Chinese Hackers Still Trying to Break Into Telecoms Across Globe

A Chinese hacking group has continued to target phone and wireless providers around the world, compromising devices tied to seven telecommunications companies since February, according to a recent bulletin sent by cybersecurity firm Recorded Future Inc. to its clients.

The hacking group, widely referred to as Salt Typhoon, has breached network devices at locations on the internet owned by the seven companies, including American telecom and media firm Comcast Corp., South Africa's MTN Group Ltd., and South Korea's LG Uplus Corp. The report shows that the compromised devices likely belong to the seven companies' clients, but does not say that the telecommunications firms were breached.

In November, US officials accused Salt Typhoon of a "broad and significant cyber-espionage campaign" that had breached telecommunications companies and targeted the phones of prominent politicians, including then-presidential candidate Donald Trump. The hackers have previously compromised seemingly innocuous hardware such as routers, switches, and other so-called edge devices, and used that access to launch other, more compromising attacks.

The equipment tends to run on infrastructure owned by telecommunications companies, even while those firms' clients are often the hackers' real targets, said Pete Renals of cybersecurity firm Palo Alto Networks Inc. Comcast said the hacked equipment belongs to a client, that it investigated and that its own network wasn't impacted. LG Uplus also said the breached device was owned by a client and the issue wasn't related to its internal systems.

MTN said it hadn’t detected any cyberattack by Salt Typhoon. A representative of the Chinese Embassy in Washington emphasized in a statement the difficulty of determining the origins of hacks, saying that despite issuing sanctions, the US government has "been unable to produce conclusive and reliable evidence" that the Chinese government was behind the breaches blamed on Salt Typhoon.

The Scope of the Hackers' Attacks

The hackers spent the winter and spring of this year scouring the internet to identify hundreds of potentially vulnerable devices in countries all over the world, according to Recorded Future. They then used old, unpatched cybersecurity vulnerabilities to break into some of them, according to the report.

Over the past few months, Salt Typhoon hackers have shifted their strategy to broadly target such devices around the world, said Renals, of Palo Alto Networks. "The targeting and compromise of telecommunications companies has a direct impact on the everyday lives of citizens as these networks are foundational to modern society," he said.

The Threat of Salt Typhoon

Salt Typhoon remains a serious and significant threat to US and global telecommunications networks, putting sensitive information and communications at risk. The hackers' ultimate objective was "to use this initial access as a launchpad to pivot into the sensitive, internal core of telecommunications networks," said Jonathan Luff, chief of staff at Recorded Future.

"Salt Typhoon continues to methodically target devices within telecommunications networks to potentially gain access to the providers’ internal systems," Luff said. The group "remains a serious and significant threat to US and global telecommunications networks."

The Impact on Citizens

The hackers' targeting of telecommunications companies has a direct impact on the everyday lives of citizens, as these networks are foundational to modern society. The compromise of network devices can lead to disruptions in services, data breaches, and other security risks.

"Salt Typhoon's recent shift towards indiscriminate targeting of vulnerable network edge devices is equally concerning," said Renals. A representative of LG Uplus declined to identify the client who owned the compromised device but said that the company guided them "to ensure appropriate measures are taken" in April.

The Response from Telecom Companies

Comcast spokesperson Joel Shadle said that the Philadelphia-based company conducted its own investigation, worked with government investigators and found no evidence that Salt Typhoon has impacted Comcast. LG Uplus said that it had found no evidence of any further hacking attempts targeting the company in relation to this incident.

MTN said it hadn't detected a cyberattack by Salt Typhoon. The group's latest hacking attempts continue a campaign, disclosed by US officials last year, that compromised AT&T Inc., Verizon Communications Inc. and at least seven other American telecommunications companies.

The Pattern of Chinese Government-Backed Hackers

Chinese government-backed hackers have been known to target telecommunications companies, allowing them to collect intelligence and maintain persistent access in the event of a future crisis. According to Andrew Reddie, a professor at the University of California, Berkeley, "the pattern of targeting telecommunications companies allows them to maintain persistent access."