WSJ: T-Mobile hacked by cyber-espionage group linked to Chinese Intelligence agency

According to the Wall Street Journal, T-Mobile’s network was hacked in a damaging Chinese cyber-espionage operation that successfully gained entry into multiple U.S. and international telecommunications companies.

Hackers linked to a Chinese intelligence agency were able to breach T-Mobile as part of a monthslong campaign to spy on the cellphone communications of high-value intelligence targets. It is unclear what information, if any, was taken about T-Mobile customers’ calls and communications records.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a company spokeswoman said. “We will continue to monitor this closely, working with industry peers and the relevant authorities.”

The compromise of T-Mobile expands the list of known victims of a cyber-espionage campaign by Chinese hackers, dubbed Salt Typhoon, that some U.S. officials consider historic and catastrophic in scope and severity. The WSJ had reported in October that AT&T, Verizon and Lumen Technologies were among the telecom companies that suffered an intrusion. The campaign appeared to be geared toward intelligence collection, people familiar with the matter said.

China’s multipronged spying operations have drawn warnings in the U.S. about their economic implications. Photo: Andy Wong/Associated Press

…………………………………………………………………………………………………………………………………………………………………………..

Salt Typhoon used sophisticated methods to infiltrate American telecom infrastructure, including through vulnerabilities in Cisco Systems routers, and investigators suspect the hackers relied on artificial intelligence or machine learning to further their espionage operations, people familiar with the matter said. The attackers had been inside at least some of that infrastructure for eight months or more.

In the broader hacking campaign, attackers were able to access cellphone lines used by an array of senior national security and policy officials across the U.S. government, in addition to politicians. The access allowed them to scoop up call logs, unencrypted texts and some audio from targets, in what investigators believe may have significant national-security ramifications.

Additionally, the hackers were able to access information from systems maintained by the carriers to comply with U.S. surveillance requests, raising further counterintelligence concerns. Investigators are still working to understand the full scope of the intrusion and have attributed it to the Salt Typhoon group. At Lumen, which doesn’t provide wireless service, the attackers didn’t steal any customer data or access its wiretap capabilities, according to people familiar with the matter.

Further investigation has revealed that the hackers sought access to data managed under U.S. law enforcement programs, including those governed by the Foreign Intelligence Surveillance Act (FISA).  This act authorizes American intelligence agencies to monitor suspected foreign agents’ communications. By targeting these programs, Chinese hackers may have aimed to infiltrate sensitive government communications channels, gaining insights into U.S. surveillance efforts.

Some foreign telecommunications firms were also compromised in the hacks, including in countries that maintain close intelligence-sharing partnerships with the U.S., people familiar with the matter said.  Earlier this week, the Biden administration acknowledged in a public statement some details about the nature of the “broad and significant” hack that were previously reported by the WSJ.

Chinese government-linked hackers had compromised networks at multiple telecommunications companies “to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders,” the statement from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) said.  “We expect our understanding of these compromises to grow as the investigation continues,” they added.

References:

https://www.wsj.com/politics/national-security/t-mobile-hacked-in-massive-chinese-breach-of-telecom-networks-4b2d7f92

https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b

https://www.newsweek.com/fbi-chinese-cyber-espionage-multiple-telecom-networks-1985617


Frontier Communications recovering from unknown cyberattack!

Frontier Communications provides fiber-optic gigabit Internet access to millions of consumers and businesses across 25 states. Frontier said on Thursday that it is ‘experiencing technical issues with our internal support platforms.’ Frontier’s mobile apps are also down, with the same warning message displayed after launching the application. A company representative did not respond to questions about the situation.

The Texas-based telecommunications company reported a cyberattack to the Securities and Exchange Commission (SEC) on Thursday.  Frontier said it detected unauthorized access to its IT systems on April 14th and began instituting “containment measures” that included “shutting down certain of the Company’s systems.” The shutdowns caused operational disruption that the company said “could be considered material.”

“Based on the Company’s investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information,” the company said in the SEC filing.

“As of the date of this filing, the Company believes it has contained the incident and has restored its core information technology environment and is in the process of restoring normal business operations,” the company said.

Investigations into the incident are ongoing, and Frontier has hired cybersecurity experts to assist with the response. Law enforcement agencies have been notified.

Despite saying that the shutdowns could be considered material, Frontier later wrote that it “does not believe the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

According to Leichtman Research Group, Frontier is the seventh largest broadband Internet supplier in the US, with almost 3 million customers. The company’s copper and fiber network stretches across large portions of the East and West Coasts.

Light Reading reported on Thursday on the warning posted by Frontier. “We’re experiencing technical issues with our internal support platforms,” said a message on the company’s website homepage. “Our residential and business networks are not affected by this issue. In the meantime, please call for assistance.”

……………………………………………………………………………………………………………………………

Last week, AT&T reported that more than 51 million people were affected by a recently disclosed data breach that included troves of customer information, including Social Security numbers, AT&T account numbers and AT&T passcodes.

EchoStar’s Dish Network last year reported a “cybersecurity incident” that impacted its ability to install services, take payments and provide customer care for several weeks.

Fierce reported this week about an intentional cable cut in AT&T’s network that interrupted services at Sacramento Airport.

……………………………………………………………………………………………………………………..

The Federal Communications Commission (FCC) updated its data breach rules for the first time in 16 years in December, expanding regulations on how telecommunication companies report cybersecurity incidents.  FCC Chairwoman Jessica Rosenworcel argued that the rules the agency created more than 15 years ago are no longer compatible with a modern world where telecommunication carriers have access to a “treasure trove of data about who we are, where we have traveled, and who we have talked to.”

References:

https://therecord.media/telecom-giant-frontier-cyberattack-sec

https://www.sec.gov/ix?doc=/Archives/edgar/data/20520/000119312524100764/d784189d8k.htm

https://www.bleepingcomputer.com/news/security/frontier-communications-shuts-down-systems-after-cyberattack/

https://www.lightreading.com/security/frontier-we-were-probably-hacked

China backed Volt Typhoon has “pre-positioned” malware to disrupt U.S. critical infrastructure networks “on a scale greater than ever before”

On Sunday, FBI Director Christopher Wray said Beijing’s efforts to covertly plant offensive malware inside U.S. critical infrastructure networks [1.] are now at “a scale greater than we’d seen before,” an issue he has deemed a defining national security threat. He said that China-backed Volt Typhoon was pre-positioning malware that could be triggered at any moment to disrupt U.S. critical infrastructure. “It’s the tip of the iceberg…it’s one of many such efforts by the Chinese,” he said on the sidelines of the security conference.

Wray had earlier told conference delegates that China was increasingly inserting “offensive weapons within our critical infrastructure poised to attack whenever Beijing decides the time is right.” The FBI chief said the U.S. is particularly focused on the threat of pre-positioning, which some European officials have described as the cyber equivalent of pointing a ballistic missile at critical infrastructure. “Those attacks are now being amplified by artificial intelligence tools. The word ‘force multiplier’ is not really enough,” Wray added.

Note 1. The FBI Director declined to elaborate on what other critical infrastructure had been targeted, stressing that the Bureau had “a lot of work under way.”


Machine learning translation has helped Chinese security operatives to more plausibly recruit assets, steal secrets and rapidly process more of the information they are collecting, Wray said. “They already have built economic espionage and theft of personal and corporate data as a kind of a bedrock of their economic strategy and are eagerly pursuing AI advancements to try to accelerate that process,” Wray added.

FBI Director Christopher Wray PHOTO: KEVIN DIETSCH/GETTY IMAGES

……………………………………………………………………………………………………………………………

Western intelligence officials say the scale and sophistication of China’s cyberattacks have accelerated over the past decade. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, planting malware inside U.S. computer systems responsible for everything from safe drinking water to aviation traffic so that it could detonate, at a moment’s notice, in damaging cyberattacks during a conflict.

In California, Wray met with counterparts from the Five Eyes intelligence community—which encompasses the U.S., Australia, New Zealand, Canada and the U.K.—to share respective strategies for cyber defense.  He has also traveled to Malaysia and India to discuss China’s hacking campaign with authorities in both countries.

“I am seeing more from Europe,” he said. “We’re laser focused on this as a real threat and we’re working with a lot of partners to try to identify it, anticipate it and disrupt it.”

The Netherlands’ intelligence agencies said earlier this month that Chinese hackers had used malware to gain access to a Dutch military network last year. The agencies, considered to have some of Europe’s top cyber capabilities, said they made the rare disclosure to show the scale of the threat and reduce the stigma of being targeted so that allied governments can better pool knowledge.

A report released this month by agencies including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency said Volt Typhoon hackers had maintained access in some U.S. networks for five or more years, and while the group targeted only U.S. infrastructure directly, the infiltration was likely to have affected “Five Eyes” allies.

Author’s Note:

This author is very disappointed that the U.S., Five Eyes and European agencies chartered with combating cybercrime have done so little to prevent cyber attacks on “critical infrastructure,” especially since Volt Typhoon has been doing so for at least five years according to the referenced January 2024 report.
Recall all the rah-rah talk 11 or 12 years ago about “Smart Grid,” which was supposed to make U.S. electrical grid infrastructure super-secure, resilient, and able to quickly recover from power failures and cyber attacks! Here we are in 2024, where none of that has happened, despite many IEEE, IEC, NTIA, and ETSI Smart Grid initiatives, specifications, and standards. Hence, our critical infrastructure is at risk of cyber attacks by Volt Typhoon and other bad actors.
There’s even talk of US electric utilities buying and installing China-made power transformers that have a back door as per this article.

……………………………………………………………………………………………………………………………

Volt Typhoon, the China-sponsored hacking group, has been targeting U.S. critical infrastructure, including satellite and emergency management services and electric utilities, according to a new report from the industrial cybersecurity firm Dragos. That report outlines how the notorious hacking group is positioning itself to have disruptive or destructive impacts on critical infrastructure in the U.S.

Robert M. Lee, founder and CEO of Dragos, warned during a media briefing that Volt Typhoon is not an opportunistic group, but is instead targeting specific sites that assist U.S. adversaries “trying to hurt or cripple U.S. infrastructure.  It’s hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the U.S. electric infrastructure,” Lee added.

The report comes shortly after the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency, revealed that Volt Typhoon has been in some critical infrastructure networks for at least five years. That alert warned of Volt Typhoon operations that targeted the aviation, railways, mass transit, highway, maritime, pipeline, and water and sewage sectors.

……………………………………………………………………………………………………………………………………………………………………………………………………………………………………

The NSA, CISA and FBI said in a joint advisory published on February 7th that Volt Typhoon has been burrowing into the networks of aviation, rail, mass transit, highway, maritime, pipeline, water and sewage organizations, none of which were named, in a bid to pre-position itself for destructive cyberattacks. The release of the advisory, which was co-signed by cybersecurity agencies in the United Kingdom, Australia, Canada and New Zealand, came a week after a similar warning from FBI Director Christopher Wray. Speaking during a U.S. House of Representatives committee hearing on cyber threats posed by China, Wray described Volt Typhoon as “the defining threat of our generation” and said the group’s aim is to “disrupt our military’s ability to mobilize” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.

According to Wednesday’s technical advisory, Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically leveraged stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases, they have maintained access for “at least five years.”

This access enabled the state-backed hackers to carry out potential disruptions such as “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures,” the advisory warned. In some cases, Volt Typhoon hackers had the capability to access camera surveillance systems at critical infrastructure facilities — though it’s not clear if they did.

Volt Typhoon also used living-off-the-land techniques, whereby attackers use legitimate tools and features already present in the target system, to maintain long-term, undiscovered persistence. The hackers also conducted “extensive pre-compromise reconnaissance” in a bid to avoid detection. “For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the advisory said.
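The detection point in the advisory is that an actor who keeps to business hours and uses only built-in tools will not trip a rule that keys on the clock. The following is an added example, written for this page and not taken from the advisory or from any vendor product, that runs two rules over a handful of constructed logon events: a naive off-hours rule, and a rule that baselines which source hosts each account normally logs on from and alerts on a first-seen source whatever the time of day. The account names, hostnames, timestamps and the 08:00 to 18:00 business-hours window are all assumptions made for the illustration.

```python
"""Why a time-of-day rule alone is weak against an actor that keeps business hours:
baseline each account's usual logon sources and alert on first-seen sources
regardless of the clock. All events are constructed for illustration and are
not from any real network or from the advisory discussed above."""
from collections import defaultdict
from datetime import datetime

WORK_START_HOUR = 8   # assumed business hours, local time
WORK_END_HOUR = 18

# Constructed baseline: ordinary activity over the previous week
# as (timestamp, account, source host).
BASELINE_EVENTS = [
    ("2024-01-08 09:02", "jdoe", "WS-0412"),
    ("2024-01-08 13:40", "jdoe", "WS-0412"),
    ("2024-01-09 08:55", "jdoe", "WS-0412"),
    ("2024-01-10 09:10", "jdoe", "LT-0077"),        # jdoe also uses a laptop
    ("2024-01-08 02:00", "svc_backup", "SRV-BK01"),  # nightly scheduled job
    ("2024-01-09 02:00", "svc_backup", "SRV-BK01"),
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("2024-01-16 10:15", "jdoe", "VPN-GW02"),        # stolen creds, business hours, new source
    ("2024-01-16 22:30", "jdoe", "WS-0412"),         # legitimate late evening, usual workstation
    ("2024-01-17 02:00", "svc_backup", "SRV-BK01"),  # normal nightly job
    ("2024-01-17 14:05", "svc_backup", "WS-0412"),   # service account used from a workstation
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    dt = parse_ts(ts)
    return dt.weekday() >= 5 or not (WORK_START_HOUR <= dt.hour < WORK_END_HOUR)


def off_hours_rule(events):
    """Naive rule: alert on any logon outside business hours."""
    return [e for e in events if is_off_hours(e[0])]


def build_baseline(events):
    """Map each account to the set of source hosts it has logged on from."""
    seen = defaultdict(set)
    for _, user, src in events:
        seen[user].add(src)
    return seen


def new_source_rule(events, baseline):
    """Alert when an account logs on from a host never seen for that account,
    whatever the time of day; this is what the off-hours rule cannot see."""
    return [e for e in events if e[2] not in baseline.get(e[1], set())]


def evaluate(new_events=NEW_EVENTS, baseline_events=BASELINE_EVENTS):
    """Run both rules and return their hits keyed by rule name."""
    baseline = build_baseline(baseline_events)
    return {
        "off_hours": off_hours_rule(new_events),
        "new_source": new_source_rule(new_events, baseline),
    }


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        print(rule)
        for ts, user, src in hits:
            print(f"  {ts}  {user:<11} from {src}")
```

On this data the off-hours rule fires twice, on a legitimate late-evening logon and on the nightly backup job, and misses both intrusions because they happen at 10:15 and 14:05 on weekdays. The new-source rule catches both the stolen user credential arriving from the VPN gateway and the service account being used from a workstation, while staying quiet on the two benign events. In production the baseline would be built from weeks of authentication logs rather than six lines, and the same first-seen logic applies to source IP, logon type or the host pair in a lateral movement, which is where living-off-the-land activity tends to surface.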

Earlier this year, the FBI and U.S. Department of Justice announced that they had disrupted the “KV Botnet” run by Volt Typhoon that had compromised hundreds of U.S.-based routers for small businesses and home offices. The FBI said it was able to remove the malware from the hijacked routers and sever their connection to the Chinese state-sponsored hackers.

According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching U.S. critical infrastructure since at least mid-2021.

……………………………………………………………………………………………………………………………………………………………………………………………………………………………..

References:

https://www.wsj.com/politics/national-security/u-s-disables-chinese-hacking-operation-that-targeted-critical-infrastructure-184bb407

Volt Typhoon targeted emergency management services, per report

https://www.wsj.com/politics/national-security/fbi-director-says-china-cyberattacks-on-u-s-infrastructure-now-at-unprecedented-scale-c8de5983

China-backed Volt Typhoon hackers have lurked inside US critical infrastructure for ‘at least five years’

https://www.wsj.com/articles/wave-of-stealthy-china-cyberattacks-hits-u-s-private-networks-google-says-2f98eaed

US disrupts China-backed hacking operation amid warning of threat to American infrastructure

https://www.controlglobal.com/home/blog/11293192/information-technology