T-Mobile hacked in Chinese cyber-espionage operation

Salt Typhoon hackers breached T-Mobile network for months in massive telecom intelligence gathering operation

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Salt Typhoon hack part of major U.S. telecom infrastructure spying operation

The Wall Street Journal and Reuters have confirmed that T-Mobile’s network was part of a major intrusion and hacking operation by Salt Typhoon, an advanced persistent threat group with ties to a Chinese intelligence agency. Previous reports in October confirmed that Salt Typhoon had breached AT&T, Verizon, and Lumen Technologies. Investigators believe hackers aimed at a host of well-connected Americans, including the presidential candidates—reflecting the scope and potential severity of the hack.

As a quick refresher, Microsoft has dubbed the APT group “Salt Typhoon,” but the same group is also tracked as UNC2286 (Mandiant), GhostEmperor (Kaspersky Lab), and FamousSparrow (ESET).

Experts claim hack is “catastrophic in scope and severity”

Although it is unclear what information Salt Typhoon extracted, if any, the breach of every major U.S. telecom provider is massively damaging. Salt Typhoon managed to breach and access systems maintained by the carriers to comply with U.S. surveillance requests.

At this time, T-Mobile has stated that no customer data has been impacted.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a T-Mobile spokesperson said.

However, federal investigators, cybersecurity experts, and T-Mobile personnel are conducting an investigation to confirm the extent of the breach. As with any cybersecurity incident, the breadth of the hack will take time to verify with forensic analysis.

Counterintelligence concerns over Salt Typhoon hacks

Using the U.S.’s surveillance infrastructure against its citizens raises serious counterintelligence concerns.

According to the Wall Street Journal, other unnamed international carriers with close ties to the U.S. were also breached as part of the operation.

The hacks are so damaging that the U.S. Consumer Financial Protection Bureau (CFPB) has urged its employees to minimize or eliminate conducting business matters over a cellular phone. The directive states, “Do NOT conduct CFPB work using mobile voice calls or text messages.”

Instead, it recommends conducting business matters on platforms like Microsoft Teams or Cisco WebEx to minimize risk.

The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency also stressed the severity of the attack.

“Chinese government-linked hackers compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”

How Salt Typhoon Hacked T-Mobile, AT&T, Verizon, and Lumen Technologies

Details are still emerging, but according to the Journal report, Salt Typhoon is believed to have leveraged vulnerabilities in Cisco routers and to have used artificial intelligence and machine learning to penetrate the U.S. telecom providers further.

Salt Typhoon is believed to have been active for at least eight months within AT&T, Verizon, T-Mobile, and Lumen Technologies.

Senior national security and policy officials across the U.S. were targeted, and the access allowed the attackers to extract call logs, unencrypted texts, and some audio from targets.

This is in addition to the extensive spear-phishing and other cyberattacks against the Biden, Harris, and Trump presidential campaigns by Iran since 2020, as we previously reported.

Today’s Cyber Social Wall of Shame

T-Mobile doesn’t seem to learn from its mistakes. Here’s evidence of no rate-limiting on its internal systems from a separate, unrelated hack back in 2021:

And if you don’t think that is bad… another unrelated T-Mobile breach in 2023 allowed hackers to steal the personal data of 37 million customers.

But wait, there’s more!

Hackers breached T-Mobile’s network again in 2023, retaining access to hundreds of its customers for over a month.

If you’re on T-Mobile, it may be time to switch to another carrier. They’re all compromised at this point, but wow.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog
