Multiple US telecommunications companies were hacked into by a People’s Republic of China (PRC)-backed threat actor to carry out a full-blown cyber-espionage attack, according to a joint FBI and CISA statement issued on Wednesday.
During what the FBI is calling a “broad and significant cyber espionage campaign,” the threat actors used compromised networks within these companies to steal customer call records data.
The intrusions included theft of “private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to US law enforcement requests pursuant to court orders,” the statement added.
The statement is in line with a report by the Wall Street Journal (WSJ) in October, which said a China-backed threat actor, tracked by Microsoft as Salt Typhoon, had hacked into US internet service provider (ISP) networks to steal sensitive US data and establish persistence.
Queries sent to CISA for further details on the investigation had not received a response as of the publication of this article.
Affected telcos likely include AT&T, Verizon
While the FBI held back on further technical details of the investigation, adding that it expects “our understanding of these compromises to grow as the investigation continues,” WSJ had reported that three leading US broadband providers, AT&T, Lumen Technologies, and Verizon Communications, may have been affected.
The campaign targeted sensitive US surveillance systems that the companies in question use to comply with court-authorized wiretaps they must provide to the FBI and other agencies for criminal and national security investigations.
The hackers may have also targeted the phones of President-elect Donald Trump and running mate JD Vance.
Days before the official joint statement on Wednesday, several House committees, including the Energy and Commerce, Homeland Security, Intelligence, and Judiciary panels, reportedly received briefings on the campaign.
The initial reporting of the Salt Typhoon campaign had sent investigators looking for signs of compromise in Cisco Systems routers, as they are the core network components that route much of the traffic on the internet.
A Cisco spokesperson, however, had said that a preliminary investigation revealed no such intrusions. Other key TTPs used by China-backed actors include compromising ISPs through zero-day exploits, as in the case of China’s Volt Typhoon, which CISA warned was using Fortinet bugs in espionage campaigns before its takedown by law enforcement in January.