November 6, 2024 | Security intelligence
Unsecured lines: Analyzing China’s cyberattack on U.S. telecoms
By Ryan Slaney
In October 2024, the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) jointly advised that Chinese state-sponsored cyber actors had breached several large U.S.-based telecommunication service providers (TSPs). The agencies did not offer further details besides indicating that they notified the affected companies, rendered assistance, and shared information with other potential victims.
This revelation came just weeks after it was revealed that the China-linked threat actor, Salt Typhoon, breached multiple U.S.-based internet service providers (ISPs), including Verizon, AT&T, and Lumen Technologies. It is believed that Salt Typhoon gained access to the interception systems used to accommodate warranted investigation requests by law enforcement agencies.
Given that various media outlets named several U.S. politicians targeted by these campaigns, yet U.S. authorities released no further information, Field Effect analysts endeavoured to provide insight into this attack, including how it may have happened and its potential impact on cybersecurity.
China's history of targeting MSPs
This isn’t the first time Chinese state-affiliated groups have been implicated in targeting high-value service providers to gain sensitive information. While not quite ISPs or TSPs, China has been linked to multiple cyberattacks on managed service providers (MSPs), exploiting these organizations as entry points to access the networks of their clients.
MSPs provide IT services and support to many businesses, making them attractive targets for cyber espionage groups seeking widespread access to multiple networks through a single breach.
One of the most notable campaigns attributed to China is Operation Cloud Hopper, which was reportedly orchestrated by a Chinese state-sponsored group known as APT10 or Stone Panda. This campaign, active from at least 2016, targeted MSPs worldwide, allowing the attackers to infiltrate the networks of clients across industries such as finance, healthcare, and defense. The primary goal was to gather sensitive information, including intellectual property, trade secrets, and confidential business data, which could give China a competitive edge in key sectors.
The scope of these attacks prompted coordinated responses from governments, including public indictments by the U.S. Department of Justice against alleged members of APT10 in 2018. Nations worldwide have since warned MSPs about the heightened risk of state-sponsored actors, particularly those linked to China, encouraging companies to strengthen their cybersecurity practices to prevent and detect such intrusions.
These cyber operations underscore the strategic focus on MSPs as high-value targets. Their access to diverse client environments makes them the perfect vector for large-scale espionage efforts. The subsequent targeting of ISPs and TSPs would be a natural evolution of the MSP campaign and another set of targets for large-scale espionage.
Types of data that ISPs and TSPs retain
Globally, ISPs and TSPs retain data about their service and its users for their own operations, to meet law enforcement requirements, and for various other reasons. In theory, a threat actor who successfully compromises an ISP or TSP could gain access to the following types of information:
Call detail records (CDRs)
Under the USA PATRIOT Act and other statutes, companies must store metadata on calls, such as the numbers involved, time, duration, and possibly the location data of mobile devices. However, the actual content of the calls does not need to be stored. The duration for retaining this data can vary, but it's often held for about 18 months to two years.
Stored communications
Telecommunications providers must retain the content of communications if required by a court order, as per the Stored Communications Act (SCA). However, without specific legal orders, content such as the body of text messages or recorded calls typically isn’t retained due to privacy concerns.
Internet data
ISPs generally aren’t required by law to retain detailed web browsing history or internet usage data. However, specific regulations under the Communications Assistance for Law Enforcement Act (CALEA) require telecom companies to enable interception capabilities for law enforcement with a lawful court order.
Subscriber and billing information
Telecommunications companies are obligated to keep records related to user accounts, such as names, addresses, payment methods, and other account information, which can be shared with law enforcement when legally compelled.
What can China do with this data?
ISPs and TSPs would primarily retain metadata reflecting the regular phone calls and text messages of their users, which provides little intelligence value on the surface. However, there are several possible ways China could exploit the types of information mentioned above, depending on the level of access it had to the affected ISP/TSP.
The biggest concern is whether China could use this access for its own directed intelligence operations and, if so, at what scale. Such access could effectively give China access to phone conversations, text messages, and possibly other services, which would likely contain a plethora of sensitive information.
This access could also be leveraged to identify and monitor location information, as well as to build a profile of an individual and those with whom they communicate. The intelligence implications of this are significant.
In addition to the political figures reportedly already targeted, this capability could also be used against individuals in the U.S. defense and other industries, potentially allowing China to obtain sensitive information. China is known to track and monitor individuals or groups it perceives to be dissidents, and this access could contribute to its efforts in that regard.
The bottom line is if China has (or had) this capability, it constitutes a significant national security threat to the United States.
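The two sections above describe the metadata carriers retain (CDRs with the numbers involved, time, duration and possibly cell location) and what can be derived from it (a profile of an individual and those they communicate with). The following example, added here and not part of the original article, makes that risk concrete with a handful of constructed CDRs: a few dozen lines of aggregation are enough to recover a subscriber's main contacts, total talk time and the cells they were served from by hour, with no call content at all. The record layout, field names, phone numbers and cell IDs are all assumptions, which is why retained metadata deserves the same access controls and monitoring as stored content.

```python
"""Constructed call detail records (CDRs) and what metadata alone reveals.
Example code added to this analysis, not from the original article; the CSV
layout, field names, numbers and cell IDs below are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDRs: caller, callee, start time (UTC), duration in seconds
# and the caller's serving cell ID. No real numbers or cells are used.
SAMPLE_CDRS = """\
caller,callee,start,duration_s,cell_id
+15550100001,+15550100002,2024-10-01T08:05:00,240,CELL-A
+15550100001,+15550100003,2024-10-01T12:30:00,60,CELL-B
+15550100002,+15550100001,2024-10-01T19:45:00,900,CELL-C
+15550100001,+15550100002,2024-10-02T08:10:00,300,CELL-A
+15550100004,+15550100001,2024-10-02T21:00:00,30,CELL-C
+15550100001,+15550100002,2024-10-03T08:00:00,180,CELL-A
"""


def parse_cdrs(text):
    """Parse the CSV-like CDR text into a list of dicts.

    duration_s becomes an int and start becomes a datetime; the other fields
    stay as strings. Blank lines are ignored."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split(",")
    records = []
    for ln in lines[1:]:
        fields = dict(zip(header, ln.split(",")))
        fields["duration_s"] = int(fields["duration_s"])
        fields["start"] = datetime.fromisoformat(fields["start"])
        records.append(fields)
    return records


def contact_graph(records):
    """Undirected contact counts: how often each pair of numbers talked.

    The pair is sorted so that A->B and B->A land on the same edge."""
    counts = Counter()
    for r in records:
        pair = tuple(sorted((r["caller"], r["callee"])))
        counts[pair] += 1
    return counts


def subscriber_profile(records, number):
    """Summarise what metadata alone reveals about one subscriber.

    Returns the top three contacts by call count, total talk time in seconds,
    and, for calls the subscriber originated (the only ones whose cell_id is
    theirs in this layout), the serving cells seen per hour of day."""
    contacts = Counter()
    talk_time = 0
    cells_by_hour = defaultdict(Counter)
    for r in records:
        if number not in (r["caller"], r["callee"]):
            continue
        other = r["callee"] if r["caller"] == number else r["caller"]
        contacts[other] += 1
        talk_time += r["duration_s"]
        if r["caller"] == number:
            cells_by_hour[r["start"].hour][r["cell_id"]] += 1
    return {
        "top_contacts": contacts.most_common(3),
        "talk_time_s": talk_time,
        "cells_by_hour": {h: dict(c) for h, c in cells_by_hour.items()},
    }


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    print(contact_graph(recs))
    print(subscriber_profile(recs, "+15550100001"))
```

Running the block against the six constructed records shows one contact accounting for four of the subscriber's six calls and a recurring 08:00 cell, the kind of pattern that turns "harmless" metadata into a profile. For a defender, the same aggregation run over access logs to the CDR store (who queried which subscriber, how often, and from where) is the starting point for detecting bulk or unauthorised retrieval.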
How did this happen?
Given the limited information from U.S. authorities, we can't definitively know how the breach happened. We do know, however, the attack vectors typically used in incidents of this scale, as well as tactics, techniques, and procedures associated with Chinese state-sponsored threat actors.
Based on this information, the most likely attack vector was a supply chain breach, the exploitation of a zero-day vulnerability, or a plain old spear phishing campaign.
Supply chain attack
China has been linked to multiple cyberattacks targeting supply chains, often with the aim of espionage or gaining a strategic advantage. A well-known example is an attack conducted in 2017, in which a Chinese threat actor compromised CCleaner software to infect its users with malware. Over two million users were compromised, including Google, Microsoft, and Intel employees.
Another significant case was the 2017 ShadowPad incident, where Chinese hackers allegedly backdoored software from NetSarang, a South Korean IT company. This software was widely used by large organizations, and the backdoor allowed attackers to monitor and control infected systems.
Security firms attributed this attack to a Chinese cyber espionage group, signaling a trend toward exploiting trusted third-party software to reach high-value targets in supply chains.
Exploitation of a zero-day vulnerability
China-linked cyber groups often use zero-day vulnerabilities to target entities in sectors critical to national interests, including technology, defense, and healthcare.
The U.S. National Security Agency (NSA) and CISA have issued warnings that Chinese state actors are prioritizing zero-day vulnerabilities in their efforts to access U.S. and allied networks, particularly as they pursue intelligence on emerging technologies and trade secrets.
In 2021, APT41 exploited zero-day vulnerabilities in Microsoft Exchange servers to compromise numerous organizations globally. This enabled attackers to gain remote control over targeted networks, allowing them to steal sensitive data and maintain persistent access.
Spear phishing
China-linked threat actors often leverage spear phishing emails with malicious attachments or links, which, once opened, deploy malware to establish persistence and allow lateral movement across networks.
Insider threat
While we can’t rule this out, we believe this scenario is unlikely since the breach reportedly occurred in multiple ISPs and TSPs. This would require China to recruit individuals in each of these companies to carry out or facilitate the attack. Each approach to individuals would elevate the risk of the campaign being exposed.
Why aren’t the FBI and CISA releasing more information?
Understandably, the U.S. authorities’ hesitation in releasing further details could be perceived as an indicator that the breach has had a massive impact and that they are unsure how to release details without causing panic.
However, it’s important to remember that these investigations are complex, and given the possible outcomes—sanctions or indictments against China and Chinese citizens—authorities would rather take their time and get things right.
Additionally, since it hasn’t yet been stated how the breach was discovered, the U.S. may have been tipped off by a human intelligence asset. If this is the case, the U.S. will have to be careful not to release any details that only this individual would know, or they risk burning the source’s cover.
What was the campaign’s objective?
Based on publicly available information and what is known about Chinese intelligence requirements, the primary goal of this campaign was to obtain sensitive information from individuals associated with the U.S. federal election.
Other objectives could include obtaining access to sensitive economic trade information and military technology. China has previously been implicated in cyber espionage efforts targeting sensitive U.S. military technologies, including stealth aircraft like the F-22 and F-35. These activities involved Chinese hackers allegedly stealing technical details and design plans, which reportedly aided the development of China’s own J-20 stealth fighter.
Conclusion
The event poses a significant national security concern to the U.S. for many reasons.
In the worst-case scenario, China has or had access to a capability allowing it to intercept a target’s communications surreptitiously. The information China could have obtained by leveraging this capability is limited only by one’s imagination.
It is also possible that China obtained metadata associated with the communication habits of millions of Americans, which may give it the ability to identify individuals of interest to the Chinese government, such as dissidents, those working on behalf of the U.S. government, and people in important industries and institutions.
This campaign may also represent a threat to other countries. If a supply chain compromise or zero-day vulnerability was used to facilitate the attack, chances are other ISPs and TSPs used those same vulnerable devices. This would allow China to repeat the same sort of attack elsewhere.
Outlook
The fallout of this attack will likely be the first significant cyber issue the incoming administration will have to deal with. U.S. cybersecurity agencies will no doubt look to identify the root cause and provide guidance, and perhaps legislation, that will help mitigate similar attacks from happening in the future.
It’s entirely possible that the U.S. will lay sanctions on China or indict Chinese citizens found to be responsible for the attack, which will further strain U.S.-China relations.
Countries engage in cyber espionage primarily to protect their national security, gain economic advantage, and maintain geopolitical influence. This "arms race" is an accepted part of international relations; most governments expect and prepare for it, so it is unlikely to stop soon.
If you have any questions or comments regarding this analysis, please contact us.