Why the Salt Typhoon Hack Is Freaking Everyone Out

Officials say hackers linked to China have unprecedented access to U.S. telecommunication networks.

By Rishi Iyengar, a reporter at Foreign Policy.
A car drives past a Verizon store in Daly City, California, on Sept. 30. Justin Sullivan/Getty Images

Even in a year of high-profile Chinese cyberattacks, the Salt Typhoon campaign has stood out. 

The attack, by a Chinese government-linked hacking group dubbed “Salt Typhoon” by investigators, was first revealed in late September. The hackers infiltrated at least eight major U.S. telecommunication networks, including AT&T and Verizon, targeting the cellphones of several government officials and politicians, including President-elect Donald Trump and Vice President-elect J.D. Vance.

T-Mobile was previously reported to be included as well, but the company said in a statement to Foreign Policy that “T-Mobile is not confirmed to be impacted by Salt Typhoon, and we cannot definitively identify this attacker as Salt Typhoon or another similar group.” The company also provided a link to a statement from the company’s chief security officer with additional details, including that the company believes no sensitive consumer data was compromised in its case.

The intrusion has sent alarm bells ringing among intelligence agencies and lawmakers, with Senate Intelligence Committee chair Mark Warner referring to it as the “worst telecom hack in our nation’s history—by far.” Sen. Marco Rubio, the committee’s ranking member and Trump’s nominee for secretary of state, went a step further. “It’s the most disturbing and widespread incursion into our telecommunication systems in the history of the world, not just the country,” he told reporters this month. “That’s about as bad as it gets.”

Even more concerning, U.S. officials said that as of early this month, they had still not been able to expel the hackers from most of the compromised systems and were unable to give a timeline for when that would be achieved. 

On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued guidelines on mobile phone usage for “highly targeted individuals,” which CISA official Jeff Greene said refers to “senior government or senior political officials who likely possess information of interest” to China. The agency instructed those individuals to only communicate through apps, such as Signal, that are end-to-end encrypted (which means messages are only accessible to senders and recipients), use a password manager, and avoid receiving authentication codes via text for their logins.

“The targeting we’ve seen is focused on a small number of individuals, but these are still safety precautions that anyone can take to secure their communications against this or other threats,” Greene, who serves as the agency’s executive assistant director for cybersecurity, told reporters on Wednesday. 

But the effects of the hack threaten to be far more widespread, with CISA and its counterpart agencies in Australia, New Zealand, and Canada warning this month that Salt Typhoon’s campaign extends beyond just U.S. networks. It also likely includes more than just prominent politicians, with NBC News reporting that the hackers also accessed general phone call and text data—known as metadata—of more than a million Americans. 

Greene said investigations by CISA and other U.S. government agencies into the extent of the hack are still ongoing. “This particular Salt Typhoon communications compromise is part of a broader pattern of PRC activity directed at critical infrastructure,” he said, using China’s official name. “This is ongoing PRC activity that we need both to prepare for and defend against for the long term.”


Salt Typhoon is the third major Chinese hacking group to be uncovered during the Biden administration. 

In May 2023, Microsoft (whose systems much of the U.S. government runs on) discovered that a group it called Volt Typhoon had burrowed into critical infrastructure networks including water and transportation across the United States—as well as in Guam, home to key U.S. military bases. 

The objectives of the group, which Microsoft said had been active since mid-2021, appear to go beyond the espionage and information-gathering that Chinese cyberattackers are known for: U.S. officials have said the hackers aim to sow chaos in the event of a conflict. 

More recently, U.S. officials announced that they had disrupted a third group, known as Flax Typhoon, which took over hundreds of thousands of internet-connected devices such as webcams. (“Typhoon” is the moniker Microsoft uses to denote groups linked to China, with state-linked hackers from Russia tagged as “Blizzard” and those from Iran called “Sandstorm”). 

Together, the attacks form a picture of alarming provocation and escalation by a highly capable adversary. 

“In my 25 years in cybersecurity, this is the most significant systemic cyber-intrusion to date, period,” Tom Kellermann, who served on President Barack Obama’s cybersecurity commission, said in an interview with Foreign Policy.

Compromising telecommunication networks serves as an entry point into the “backbone” of U.S. infrastructure that the Chinese could use to “island hop” into different parts of the network and launch more destructive attacks on other critical infrastructure, he added. “This is something we’re going to be dealing with for years, to identify all the back doors that have been placed in the systems.”


The Biden administration is scrambling to hit back, and its response thus far has been relatively limited. The Commerce Department this week reportedly sought to ban leading Chinese firm China Telecom from operating in the United States and may be considering a ban on another company, TP-Link, which makes Wi-Fi routers used by millions of Americans. Congress also just approved $3 billion in funding to remove all Chinese equipment from U.S. telecom networks. 

“I expect the scale and severity of this attack will force the administration to reevaluate some of these measures and take a heavier hand,” said Ryan Fedasiuk, an adjunct fellow in the technology and national security program at the Center for a New American Security who previously served in the State Department’s China House.

Complicating those efforts is the fact that a new administration takes office just a month from now. The Biden administration has made cybersecurity and defense a major focus, and it remains an open question whether Trump will prioritize it in the same way. At the same time, much of the ongoing U.S. tech competition with China—particularly on telecommunications—began under the first Trump administration (see: Huawei). 

“President Trump and his national security team will almost certainly arrive at the same conclusion,” Fedasiuk said. “Hacking the personal devices of sitting U.S. officials and senior campaign staff is certainly one way to kick off a relationship with President Trump’s team—but it’s probably not the approach I would have advised.”

The fact that the majority of national cybersecurity now falls to the private sector could further muddle efforts to rein in Chinese hacking. “I think there’s going to be a lot of deregulation, and that’s not going to help our cybersecurity posture,” said Kellermann, now the senior vice president of cyberstrategy at the cybersecurity firm Contrast Security. “That being said, the Trump administration is very much attempting to marginalize and isolate the reach and power of China, and so perhaps they will appreciate the fact that cyber is a tremendous component of that initiative.”

China has repeatedly denied carrying out cyberattacks against the United States and did so again in the wake of the Salt Typhoon revelations. “There is no evidence that supports the irrational claim of the so-called ‘cyberattacks from China,’” a spokesperson for the Chinese Embassy in Washington told reporters in a briefing this week. “China itself is a target of international cyberattacks and consistently opposes and combats all forms of cyberattacks.” 

Kellermann said the U.S. government needs to step up its offensive cyber-operations against adversaries such as China, Russia, and Iran, which “essentially want to conduct a home invasion versus a burglary.” At the same time, he understands the instinct not to overplay Washington’s hand by revealing too many details at this stage. “Metaphorically, you don’t want to shout out, ‘I’ve got a gun. I’ve called the police,’ when someone’s in your house because they could choose to set your house on fire.” 

FP’s Christina Lu and Lili Pike contributed reporting for this story.

Correction, Dec. 20, 2024: A previous version of this article misstated that T-Mobile was confirmed to be among the telecom companies included in the Salt Typhoon data breach. The piece has been updated to include a statement from the company.

Rishi Iyengar is a reporter at Foreign Policy. X: @Iyengarish
