Pierluigi Paganini
October 06, 2024
China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.
According to the Wall Street Journal, which reported the news exclusively, the security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed due to possible impact on national security. Experts believe that threat actors are aimed at gathering intelligence.
“A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.” reported the WSJ.
“For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.”
The Salt Typhoon group targeted surveillance systems used by the US government to investigate crimes and threats to national security, including activities carried out by nation-state actors.
The investigation into the breaches of the U.S. broadband providers is still ongoing, government experts are assessing its scope.
Experts suspect the state-sponsored hackers have gathered extensive internet traffic and potentially compromised sensitive data.
This attack is the latest incident linked to China’s expansive espionage strategies.
U.S. officials are increasingly concerned about Chinese cyber efforts to infiltrate critical infrastructure. Intelligence experts believe that security breaches like this could enable disruptive attacks during potential future conflicts.
The Salt Typhoon campaign is part of this broader strategy. Experts are still investigating the origins of the attack and whether threat actors compromised Cisco routers.
This week Wall Street Journal first reported that experts are investigating the security breaches to determine if the attackers gained access to Cisco Systems routers, which are core network components of the ISP infrastructures.
A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity, the spokeswoman said.
“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” Wall Street Journal reported.
“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.”
China has long targeted global internet service providers and recent attacks are aligned with past operations linked to Beijing.
Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrate critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.
The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called Volt Typhoon. Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the APT40 group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Salt Typhoon)
