Headline
Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report
The Chinese state-sponsored cyberattack threat managed to infiltrate the “lawful intercept” network connections that police use in criminal investigations.
Source: Miro Novak via Alamy Stock Photo
The Chinese state-sponsored advanced persistent threat (APT) known as Salt Typhoon appears to have accessed major US broadband provider networks by hacking into the systems that law-enforcement agencies use for court-authorized wiretapping.
According to unnamed sources speaking to the Wall Street Journal, the affected providers include major national players like AT&T and Verizon Communications, along with enterprise-specific service providers like Lumen Technologies.
In addition to the wiretapping connections, the sources said Salt Typhoon also had access to more general Internet traffic flowing through the provider networks, and that the cyberattackers went after a handful of targets outside the US as well. The APT could have had access for months, they added.
“The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon,” sources told the WSJ. “It appeared to be geared toward intelligence collection.”
Neither AT&T, Lumen, or Verizon immediately responded to a request for comment from Dark Reading.
Lawful Intercept Connections in China’s Hacking Sights
The news comes about a week after Salt Typhoon was outed as hacking into major telecom networks for cyber-espionage purposes, and possibly to position itself to disrupt communications in the event of a kinetic conflict between China and the US. But the subversion of the connections that law enforcement entities have to service provider networks (which they can use to intercept communications of private individuals or organizations during criminal investigations or for purposes of national security) is a new wrinkle.
No information is available on how the attackers might have gotten access to the lawful intercept infrastructure, but Ram Elboim, CEO of Sygnia, which tracks the APT as “GhostEmperor,” notes that clearly Salt Typhoon performed extensive reconnaissance.
“Reaching and compromising these sensitive assets requires not only familiarity with the network structure, but also advanced capabilities to be able to move laterally across separated sub-networks,” he tells Dark Reading. “One assumes that these assets are far separated from the ISP corporate and operational network, and also connected to law enforcements’ networks in order for authorities to be able to operate and stream the gathered data in a very secure method.”
This breach demonstrates the need for critical infrastructure organizations to not only design their network structure securely with strict segregation strategies, but to “continuously update and test the resilience of their operational networks and sensitive assets as part of a robust incident response playbook,” he adds.
About the Author
Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.