use by the U.S. government.

Who is Salt Typhoon?

Microsoft has tracked Salt Typhoon since 2020, while ESET has tracked the group under the name FamousSparrow since 2019. The disparity arises because different cybersecurity researchers and vendors see different cyber activity. While they can reach a consensus on a group's distinctive signature of tactics, techniques, and procedures (TTPs), that consensus doesn’t require perfect alignment in observed activity and history.

Microsoft has primarily linked the group to cyber espionage campaigns. According to Microsoft's report from August 2024, the group specializes in espionage, data theft, and packet capture.

Salt Typhoon targets organizations and entities primarily in North America and Southeast Asia. Cybersecurity firm ESET has attributed global hacks targeting hotels and government agencies to the group.

China has denied allegations that it is responsible for Salt Typhoon or other sophisticated China-linked hacking groups.

Liu Pengyu, a spokesman at the Chinese Embassy in Washington D.C., said, “China firmly opposes and combats cyberattacks and cyber theft in all forms,” according to The Wall Street Journal.

Latest Cybersecurity News

What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.


Cybersecurity Job Openings

Are you looking for a new job or trying to get started in cybersecurity? We’ll post notable new openings across the industry here.

Today’s Cyber Wall of Shame

I agree; please, somebody, anyone, empty my student loan balances, please.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog

