Top senator calls Salt Typhoon ‘the worst telecom hack in our nation’s history’

The Chinese government espionage campaign that has deeply penetrated more than a dozen U.S. telecommunications companies is the “worst telecom hack in our nation’s history - by far,” a senior U.S. senator told The Washington Post in an interview this week.

The hackers, part of a group dubbed Salt Typhoon, have been able to listen in on audio calls in real time and have in some cases moved from one telecom network to another, exploiting relationships of “trust,” said Sen. Mark R. Warner (D-Virginia), chairman of the Senate Intelligence Committee and a former telecom venture capitalist. Warner added that intruders are still in the networks.

Though fewer than 150 victims have been identified and notified by the FBI - most of them in the Washington, D.C., region, the records of people those individuals have called or sent text messages to run into the “millions,” he said, “and that number could go up dramatically.”

Those records could provide further information to help the Chinese identify other people whose devices they want to target, he said. “My hair’s on fire,” Warner said.

Those details, some previously undisclosed, add to the alarming understanding of the scope of the hack since late September, when the U.S. government, after being alerted by industry, began to grasp its seriousness. “The American people need to know” how serious the intrusion is, Warner said.

The hackers targeted the phones of President-elect Donald Trump, his running mate JD Vance, as well as people working for the campaign of Vice President Kamala Harris and State Department officials.

The effort was not directly election-related, Warner noted, as the hackers got into the telecom systems months earlier - in some cases more than a year ago.

The networks are still compromised and booting the hackers out could involve physically replacing “literally thousands and thousands and thousands of pieces of equipment across the country,” specifically outdated routers and switches, Warner said.

“This is an ongoing effort by China to infiltrate telecom systems around the world, to exfiltrate huge amounts of data,” he said.

The Salt Typhoon telecom breach makes Colonial Pipeline and SolarWinds - major cyberattacks linked, respectively, to Russian-speaking criminals and to the Russian government - “look like child’s play,” Warner said.

The Salt Typhoon hack is seen by government officials as an espionage operation rather than pre-positioning for a critical infrastructure sabotage.

Hackers have acquired access to the system that logs U.S. law enforcement requests for criminal wiretaps, allowing the Chinese to know who is of interest to authorities. There is no evidence so far that hackers have compromised the collection system itself through which law enforcement listens in on wiretapped calls, said U.S. officials, speaking on the condition of anonymity because of the matter’s sensitivity.

The calls on which Chinese hackers were able to listen in were not part of the “lawful intercept,” or wiretap, system, officials said. But hackers also had access unencrypted communications, including text messages. End-to-end encrypted communications such as those on the Signal platform are believed to be protected, officials said.

The Post previously reported that the hackers were able to reconfigure Cisco routers to exfiltrate data from Verizon networks.

The FBI is investigating the intrusion, along with other federal agencies.

“Specifically, we have identified that [Chinese government]-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders,” the FBI said in a statement issued with the Cybersecurity and Infrastructure Security Agency earlier this month.

So far, the hack is known to have affected major U.S. firms such as AT&T, Verizon and T-Mobile, U.S. and industry officials said.

“This is massive, and we have a particularly vulnerable system,” Warner said. “Unlike some of the European countries where you might have a single telco, our networks are a hodgepodge of old networks. ... The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable.”

The severity of the intrusions highlights the need for stronger measures for a sector that is largely unregulated, said Warner, echoing other lawmakers and Biden administration officials.

“We’re the telecom envy of the world,” Warner said. “I don’t want to slow that innovation. I don’t want to come in with some new, heavy-handed regulation. This ought to just be about safety and security.”

Senior Biden administration officials said in an interview that aggressive Chinese hacking activity has not let up despite efforts across multiple administrations to counter it. Sanctions, public accusations, network takedowns, indictments - nothing has made a real dent in the Chinese agencies’ calculus.

“We’ve had for the last decade voluntary public-private partnership efforts,” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies. “But we continue to see successful breaches, and in many cases, as with ransomware attacks, we continue to see pretty basic cybersecurity practices not being followed.”

Now that China’s hackers have become even more brazen, pre-positioning themselves in U.S. and other countries’ critical infrastructure, “we need to lock our digital doors,” Neuberger said.

Biden administration officials say that cyber regulation can make critical infrastructure systems a harder target, pointing to emergency cyber directives in the wake of the Colonial hack that required pipeline companies to improve their security.

The initial directives were panned by industry as being too prescriptive and ineffective. Kimberly Denbow, an executive at the American Gas Association, on Tuesday described the regulations in congressional testimony as “filled with unattainable cybersecurity measures and compliance timelines that, rather than improving sector cybersecurity, actually increased pipeline system vulnerability and threatened system reliability.”

After consultation with the companies, the Transportation Security Administration issued several revisions, following up with similar requirements for railroads and airports, TSA Administrator David Pekoske said. These rules included creating a cybersecurity response plan to ensure that if a system is disrupted in a cyberattack, the owners can get it back up and running as quickly as possible.

The TSA also specified outcomes that the entities needed to achieve, letting the companies figure out how for themselves, Pekoske said. Those included, for instance, separating operational and administrative networks, ensuring that only authorized personnel had access to critical systems and continuous monitoring of those systems.

The revised requirements are an improvement, Denbow said in an interview. It “made a world of difference” that they’re “performance based,” she said. But the pipeline industry still has concerns that the TSA is dictating how a company should run aspects of its business, such as corporate governance and training, she said.

As of October 2023, only 53 percent of the several dozen critical pipeline companies in the country were in compliance with the requirements, Pekoske said. Today, he said, that figure is 100 percent.

Likewise, as of October 2023, only 21 percent of critical rail companies were compliant with directives, which had been issued a year earlier. Today 68 percent are, he said.

For critical aviation sector entities, which were subject to regulation as of March 2023, 57 percent are now in compliance.

While Trump has generally been hostile toward big government and most forms of regulation, his administration is likely to be staffed with China hawks who feel strongly about the need to curb Chinese spying, hacking and supply chain threats.

Brendan Carr, Trump’s nominee for Federal Communications Commission chairman, told reporters Thursday that he had been receiving briefings on Salt Typhoon and hoped to go deeper on the issue. “Cybersecurity is going to be an incredibly important issue,” he said. “National security is going to be a top priority.”

- - -

Eva Dou and Aaron Schaffer in Washington contributed to this report.