On August 27, 2024, ''The Washington Post'' reported that at least two major internet service providers in the United States had been compromised by Chinese hackers. It was later reported that the hackers had affected at least nine telecommunications firms in the U.S., including AT&T, Verizon, Lumen Technologies, and T-Mobile, and had also affected dozens of other countries. The hackers were able to access metadata of users' calls and text messages, including date and time stamps, source and destination IP addresses, and phone numbers, from over a million users, including staff of the Kamala Harris 2024 presidential campaign, as well as phones belonging to Donald Trump and JD Vance. The hackers were also able to access systems used to conduct court-authorized wiretapping. The attack was later attributed to the Salt Typhoon advanced persistent threat (APT) actor linked to China's Ministry of State Security (MSS).


Initial access

The attackers exploited a zero-day vulnerability in Versa Director (Versa Networks) and known vulnerabilities in unpatched Fortinet and Cisco network devices and routers, targeting core network components. They also gained access to a high-level network management account that was not protected by multi-factor authentication (MFA). Hijacking routers inside AT&T's network then gave them access to over 100,000 routers from which further attacks could be launched. It is believed that the hackers had access to the networks for over a year before the intrusions were detected by threat researchers at Microsoft.


Impact

On December 27, 2024, deputy national security advisor Anne Neuberger stated in a White House press conference that the total number of affected telecom companies stood at nine after a "hunting guide" detailing how to identify this type of intrusion was distributed to "key telecom companies". Companies confirmed to have been breached in this attack are:

* Verizon
* T-Mobile
* AT&T
* Lumen Technologies (formerly CenturyLink)
* Charter Communications
* Consolidated Communications
* Windstream Communications


Call records

A high priority for the attackers was the records of phone calls made by people who work in the Washington, D.C. metro area. These records corresponded to over a million users and included date and time stamps, source and destination IP addresses, phone numbers, and unique phone identifiers. According to Anne Neuberger, a "large number" of the individuals whose data was directly accessed were "government targets of interest."


Wiretapping systems

The hackers compromised telecom systems used to fulfill requests under the Communications Assistance for Law Enforcement Act (CALEA), which U.S. law enforcement and intelligence agencies use to conduct court-authorized wiretapping. The hackers obtained an almost complete list of phone numbers being wiretapped. Officials said this information would help China learn which Chinese spies the United States had identified.


Presidential election

In October, Donald Trump's campaign was notified that phones used by Trump and JD Vance may have been affected by the hack, as were the staff of the Kamala Harris 2024 presidential campaign.


Response

According to ''Foreign Policy'', the attack has "hardened anti-China consensus" in the U.S. government. Senator Mark Warner, chairman of the U.S. Senate Select Committee on Intelligence, called the intrusion the "worst telecom hack in our nation's history", describing it as making prior cyberattacks by Russian actors look like "child's play" by comparison. Matthew Pines, director of intelligence at SentinelOne, stated that "the Salt Typhoon hacks will be seen as the worst counterintelligence breach in U.S. history" which "gives MSS bread crumbs to trace back to and cauterize strategically critical U.S. sources and methods." He suggested the data breach is worse than the 2015 hack of the U.S. Office of Personnel Management carried out by the MSS's Jiangsu State Security Department.

In retaliation for the attack, the U.S. Department of Commerce announced it would ban the remaining U.S. operations of China Telecom. The Department of Defense placed Chinese media conglomerate Tencent, shipping giant COSCO, battery manufacturer CATL, semiconductor manufacturer ChangXin Memory Technologies, and drone maker Autel Robotics on a blacklist of "Chinese military companies". The designation can disqualify U.S. businesses that transact with listed companies from future U.S. government contracts. The Chinese Embassy in Washington, D.C. claimed the allegations were U.S. efforts to "smear and slander" China.

On October 9, the Electronic Frontier Foundation issued a press release stating that any lawful wiretapping system can be compromised by attackers and that "there is no backdoor that only lets in good guys and keeps out bad guys". On December 4, 2024, CISA, the FBI, and cybersecurity agencies from New Zealand, Canada, and Australia jointly released a guide for hardening network infrastructure titled Enhanced Visibility and Hardening Guidance for Communications Infrastructure. The agencies urged network engineers, particularly those at telecom companies, to implement the security best practices described therein. On December 10, Senator Ron Wyden released a draft of the Secure American Communications Act, a bill which would order the FCC to require telecoms to adhere to a list of security requirements and to perform annual tests for vulnerabilities. Wyden said that "it was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules".

On January 17, 2025, the U.S. Treasury Department's Office of Foreign Assets Control sanctioned Yin Kecheng of Shanghai and Sichuan Juxinhe Network Technology Co. Ltd. as having "direct involvement" in Salt Typhoon. On January 20, shortly after Trump retook office, acting Secretary of Homeland Security Benjamine Huffman signed a memo abolishing all DHS advisory boards, including the Cyber Safety Review Board, which was investigating the hack and preparing a report on how to prevent future attacks.


See also

* Cyberwarfare and China

