WSJ: T-Mobile hacked by cyber-espionage group linked to Chinese Intelligence agency
According to the Wall Street Journal, T-Mobile’s network was hacked in a damaging Chinese cyber-espionage operation that successfully gained entry into multiple U.S. and international telecommunications companies.
Hackers linked to a Chinese intelligence agency were able to breach T-Mobile as part of a monthslong campaign to spy on the cellphone communications of high-value intelligence targets. It is unclear what information, if any, was taken about T-Mobile customers’ calls and communications records.
“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a company spokeswoman said. “We will continue to monitor this closely, working with industry peers and the relevant authorities.”
Salt Typhoon used sophisticated methods to infiltrate American telecom infrastructure through vulnerabilities, including in Cisco Systems routers, and investigators suspect the hackers relied on artificial intelligence or machine learning to further their espionage operations, people familiar with the matter said. The attackers penetrated at least some of that infrastructure over eight months or more.
In the broader hacking campaign, attackers were able to access cellphone lines used by an array of senior national security and policy officials across the U.S. government, in addition to politicians. The access allowed them to scoop up call logs, unencrypted texts and some audio from targets, in what investigators believe may have significant national-security ramifications.
Additionally, the hackers were able to access information from systems maintained by the carriers to comply with U.S. surveillance requests, raising further counterintelligence concerns. Investigators are still endeavoring to fully understand the intrusions, which they have attributed to the Salt Typhoon group. At Lumen, which doesn’t provide wireless service, the attackers didn’t steal any customer data or access its wiretap capabilities, according to people familiar with the matter.
Further investigation has revealed that the hackers sought access to data managed under U.S. law enforcement programs, including those governed by the Foreign Intelligence Surveillance Act (FISA). This act authorizes American intelligence agencies to monitor suspected foreign agents’ communications. By targeting these programs, Chinese hackers may have aimed to infiltrate sensitive government communications channels, gaining insights into U.S. surveillance efforts.
Some foreign telecommunications firms were also compromised in the hacks, including in countries that maintain close intelligence-sharing partnerships with the U.S., people familiar with the matter said. Earlier this week, the Biden administration acknowledged in a public statement some details about the nature of the “broad and significant” hack that were previously reported by the WSJ.
Chinese government-linked hackers had compromised networks at multiple telecommunications companies “to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders,” the statement from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) said. “We expect our understanding of these compromises to grow as the investigation continues,” they added.
References:
https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b
https://www.newsweek.com/fbi-chinese-cyber-espionage-multiple-telecom-networks-1985617
“Due to our security controls, network structure and diligent monitoring and response we have seen no significant impacts to T-Mobile systems or data,” T-Mobile told BleepingComputer after the publishing of this story.
“We have no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced.”
https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/
NY Times update: Emerging Details of Chinese Hack Leave U.S. Officials Increasingly Concerned
Leaders of the big telecommunications companies were summoned to the White House to discuss strategies for overhauling the security of the nation’s telecommunications networks amid growing alarm at the scope of a Chinese hack. The meeting in the Situation Room came after weeks in which officials grew increasingly alarmed by what they had uncovered about the hack.
They now believe the hackers from a group called “Salt Typhoon,” closely linked to China’s Ministry of State Security, were lurking undetected inside the networks of the biggest American telecommunications firms for more than a year.
They have learned that the Chinese hackers got a nearly complete list of phone numbers the Justice Department monitors in its “lawful intercept” system, which places wiretaps on people suspected of committing crimes or spying, usually after a warrant is issued.
https://www.nytimes.com/2024/11/22/us/politics/chinese-hack-telecom-white-house.html
Microsoft credited with spotting sophisticated Chinese hack that hit telecoms including T-Mobile
U.S. officials say a sophisticated Chinese hack that breached the networks of telecommunication giants may not have been spotted without help from Microsoft.
A New York Times report details the growing concern around a breach engineered over the past year that allowed a group linked to Chinese intelligence to read text messages and listen to phone calls of national security officials and U.S. politicians.
U.S. senator and former telecom exec Mark Warner called it “the most serious telecom hack in our history,” according to the NYT.
Telecom companies — including Bellevue, Wash.-based T-Mobile — might still not know about the hack had Microsoft security researchers not spotted unusual activity earlier this year, the NYT noted. That set off a secret investigation this summer into an attack known as “Salt Typhoon.”
The CEOs of AT&T and Verizon attended a White House meeting Friday to discuss the attack. The NYT reported that T-Mobile CEO Mike Sievert, who “initially doubted that the company had been compromised by the Chinese,” sent a deputy to the meeting.
The Wall Street Journal reported last week that T-Mobile was hacked as part of the Salt Typhoon attack.
“Due to our security controls, network structure and diligent monitoring and response we have seen no significant impacts to T-Mobile systems or data,” T-Mobile said in a statement to GeekWire. “We see no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced.”
https://www.geekwire.com/2024/microsoft-credited-with-spotting-sophisticated-chinese-hack-that-hit-telecoms-including-t-mobile/
FCC Chair Jessica Rosenworcel suggested that telecom carriers raise their network security methods and procedures:
“The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Rosenworcel. “As technology continues to advance, so do the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.
“While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”
Rosenworcel’s cunning plan is to make CSPs submit some kind of annual certification to the FCC, proving their cybersecurity measures are up to scratch. The clear inference from the attack itself and all the subsequent attempts to shut the stable door after the horse has bolted is that those efforts currently fall short of the mark. But, understandably, none of the specific deficiencies have been publicly detailed. Consequently, we don’t yet know which boxes would need to be ticked in order to get the FCC’s clean bill of health.
