Salt Typhoon is behind one of the largest hacking campaigns in recent years, targeting some of the world’s largest phone and internet companies and stealing tens of millions of phone records for senior government officials.
The hacking group, attributed to China, is part of a larger set of hacking groups whose collective goal, according to researchers, is helping China prepare for a possible war with Taiwan. US officials have called a potential Chinese invasion of Taiwan an “era-defining threat”. Much of the group’s effort has focused on hacking Cisco routers at the edge of a company’s network to gain entry, and on taking control of the monitoring systems that US telecommunications companies are legally required to install so that law enforcement can monitor calls and messages.
While Salt Typhoon focuses on hacking telecommunications infrastructure, other China-linked groups have different roles: Volt Typhoon prepares destructive cyberattacks capable of causing widespread disruption, and Flax Typhoon runs a botnet of hacked internet-connected devices to hide the hackers’ malicious web traffic.
But Salt Typhoon is one of the most prolific hacking groups of recent years, with targets that include some of the top US phone companies.
The hacks allowed China to obtain call records, text messages and recorded telephone audio from senior US officials, many of whom were considered government targets of interest. That prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing a foreign adversary could be eavesdropping on their communications.
Salt Typhoon went even further, hacking at least 200 companies worldwide, according to FBI officials. The list of affected countries is constantly growing.
Here are the countries that have attributed hacks to Salt Typhoon.
United States
Some of the top US phone companies, including AT&T and Verizon, were confirmed to have been breached by Salt Typhoon, as was internet provider CenturyLink (now Lumen). T-Mobile said it was targeted, but that the hackers did not have access to its customers’ calls, texts or voicemails.
Satellite communications giant Viasat was also put at risk, with hackers gaining access to tools used by law enforcement to access the communications of others.
Internet and data providers Charter Communications (Spectrum) and Windstream were also named as victims of Salt Typhoon. Fiber optic network giant Consolidated Communications was allegedly hacked as part of the campaign.
Hackers didn’t just target phone and internet providers. According to several reports, Salt Typhoon compromised one US state’s National Guard networks, allowing the hackers to steal data and reach networks in every other US state and multiple regions.
North and South America
According to security company Recorded Future, its researchers saw Salt Typhoon targeting Cisco devices associated with universities in Argentina, Mexico and elsewhere.
Meanwhile, the Canadian government confirmed that its leading telecommunications companies were hacked by China as part of the extensive Salt Typhoon spying campaign. Canada also confirmed that several Cisco routers at a telecom giant were hacked to steal data from the company.
The government in Ottawa warned that it saw companies being targeted that were “broader than just the telecommunications sector.”
Trend Micro said it saw Salt Typhoon activity in Brazil, South America’s most populous country.
Asia, Africa and Oceania
Recorded Future said it has seen Salt Typhoon target at least one Myanmar-based telecom provider, Mytel, through hacked Cisco routers, as well as a South African telecom provider. Attacks targeting university routers have also been observed in Bangladesh, Indonesia, Malaysia and Thailand.
Japan has also warned of the threat Salt Typhoon poses to its networks.
For their part, the Australian and New Zealand governments say they have seen Salt Typhoon activity in their telecommunications and critical infrastructure sectors. New Zealand said it also saw Salt Typhoon hackers across the government sector, as well as in transport networks, accommodation and military infrastructure.
Trend Micro also said it found at least 20 compromised organizations in the telecommunications, consulting, chemical and transportation industries, as well as government and non-profit organizations, in countries as diverse as Afghanistan, Eswatini, India, Taiwan and the Philippines.
Europe
The UK government has confirmed that a ‘cluster of activity’ from Salt Typhoon has appeared across the UK. Although the activity was not specified, news reports suggest that high-ranking UK government officials may have had their phone records tapped and their text messages read.
Norway also confirmed that Salt Typhoon hacked several organizations in the country.
Dutch authorities say several smaller ISPs and web hosts were targeted and that the hackers had access to routers, but the providers’ internal networks were not breached.
An Italian ISP was hacked, per Recorded Future.
And, according to Czech cybersecurity officials, incidents related to Salt Typhoon hacks have been witnessed in Finland and Poland.
