2024 United States telecommunications hack

{{Short description|2024 cyberattack by China}}

On August 27, 2024, The Washington Post reported that at least two major internet service providers in the United States had been compromised by Chinese hackers.{{Cite news |url=https://www.washingtonpost.com/technology/2024/08/27/chinese-government-hackers-penetrate-us-internet-providers-spy/ |title=Chinese government hackers penetrate U.S. internet providers to spy |date=August 27, 2024 |last=Menn |first=Joseph |newspaper=The Washington Post |access-date=August 27, 2024}} It was later reported that the hackers affected at least nine telecommunications firms in the U.S., including AT&T, Verizon, Lumen Technologies, and T-Mobile, and had also affected dozens of other countries.{{Cite news |last=Volz |first=Dustin |date=December 4, 2024 |title=Dozens of Countries Hit in Chinese Telecom Hacking Campaign, Top U.S. Official Says |url=https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca |url-access=subscription |access-date=December 5, 2024 |work=The Wall Street Journal}}{{Cite web |last=Tucker |first=Eric |date=2024-12-27 |title=A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says |url=https://apnews.com/article/united-states-china-hacking-espionage-c5351ef7c2207785b76c8c62cde6c513 |access-date=2024-12-27 |website=Associated Press |language=en}} The hackers were able to access metadata of users' calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers from over a million users, including staff of the Kamala Harris 2024 presidential campaign, as well as phones belonging to Donald Trump and JD Vance.{{Cite news |last=Barrett |first=Devlin |last2=Swan |first2=Jonathan |last3=Haberman |first3=Maggie |date=October 25, 2024 |title=Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance |url=https://www.nytimes.com/2024/10/25/us/politics/trump-vance-hack.html |url-status=live 
|archive-url=https://web.archive.org/web/20241110140054/https://www.nytimes.com/2024/10/25/us/politics/trump-vance-hack.html |archive-date=November 10, 2024 |access-date=October 25, 2024 |work=The New York Times}} The hackers were also able to access wiretapping systems used to conduct court-authorized wiretapping.{{Cite news |last1=Krouse |first1=Sarah |last2=Volz |first2=Dustin |last3=Viswanatha |first3=Aruna |last4=McMillan |first4=Robert |date=2024-10-05 |title=U.S. Wiretap Systems Targeted in China-Linked Hack |url=https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b |url-access=subscription |archive-url=https://archive.today/20241005032832/https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b |archive-date=5 Oct 2024 |work=The Wall Street Journal}} The attack was later attributed to the Salt Typhoon advanced persistent threat actor linked to China's Ministry of State Security (MSS).{{Cite news |last1=Krouse |first1=Sarah |last2=Volz |first2=Dustin |last3=Viswanatha |first3=Aruna |last4=McMillan |first4=Robert |date=October 5, 2024 |title=U.S. Wiretap Systems Targeted in China-Linked Hack |url=https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b |url-access=subscription |access-date=October 5, 2024 |work=The Wall Street Journal |archive-date=October 5, 2024 |archive-url=https://web.archive.org/web/20241005025020/https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b |url-status=live }}{{Cite news |last=Volz |first=Dustin |last2=Viswanatha |first2=Aruna |last3=FitzGerald |first3=Drew |last4=Krouse |first4=Sarah |date=November 5, 2024 |title=China Hack Enabled Vast Spying on U.S. 
Officials, Likely Ensnaring Thousands of Contacts |url=https://www.wsj.com/politics/national-security/china-hack-enabled-vast-spying-on-u-s-officials-likely-ensnaring-thousands-of-contacts-1340ba4a |url-access=subscription |access-date=November 6, 2024 |work=The Wall Street Journal}}{{Cite news |last=Krouse |first=Sarah |last2=Volz |first2=Dustin |date=November 15, 2024 |title=T-Mobile Hacked in Massive Chinese Breach of Telecom Networks |url=https://www.wsj.com/politics/national-security/t-mobile-hacked-in-massive-chinese-breach-of-telecom-networks-4b2d7f92 |url-access=subscription |access-date=November 15, 2024 |work=The Wall Street Journal}}

