A Chinese hack has ensnared thousands of contacts. Hackers have scooped up call logs, unencrypted texts and large amounts of audio, completely piercing America's communications infrastructure
Chinese hackers have burrowed into U.S. telecommunications infrastructure for eight months or more
6 November 2024 — This access allowed them to scoop up call logs, unencrypted texts and some audio from potentially thousands of Americans and others with whom they interacted. The emerging picture of the intrusion’s reach helps confirm the intelligence community’s concerns about the potentially dire national security consequences of the attack, the investigators said.
Hackers burrowed deep into U.S. telecommunications infrastructure over eight months or more. With each layer of network infrastructure they unlocked, the Beijing-linked group studied, without being detected, how America's communications wiring works, and carried out targeted thefts along the way, people familiar with the breach said.
The newly uncovered espionage campaign is the latest in a long string of successes for China’s government hackers, as Western governments accuse Beijing of spying at an unprecedented scale.
But as U.S. officials and security experts piece together what the hackers – part of a group nicknamed Salt Typhoon by investigators – were able to achieve, they have assembled clues that fuel concerns that China’s mastery of cyber-espionage is dangerously advanced.
The hackers appeared to have had the ability to access the phone data of virtually any American who is a customer of a compromised carrier – a group that includes AT&T and Verizon – but limited their targets to several dozen select, high-value political and national-security figures, some of the people familiar with the investigation said.
The hackers also appear to have infiltrated communications providers outside the U.S., including at least one country that closely shares intelligence with the U.S., though it isn’t yet clear where or how extensively. Investigators expect more victims to be identified as the probe continues.
Investigators don’t yet know how China planned to use the information it allegedly stole. U.S. intelligence officials have warned for over a decade that Beijing has amassed an enormous trove of information on Americans in order to identify undercover spies, understand and anticipate decisions by political leaders, and potentially build dossiers on ordinary citizens for future use.
Though political figures are among those spied upon, officials don't suspect the Chinese were seeking to use the access to disrupt or otherwise interfere in the recent presidential election. Their aim is probably to use the information later, as needed. Vice President-elect JD Vance was notified that he had been a target of the hacking group.
U.S. security officials have said they are most concerned because the campaign suggests China is applying artificial intelligence to its stolen data to glean additional insights and build elaborate social maps of millions of Americans.
Investigators said it was a vulnerability that no one imagined or anticipated, and it was one of the most serious breaches they had ever seen.
In a statement, a spokesman for the National Security Council said U.S. agencies across the federal government were “collaborating to aggressively mitigate this threat” and were “surging support to affected entities and determining the full scope and impact on Americans, companies and the government.”
Breaking in
At Lumen Technologies, a carrier and government contractor whose network makes up a core piece of the global internet, hackers stole credentials to give themselves access to parts of the management layer of the company’s infrastructure in late summer. That access helped them quietly collect information about how network routers were configured and perform other reconnaissance for more than a month before they were caught.
In the broader attack on U.S. telecom networks, officials believe that the hackers also targeted systems that carriers use to comply with court-authorized surveillance requests. At Lumen, which doesn’t provide wireless service, the attackers didn’t steal any customer data or access its wiretap capabilities, according to people familiar with the matter. Lumen, which has contracts with the Pentagon and other U.S. agencies, was notified of the intrusion by a company that specializes in threat intelligence, the people said.
While the hackers appear to have used multiple vectors for their attacks on other telecom companies, they were able to gain some access in part by compromising routers from Cisco Systems and other equipment makers, some of the people said.
The hackers have also attempted to re-enter patched systems after being ejected from them, exploiting additional powerful vulnerabilities, some of which weren't previously known to cybersecurity analysts. That bold behavior confounded some U.S. officials because it appeared the hackers were scrambling to stay inside systems long after their cover was blown, taunting investigators and continuing to collect data.
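The "Breaking in" passage above describes two things a telecom operator can watch for: logins to the router management plane with stolen credentials, and the configuration reconnaissance that followed (dumping and copying router configs). The script below is an added example, not code from the article or from any of the carriers named in it. It runs a simple detection over a handful of constructed Cisco IOS login messages and TACACS+ command-accounting records (the formats are approximations of what IOS and tac_plus emit, not captures from the breach), and assumes, as an allowlist, that legitimate management sessions only originate from a jump-host subnet.

```python
"""
Detect management-plane logins from unexpected sources and config-reconnaissance
commands on network devices. Added example; all log lines below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# Assumption (not from the article): operators only reach router management
# interfaces from a jump-host subnet; any other source is suspect.
MGMT_ALLOWLIST = [ip_network("10.200.0.0/24")]

# Commands that read, dump or export device configuration and topology: the
# "how is this network wired" reconnaissance the article describes.
RECON_CMD = re.compile(
    r"^(show (running-config|startup-config|ip route|cdp neighbors|ip bgp summary)"
    r"|copy (running|startup)-config\b|show archive config differences)",
    re.IGNORECASE,
)

# Cisco IOS login-success message (approximated from the real message format).
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] "
    r"\[Source: (?P<src>[\d.]+)\]"
)

# tac_plus-style command accounting record (approximated):
# <date> <nas-ip> <user> <port> <remote-ip> stop ... cmd=<command> <cr>
ACCT_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<nas>[\d.]+) (?P<user>\S+) \S+ (?P<src>[\d.]+) stop "
    r".*cmd=(?P<cmd>.+?)\s*(<cr>)?$"
)


def is_allowed(src: str) -> bool:
    return any(ip_address(src) in net for net in MGMT_ALLOWLIST)


def analyze(lines, burst_threshold: int = 3):
    """Return a list of alert dicts for suspicious logins and recon commands."""
    alerts = []
    recon_count: dict[tuple[str, str], int] = {}
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            if not is_allowed(m["src"]):
                alerts.append({"kind": "mgmt_login_outside_allowlist",
                               "user": m["user"], "src": m["src"]})
            continue
        m = ACCT_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        if not RECON_CMD.match(cmd):
            continue
        key = (m["user"], m["src"])
        recon_count[key] = recon_count.get(key, 0) + 1
        if not is_allowed(m["src"]):
            alerts.append({"kind": "config_recon_outside_allowlist",
                           "user": m["user"], "src": m["src"],
                           "nas": m["nas"], "cmd": cmd})
        elif recon_count[key] == burst_threshold:
            # Even an allowlisted operator dumping many configs in one
            # session is worth a look (stolen credentials used from a jump host).
            alerts.append({"kind": "config_recon_burst",
                           "user": m["user"], "src": m["src"], "count": burst_threshold})
    return alerts


# Constructed sample: a legitimate operator session, then a "service" account
# logging in from an unexpected address and pulling router configuration.
SAMPLE_LOG = [
    "<189>Nov  6 12:00:01 core-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: netops] [Source: 10.200.0.7] [localport: 22] at 12:00:01 UTC Wed Nov 6 2024",
    "Nov  6 12:00:09 10.10.1.1 netops tty2 10.200.0.7 stop task_id=41 service=shell "
    "priv-lvl=15 cmd=show version <cr>",
    "<189>Nov  6 12:14:22 core-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: svc_backup] [Source: 192.0.2.45] [localport: 22] at 12:14:22 UTC Wed Nov 6 2024",
    "Nov  6 12:14:30 10.10.1.1 svc_backup tty3 192.0.2.45 stop task_id=42 service=shell "
    "priv-lvl=15 cmd=show running-config <cr>",
    "Nov  6 12:15:02 10.10.1.1 svc_backup tty3 192.0.2.45 stop task_id=43 service=shell "
    "priv-lvl=15 cmd=copy running-config tftp://192.0.2.45/core-rtr-1.cfg <cr>",
    "Nov  6 12:15:40 10.10.1.1 svc_backup tty3 192.0.2.45 stop task_id=44 service=shell "
    "priv-lvl=15 cmd=show cdp neighbors <cr>",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The point of the allowlist check is that credential theft defeats authentication but not network-path expectations: a valid account logging in to a core router from an address that is not a jump host is the signal. Command accounting (AAA sent to a TACACS+ server, not local syslog alone) is what makes the second check possible, since the router's own logs do not record `show` commands.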
In one breakthrough, investigators have determined that the hackers were working on behalf of a Chinese intelligence agency, likely the Ministry of State Security, which is responsible for foreign intelligence collection. They have identified a specific Chinese contractor they believe carried out the attack, the people familiar with the inquiry said. The MSS often relies on contractors to carry out hacking missions.
A spokesman for the Chinese Embassy in Washington has previously denied the country’s involvement in the hack and accused U.S. spy agencies and cybersecurity firms of “secretly collaborating to piece together false evidence.”
What they took
The hackers were able to capture at least some voice audio from some compromised victims, including people affiliated with both Trump and Harris campaigns, investigators have learned. It is unclear whether they recorded actual calls, voice memos or something else.
In addition to the surveillance of specific Americans, the targeting of court-authorized wiretap systems has prompted fears that Beijing was able to observe ongoing U.S. inquiries into Chinese spies and others.
The group behind the Salt Typhoon attacks has previously compromised some telecommunications infrastructure in Southeast Asia, according to cybersecurity researchers.
The Slovakia-based cybersecurity firm ESET has long referred to the Salt Typhoon hacking group as FamousSparrow and says it has previously broken into government agencies and hotel networks worldwide, including in France, the U.K., Israel, Saudi Arabia, Taiwan and Brazil, among other countries.
Note to readers: they were one of more than 10 advanced hacking teams caught exploiting a series of flaws in Microsoft’s Exchange email software in 2021, according to ESET. As we reported two years ago, it was one easy method to hack into U.S. law firms, undetected.
The 2021 Exchange hack left an estimated tens of thousands of business and government networks vulnerable to intrusion. The Biden administration blamed China's Ministry of State Security for those hacks, a callout that was joined by the U.K. and the European Union.