Last Year Saw the Worst Telecom Hack in Our Nation’s History
While millions of Americans’ metadata were compromised, the specific targets seem to be important political figures and people of interest to the Chinese government.

For over a year, the Chinese state-backed hacking group Salt Typhoon (also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) has been inside eight of the largest telecommunications networks in the U.S., including AT&T, Verizon, T-Mobile, and Lumen. T-Mobile was able to stop the infiltration more quickly than the other telecom companies.
The hack was insidious and extensive, enabling the hackers to intercept communications (i.e., texts, emails, and phone calls) on these networks as well as determine user metadata, such as geolocation.

Millions of Americans’ metadata were compromised. However, the hackers seemed to specifically target important political figures and people of interest to the Chinese government. One group of targets was president-elect Donald Trump and vice-president-elect J. D. Vance, as well as both Trump’s and Kamala Harris’s campaign officials. Hackers reportedly were only able to tap into unclassified communications on government officials’ phones, not classified information, which is usually encrypted. However, the hackers did have the ability to tap into a large number of Americans’ phones. So far, the hackers have not been dislodged from the telecom systems, and intelligence agencies are still working to determine the extent and scope of the hack.
Officials do know that the hackers targeted people whom the Department of Justice monitors in its lawful intercept system. That system is court-approved monitoring of individuals whom the DOJ believes are informants or criminals working for China. This would give the Chinese government a clear picture of which of its operatives have been compromised and which have not. Phone conversations were not necessarily tapped, but the phone numbers and geolocation data were likely enough to give the Chinese government information on the DOJ’s targets.
The scope of the hack remains unclear
Senator Mark Warner (D-Virginia), who is head of the Senate Intelligence Committee and a former telecommunications executive, has called this “the most serious telecom hack in our history,” even worse than SolarWinds and Colonial Pipeline. He found the level of technical sophistication “stunning.”
Troublingly, the update provided by the FBI, FCC, and CISA in a senatorial meeting on Capitol Hill last week indicated that the number of Americans (as well as some people in other countries) who have been compromised continues to expand. Experts are still not sure of the extent of the hack, and the hackers are still present in U.S. systems, according to Politico.
Senators from both parties walked out of the meeting angry that this hack has gone on for so long without being detected and that no one is taking responsibility for it.
Senator Josh Hawley (R-Missouri) said:
“I think the American people need to know the extent of the breach here. I think they will be shocked at the extent of it. I think they need to know about their text messages, their voicemail, their phone calls. It’s very bad, it’s very, very bad, and it is ongoing.”
The hack was first detected last spring, when Microsoft noticed unusual activity on certain websites. However, officials did not release anything about it until October.
Cybersecurity firm Trend Micro called Salt Typhoon “Earth Estries” before confirming that the same group was likely responsible for all the hacks, which it characterized in its report as sophisticated and difficult to detect:
Earth Estries conducts stealthy attacks that start from edge devices and extend to cloud environments, making detection challenging. They employ various methods to establish operational networks that effectively conceal their cyber espionage activities, demonstrating a high level of sophistication in their approach to infiltrating and monitoring sensitive targets.
What concerns officials is just how insidious the hack was and what this fact says about the integrity of the U.S. telecommunication network.
Sophistication vs. old telecom networks
The Chinese operatives took advantage of laws that prohibit government intelligence agencies from monitoring U.S. private communications networks. Information like geolocation data is under the purview of the private companies, and intelligence agencies cannot intercept it without a warrant and/or a court order. But private companies must allow police to lawfully track a known foreign operative, and that lawful-intercept capability serves as a point of vulnerability.

Additionally, most of the U.S. telecommunication networks are a patchwork of new and old systems, some of which date back to the days of telephone landlines, dial-up modems, and Ethernet cables. Older systems are harder to maintain at high levels of security, and when one company acquires another, it can be difficult to track down the old server equipment. Aside from not updating their systems, telecommunications companies did not use best practices such as multi-factor authentication and maintaining activity logs. While these practices may not completely stop state-sponsored hackers, experts agree that they would have deterred them from gaining such extensive access.
For their part, the government officials also did not use best practices. Encrypted messaging systems like WhatsApp and Signal were not compromised. Neither were communications between Apple devices. However, when devices on two different networks “talk” to each other, they are exposed to a vulnerability risk, something that cybersecurity experts have warned government entities as well as telecom companies about. Wired reports that Senators Ron Wyden (D-Oregon) and Eric Schmitt (R-Missouri) have written a letter to the inspector general of the Department of Justice. They are asking the Department to investigate its own failure to shore up known vulnerabilities in the telecommunications companies that it uses and to secure its unclassified communications.
There has been a bipartisan and cross-organizational call to enforce basic cybersecurity standards that all telecommunication networks must meet to ensure that something like this does not happen again. However, updating and securing telecommunication networks is no simple task.
Why this is a bigger ethical issue than typical espionage

The hack seemed to be intended to gain intelligence, not to commit sabotage. Intelligence gathering is technically within the “norms of espionage” between nation states. (The U.S. also surveils Chinese telecommunications.) However, as Cécile Fabre points out in Spying Through a Glass Darkly (Oxford 2022), with cyberespionage the scope and breadth are not the same as in traditional spying, and the collateral damage from inserting malware can be much greater. Furthermore, because intelligence groups are still working to determine the scope of the hack, it is too soon to determine its full intentions and targets.
While targeting political leaders is one matter, intercepting millions of Americans’ communications is another. Widespread acquisition of citizens’ data is not the same thing as gathering intelligence on a country’s military, for example. Currently there are laws in the U.S. that prohibit intelligence agencies from tapping into telecom companies’ customer metadata unless there is a warrant and/or a court-approved reason to do so. This means intelligence agencies must rely on private businesses to secure user data.
This brings up the question of responsibility. Who is responsible for allowing the Salt Typhoon hack to go on for so long and to infiltrate so deeply into the major telecom operators’ systems? Telecommunications networks blame regulators and U.S. intelligence agencies for not stopping the hack, while intelligence agencies blame telecommunications networks for not maintaining even basic cybersecurity standards on their systems. Telecommunications companies have had little incentive to spend the time and money needed to completely update their systems, even though they have been called to do so, and government agencies transmit data over the same wires that normal citizens do.
China’s cyberespionage and cybertheft have been a known problem for at least the last decade. Perhaps this latest hack will spur everyone involved to be more diligent about protecting Americans’ data.