Initial access

The attackers exploited a zero-day vulnerability in Versa Director (Versa Networks){{cite web |author=Black Lotus Labs |title=Taking the Crossroads: The Versa Director Zero-Day Exploitation |url=https://blog.lumen.com/uncovering-the-versa-director-zero-day-exploitation/ |publisher=Lumen Technologies |access-date=27 March 2025 |date=27 August 2024}} and vulnerabilities in unpatched Fortinet and Cisco network devices and routers, targeting core network components.{{Cite news |last=Volz |first=Dustin |last2=Viswanatha |first2=Aruna |last3=Krouse |first3=Sarah |last4=FitzGerald |first4=Drew |date=January 4, 2025 |title=How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons |url=https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95 |url-status=live |access-date=February 9, 2025 |work=The Wall Street Journal}} They also gained access to a high-level network management account that was not protected by multi-factor authentication. Hijacking one or more routers inside AT&T's network then gave them access to over 100,000 routers from which further attacks could be launched.{{Cite news |last1=Krouse |first1=Sarah |last2=McMillan |first2=Robert |last3=Volz |first3=Dustin |date=2024-09-26 |title=China-Linked Hackers Breach U.S. Internet Providers in New 'Salt Typhoon' Cyberattack |url=https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835 |url-access=subscription |archive-url=https://archive.today/20241007181947/https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835 |archive-date=7 Oct 2024 |work=The Wall Street Journal}}{{cite news |last1=Nakashima |first1=Ellen |author-link=Ellen Nakashima |date=6 October 2024 |title=China hacked major U.S. 
telecom firms in apparent counterspy operation |url=https://www.washingtonpost.com/national-security/2024/10/06/salt-typhoon-china-espionage-telecom/ |url-status=live |archive-url=https://web.archive.org/web/20241007185709/https://www.washingtonpost.com/national-security/2024/10/06/salt-typhoon-china-espionage-telecom/ |archive-date=7 October 2024 |access-date=8 October 2024 |newspaper=The Washington Post}}

It is believed that the hackers had access to the networks for over a year before the intrusions were detected by threat researchers at Microsoft.{{cite web |last1=Sanger |first1=David |last2=Barnes |first2=Julian |last3=Barrett |first3=Devlin |last4=Goldman |first4=Adam |date=Nov 22, 2024 |title=Emerging Details of Chinese Hack Leave U.S. Officials Increasingly Concerned |url=https://www.nytimes.com/2024/11/22/us/politics/chinese-hack-telecom-white-house.html |work=The New York Times |access-date=Jan 10, 2025}}

Impact

On December 27, 2024, deputy national security advisor Anne Neuberger stated in a White House press conference that the total list of affected telecom companies now stood at 9, after a "hunting guide" detailing how to identify this type of intrusion was distributed to "key telecom companies".{{cite web |url=https://bidenwhitehouse.archives.gov/briefing-room/press-briefings/2024/12/27/on-the-record-press-gaggle-by-white-house-national-security-communications-advisor-john-kirby-38/ |title=On-the-Record Press Gaggle by White House National Security Communications Advisor John Kirby |publisher=White House |date=December 27, 2024 |website=whitehouse.gov |access-date=January 10, 2025}}

Companies confirmed to have been breached in this attack are:{{cite web |last1=Volz |first1=Dustin |last2=Viswanatha |first2=Aruna |last3=Krouse |first3=Sarah |last4=FitzGerald |first4=Drew |date=Jan 4, 2025 |title=How Chinese Hackers Graduated From Clumsy Corporate Thieves to Military Weapons |url=https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95 |access-date=Jan 10, 2025 |work=The Wall Street Journal}}

=Call records=

A high priority for the attackers was records of phone calls made by people who work in the Washington, D.C., metro area. These records corresponded to over a million users and included date and time stamps, source and destination IP addresses, phone numbers, and unique phone identifiers. According to Anne Neuberger, a "large number" of the individuals whose data was directly accessed were "government targets of interest."{{Cite web |last=Page |first=Carly |date=2025-01-06 |title=Meet the Chinese 'Typhoon' hackers preparing for war |url=https://techcrunch.com/2025/01/06/meet-the-chinese-typhoon-hackers-preparing-for-war/ |access-date=2025-01-08 |website=TechCrunch |language=en-US}}

=Wiretapping systems=

The hackers compromised the telecom systems that fulfill CALEA requests, which U.S. law enforcement and intelligence agencies use to conduct court-authorized wiretapping. The hackers obtained an almost complete list of phone numbers being wiretapped. Officials said having this information would help China know which Chinese spies the United States has identified.

