The FBI and CISA continue to investigate a large-scale cyber-espionage campaign by China-linked threat actors targeting U.S. telecoms, compromising networks to steal call records and access private communications, mainly those of government and political figures.
The US agencies confirmed that Chinese threat actors have compromised the private communications of a “limited number” of government officials following the compromise of multiple U.S. broadband providers. The cyber spies stole information belonging to targeted individuals that was subject to U.S. law enforcement requests pursuant to court orders.
“The US government’s continued investigation into the People’s Republic of China (PRC) targeting of commercial telecommunications infrastructure has revealed a broad and significant cyber espionage campaign,” reads the joint statement issued by CISA and the FBI.
“Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues.”
In September, the Wall Street Journal reported that China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.
The security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed because of its possible impact on national security. Experts believe the threat actors aim to gather intelligence.
“A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests,” reported the WSJ.
“For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.”
The Salt Typhoon group targeted surveillance systems used by the US government to investigate crimes and threats to national security, including activities carried out by nation-state actors.
The investigation into the breaches of the U.S. broadband providers is still ongoing, and government experts are assessing its scope.
Experts suspect the state-sponsored hackers have gathered extensive internet traffic and potentially compromised sensitive data.
This attack is the latest incident linked to China’s expansive espionage strategies.
U.S. officials are increasingly concerned about Chinese cyber efforts to infiltrate critical infrastructure. Intelligence experts believe that security breaches like this could enable disruptive attacks during potential future conflicts.
The Salt Typhoon campaign is part of this broader strategy. Experts are still investigating the origins of the attack and whether threat actors compromised Cisco routers.