The U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a short joint statement on their continued investigation into China-linked Salt Typhoon’s breach of large telecommunications and broadband providers. The agencies described the attack as a ‘significant cyber espionage campaign.’
The statement confirmed that the threat actors stole customer call records data, compromised the private communications of individuals involved in government or political activity, and copied certain information subject to U.S. law enforcement requests pursuant to court orders.
The joint statement did not reveal how the campaign was carried out or when it started. However, media outlets are reporting that Salt Typhoon had access to the targeted organizations’ networks for several months or longer, allowing the group to collect vast amounts of internet traffic from internet service providers that serve businesses and millions of Americans.
Source: Bleeping Computer
Analysis
As detailed in Field Effect’s recently released analysis, Unsecured lines: Analyzing China’s cyberattack on U.S. telecoms, China’s breach of U.S. telecoms and broadband providers poses a significant national security concern to the U.S. for many reasons. As confirmed by the FBI and CISA, China had access to a capability that allowed it to surreptitiously intercept private communications of political figures. This likely resulted in China obtaining valuable insight into the recent U.S. election and plans for policies the candidates would implement if elected.
China was also able to obtain metadata describing the communication habits of millions of Americans. This may give it the ability to identify individuals of interest to the Chinese government, such as dissidents, people working on behalf of the U.S. government or in important industries and institutions, and others like them.
Finally, this campaign may also represent a threat to other countries. If a supply chain compromise or zero-day vulnerability was used to facilitate the attack, it is likely that other ISPs and telecommunications service providers (TSPs) use the same vulnerable devices, which would allow China to repeat the same sort of attack elsewhere.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat actors like Salt Typhoon. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Given this recent malicious activity, broadband providers and telecoms should implement strict security measures, including enabling multi-factor authentication, logging, traffic monitoring, and providing employees with anti-phishing training.