Two U.S. security agencies listed mass-media provider Comcast and data center giant Digital Realty among companies likely ensnared by a Chinese hacking group that has penetrated U.S. and global telecom operators, according to three people familiar with the matter.
The National Security Agency determined that Comcast had likely been affected by Salt Typhoon, according to two of the people. The Cybersecurity and Infrastructure Security Agency believes Digital Realty may have been compromised, the third person said. The people spoke on the condition of anonymity to discuss the assessments, which have not been previously reported.
Salt Typhoon breached major telecom carriers in a global, multiyear espionage campaign whose scope and scale have gradually come to light since September. The hacking unit is part of a broader syndicate of state-backed groups tied to military and intelligence arms of China’s central government. The “Typhoon” moniker comes from a Microsoft naming convention for Beijing-linked cyber actors.
Such intrusions, especially into a data center, could give the hackers a far deeper foothold than previously known into the infrastructure used by the world’s information service providers.
There’s uncertainty among U.S. officials about who was affected by Salt Typhoon. Lists of confirmed or potential victims are held by various agencies, but they don’t always match. CISA, for instance, has a list of telecom and information-technology companies, but an FBI tabulation shows different entities, two of the people said. This creates confusion about who may have been targeted or breached, one of the people said.
And some companies are making efforts to avoid disclosing that hackers have penetrated their networks. At two major U.S. telecom providers, incident-response staff have been instructed by outside counsel not to look for signs of Salt Typhoon, said one of the people, declining to name the firms because the matter is sensitive.
One of the people said that CISA representatives should have contacted likely victims such as Digital Realty and Comcast multiple times since December, but it’s not clear whether consistent back-and-forth communications were established. CISA tends to contact potential victims when it’s believed their networks are compromised, according to another person familiar with the cyber defense agency’s notification process.
An intrusion into either provider could carry national-security risks. Comcast facilitates internet access for millions of users and businesses, while Digital Realty hosts troves of physical infrastructure used by telecom operators, cloud providers and governments to route global web traffic.
“As a policy, we do not provide comment on individual entities,” a CISA spokesperson said. The NSA declined to comment, and the FBI did not respond to a request for comment. Comcast and Digital Realty did not return multiple requests for comment.
In December, hundreds of organizations were notified of potential Salt Typhoon compromise. Last month, CyberScoop reported that CISA and the FBI devised a coordinated notification campaign to alert affected companies and help them deter the hacks, sometimes providing new data on an hourly basis.
The FBI concurred with other agency assessments that the Salt Typhoon attacks, broadly speaking, are the most egregious national-security breach by a nation-state hacking group in U.S. history, one of the people said.
“This would confirm what many of us in the cybersecurity industry already suspected. The Salt campaign was broader than just telcos and we have low confidence the attackers have been evicted,” said Marc Rogers, a seasoned telecommunications cybersecurity expert.
Nextgov/FCW obtained an internal CISA list of communications-sector hardware and software products found to have been exploited by China-linked hacking groups. One of the vulnerabilities, discovered in 2018, was found in routers made by MikroTik, a Latvian firm that did not return a request for comment. Some of the software flaws exploited by Salt Typhoon were first disclosed in 2018, Nextgov/FCW previously reported.
“Something that isn’t being talked about enough is that the initial way in which these attackers used was almost mostly simple flaws like 8-year-old vulnerabilities and credential theft. Instead of talking about ‘ripping and replacing’ we should be looking at why we aren’t patching or maintaining our critical infrastructure,” Rogers said.
Chinese access into data center and colocation firms would provide the hackers with a different target set compared to messaging services operated by traditional carriers, said Eric Hanselman, the chief technology, media and telecommunications research analyst at S&P Global Market Intelligence.
“The additional risk would be gaining the ability to monitor intra-service and intra-application communications traffic that doesn’t normally traverse the internet backbone. That could include storage traffic moving from colocation environments into cloud or traffic moving from hosted environments into on-premises infrastructure,” Hanselman said in an email to Nextgov/FCW. “That traffic might have less robust protections, as it’s not traversing the open internet.”
Digital Realty has more than 300 data centers in 25 countries and 50 metropolitan areas, according to a company marketing webpage, which lists Amazon Web Services, Google Cloud, IBM, Microsoft and Nvidia among its clients. The company is considered one of the largest data center colocation providers in the world, housing the physical systems where cloud and telecom networks exchange data.
“We can reasonably assume that these attackers already have sufficient access into internet infrastructure and are looking to expand the depth with which they can monitor other activities that are taking place within data center environments,” Hanselman said.
Comcast has about 51 million broadband and cable customers and about 8.1 million wireless customers, according to recent earnings data.
It’s widely believed that Salt Typhoon hasn’t been excised from telecom systems, despite public statements from companies saying otherwise. On Thursday, Sen. Josh Hawley, R-Mo., said in a Senate Homeland Security Committee hearing that the hackers are still inside.
“If a foreign actor chose to concentrate on any member of the audience here — we were told behind closed doors, of course — but what we were told is that foreign actors basically have unlimited access to our voice messages, to our telephone calls,” Hawley said.
President Donald Trump, Vice President JD Vance, and other U.S. officials had their calls and texts directly targeted in the Salt Typhoon hacks. The cyberspies accessed providers’ “lawful intercept” systems, used to comply with government orders requiring access to communications metadata for law enforcement investigations.
“If these reports are accurate, they point to yet another serious and deeply concerning example of the Chinese Communist Party targeting America’s digital infrastructure,” a spokesperson for the House China Select Committee said in an email, noting the panel “has repeatedly warned about the CCP’s efforts to exploit access points into our communications networks, and this apparent breach reinforces the urgent need to harden our defenses.”
In March, House Homeland Security Committee chair Rep. Mark Green, R-Tenn., asked DHS for internal documents about Salt Typhoon and another Chinese hacking unit, Volt Typhoon, Nextgov/FCW first reported.
“Every new detail that emerges surrounding the Salt Typhoon intrusions teaches us the lengths China-backed hackers will go to undermine the integrity of our critical infrastructure, U.S. sovereignty and the privacy of Americans,” Green said in a statement to Nextgov/FCW, alluding to recent testimony from DHS Secretary Kristi Noem that CISA lacks detailed information about the telecom hacks.
“My colleagues and I on the committee share this concern, which is why we sent a letter in March to examine the previous administration’s response to the Volt and Salt Typhoon intrusions,” Green said.
The Cyber Safety Review Board — a DHS body that was dismissed at the start of the Trump administration — was in the middle of investigating the Chinese telecom hacks. Lawmakers have called for it to be reinstated. CISA has also been mired in budget plans to slash its workforce and operations.
“The bold actions of Salt Typhoon — and other state-sponsored threat actors from China — demand that we continue to build analytic capacity at CISA and grow the pool of cyber defenders across the federal enterprise,” said Rep. Bennie Thompson, D-Miss., the top Democrat on the Homeland panel. “‘Doing more with less’ is a convenient rally cry for people who want to slash spending — it is also a recipe for disaster that will leave us unaware and unprepared for the likes of Salt Typhoon.”