US agencies assessed Chinese telecom hackers likely hit data center and residential internet providers

Data center giant Digital Realty and mass media titan Comcast were documented as likely victims of the Salt Typhoon cyberespionage group, people familiar say, marking a potentially major expansion of the group’s initial telecom hacking campaign discovered last year.

Two U.S. security agencies listed mass media provider Comcast and data center giant Digital Realty among companies likely ensnared by a Chinese hacking group previously found inside major U.S. and global telecom operators, according to three people familiar with the matter.

The National Security Agency made the determination that Comcast had likely been impacted by the group, known as Salt Typhoon, according to two of the people. The Cybersecurity and Infrastructure Security Agency cataloged Digital Realty as being potentially compromised, the third person said. The people spoke on the condition of anonymity to discuss the matter’s sensitivity.

Salt Typhoon breached major telecom carriers in a global, multi-year espionage campaign uncovered last year. Over time, news trickled out about the scope and scale of the incident, which was first reported by The Wall Street Journal.

The hacking unit is part of a broader syndicate of state-backed groups tied to different military and intelligence arms of China’s central government. The “Typhoon” moniker comes from a Microsoft naming convention for Beijing-linked cyber actors.

Such intrusions, especially into a data center environment, could give the hackers a potentially far deeper foothold into infrastructure supporting the world’s information service providers than previously known. The agencies’ assessments have not been previously reported.

There’s uncertainty among officials about who was impacted by Salt Typhoon. Various agencies across the U.S. government are in possession of lists of confirmed or potential victims, but it’s not clear if the tallies are consistent with each other, adding to confusion about who may have been accessed, targeted or marked for investigation, one of the people said. 

CISA, for instance, is in possession of a list of both telecom and information technology companies, but an FBI tabulation shows different entities, two of the people said.

Making investigations into the breach more complicated is that multiple telecom providers have invoked legal strategies to protect themselves from disclosing compromise by the hackers. Inside two major U.S. telecom operators, incident response staff have been instructed by outside counsel not to look for signs of Salt Typhoon, said one of the people, declining to name the firms because the matter is sensitive.

Because Digital Realty and Comcast were assessed as likely victims, CISA representatives should have contacted them multiple times since December, one of the people said. It’s not clear if consistent back-and-forth communications were established. CISA tends to initiate outreach to potential victims when it’s believed their networks are compromised, according to another person familiar with the cyber defense agency’s notification process.

An intrusion into either provider could carry significant national security risks. Comcast facilitates internet access for millions of users and businesses, while Digital Realty hosts troves of physical infrastructure used by telecom operators, cloud providers and governments to route global web traffic. 

“As a policy, we do not provide comment on individual entities,” a CISA spokesperson said. The NSA declined to comment, and the FBI did not respond to a request for comment. Comcast and Digital Realty did not return multiple requests for comment.

Nextgov/FCW reported in December that hundreds of organizations were notified of potential Salt Typhoon compromise. Last month, CyberScoop reported that CISA and the FBI devised a coordinated notification campaign to alert affected companies and help them deter the hacks, sometimes providing new data on an hourly basis.

The FBI concurred with other agency assessments that the Salt Typhoon attacks, broadly speaking, are the most egregious national security breach in U.S. history by a nation-state hacking group, one of the people said.

“This would confirm what many of us in the cybersecurity industry already suspected. The Salt campaign was broader than just telcos and we have low confidence the attackers have been evicted,” said Marc Rogers, a seasoned telecommunications cybersecurity expert.

Nextgov/FCW also obtained an internal CISA list of communications sector hardware and software products found to have been exploited by China-linked hacking groups. One of the several vulnerabilities listed was found in MikroTik routers and was first discovered in 2018. MikroTik, a Latvian firm, did not return a request for comment. Some of the software flaws exploited by Salt Typhoon were first disclosed in 2018, Nextgov/FCW previously reported.

