The White House has confirmed that a ninth US telecommunications company has fallen victim to the "Salt Typhoon" cyber-espionage campaign, marking an expansion of a sophisticated Chinese state-sponsored hacking operation that has already compromised multiple major telecom providers.
Deputy National Security Adviser Anne Neuberger revealed that one of the breached telecoms had an administrator account controlling over 100,000 routers, giving the attackers broad network access. While the total number of affected individuals remains unclear, officials confirmed that fewer than 100 people had their actual phone calls and text messages intercepted, with most targets concentrated in the Washington, DC, and Virginia areas.
The Salt Typhoon group, also tracked as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286, has been actively targeting government entities and telecom companies throughout Southeast Asia since 2019.
The campaign, which reportedly began in 2022, has exploited vulnerabilities in network infrastructure devices like routers, switches, and firewalls operated by major providers including AT&T, Verizon, and Lumen Technologies.
In response to the breaches, the US government is implementing several countermeasures.
The Federal Communications Commission (FCC) is scheduled to vote in mid-January on new rules to protect critical infrastructure, while the Commerce Department is moving forward with a ban on China Telecom's remaining US operations. Additionally, the government is considering restrictions on TP-Link routers pending security investigations.
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and NSA, has released guidance to help telecom administrators harden their systems against future attacks.
CISA has also urged senior government officials to switch to end-to-end encrypted messaging apps like Signal to minimize communication interception risks.
While officials maintain that classified communications remain secure, a senior CISA official acknowledged uncertainty about whether the threat actors have been completely removed from the compromised networks, highlighting the ongoing challenges in securing critical telecommunications infrastructure against state-sponsored cyber threats.