=Presidential election=

{{Further|Chinese interference in the 2024 United States elections}}

In October, Donald Trump's campaign was notified that phones used by Trump and JD Vance, as well as staff of the Kamala Harris 2024 presidential campaign, may have been affected by the hack.{{Cite news |last=Barrett |first=Devlin |last2=Swan |first2=Jonathan |last3=Haberman |first3=Maggie |date=October 25, 2024 |title=Chinese Hackers Are Said to Have Targeted Phones Used by Trump and Vance |url=https://www.nytimes.com/2024/10/25/us/politics/trump-vance-hack.html |access-date=October 25, 2024 |work=The New York Times}}

Response

According to Foreign Policy, the attack has "hardened anti-China consensus" in the U.S. government.{{Cite web |last=Palmer |first=James |date=2025-01-09 |title=Salt Typhoon Stirs Panic in Washington |url=https://foreignpolicy.com/2025/01/07/china-salt-typhoon-hack-threat-panic-washington/ |url-access=subscription |access-date=2025-01-08 |website=Foreign Policy |language=en-US}} Senator Mark Warner, chairman of the U.S. Senate Select Committee on Intelligence, called the intrusion the "worst telecom hack in our nation's history", describing it as making prior cyberattacks by Russian actors look like "child's play" by comparison.{{Cite news |last=Nakashima |first=Ellen |author-link=Ellen Nakashima |date=November 21, 2024 |title=Top senator calls Salt Typhoon 'worst telecom hack in our nation's history' |url=https://www.washingtonpost.com/national-security/2024/11/21/salt-typhoon-china-hack-telecom/ |url-access=registration |access-date=December 31, 2024 |work=The Washington Post}}

Matthew Pines, director of intelligence at SentinelOne, stated that "the Salt Typhoon hacks will be seen as the worst counterintelligence breach in U.S. history" which "gives MSS bread crumbs to trace back to and cauterize strategically critical U.S. sources and methods." He suggested the data breach is worse than the 2015 hack of the U.S. Office of Personnel Management carried out by the MSS' Jiangsu State Security Department.{{Cite tweet |number=1873035801975796036 |user=matthew_pines |title=I think the Salt Typhoon hacks will be seen as the worst counterintelligence breach in US history. Though not reported yet, seems likely that the MSS compromised the FISA "selectors" in US telcos. The fallout from this is unfathomable. FBI NSD damage assessment is max pain rn. |first=Matthew |last=Pines |date=2024-12-28 |access-date=2024-12-30 |language=en}}

In retaliation for the attack, the U.S. Department of Commerce announced it would ban the remaining U.S. operations of China Telecom. The Department of Defense placed Chinese media conglomerate Tencent, shipping giant COSCO, battery manufacturer CATL, semiconductor manufacturer ChangXin Memory Technologies, and drone maker Autel Robotics on a blacklist of "Chinese military companies".{{Cite news |last=Sanger |first=David E. |author-link=David E. Sanger |date=2024-12-16 |title=Biden Administration Takes First Step to Retaliate Against China Over Hack |url=https://www.nytimes.com/2024/12/16/us/politics/biden-administration-retaliation-china-hack.html |archive-url=http://web.archive.org/web/20241227060307/https://www.nytimes.com/2024/12/16/us/politics/biden-administration-retaliation-china-hack.html |archive-date=2024-12-27 |access-date=2024-12-31 |work=The New York Times |language=en}} The designation can disqualify U.S. businesses which transact with listed companies from future U.S. government contracts.{{Cite news |last=Stevenson |first=Alexandra |date=2025-01-07 |title=U.S. Adds Tencent to Chinese Military Companies Blacklist |url=https://www.nytimes.com/2025/01/06/business/us-chinese-military-companies-tencent-catl.html |access-date=2025-01-08 |work=The New York Times |language=en-US |issn=0362-4331}}

The Chinese Embassy in Washington, D.C. claimed the allegations were all U.S. efforts to "smear and slander" China.

