The Wall Street Journal reported on Saturday that Chinese hackers broke into the network of a major U.S. broadband service provider and obtained information about the wiretapping system used by the federal government.
The U.S. telecom industry recently experienced a major cyberattack involving Chinese hacker groups infiltrating its networks, gaining access to highly sensitive wiretapping data.
However, it was not as severe as the NPD breach earlier in 2017. This attack targeted companies including Verizon, AT&T, and Lumen Technologies, giving the intruders unauthorized access to the critical systems used for court-authorized wiretaps, a vital tool for law enforcement surveillance.
As a result of the intrusion, the hackers had this data in their possession for months, raising concerns about the depth of the intrusion and its implications for national security and individual privacy, and more broadly for the country's future.
U.S. authorities have identified these hackers as part of a Chinese cyber espionage group. The incident has brought renewed attention to the vulnerability of American broadband networks and the risks they pose to the nation's security and surveillance systems, at a time when tensions between the two countries over cyber operations are already high.
According to the Wall Street Journal, an attack linked to the Chinese government penetrated the networks of several U.S. broadband providers, allowing access to information the federal government uses for court-authorized network wiretap requests. People familiar with the matter believe the hackers have had access to the network infrastructure used to fulfil legal requests for communications data for months or even years.
WSJ sources also stated that the attackers were able to access other tranches of more generic Internet traffic.
The attack has been attributed to a Chinese hacking group known as "Salt Typhoon", which appears to have carried it out for intelligence-gathering purposes. The "Salt Typhoon" name was previously assigned to the group by the U.S. military.
Earlier this year, the Department of Homeland Security disrupted a major Chinese hacking group called "Flax Typhoon", just months after highlighting the sweeping cyber espionage China is conducting under the name "Volt Typhoon", in a confrontation with the Chinese government.
The Wall Street Journal report also states that Microsoft and others in the cybersecurity industry are investigating the Salt Typhoon attacks.
Salt Typhoon is also tracked under the names FamousSparrow and GhostEmperor.
According to ESET, FamousSparrow is a cyberespionage group that has been active for the last couple of years, at least as far back as 2019. At the time, security firms reported that the threat actor primarily targeted airports, hotels, government agencies, and law firms, as well as international companies in countries including Brazil, Canada, Israel, Mexico, Saudi Arabia, Taiwan, and the UK, among many others.
Kaspersky, which described GhostEmperor as a highly skilled and stealthy threat actor with a wide range of targets in Southeast Asia and around the globe, first publicly documented the group in 2021, about a year after it emerged.
Sygnia then saw no activity from the group until the end of 2023, when it noticed rootkits being delivered in attacks, showing that the group was still active.
Reports in the Post and the WSJ both suggested that the U.S. wiretapping system may have been compromised, although this has not been proven.