Chinese Hacking Group Breaches Major U.S. Broadband Providers

October 7, 2024

A major cyberattack on multiple U.S. broadband providers has been reported, with Verizon, AT&T, and Lumen Technologies among those affected. The breach is believed to have been carried out by a Chinese hacking group known as Salt Typhoon. The objective of the attack seems to be intelligence gathering, as the hackers may have gained access to systems used by the U.S. federal government for court-authorized network wiretapping requests. The exact timing of the intrusion remains uncertain, but sources familiar with the matter suggest that the hackers could have had access to these critical network infrastructures for several months.

Salt Typhoon, identified by Microsoft, is also being tracked under different names by other cybersecurity companies. These include Earth Estries by Trend Micro, FamousSparrow by ESET, Ghost Emperor by Kaspersky, and UNC2286 by Mandiant, which is now part of Google Cloud. The U.S. government is currently investigating the breach alongside private sector security experts.

The Wall Street Journal reports that the hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers. The impact of the attack, including the amount and type of data observed and exfiltrated, is still being assessed.

Besides the U.S., Salt Typhoon may have targeted similar entities in other countries. The group has been active since at least 2019 and typically focuses on government entities and telecommunications companies, particularly in Southeast Asia. However, they have also attacked hotels, engineering companies, and law firms in numerous countries including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.

The group usually gains initial access to target networks by exploiting vulnerabilities, such as the ProxyLogon vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). In past attacks attributed to Salt Typhoon/Ghost Emperor, the threat actor used a custom backdoor called SparrowDoor, customized versions of the Mimikatz tool for extracting authentication data, and a Windows kernel-mode rootkit called Demodex. The method of initial access used in the recent attack is still under investigation.

With the investigation ongoing, AT&T and Lumen declined to comment on the alleged breach, and Verizon has not yet responded. Chinese APT hacking groups have been increasingly targeting U.S. and European networking devices and ISPs in cyberespionage attacks. This is a significant concern for both government and private sector entities, highlighting the need for robust cybersecurity measures.
