Chinese hackers breached US broadband providers, report

Attackers may have exfiltrated a significant amount of sensitive data, experts fear

A cybersecurity breach has exposed the sensitive infrastructure of several prominent US broadband providers, raising serious concerns about national security.

According to a report by the Wall Street Journal, a Chinese hacking group known as Salt Typhoon has compromised networks operated by Verizon, AT&T and Lumen Technologies.

The hackers appear to have targeted systems used by the US federal government for court-authorised network wiretapping requests.

While the exact timing of the intrusion remains unclear, investigators believe the hackers may have had access to sensitive information for several months. The breach could have allowed the attackers to monitor communications data, potentially compromising US national security secrets.

Salt Typhoon, which is believed to be backed by the Chinese government, has been active since at least 2019.

Microsoft refers to this China-based group as Salt Typhoon, while other cybersecurity companies track it under different names, including FamousSparrow (ESET), Earth Estries (Trend Micro), UNC2286 (Mandiant) and Ghost Emperor (Kaspersky).

Salt Typhoon has a history of targeting government organisations, telecommunications firms, and other critical infrastructure. Hackers typically gain initial access to their targets by exploiting security vulnerabilities, such as the ProxyLogon bugs in Microsoft Exchange Server (CVE-2021-26857, CVE-2021-26855, CVE-2021-27065 and CVE-2021-26858).

While the impact of the attack on the US broadband providers is still being assessed, experts fear that the hackers may have exfiltrated a significant amount of sensitive data.

US telecom companies possess vast amounts of caller and user data, which law enforcement agencies can request access to through warrants as part of criminal and national security investigations.

Some of these investigations are likely of significant interest to Beijing. In recent years, the US government has charged Chinese agents with allegedly harassing Chinese nationals within the US and hacking political dissidents and American companies.

Cybersecurity experts from Microsoft and Google-owned Mandiant are assisting in the investigation of the hacking activity.

According to the WSJ, one area of focus is whether the hackers gained access to Cisco routers responsible for routing internet traffic.

A Cisco spokesperson told the publication that the company is investigating the situation but has found no evidence so far to suggest that its networking equipment was involved in the breach.

The Salt Typhoon breach is just the latest example of Chinese hacking groups targeting US networks.

In recent months, other Chinese-linked campaigns, such as Volt Typhoon and Flax Typhoon, have also been identified as threats.

Last month, Black Lotus Labs, in collaboration with law enforcement, disrupted a large-scale Chinese botnet known as "Raptor Train," which had compromised over 260,000 SOHO routers and IP cameras with malware.

Last year, Microsoft said a state-backed threat group covertly accessed email accounts at around 25 organisations worldwide, including government agencies in the US and Western Europe. The company attributed the attacks to Storm-0558, a threat actor based in China.

China has consistently denied accusations from Western governments and technology companies that it uses hackers to infiltrate foreign government and business computer networks.

"China firmly opposes and combats cyberattacks and cyber theft in all forms," Liu Pengyu, a spokesman at the Chinese Embassy in Washington, told the WSJ.