What Happened?
In 2024, a China-linked state-sponsored group, dubbed “Salt Typhoon,” infiltrated major U.S. telecommunications companies, including Verizon, AT&T, and Lumen Technologies. They managed to access the lawful intercept systems that law enforcement agencies depend on to monitor communications under court orders. Recently, it was reported that Salt Typhoon breached a ninth telecom company as part of a cyberespionage campaign.
Historically, law enforcement could intercept communications in the clear, which helps explain its long-standing resistance to widespread public encryption. During the 1990s and early 2000s, proposals to regulate or weaken encryption standards were justified by the need for easier access to intercepted data. Even then, investigators still needed court orders to access this data, a safeguard that this breach has potentially undermined: the attackers reportedly gained unprecedented access to sensitive communications data, potentially including the content of intercepted calls and the metadata tied to them. The recommendation now is to enable encryption everywhere it is offered, because this incident shows how critical it is to protect communications from adversaries who have compromised the carrier itself. The FBI's recent public statements reflect growing support for end-to-end encryption, acknowledging that it is one of the most effective tools for safeguarding private communications from interception, even as the Bureau balances it against investigative needs.
How did this happen? While details are still emerging, cybersecurity experts suspect a combination of methods was used. Phishing campaigns targeting telecom employees were likely used to gain initial access, exploiting human vulnerabilities to bypass the outer security layers. Legacy systems within telecom networks, often left unpatched, provided threat actors with easy entry points to critical infrastructure. Some reports have also speculated about Border Gateway Protocol (BGP) hijacking, in which an attacker announces routes for address space it does not legitimately hold so that traffic for those addresses is diverted through networks it controls, where it can be observed or manipulated before being forwarded on, as a way to exfiltrate data or gain further access. Notably, in late September, changes in Verizon's BGP routing temporarily forwarded traffic through Hong Kong, raising concerns about intentional or malicious traffic redirection and its implications for data security.
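Route-origin validation is the standard defence against the kind of BGP hijacking described above. As an added example (not code from the original post or from any of the carriers named), here is a minimal Python checker that classifies observed announcements against a table of authorised origins in the style of RPKI ROAs, using the valid/invalid/not-found outcomes of RFC 6811, plus a second check for paths that transit a watched AS, which origin validation alone cannot catch. The ROA table, the AS numbers (all from the private-use range) and the announcement feed are constructed sample data, not real routing data.

```python
"""Flag suspicious BGP announcements against a table of expected origins.

Added example, not from the original post. The ROAs, ASNs and the feed
below are constructed sample data (private-use ASNs, documentation prefixes).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network
    max_length: int      # longest prefix the origin may announce under this ROA
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    as_path: tuple       # leftmost = nearest neighbour, rightmost = origin AS

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


# Constructed ROA table: AS 64500 may announce 203.0.113.0/24 and nothing more
# specific; AS 64501 may announce 198.51.100.0/22 and sub-prefixes down to /24.
ROAS = [
    Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    Roa(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
]


def validate(ann: Announcement, roas=ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' (RFC 6811 semantics).

    not-found: no ROA covers the announced prefix at all
    invalid:   a covering ROA exists, but either the origin ASN is wrong or the
               announcement is more specific than maxLength allows
    valid:     at least one covering ROA matches both origin and length
    """
    covering = [r for r in roas
                if r.prefix.version == ann.prefix.version and ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def triage(announcements, roas=ROAS):
    """Return (prefix, origin) for every announcement that looks like a hijack."""
    return [(str(a.prefix), a.origin_asn) for a in announcements if validate(a, roas) == "invalid"]


def transits_through(ann: Announcement, watch_asns) -> bool:
    """True if any transit AS on the path (origin excluded) is on the watch list.

    A diversion that keeps the correct origin but inserts an unexpected transit
    AS passes origin validation, so a path-level check is a useful second filter.
    """
    return any(asn in watch_asns for asn in ann.as_path[:-1])


# Constructed announcement feed.
SAMPLE_FEED = [
    Announcement(ipaddress.ip_network("203.0.113.0/24"), (64496, 64500)),     # legitimate
    Announcement(ipaddress.ip_network("203.0.113.0/24"), (64496, 64666)),     # origin hijack
    Announcement(ipaddress.ip_network("203.0.113.128/25"), (64496, 64500)),   # more-specific beyond maxLength
    Announcement(ipaddress.ip_network("198.51.100.0/24"), (64497, 64501)),    # valid sub-prefix
    Announcement(ipaddress.ip_network("192.0.2.0/24"), (64497, 64502)),       # no ROA at all
]

if __name__ == "__main__":
    for a in SAMPLE_FEED:
        print(a.prefix, a.as_path, validate(a))
    print("suspect:", triage(SAMPLE_FEED))
```

The more-specific case matters in practice: a hijacker who announces a /25 out of someone else's /24 wins the longest-match race on every router even though the legitimate /24 is still present, which is why maxLength is part of the check and not just the origin ASN.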
Lessons from the Past
This isn’t the first time state-backed threat actors have targeted telecom systems. A quick look at history reveals an unsettling trend:
- BGP Hijacking by China Telecom (2010): For roughly 18 minutes in April 2010, China Telecom announced routes for tens of thousands of prefixes it did not hold, briefly rerouting internet traffic from around the globe through Chinese networks and potentially exposing sensitive communications.
- Cloud Hopper Campaign (2016-2017): State-sponsored attackers infiltrated managed service providers, using them as gateways to client networks.
- Operation Soft Cell (2019): Telecom companies worldwide became targets of espionage campaigns aimed at monitoring high-profile individuals.
The 2024 breach fits this pattern, proving once again that telecom infrastructure is a prime target for espionage and underscoring how vulnerable it remains.
The Dangers at Hand
The implications of this breach are far-reaching and deeply troubling. Here are just a few:
1. National Security Risks
- Ongoing investigations and counterterrorism efforts could be compromised.
- High-ranking officials’ and private citizens’ sensitive communications may have been exposed.
2. Erosion of Trust
- Public confidence in telecom providers and law enforcement’s ability to safeguard sensitive systems is likely to decline. CISA’s efforts to rebuild trust include providing enhanced visibility and hardening guidelines for communications infrastructure, emphasizing proactive measures to secure critical systems.
3. Espionage Advantages
- Adversaries could monitor investigative efforts and counteract investigations targeting their operations.
4. Cyberwarfare Escalation
- This attack raises the stakes in global cyber conflicts, driving nations to intensify offensive and defensive operations.
What Did the Threat Actors Gain?
The access reportedly achieved in this breach is staggering:
- Intercepted Communications: Direct access to monitored communications could expose highly sensitive information.
- Metadata Surveillance: Understanding who contacted whom, when, and for how long offers strategic insights.
- Administrative Control: With administrative privileges, threat actors could manipulate data, disable monitoring systems, or surveil law enforcement activities.
- Persistence: Installing backdoors may ensure continued access, even after initial vulnerabilities are patched. Whether threat actors still remain in the network following the breach is currently unknown. Telecom providers and cybersecurity authorities have not confirmed if all backdoors have been eradicated, leaving the possibility that Salt Typhoon or similar groups might still have hidden footholds within these systems.
What Can You Do to Protect Yourself?
While individuals are not the direct targets of such sophisticated breaches, these incidents highlight the need for better personal cybersecurity. In addition to the personal steps listed below, it’s critical to align with broader cybersecurity recommendations provided by CISA:
- Implement network hardening practices:
- Ensure secure configurations for all network components, including routers and firewalls, to minimize vulnerabilities.
- Regularly update and patch systems to protect against known exploits.
- Adopt end-to-end encryption:
- Use messaging platforms that enable end-to-end encryption to ensure your conversations remain private, even if intercepted.
- Avoid SMS for confidential communication:
- SMS has no end-to-end encryption, so the carrier, and anyone who has compromised the carrier, can read it. Use an end-to-end encrypted messenger instead: Signal on any platform (note that Signal no longer sends or receives SMS), or iMessage between Apple devices. For Android users, RCS in Google Messages is end-to-end encrypted only between Google Messages users; messages to other clients, including iPhones, currently fall back to unencrypted RCS or SMS.
- Use Multi-Factor Authentication (MFA):
- Protect accounts with MFA so that a compromised password alone is not enough to log in. This cannot be stressed enough. Prefer an authenticator app, a hardware security key or a passkey over codes delivered by SMS: a one-time code sent by text crosses the same carrier network this breach compromised, and can be read by whoever controls that network.
- Employ VPNs for online privacy:
- A VPN encrypts your traffic between your device and the VPN provider, which keeps it out of reach of your carrier or local network, but it does not guarantee anonymity or complete privacy by itself; the VPN provider can see what your carrier no longer can. In line with CISA's recommendations, pair a VPN with secure network configurations and proper endpoint security rather than treating it as a complete solution.
- Enhance endpoint security:
- Use antivirus and endpoint detection tools from a known, reputable vendor rather than unvetted free products to identify and mitigate potential threats, as recommended by CISA.
- Implement regular audits:
- Conduct frequent audits of your devices and networks to identify and address vulnerabilities promptly. After all, you’d rather have a penetration tester find those security holes than a malicious actor.
Final Thoughts
The 2024 breach of U.S. wiretap systems serves as a sobering reminder of the vulnerabilities inherent in critical infrastructure. It’s a wake-up call for telecom providers to modernize their security protocols and for governments to implement stricter regulations. For individuals, it’s an opportunity to prioritize digital privacy and adopt tools that secure personal communications in an increasingly volatile cyber landscape.
This incident should serve as a catalyst for change—both at the organizational level and in personal cybersecurity habits. Organizations, in particular, should heed the recommendations from CISA and the FBI, such as implementing stricter cybersecurity measures, ensuring secure configurations, and conducting regular audits of their communication infrastructures to stay resilient against emerging threats. No one is immune to the ripple effects of cyber espionage, but awareness and action can mitigate the risks.
For the full guidance, mitigation strategies, and recommendations for securing communications infrastructure, refer to the Enhanced Visibility and Hardening Guidance provided by CISA.
Want to learn more about how CYE protects critical infrastructure? Book a demo.