China hack enabled vast spying on US officials, likely ensnaring thousands of contacts

Chinese hackers burrowed into U.S. telecommunications infrastructure over eight months or more. Photo: Agence France-Presse/Getty Image

Summary

Hackers for months scooped up call logs, unencrypted texts and some audio in breach, allowing them to pierce America’s communications infrastructure without detection.

Hackers linked to Chinese intelligence used precision strikes to quietly compromise cellphone lines used by an array of senior national security and policy officials across the U.S. government in addition to politicians, according to people familiar with the matter.

This access allowed them to scoop up call logs, unencrypted texts and some audio from potentially thousands of Americans and others with whom they interacted. The emerging picture of the intrusion’s reach helps confirm the intelligence community’s concerns about the potentially dire national security consequences of the attack, the people said.

Hackers burrowed deep into U.S. telecommunications infrastructure over eight months or more. With each layer of network infrastructure they unlocked, the Beijing-linked group studied how America’s communications wiring works without detection, carrying out targeted thefts, people familiar with the breach said.

The newly uncovered espionage campaign, earlier reported in September by The Wall Street Journal, is the latest in a long string of successes for China’s government hackers, as Western governments accuse Beijing of spying at an unprecedented scale.

But as U.S. officials and security experts piece together what the hackers—part of a group nicknamed Salt Typhoon by investigators—were able to achieve, they have assembled clues that fuel concerns that China’s mastery of cyber-espionage is dangerously advanced.

The hackers appeared to have had the ability to access the phone data of virtually any American who is a customer of a compromised carrier—a group that includes AT&T and Verizon—but limited their targets to several dozen select, high-value political and national-security figures, some of the people familiar with the investigation said.

The hackers also appear to have infiltrated communications providers outside the U.S., including at least one country that closely shares intelligence with the U.S., though it isn’t yet clear where or how extensively. Investigators expect more victims to be identified as the probe continues.

Investigators don’t yet know how China planned to use the information it allegedly stole. U.S. intelligence officials have warned for over a decade that Beijing has amassed an enormous trove of information on Americans in order to identify undercover spies, understand and anticipate decisions by political leaders, and potentially build dossiers on ordinary citizens for future use.

Though political figures are among those spied upon, officials don’t suspect the Chinese are seeking to use the access to disrupt or otherwise interfere in the presidential election.

U.S. security officials have said they are concerned that China is applying artificial intelligence to their stolen data to glean additional insights and create elaborate social maps of millions of Americans.

“It’s a vulnerability that no one imagined or anticipated,” Sen. Marco Rubio, the top Republican on the Senate intelligence panel, said Sunday on CBS’s “Face the Nation.” Mark Warner, the committee’s Democratic chairman, said last week that it was “one of the most serious breaches” he had ever seen.

In a statement, a spokesman for the National Security Council said U.S. agencies across the federal government were “collaborating to aggressively mitigate this threat” and were “surging support to affected entities and determining the full scope and impact on Americans, companies and the government.”

He added: “We are taking this matter very seriously.”

Breaking in

At Lumen Technologies—a carrier and government contractor whose network makes up a core piece of the global internet—hackers stole credentials to give themselves access to parts of the management layer of the company’s infrastructure in late summer. That access helped them quietly collect information about how network routers were configured and perform other reconnaissance for more than a month before they were caught.

In the broader attack on U.S. telecom networks, officials believe that the hackers also targeted systems that carriers use to comply with court-authorized surveillance requests. At Lumen, which doesn’t provide wireless service, the attackers didn’t steal any customer data or access its wiretap capabilities, according to people familiar with the matter. Lumen, which has contracts with the Pentagon and other U.S. agencies, was notified of the intrusion by a company that specializes in threat intelligence, the people said.

While the hackers appear to have used multiple vectors for their attacks on other telecom companies, they were able to gain some access in part by compromising routers from Cisco Systems and other equipment makers, some of the people said.

The hackers have also attempted to re-enter patched systems after being ejected from them by exploiting additional powerful vulnerabilities, some of which weren’t previously known to cybersecurity analysts. That bold behavior confounded some U.S. officials because it appeared the hackers were essentially scrapping to stay inside systems long after their cover was blown, taunting investigators and continuing to collect data.

In one breakthrough, investigators have determined that the hackers were working on behalf of a Chinese intelligence agency, likely the Ministry of State Security, which is responsible for foreign intelligence collection. They have identified a specific Chinese contractor they believe carried out the attack, the people familiar with the inquiry said. The MSS often relies on contractors to carry out hacking missions.

A spokesman for the Chinese Embassy in Washington has previously denied the country’s involvement in the hack and accused U.S. spy agencies and cybersecurity firms of “secretly collaborating to piece together false evidence.”

What they took

The hackers were able to capture at least some voice audio from some compromised victims, including people affiliated with both the Trump and Harris campaigns, investigators have learned. It is unclear whether they recorded actual calls, voice memos or something else.

After Trump’s running mate, JD Vance, was notified that he had been a target of the Salt Typhoon hacking group, he joked about it on a popular podcast. “It’s a pretty badass name, right? If they have anything on me, I can’t be too pissed off at them,” Vance told podcaster Joe Rogan.

In addition to surveillance on specific Americans, the targeting of court-authorized wiretap systems has prompted fears that Beijing was able to observe ongoing U.S. inquiries into Chinese spies and others.

The group behind the Salt Typhoon attacks has previously compromised some telecommunications infrastructure in Southeast Asia, according to cybersecurity researchers.

The Slovakia-based cybersecurity firm ESET has long referred to the Salt Typhoon hacking group as FamousSparrow and says it has previously broken into government agencies and hotel networks worldwide, including in France, the U.K., Israel, Saudi Arabia, Taiwan and Brazil, among other countries. They were one of more than 10 advanced hacking teams caught exploiting a series of flaws in Microsoft’s Exchange email software in 2021, according to ESET.

The 2021 Exchange hack left an estimated tens of thousands of business and government networks vulnerable to intrusion. The Biden administration blamed China’s Ministry of State Security for those hacks, a callout that was joined by the U.S. and the European Union.

Robert McMillan contributed to this article.

Write to Dustin Volz at dustin.volz@wsj.com, Aruna Viswanatha at aruna.viswanatha@wsj.com, Drew FitzGerald at andrew.fitzgerald@wsj.com and Sarah Krouse at sarah.krouse@wsj.com