On October 9, the Electronic Frontier Foundation issued a press release stating that any lawful wiretapping system can be compromised by attackers and that "there is no backdoor that only lets in good guys and keeps out bad guys".{{Cite web |last1=Mullin |first1=Joe |last2=Cohn |first2=Cindy |date=2024-10-09 |title=Salt Typhoon Hack Shows There's No Security Backdoor That's Only For The "Good Guys" |url=https://www.eff.org/deeplinks/2024/10/salt-typhoon-hack-shows-theres-no-security-backdoor-thats-only-good-guys |access-date=2025-02-04 |website=Electronic Frontier Foundation |language=en}}

On December 4, 2024, CISA, the FBI, and cybersecurity agencies from New Zealand, Canada, and Australia jointly released a guide for hardening network infrastructure titled Enhanced Visibility and Hardening Guidance for Communications Infrastructure. The agencies urged network engineers, particularly those at telecom companies, to implement the security best practices described therein.{{cite web |url=https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure |title=Enhanced Visibility and Hardening Guidance for Communications Infrastructure |date=December 4, 2024 |access-date=January 11, 2025 |publisher=Cybersecurity & Infrastructure Security Agency}}

On December 10, Senator Ron Wyden released a draft of the Secure American Communications Act, a bill which would order the FCC to require telecoms to adhere to a list of security requirements and perform annual tests to check for vulnerabilities. Wyden claimed that "it was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules".{{cite web |url=https://www.wyden.senate.gov/news/press-releases/wyden-releases-draft-legislation-to-secure-us-phone-networks-following-salt-typhoon-hack |date=December 10, 2024 |access-date=January 11, 2025 |title=Wyden Releases Draft Legislation to Secure U.S. Phone Networks Following Salt Typhoon Hack |publisher=wyden.senate.gov}}

On January 17, 2025, the U.S. Treasury Department's Office of Foreign Assets Control sanctioned Yin Kecheng of Shanghai and Sichuan Juxinhe Network Technology Co. Ltd. as having "direct involvement" in Salt Typhoon.{{Cite web |last=Johnson |first=Derek B. |date=2025-01-17 |title=Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks |url=https://cyberscoop.com/treasury-sanctions-chinese-cybersecurity-company-salt-typhoon-hacks/?stream=top |access-date=2025-01-21 |website=CyberScoop |language=en-US}}{{Cite news |date=18 January 2025 |title=US Treasury Department imposes sanctions on Chinese company over Salt Typhoon hack |url=https://www.reuters.com/technology/cybersecurity/us-treasury-dept-issues-sanctions-related-salt-typhoon-hack-2025-01-17/ |access-date=21 January 2025 |agency=Reuters}}

On January 20, shortly after Trump retook office, acting Secretary of Homeland Security Benjamine Huffman signed a memo abolishing all DHS advisory boards. This included the Cyber Safety Review Board, which was investigating the hack and preparing a report on how to prevent future attacks.{{Cite web |last=Sganga |first=Nicole |date=2025-01-22 |title=DHS terminates all its advisory committees, ending its investigation into the Chinese-linked telecom hack - CBS News |url=https://www.cbsnews.com/news/dhs-terminates-all-advisory-committees-ends-investigation-chinese-linked-telecom-hack-salt-typhoon/ |access-date=2025-03-25 |website=CBS News}}{{Cite web |last=Leyden |first=John |date=January 22, 2025 |title=Trump disbands Cyber Safety Review Board, Salt Typhoon inquiry in limbo |url=https://www.csoonline.com/article/3807871/trump-administration-disbands-dhs-board-investigating-salt-typhoon-hacks.html |access-date=2025-03-25 |website=CSO Online}}
