Chinese hackers used a ‘range of sophisticated methods’ to breach US telecom providers, insider says
Salt Typhoon deployed various methods to break into telecommunications firms that went far beyond a singular run-of-the-mill credential-stealing attempt, according to a person familiar.
A Chinese state-backed espionage group that penetrated the systems of America’s major telecommunications providers and infrastructure that facilitates court-authorized wiretap requests used a variety of techniques and procedures to achieve their infiltration, according to a person with knowledge of the hack.
The group, dubbed Salt Typhoon by the cybersecurity community, deployed a “range of sophisticated methods” to break into the telecom companies’ systems and conduct a prolonged espionage campaign that’s ensnared dozens of telecommunications and internet providers inside and outside the U.S., said the person, who spoke on the condition of anonymity because they were not permitted to publicly relay their understanding of the events.
The person declined to elaborate on the specific techniques used by the group that allowed them to obtain credentials needed for accessing the communications networks because the investigation into the matter is still ongoing.
Verizon, AT&T, Lumen, T-Mobile and several others are believed to have been ensnared in the intrusions. The White House on Friday hosted telecommunications sector executives to brief them on the incident. Some 80 providers are believed to have been targeted, Politico reported Friday.
“While there were some commonalities and some common threads, they were not locked into a single playbook here,” the person said. “This is not some fly-by-night phishing campaign that was wildly successful.”
The details of the breach underscore Salt Typhoon’s huge scale of cyber activities and helps explain how the group, as part of its espionage operation, surreptitiously obtained sensitive call and text records from select but high-impact targets, among them individuals associated with President-elect Donald Trump.
The intrusions, which are thought to have been carried out for months, have made Salt Typhoon a well-storied cybersecurity topic since the Wall Street Journal first brought the hacking group to light in October.
Hacking groups can obtain login credentials through a variety of ways. Operatives may spin up fabricated, plausible-sounding emails that can trick recipients into handing over sensitive account information. Other data may be obtained through sales on dark web forums and similar unpatrolled areas of the internet that often serve as marketplaces for stolen credentials, personal information and other illicit materials.
Many of the breached systems were not properly equipped with logging mechanisms to monitor device activity, Nextgov/FCW previously reported, slowing investigators’ attempts to piece together the digital sequencing that allowed the campaign to be carried out.
It remains unclear whether other surveillance systems, such as those governed by the Foreign Intelligence Surveillance Act, were penetrated in the hacks. Data from those networks could provide Beijing with insights into U.S. overseas intelligence targets.
An influential government-backed cybersecurity review board is poised to formally probe the intrusions at some point in the future, the Department of Homeland Security confirmed in late October.