Cyber breaches escalate tensions between US and China
US soldier arrested over alleged involvement
A recent wave of data breaches targeting US government agencies and telecommunications companies has intensified diplomatic tensions between the United States and China.
While US authorities have attributed the attacks to Chinese government-linked hackers, Beijing has dismissed the allegations as "baseless" and lacking evidence.
The latest breach, announced on Monday, compromised the US Department of the Treasury, raising national security concerns.
The US Treasury Department told lawmakers that hackers infiltrated its systems in early December, compromising its third-party cybersecurity service provider, BeyondTrust.
The attackers gained access to a key the vendor used to secure a cloud-based technical support service. With that key they were able to bypass security measures, access employee workstations and extract unclassified documents.
The breach follows revelations in October that hackers targeted mobile devices belonging to former President Donald Trump and his running mate J.D. Vance, as well as individuals associated with Vice President Kamala Harris's campaign.
US authorities believe several Chinese hacking groups, each linked to the Chinese government, are responsible for these attacks. These groups operate under various aliases, such as Salt Typhoon, Volt Typhoon and Zirconium (also known as Judgment Panda), assigned to them by cybersecurity firms.
FBI Director Christopher Wray described the Salt Typhoon operation – which breached major US telcos like AT&T and Verizon – as China's "most significant cyber-espionage campaign in history."
Another hacking group, Volt Typhoon, has been accused of targeting critical infrastructure with the intent of potential disruption.
Politicians call for response
The scope of the data stolen in recent months is significant. Hackers have accessed sensitive government documents, employee workstations and even a database of phone numbers subject to law enforcement wiretaps.
This information could be used to identify and target foreign spies, providing a significant advantage to Chinese intelligence services.
Furthermore, the breaches of major telecoms companies potentially exposed the personal data of millions of Americans, raising serious privacy concerns.
Lawmakers from both parties have called for a stronger response. The US government has taken steps to counter these threats, including warning China Telecom’s US subsidiary of potential national security risks, and imposing sanctions on Chinese entities and individuals linked to previous hacking operations.
Chinese cyber operations have also breached institutions in the UK, including the Electoral Commission, and legislative bodies in New Zealand.
The Chinese government has consistently denied any involvement in these cyberattacks, dismissing the accusations as politically motivated.
"The US needs to stop using cybersecurity to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threats," a Chinese embassy spokesman told the BBC.
US soldier arrested in AT&T, Verizon extortions
US federal authorities last week arrested a 20-year-old US Army soldier, Cameron John Wagenius, for his suspected involvement in the Salt Typhoon breach.
Wagenius is suspected of being a cybercriminal known as Kiberphant0m.
The arrest followed allegations that Wagenius was involved in the sale and dissemination of sensitive customer call records stolen from telecommunications giants AT&T and Verizon earlier this year.
Wagenius, a communications specialist recently stationed in South Korea, was apprehended near Fort Hood, Texas, on 20th December, after being indicted on two counts of unlawful transfer of confidential phone records.
The two-page indictment (PDF) omits specifics regarding the victims or the nature of the hacking activities. However, media reports provide a clearer picture of his alleged activities.
According to KrebsOnSecurity, Kiberphant0m boasted on Telegram of breaching at least 15 telecoms firms. The breaches reportedly enabled the sale of stolen data, including government and emergency responder communications.
Wagenius' alleged involvement appears connected to a broader network of cybercriminals, including Canadian hacker Connor Riley Moucka, known as Judische. Moucka, 25, was arrested in October 2024 at his home in Kitchener, Ontario, Canada. He is accused of stealing data from dozens of companies via the cloud service Snowflake.
Moucka faces extradition to the US, though Canada's Department of Justice has not provided updates on his status.
Moucka has reportedly revealed that he outsourced the sale of stolen data to other cybercriminals, including Kiberphant0m.
In posts on BreachForums, Kiberphant0m claimed responsibility for hacking and extorting telecommunications firms. He even threatened to release sensitive call logs belonging to prominent political figures such as President-elect Donald Trump and Vice President Kamala Harris.
A Texas magistrate has ordered Wagenius to be transferred to Seattle, where the federal prosecutors managing the case are based.