NewsBite

China-linked hackers breach U.S. internet providers in new ‘salt typhoon’ cyberattack

The hacking campaign is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the US and around the globe.

FBI Director Christopher Wray says China poses a massive cyber threat. Picture: AFP.

Hackers linked to the Chinese government have broken into a handful of US internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.

The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that US investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the US and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America’s broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack.

Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet, according to people familiar with the matter. A Cisco spokeswoman didn’t immediately provide comment Wednesday.

Microsoft is investigating the intrusion and what sensitive information may have been accessed, people familiar with the matter said. A spokesman for the company declined to comment.

Chinese spy agency accused of sustained cyber espionage

China has made a practice of gaining access to internet-service providers around the world. But if hackers gained access to service providers’ core routers, it would leave them in a powerful position to steal information, redirect internet traffic, install malicious software or pivot to new attacks, said Steven Adair, the founder of Volexity, a cybersecurity firm that has investigated China-backed intrusions.

Former US intelligence officials said the alleged attack appeared audacious in scope, even by the standards of past major breaches achieved by Chinese hacking squads.

“This would be an alarming – but not really surprising – expansion of their malicious use of cyber to gain the upper hand over the United States,” said Glenn Gerstell, former general counsel at the National Security Agency.

Gerstell, who spent decades working as a lawyer on telecommunications and technology matters, noted that China for years had relied on cyber theft to steal industrial and military secrets before quietly positioning itself inside American critical infrastructure. “Now it seems they are penetrating the very heart of America’s digital life, by burrowing into major internet-service providers,” he said.

Hackers targeting cyber infrastructure China’s approach to ‘unrestricted warfare’

Last week, US officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into US networks for a China-based hacking group called Flax Typhoon. And in January, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of US critical infrastructure.

“The cyber threat posed by the Chinese government is massive,” said Christopher Wray, the Federal Bureau of Investigation’s director, speaking earlier this year at a security conference in Germany. “China’s hacking program is larger than that of every other major nation, combined.” US security officials allege that Beijing has tried and at times succeeded in burrowing deep into US critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China’s actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the US’s ability to mobilise support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island.

While US officials have warned Volt Typhoon appears largely focused on prepositioning into networks to later detonate cyberattacks that could cripple operations of infrastructure, the Salt Typhoon activity appeared to be more geared toward intelligence collection, people familiar with the matter said.

Officials have repeatedly said that what the private sector and government agencies know about Chinese intrusions into critical infrastructure is likely the “tip of the iceberg” because of how stealthy and sophisticated the hackers have been.

China has routinely denied allegations from Western governments and technology firms that it relies on hackers to break into foreign government and business computer networks. The Chinese Embassy in Washington didn’t respond to a request for comment.

China’s state-backed hackers have long shown an interest in compromising global telecommunications infrastructure. A report published in 2019 by Cybereason, a US cybersecurity firm, found that Chinese spies had hacked into the cellular networks of at least 10 global carriers to steal geolocation data as well as text messaging records and call logs.

Dow Jones


Original URL: https://www.theaustralian.com.au/business/the-wall-street-journal/chinalinked-hackers-breach-us-internet-providers-in-new-salt-typhoon-cyberattack/news-story/4fb33bb94b5aac5ec09500148f435daa