Since 2019, a team of hackers linked to China has tracked more than 100 CIA spies operating in some 20 countries around the world. Mobile network outages in the United States, which affected Verizon and T-Mobile, are linked to this operation.
For years, the Chinese cyberespionage team Salt Typhoon has carried out high-profile attacks against telecommunications, government, military, and other critical infrastructure in more than 80 countries. The United States has called it a national security crisis.
The group has penetrated hundreds of major telecommunications providers, exploiting router vulnerabilities to gain persistent network access and exfiltrate data, including phone call logs, text messages, and even audio recordings of senior U.S. government officials, campaign staffers, and security and military officials, among them personnel from the FBI, CIA, NSA, and DIA.
Chinese hackers tracked approximately 100 CIA operatives worldwide, 24/7, for more than five consecutive years. They also cracked certain codes used in the internal email systems of CIA station chiefs located at major U.S. embassies abroad.
The Chinese attacks targeted “lawful interception” systems, exposing data from wiretap requests related to law enforcement surveillance, particularly within key U.S. broadband infrastructure and internet access providers.
The team also compromised military, transportation, and National Guard infrastructure networks, as well as critical configuration files for public institutions.
In 2022, hackers began infiltrating major US telecommunications providers, exploiting vulnerabilities and weak authentication protocols. The breaches remained undetected for two years. Throughout 2023, Salt Typhoon maintained persistent and stealthy access, collecting call detail records, text metadata, and potentially intercepting unencrypted communications from millions of users in the United States, Canada, and Europe.
The first reports of cyberattacks compromising US telecommunications systems emerged in September of last year. Washington confirmed that the campaign had likely been ongoing for more than a year. Initial investigations linked several affected countries in Europe and the Indo-Pacific region.
The following month, the United States, the world’s largest cyber spy and owner of the internet, confirmed that Salt Typhoon had penetrated nine major telecommunications companies, including Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream, and that it specifically targeted internet service provider routers and the lawful interception systems used for court-authorized wiretapping.
The hackers gained access to sensitive metadata (call logs, text message information, IP addresses) and, in some cases, audio recordings of senior U.S. government officials.
In April of this year, the FBI announced a $10 million reward for information on members of the Salt Typhoon group. A call was made for global cooperation to prevent such attacks. The Salt Typhoon campaign is considered the most serious telecommunications security breach in US history.
In some attacks, the hackers used stolen administrative credentials rather than “zero-day” exploits (**) to gain initial access, then moved laterally through the networks by pivoting between routers and switches.
Network device configuration files were also stolen, exposing further credentials, in particular SNMP community strings, which function as passwords for reading and, with read-write access, changing a device's configuration.
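The following is an added example, not code from the article or from any of the parties it describes; it shows why a stolen router configuration hands an intruder working credentials. It audits a constructed Cisco IOS-style configuration (all hostnames, passwords and community strings below are made up) for SNMP community strings, especially default or read-write ones and ones not restricted by an ACL, and decodes any Cisco “type 7” passwords, which are obfuscated with a fixed XOR key rather than hashed and are therefore recoverable by anyone holding the file.

```python
"""Audit a stolen-looking Cisco IOS configuration for reusable secrets.

Added example (not from the article). The configuration text is constructed
for this demo; the only real thing here is the public Cisco type 7 scheme.
"""
import re

# Cisco's fixed type 7 XOR key. A type 7 string is a two-digit decimal seed
# (offset into this key) followed by one hex byte pair per plaintext character.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample: a hashed secret (fine), a type 7 enable password (bad),
# default RO/RW communities with no ACL (bad), and a non-default community with
# an ACL (acceptable, still worth knowing about).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable password 7 0822455D0A16
username admin privilege 15 secret 5 $1$abcd$FakeHashValueForDemoOnly
snmp-server community public RO
snmp-server community private RW
snmp-server community Zx91!kLm RO 10
"""


def type7_decode(s):
    """Recover the plaintext of a Cisco type 7 string (e.g. '0822455D0A16')."""
    if len(s) < 4 or len(s) % 2 or not s.isalnum():
        raise ValueError("not a type 7 string")
    seed = int(s[:2])
    out = bytearray()
    for i, pos in enumerate(range(2, len(s), 2)):
        out.append(int(s[pos:pos + 2], 16) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
    return out.decode("ascii")


def type7_encode(plain, seed=8):
    """Inverse of type7_decode; IOS itself only uses seeds 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join(
        "%02X" % (c ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)])
        for i, c in enumerate(plain.encode("ascii"))
    )
    return "%02d%s" % (seed, body)


def audit_config(text):
    """Return (line_number, severity, description) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?", line)
        if m:
            community, mode, acl = m.groups()
            weak = mode == "RW" or community.lower() in {"public", "private"}
            note = "SNMP %s community %r" % (mode, community)
            if acl is None:
                note += ", no ACL"
            findings.append((lineno, "high" if weak else "medium", note))
            continue
        # 'password 7' / 'key 7' are reversible; 'secret 5/8/9' are hashed and skipped.
        m = re.search(r"\b(?:password|key)\s+7\s+([0-9A-Fa-f]+)\b", line)
        if m:
            findings.append(
                (lineno, "high", "type 7 (reversible) secret decodes to %r" % type7_decode(m.group(1)))
            )
    return findings


if __name__ == "__main__":
    for lineno, severity, note in audit_config(SAMPLE_CONFIG):
        print("line %d [%s] %s" % (lineno, severity, note))
```

Run against a real configuration file, the same audit tells a defender which credentials must be rotated after a device or its backups are exposed: every type 7 password is effectively plaintext, and every SNMP community string is a credential that works from anywhere the ACL (if any) allows.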
Custom tooling such as JumbledPath, a utility for capturing network traffic on compromised devices through a chain of jump hosts, enabled packet capture inside the breached telecommunications environments. However, one of the hackers’ greatest exploits has not been made public: the intrusion into the CIA’s internal messaging systems and the tracking of around 100 spies, mapping their movements, analyzing their interactions, and assessing the effect of those interactions on strategic shifts at the regional and global levels. This tracking has had concrete effects in certain theaters of operations such as Ukraine, the Democratic Republic of the Congo, and the Middle East.
(**) A “zero-day” attack exploits a vulnerability that the vendor does not yet know about, so no patch exists when the attack begins. The term refers to the vendor having had zero days to fix the flaw before it was exploited.
Exactly what this news will set off amongst the chuds, good bit