We may have recently been exposed to the largest cyber campaign of all time, in which China managed to completely penetrate the communications infrastructure of its great rival, the United States. In doing so, it gained access to huge amounts of invaluable information. The attack is so serious that the US government is in a panic – all Senators have been briefed by the FBI and the NSA. An inter-departmental task force has been established that meets three times a week, and the Senate Commerce Subcommittee will hold a special hearing on December 11 to discuss security threats to communications networks and examine best practices for providers to reduce risks to consumers. Additionally, in an unusual step, the FBI and CISA have recommended that the public use apps that include end-to-end encryption (E2EE), such as Signal and WhatsApp, for phone calls or to send SMS messages.
What happened?
The cyber campaign by the hacker group “Salt Typhoon”, which is identified as a group supported by the Chinese Ministry of National Security, was first discovered in March 2024 by Microsoft. The company identified suspicious activity on the networks of leading telecommunications providers in the United States, including Verizon, AT&T and Lumen Technologies. According to reports, the hackers penetrated the interception systems (in technical jargon, lawful interception: the legal collection of information on citizens of the country) of the US Department of Justice, which gave them access to phone records and sensitive content. The intrusion started long before it was detected (probably from the beginning of 2024), which highlights the sophistication of the attack.
Initial Penetration Method
The hackers used advanced tactics such as exploiting vulnerabilities in the software and hardware of routers and network servers. Cisco vulnerabilities were reportedly exploited to gain initial access, followed by sophisticated identity theft and the use of legitimate remote-control software tools (living off the land) to further penetrate the system. Anne Neuberger, deputy national security adviser for cybersecurity and emerging technology, emphasized the severity of the breach during press briefings in recent days. She confirmed that the attack hit eight US telecom companies, exploiting four previously unknown zero-day vulnerabilities. Neuberger stated that the attackers had likely been exploiting vulnerabilities in private companies’ systems for one to two years. She emphasized that the full scope of the attack is still under investigation and that there is still a risk of undiscovered vulnerabilities being exploited.
It is very likely that the attackers exploited vulnerabilities in the US communications networks that were designed to allow access by the government for surveillance purposes.
Victims and Damage
- Telecommunications industry: The damage was widespread, especially at large communications providers such as Verizon and AT&T, which provide most of the communications infrastructure in the United States. The group was able to access sensitive information on hundreds of millions of private and institutional users.
- Government systems: The campaign compromised surveillance records of US agencies, which could affect their ability to track suspects of criminal activity or espionage.
- Political targets: The attack also targeted the devices of political figures, including staffers of presidential candidate Harris, candidate Trump, and senior campaign officials.
- Other critical systems: Beyond communications, hackers have managed to penetrate various organizations in Asia and the United States, raising concerns about a broader penetration affecting critical infrastructure such as electricity and water.
US Government Response
When the breach became known, a wide-ranging investigation by the FBI, the cybersecurity agency CISA, and the NSA began.
The US government has established a joint coordination group to address the dangerous penetration of the country’s communications infrastructure. This group, which meets several times a week, works with telecom CEOs and cybersecurity experts to implement stronger security measures across the sector. In addition, federal agencies such as CISA and the FBI have issued updated security guidelines to help telecom providers harden their defenses against similar attacks in the future. The Federal Communications Commission (FCC) has begun working to mitigate the damage and improve protection. FCC Chairwoman Jessica Rosenworcel has proposed new rules that would require telecom companies to annually certify that they have plans to defend against cyberattacks. The agency aims to ensure that network vulnerabilities exploited by foreign hackers are patched, requiring carriers to meet specific security standards to protect against unauthorized access.
At the same time, recognizing that systems are still at high risk of further (or ongoing) intrusion, the FBI and CISA have recommended that the public refrain from making unencrypted phone calls and sending unencrypted text messages, and switch to end-to-end encrypted (E2EE) communication apps such as Signal and WhatsApp (as these are not vulnerable to the security weaknesses of the major carriers).
In addition, CISA and the FBI have urged users to implement multi-factor authentication and ensure that their devices receive timely operating system updates to protect against additional and unpatched cybersecurity risks.
Implications for US national security
US Senators have been briefed on the issue and have expressed deep concern and called for action following the revelation of China’s massive cyber espionage campaign. Senator Mark Warner described it as “the worst telecom breach in our nation’s history.” Senators from both parties are demanding immediate reforms to improve the security posture of telecommunications providers. Democratic Senator Ron Wyden has begun drafting legislation to improve telecom security, and Senator Eric Schmitt has urged the Pentagon to enforce stronger cybersecurity measures for its own providers. Republican Senator Rick Scott has criticized the government for failing to detect or prevent the breach sooner, and has called for accountability and solutions.
There are also voices calling for a more significant response against China itself.
The end of surveillance?
The authorities’ recommendation to switch to end-to-end encrypted communications (which do not run over traditional telecom infrastructure) pulls the rug out from under the intention of the Communications Assistance for Law Enforcement Act (CALEA), which gave US authorities unlimited ability to eavesdrop on the country’s citizens (or to intercept any type of transmission, with a court order of course).
CALEA is an American law enacted in 1994. Its main purpose was to ensure that telecommunications providers could provide access to information to law enforcement authorities for the purpose of legal wiretapping. The law was created at a time when digital technologies became dominant, and it was necessary to update the ability of law enforcement agencies to conduct wiretapping in these new systems as well. The law requires communication providers (such as telephone, Internet, and messaging service companies) to implement mechanisms in their systems that will allow authorities to conduct wiretaps, provided that there is a court order to do so. If citizens do indeed act according to the recommendation, their surveillance will become more difficult. It is possible, paradoxically, that one of the most serious security breaches in history, one that led to information theft on a historic scale and the violation of the privacy of millions, will actually lead to an improvement in the privacy of US citizens (or at least make it more difficult for the authorities to collect this information).