China-linked APT group Salt Typhoon (FamousSparrow and GhostEmperor) breached US broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.
See: https://redskyalliance.org/xindustry/hotels-under-attack
According to the Wall Street Journal, which reported the news exclusively, the security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed due to possible impact on national security. Experts believe that threat actors are aimed at gathering intelligence. “A cyberattack tied to the Chinese government penetrated the networks of a swath of US broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.” reported the WSJ.[1]
“For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful US requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.”
The Salt Typhoon group targeted surveillance systems used by the US government to investigate crimes and threats to national security, including activities carried out by nation-state actors. The investigation into US broadband provider breaches is ongoing, and government experts are assessing its scope. Experts suspect the state-sponsored hackers have gathered extensive internet traffic and potentially compromised sensitive data.
This attack is the latest incident linked to China’s expansive espionage strategies. US officials are increasingly concerned about Chinese cyber efforts to infiltrate critical infrastructure. Intelligence experts believe such security breaches could enable disruptive attacks during future conflicts.
The Salt Typhoon campaign is part of this broader strategy. Experts are still investigating the attack's origins and whether threat actors compromised Cisco routers.
This week, the Wall Street Journal first reported that experts are investigating the security breaches to determine whether the attackers gained access to Cisco Systems routers, core network components of the ISP infrastructure. A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity.
“Hackers linked to the Chinese government have broken into a handful of US internet service providers in recent months in pursuit of sensitive information, according to people familiar with the matter,” the Wall Street Journal reported.
“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that US investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyber-spies has had breaking into valuable computer networks in the U.S. and around the globe.”
China has long targeted global internet service providers and recent attacks have been aligned with past operations linked to Beijing. Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrating critical US infrastructure, suggesting that they are now targeting the core of America’s digital networks.
The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called Volt Typhoon. Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the APT40 group, which specializes in intelligence collection. The US and its allies publicly called out this group for hacking activities in July 2024.
See: https://redskyalliance.org/intel-reports/cyber-intel-report-19-july-2024
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://securityaffairs.com/169460/apt/salt-typhoon-hacked-us-broadband-providers.html