Salt Typhoon - The Chinese Telecom Hack

Uploaded on 2025-01-20 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-China, FREE TO VIEW

Brought to you by CYRIN

Cybersecurity 2025 began with the dramatic breaking news of the Chinese Telecom Hack. Although what has been called the Salt Typhoon attack made headlines around the globe, the issue in fact has a complicated history that has been gaining momentum for some time.

In December 2024, Federal cyber officials held a news briefing stating that Chinese hackers had launched large-scale attacks on several major United States telecom firms including AT&T, Verizon and T-Mobile. The FBI began investigating the “Salt Typhoon” attack in late spring, so the issue had been building for some time. The breach of the cellular data of thousands (possibly millions) of Americans was first revealed in November and was far from a small scale attack. In addition, early reports indicate that no one really knows how long the attackers have been in the systems and the scope of what they have been doing. According to Cybersecurity Dive, Federal officials said at the media briefing in early December that the attacks were “widespread and actively evolving and that officials still don’t know the full extent of damages caused by the global espionage campaign or what remains at risk.”

Unfortunately, there are no official reports indicating how or if the attacks were successful or in what way; if malware was installed; or what information the hackers were seeking and for what purpose. Cybersecurity Dive reports that authorities have confirmed that the group poses a “persistent threat,” and speculated again that “malicious activity is ongoing.” In terms of future risk, Jeff Greene from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted that it’s not yet known if the hackers have been completely ejected from the networks, and “we still don’t know the scope of what they’re doing.” In November the FBI and CISA issued a joint statement into the ongoing investigation into the hack orchestrated by the People’s Republic of China (PRC) hack and revealed that it was “broad and significant.”

Although CISA, the FBI, the National Security Agency and cyber authorities in Australia, Canada and New Zealand are still in the information gathering stage, and as of this writing have not released any official or definitive information, there has been hardening guidance designed to help telecom providers moving forward as details reveal themselves.

This sophisticated hack has raised the alarm as one of the largest in US history. In addition, the United States, Australia, Canada and New Zealand claim it is part of an intelligence operation conducted by “PRC affiliated threat actors.” Salt Typhoon has also attacked state entities in Southeast Asia since August of 2024. All in all, Salt Typhoon is considered “one of the most aggressive Chinese state hacker groups.”

Cybersecurity doesn’t always make the primetime nightly news, but due to the severity of the event, all the major television networks picked up the story. Homeland Security Secretary Alejandro Mayorkas admitted that the hack is a “very, very serious matter,” and “a very sophisticated hack” that was no doubt escalating for some time, with implications for intelligence being particularly alarming.

This breach targeted close to home. According to their representatives the FBI informed the presidential campaigns of Donald Trump and Kamala Harris in October that they were targeted as well as the office of Senate Majority Leader Chuck Schumer, D-N.Y.

As reported by PBS, Chinese hackers had infiltrated at least eight communications firms in the United States and over the last one to two years - quote - "dozens" of telecommunications companies across Asia and Europe, and the hack was ongoing, according to Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger.

Why Does This Matter?

The eight targeted US telecommunications firms are not the only ones struggling to defend their networks. Advanced Persistent Threats (APTs) possibly linked to Salt Typhoon have compromised telecommunications firms in the Asia-Pacific (APAC) and the Middle East and North Africa (MENA) regions as well. In 2022, a Chinese APT group called Daggerfly and Evasive Panda hacked systems at a telecommunications organization in Africa. Experts speculate that telecommunications networks are strategic targets for malicious actors, in part, as they can kickstart a geopolitical strategy. China’s infiltration of worldwide networks may be part of such a strategy to destabilize and gather sensitive information about a country’s citizens.

Dark Reading speculates that the Salt Typhoon attacks may lead to one positive outcome: encouraging citizens and governments to use encryption more widely. It’s certainly true that telecommunications providers – private and state-owned – require more robust security. “The global attacks on telecommunications technology demonstrate that even nations with well-considered, strict privacy laws are not safe havens,” says Gregory Nojeim, senior counsel and director of the security and surveillance project at the Center for Democracy and Technology, a digital-rights group.

Next Steps

Clearly, the large scale and sophisticated Salt Typhoon attack is of critical and ongoing concern to US officials; this is further complicated by the ongoing tensions between Washington and Beijing over cyber-espionage and other high-stakes national security issues.

The United States continues to be in conversation with House and Senate intelligence committees, and cybersecurity teams. Cybersecurity experts from Microsoft and Google-owned firm Mandiant are also assisting the investigation into the hack. People probing the attacks have been impressed by the skill, persistence and ability of Salt Typhoon hackers to embed in computer networks.

CYRIN Can Help

Training or lack of has consequences. According to some estimates, organizations can significantly reduce the cost of a breach by an average of $232,867 through cybersecurity training for their employees.

CYRIN can help on several fronts. For the education market, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

For industry we continue to work with our partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Image: Ralf Liebhold

Watch CYRIN: The Next-Generation Cyber Range

Learn More About How CYRIN Online Training Can Benefit You

You Might Also Read: 

Is Zero Trust The Future Of Cybersecurity?:  

If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

« Tackling Cyber Threats In The Public Sector
TikTok Reprieved By Trump »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ControlCase

ControlCase

ControlCase provide solutions that address all aspects of IT-GRCM (Governance, Risk Management and Compliance Management).

Araxxe

Araxxe

Araxxe delivers Revenue Assurance, End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

World Congress on Industrial Control Systems Security (WCICSS)

World Congress on Industrial Control Systems Security (WCICSS)

The World Congress on Industrial Control Systems Security (WCICSS) is focused on emerging trends in protection of industrial control systems.

Deepwatch

Deepwatch

The Deepwatch Platform helps organizations reduce risk through early and precise threat detection and remediation.

Envelop Risk

Envelop Risk

Envelop Risk is a global specialty cyber insurance firm, combining decades of insurance industry expertise with sophisticated cyber and artificial intelligence-based analytics.

Trust Stamp

Trust Stamp

Trust Stamp provide Identity and Trust as a Service to answer two fundamental questions: “Who are you?” and “Do I trust you?"

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

Aristi Technologies

Aristi Technologies

Aristi provides cybersecurity risk and compliance services to help manage your unique cyber risks, safeguarding your systems and data and complying with government and industry standards.

CornerStone

CornerStone

CornerStone is an award winning, independent risk, cyber and security consulting firm providing a range of Risk Management, Security Design and Implementation Management Services.

Sourcepass

Sourcepass

Sourcepass is an IT consulting company that focuses on providing expert IT services, cloud computing solutions, cybersecurity services, website, and application development.

Cymune

Cymune

At Cymune we help businesses to fight against cybercrime, protect patented data and diminish security risks.

Technivorus Technology

Technivorus Technology

Technivorus is a deep-tech firm delivering customized Cybersecurity, Digital Marketing, Web & App Development, and multifarious IT services for businesses across the globe.

Vanta

Vanta

Vanta helps companies scale security practices and automate compliance for the industry’s most sought after standards - SOC 2, ISO 27001, HIPAA, GDPR, and other security and privacy frameworks.

EmberOT

EmberOT

EmberOT is at the forefront of operational technology (OT) security, offering cutting-edge solutions designed to protect critical infrastructure within energy, utilities, and manufacturing sectors.

Cypheria

Cypheria

Cypheria harness the expertise of elite military units and combine it with extensive digital combat experience to deliver unparalleled security solutions for organizations.

OmniIndex

OmniIndex

OmniIndex PostgresBC is the only commercial solution allowing you to keep your most sensitive and critical data encrypted while analyzing it. Structured and unstructured.