Verizon and AT&T Hacked By People's Republic of China (PRC) Affiliate Salt Typhoon
AT&T and Verizon have confirmed that their systems have fully recovered and are operating securely following breaches by threat actor Salt Typhoon, a Chinese-linked cyberespionage group.
According to U.S. government sources, at least nine telecom providers have been targeted by Salt Typhoon. While the full extent of the attacks on AT&T and Verizon remains undisclosed, the operations appeared highly targeted and included the theft of telephone audio intercepts and large volumes of call record data. The hackers gained access broad enough to geolocate millions of individuals and intercept phone calls at will.
In separate statements to Reuters and Bloomberg, the telecom giants said they are working with law enforcement to mitigate the impact of these espionage-related threats.
Salt Typhoon is an advanced persistent threat (APT) group believed to be associated with the People's Republic of China (PRC) and has been active since 2019. The group primarily targets entities in the United States, Southeast Asia, and various African nations, with a focus on information theft and espionage. It is also tracked under aliases such as FamousSparrow, GhostEmperor, Earth Estries, and UNC2286.
In October, the FBI and CISA jointly confirmed cyberattacks on American telecom infrastructure. Verizon was then identified as a primary target, with high-profile individuals such as Donald Trump and Senator JD Vance potentially in the crosshairs.
Earlier, The Wall Street Journal (WSJ) revealed that state-backed hackers attempted to breach broadband networks in September to gain covert access to infrastructure and data. The WSJ later reported that federal investigators had identified Verizon, AT&T, and Lumen as specific targets of Salt Typhoon.
Bloomberg reported that these attacks might have allowed hackers to spy on U.S. surveillance efforts against Chinese operations, including FBI investigations. AT&T acknowledged that hackers sought foreign intelligence data, while Verizon disclosed that a small number of high-profile government and political customers were targeted.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued enhanced mobile communication safety guidelines for senior officials, politicians, and other high-value individuals. The guidelines urged officials to adopt end-to-end encrypted apps for mobile communications. Reports indicate that Salt Typhoon’s targets included individuals affiliated with the presidential campaigns of Democrat Kamala Harris and Republican Donald Trump.
This is not the first time AT&T has faced significant cyber threats in 2024. Earlier this year, the company reported a breach exposing data for over seven million active accounts and 65 million former subscribers. Later, additional customer data, including call and message records, was stolen from a third-party cloud platform.
During a Dec. 11 hearing, Sen. Ben Ray Luján (D-NM) referred to Salt Typhoon as "the largest telecommunications hack in our nation's history." Sen. Ted Cruz (R-TX) emphasized the need to address vulnerabilities in U.S. communications networks.
The scale and impact of the reported Chinese hacking efforts have raised significant concerns about the security of U.S. telecommunications infrastructure. Both government agencies and private companies face mounting pressure to reassure the public and resolve these issues effectively.
Naming Variants for Salt Typhoon
GhostEmperor: Designated by Kaspersky Lab.
FamousSparrow: Identified by ESET.
Earth Estries: Used by Trend Micro.
Salt Typhoon: Termed by Microsoft.
UNC2286: Named by Mandiant (now part of Google Cloud).
Methodology
Salt Typhoon employs advanced techniques, including a Windows kernel-mode rootkit known as Demodex (a name given by Kaspersky Lab), to gain remote control of targeted servers. The group uses sophisticated anti-forensic and anti-analysis measures to evade detection.
Targets
Salt Typhoon's campaigns have targeted a wide array of entities, including U.S. Internet service providers. ESET also reports the group has breached hotels and government agencies globally.
Notable Campaigns
2024 Breach of U.S. Internet Service Provider Networks
In September 2024, The Wall Street Journal revealed that Salt Typhoon had hacked U.S. broadband networks, focusing on core network components like Cisco routers. The group reportedly exfiltrated data by reconfiguring routers, affecting major providers such as AT&T, Verizon, Lumen Technologies, and T-Mobile.
In October 2024, The Washington Post reported that Salt Typhoon exploited networks used for court-authorized wiretapping by law enforcement. U.S. officials attributed the breach to a cyber operations unit of China's Ministry of State Security (MSS), the actor Microsoft tracks as Salt Typhoon. The Chinese Embassy in Washington, D.C., denied these allegations.
Notable details from the breach include:
Accessing telecommunications networks involved in law enforcement wiretapping.
Attempts to target staff phones from the Kamala Harris 2024 presidential campaign and those associated with Donald Trump and JD Vance.
The U.S. federal government formed a multi-agency task force to address these incidents. Salt Typhoon's activities reportedly affected at least nine telecommunications firms in the U.S. and compromised networks in dozens of other countries.
Comments
🔹Sales Representative | Customer Service, Solution Selling🔹 (6d):
https://gininow.com/blog
IT Specialist (INFOSEC) at U.S. Department of Veterans Affairs (6d):
Again!!
The Cyber Security Hub™, the fact that these attacks were highly targeted against high-profile officials offers little comfort. If one of us is vulnerable, we're all vulnerable. This highlights the critical need for systemic improvements in telecommunications security, protecting everyone, not just the perceived 'high-value' targets.
CyberSecurity Operations Analyst (6d):
As it was in the beginning, so it will be until the end! China is in our everyday lives, just be friends with them! 🙂