China Penetrated US Telecom Providers to Snoop on Wiretapping Systems

Salt Typhoon, an advanced persistent threat (APT) group linked to China, may have accessed US government surveillance systems when it breached major telecommunications companies. The scope of the breach includes AT&T, Lumen Technologies, and Verizon Communications. The threat actor targeted US wiretap systems, The Wall Street Journal reports. 

This incident -- not the first cyberattack linked to the Chinese government -- raises questions about the potential motivations, the vulnerability of backdoors, and ongoing attacks on critical infrastructure. InformationWeek spoke to three cybersecurity leaders to gain some insight.   

Potential Motivations  

Earlier this year, FBI Director Christopher Wray warned of the ongoing threat the Chinese government poses to US critical infrastructure. This Salt Typhoon breach is a compromise in the communications industry, one of 16 critical infrastructure sectors defined by the Cybersecurity Infrastructure and Security Agency (CISA),  

“This is another example where it is clear that the Chinese have been able to burrow into our critical infrastructure,” says John Ackerly, CEO and cofounder of data security company Virtru.  

What could the Chinese government potentially gain from access to US wiretap systems? The exact motives are not known, but the breach could be a part of an intelligence gathering campaign.  

Related:2024 Cyber Resilience Strategy Report: CISOs Battle Attacks, Disasters, AI ... and Dust

“It would make sense that the Chinese would be trying to go after our surveillance capabilities because we're starting to … put a spotlight on potential Chinese assets,” says John Terrill, CISO at Phosphorus Cybersecurity, an xIOT cybersecurity solutions company.  

Linda Sun, who worked with New York Gov. Kathy Hochul and former New York Gov. Andrew Cuomo, was arrested and charged with acting as an agent of the Chinese government, AP News reports. The arrest is one of several in recent years as the US Department of Justice aims to uncover agents acting on behalf of China, according to AP News.  

Access to US wiretap systems may offer insight into which Chinese assets are at risk of being discovered by US authorities.  

Access to communications systems could be advantageous in other ways, particularly if geopolitical tensions regarding Taiwan boil over into kinetic conflict.  

“[China’s] first focus is going to be to disrupt the potential players in the game, and we [the US] are a significant player in that event,” says Kevin Kirkwood, CISO at cybersecurity company Exabeam.  

He emphasizes how important it is for the impacted telecommunications companies to seek out any lingering access the hackers may have.  

Related:Juliet Okafor Highlights Ways to Maintain Cyber Resiliency

“China plays a long game,” he tells InformationWeek. “If I were … the attacker … I would find some small, insignificant system or set of systems that I could then leave something behind that I could trigger at a later date.”  

Backdoors in the Spotlight 

The compromise of these major telecommunications providers raises questions about legally required backdoors, which can be traced back to the Communications Assistance for Law Enforcement Act (CALEA) passed in 1994. CALEA requires telecommunications companies to provide law enforcement with the ability to conduct electronic surveillance.  

“Backdoors are not just able to be used by good guys. Those same doors are open to bad guys as well,” says Ackerly.  

This breach adds fuel to the fire of the ongoing debate over backdoors. On one side, law enforcement argues for their necessity. On the other side, the security community decries the inherent risk of abuse by threat actors.  

In this Salt Typhoon breach, the exact motivations and subsequent damage are not yet known. But Terrill points out that much of what the public knows about government surveillance capabilities dates back to the information leaked by Edward Snowden in 2013.  

Related:What NIST’s Post-Quantum Cryptography Standards Bring to the Table

“I would have to venture a guess that the surveillance capabilities we have now are one or two generations, at least, more advanced than what we had at that time,” he says. “So, if we're thinking about how bad it would have been to compromise the systems that we knew about from 15 years ago, it's probably worse than that.” 

As we wait to learn more from the investigation of this incident, it is likely that the backdoor debate will continue.  

Critical Infrastructure and Telecommunications Companies 

The government’s reliance on telecommunications companies to operate wiretap systems is an example of how critical infrastructure hinges on the collaboration of public and private spheres.  

“This is a wakeup call,” says Terrill. “What are we doing to protect these kinds of systems? Should they be centralized in that way?” 

All three companies involved in this incident have experienced cyberattacks and breaches before. For example, AT&T will pay the US Federal Communications Commission (FCC) a $13 million fine regarding a 2023 breach that impacted 9 million customers. A 2023 breach of Verizon impacted 63,000 of its employees, according to SecurityWeek. Lumen Technologies was hit with a ransomware attack last year, according to Cybersecurity Dive.  

But this latest breach involving wiretap data has potential national security implications. These companies may face government pressure to improve their cybersecurity capabilities and prevent something like this from happening again.  

“They've got an uphill battle trying to deal with this. They've been tasked by the government to provide some of the most powerful surveillance capabilities ever conceived by man, and protecting those is really, really complicated,” says Terrill.  

Ackerly argues that this incident creates an opportunity for disruption. “This is going to spawn innovation at the networking layer and at the data layer where there just needs to be a fundamentally new approach,” he says.  

Whether a new approach will be adopted and how the conversation on backdoors will evolve remains to be seen, but nation state attacks on critical infrastructure are not going to stop.  

“We're seeing more and more intelligence operations that are being … rooted out and foiled, cast into the public sphere in a way that we've not seen before,” says Terrill. “The idea that this stuff is going on in plain sight and not in the shadows is … a new paradigm.”