“Something that isn’t being talked about enough is that the initial way in which these attackers used was almost mostly simple flaws like 8-year-old vulnerabilities and credential theft. Instead of talking about ‘ripping and replacing’ we should be looking at why we aren’t patching or maintaining our critical infrastructure,” Rogers said.

Chinese access into data center and colocation firms would provide the hackers with a different target set compared to messaging services operated by traditional carriers, said Eric Hanselman, the chief technology, media and telecommunications research analyst at S&P Global Market Intelligence.

“The additional risk would be gaining the ability to monitor intra-service and intra-application communications traffic that doesn’t normally traverse the internet backbone. That could include storage traffic moving from colocation environments into cloud or traffic moving from hosted environments into on-premises infrastructure,” he said in an email to Nextgov/FCW. “That traffic might have less robust protections, as it’s not traversing the open internet.”

Digital Realty has over 300 data centers across 25 countries and 50 metropolitan areas, according to a company marketing webpage, which lists Amazon Web Services, Google Cloud, IBM, Microsoft and Nvidia among its clients. The company is considered one of the largest data center colocation providers in the world, housing the physical systems where cloud and telecom networks exchange data.

“We can reasonably assume that these attackers already have sufficient access into internet infrastructure and are looking to expand the depth with which they can monitor other activities that are taking place within data center environments,” Hanselman said.

Comcast’s broadband and cable customer base is around 51 million, while its wireless customer count totals about 8.1 million, according to recent earnings data.

It’s widely believed that Salt Typhoon hasn’t been excised from telecom systems, despite public statements from companies saying otherwise. On Thursday, Sen. Josh Hawley, R-Mo., said in a Senate Homeland Security Committee hearing that the hackers are still inside.

“If a foreign actor chose to concentrate on any member of the audience here — we were told behind closed doors, of course — but what we were told is that foreign actors basically have unlimited access to our voice messages, to our telephone calls,” he said.

President Donald Trump, Vice President JD Vance and a range of U.S. officials had their calls and texts directly targeted in the Salt Typhoon hacks. The cyberspies accessed providers’ “lawful intercept” systems, used to comply with government orders requiring access to communications metadata for law enforcement investigations.

“If these reports are accurate, they point to yet another serious and deeply concerning example of the Chinese Communist Party targeting America’s digital infrastructure,” a spokesperson for the House China Select Committee said in an email, noting the panel “has repeatedly warned about the CCP’s efforts to exploit access points into our communications networks, and this apparent breach reinforces the urgent need to harden our defenses.”

In March, House Homeland Security Committee chair Rep. Mark Green, R-Tenn., sent a request to DHS asking the agency to transmit internal documents about Salt Typhoon and another Chinese hacking unit, Volt Typhoon, Nextgov/FCW first reported.

“Every new detail that emerges surrounding the Salt Typhoon intrusions teaches us the lengths China-backed hackers will go to undermine the integrity of our critical infrastructure, U.S. sovereignty and the privacy of Americans,” Green said in a statement to Nextgov/FCW, referencing recent testimony from DHS Secretary Kristi Noem saying CISA is lacking detailed information about the telecom hacks.

“My colleagues and I on the committee share this concern, which is why we sent a letter in March to examine the previous administration’s response to the Volt and Salt Typhoon intrusions,” he added.

The Cyber Safety Review Board — a DHS body that was dismissed at the start of the Trump administration — was in the middle of investigating the Chinese telecom hacks. Lawmakers have called for it to be reinstated. CISA has also been mired in budget plans to slash significant parts of its workforce and operations.

“The bold actions of Salt Typhoon — and other state sponsored threat actors from China — demand that we continue to build analytic capacity at CISA and grow the pool of cyber defenders across the federal enterprise,” said Rep. Bennie Thompson, D-Miss., the top Democrat on the Homeland panel. “‘Doing more with less’ is a convenient rally cry for people who want to slash spending — it is also a recipe for disaster that will leave us unaware and unprepared for the likes of Salt Typhoon.”
