T-Mobile hacked in Chinese cyber-espionage operation

Salt Typhoon hackers breached T-Mobile network for months in massive telecom intelligence gathering operation

In partnership with

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Start learning AI in 2025

Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.

It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.

Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.

Salt Typhoon hack part of major U.S. telecom infrastructure spying operation

The Wall Street Journal and Reuters have confirmed that T-Mobile’s network was part of a major intrusion and hacking operation by Salt Typhoon, an advanced persistent threat group with ties to a Chinese intelligence agency. Previous reports in October confirmed that Salt Typhoon had breached AT&T, Verizon, and Lumen Technologies. Investigators believe hackers aimed at a host of well-connected Americans, including the presidential candidates—reflecting the scope and potential severity of the hack.

As a quick refresher, Microsoft has dubbed the APT group “Salt Typhoon,” but it is also known as UNC2286 (Mandiant), GhostEmperor (Kaspersky Labs), and FamousSparrow (ESET).

Experts claim hack is “catastrophic in scope and severity”

Although it is unclear what information Salt Typhoon extracted, if any, the breach of every major U.S. telecom provider is massively damaging. Salt Typhoon managed to breach and access systems maintained by the carriers to comply with U.S. surveillance requests.

At this time, T-Mobile has stated that no customer data has been impacted.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” the spokesperson said.

However, federal investigators, cybersecurity experts, and T-Mobile personnel are conducting an investigation to confirm the extent of the breach. As with any cybersecurity incident, the breadth of the hack will take time to verify with forensic analysis.

Counterintelligence concerns over Salt Typhoon hacks

Using the U.S.’s surveillance infrastructure against its citizens raises serious counterintelligence concerns.

According to the Wall Street Journal, other unnamed international carriers with close ties to the U.S. were also breached as part of the operation.

The hacks are so damaging that the U.S. Consumer Financial Protection Bureau (CFPB) has urged its employees to minimize or eliminate conducting business matters over a cellular phone. The directive states, “Do NOT conduct CFPB work using mobile voice calls or text messages.”

Instead, it recommends conducting business matters on platforms like Microsoft Teams or Cisco WebEx to minimize risk.

The Federal Bureau of Investigation and Cybersecurity and Infrastructure Security Agency also stressed the severity of the attack.

“Chinese government-linked hackers compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.”

How Salt Typhoon Hacked T-Mobile, AT&T, Verizon, and Lumen Technologies

Details are still emerging, but according to the Journal report, it is believed Salt Typhoon leveraged vulnerabilities from Cisco routers and used artificial intelligence and machine learning to penetrate the U.S. telecom providers further.

Salt Typhoon is believed to have been active for at least eight months within AT&T, Verizon, T-Mobile, and Lumen Technologies.

Senior national security and policy officials across the U.S. were targeted, and the access allowed them to extract call logs, unencrypted texts, and some audio from targets.

This is in addition to other extensive spear phishing and cyberattacks against the Biden, Harris, and Trump Presidential Campaigns by Iran since 2020, as we previously reported.

Today’s Cyber Social Wall of Shame

T-Mobile doesn’t seem to learn from their mistakes. Here’s evidence of no rate-limiting on its internal systems from a separate, unrelated hack back in 2021:

And if you don’t think that is bad… another unrelated T-Mobile breach in 2023 allowed hackers to steal the personal data of 37 million customers.

But wait, there’s more!

Hackers breached T-Mobile’s network again in 2023, having access to hundreds of its customers for over a month.

If you’re on T-Mobile, it may be time to switch to another carrier. They’re all compromised at this point, but wow.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog


P.S. - Do you want to start a newsletter yourself?
You can with beehiiv. Create one today with a free trial.
Disclaimer: The Breach Report may contain affiliate links. Read our Advertising policy page.

Reply

or to participate.