The press release refers to a recent WSJ report based on an unpublished briefing from US national security adviser Anne Neuberger, in which she detailed the scale of the Salt Typhoon attack. “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” she was quoted as saying.
https://www.telecoms.com/security/as-us-finally-details-chinese-salt-typhoon-attack-fcc-chair-proposes-new-rules-for-telcos
Chinese government hackers have compromised telecommunications infrastructure across the globe as part of a massive espionage campaign that has affected dozens of countries, a top U.S. security official said Wednesday.
Speaking during a press briefing Wednesday, Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, said the so-called Salt Typhoon campaign is ongoing and that at least eight telecommunications firms in the U.S. had been breached.
“The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” Neuberger said.
The remarks are the most specific public acknowledgment yet by the U.S. government concerning the vast scope and severity of the hacking campaign, which investigators have traced to a Chinese intelligence agency. The Journal previously identified Verizon, AT&T, T-Mobile and Lumen Technologies among the victims.
Additionally, a “large number of Americans” had their cellphone metadata accessed in the intrusions, a senior administration official said. The official declined to say how many Americans, but said it wasn’t believed that all Americans had cell metadata—such as the time stamps of calls and the phone numbers involved—compromised.
The metadata grabs appeared to be “regional” in focus, and were likely a means to identify phone lines of valuable senior government officials, which the hackers then targeted to steal unencrypted text messages and listen in on some phone calls, the official said.
President-elect Donald Trump, Vice President-elect JD Vance, senior congressional staffers and an array of U.S. security officials were among scores of individuals to have their calls and texts directly targeted, an intelligence-collection coup that likely ensnared their private communications with thousands of Americans, the Journal has reported.
The senior administration official said the global tally of countries victimized was currently believed to be in the “low, couple dozen” but didn’t give a precise figure. The global campaign of hacking activity dates back at least a year or two, the official said.
Investigators are still working to understand the full parameters of the continuing intrusions. Neuberger, on the press briefing, said that it wasn’t believed that classified communications were accessed in the breaches.
“We do not believe any have fully removed the Chinese actors from these networks,” Neuberger said, adding that there remained a risk of ongoing compromises of U.S. calls until the companies fully address “cybersecurity gaps.”
In addition to compromising private unencrypted calls and texts, the hackers were able to access information from systems maintained by the carriers to comply with U.S. surveillance requests, raising further counterintelligence concerns.
Wednesday’s briefing was the second in as many days from Biden administration officials, many of whom have been repeatedly stunned by the extent of the Salt Typhoon hack as investigators unearth more details. The U.S. Senate also received a closed-door briefing Wednesday from senior officials about the hack.
On Tuesday, officials conceded they don’t know when the hackers might be purged from telecommunications infrastructure and urged people to use encrypted apps to protect their phone calls and texts.
“It would be impossible for us to predict a time frame on when we’ll have full evictions,” Jeff Greene, a senior official at the Cybersecurity and Infrastructure Security Agency, said.
https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca
Salt Typhoon began cyber-attacks in 2022. Its purpose, according to U.S. officials, was to give Chinese operatives persistent access to telecommunications networks across the U.S. by compromising devices like routers and switches run by companies like AT&T, Verizon, Lumen and others.
This attack comes on the heels of reports that the FBI and Cybersecurity and Infrastructure Security Agency were assisting telephone companies with countering other China-connected compromises of their networks. The earlier hacking was part of an attack targeting people in the Washington area in government or political roles, including candidates for the 2024 presidential election.
But Salt Typhoon is not just targeting Americans. Research from security vendor Trend Micro shows that attacks by Salt Typhoon compromised other critical infrastructure around the world in recent years. U.S. officials have confirmed these findings as well – and their level of concern is noteworthy.
Chinese officials have denied the allegations that they’re behind this operation, as they have in response to allegations about previous cyberattacks.
As a cybersecurity researcher, I find that this attack is indeed breathtaking in its scope and severity. But it’s not surprising that such an incident took place. Many organizations of all sizes still fail to follow good cybersecurity practices, have limited resources, or operate IT infrastructures that are too complex to effectively monitor, manage and secure.
How bad is it?
Salt Typhoon exploited technical vulnerabilities in some of the cybersecurity products like firewalls used to protect large organizations. Once inside the network, the attackers used more conventional tools and knowledge to expand their reach, gather information, stay hidden and deploy malware for later use.
According to the FBI, Salt Typhoon allowed Chinese officials to obtain a large number of records showing where, when and with whom specific individuals were communicating. In some cases, they noted, Salt Typhoon gave access to the contents of phone calls and text messages as well.
Salt Typhoon also compromised the private portals, or backdoors, that telephone companies provide to law enforcement to request court-ordered monitoring of phone numbers pursuant to investigations. This is also the same portal that is used by U.S. intelligence to surveil foreign targets inside the United States.
As a result, Salt Typhoon attackers may have obtained information about which Chinese spies and informants counterintelligence agencies were monitoring – knowledge that can help those targets try to evade such surveillance.
On Dec. 3, the Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI, along with their counterparts in Australia, New Zealand and Canada, released guidance to the public on how to address the Salt Typhoon attack. Their Enhanced Visibility and Hardening Guidance for Communications Infrastructure guide essentially reiterates best cybersecurity practices for organizations that could help mitigate the impact of Salt Typhoon or future copycat attacks.
It does, however, include recommendations for protecting specific telecommunications equipment, including some of the Cisco products that were targeted in this attack.
As of this writing, U.S. officials and affected companies have not been able to fully ascertain the scope, depth and severity of the attack – or remove the attackers from compromised systems – even though this attack has been ongoing for months.
https://umbc.edu/stories/what-is-salt-typhoon-a-security-expert-explains-the-chinese-hackers-and-their-attack-on-us-telecommunications-networks/