Chinese Hackers Target U.S. ISPs: A New Front in Cyber Espionage

Chinese Hackers Target U.S. ISPs: A New Front in Cyber Espionage
Photo by Dominic Kurniawan Suryaputra / Unsplash

In an alarming development for national security, Chinese state-backed hackers have infiltrated several major U.S. telecommunications providers, including Verizon, AT&T, and Lumen Technologies. The attack, attributed to the advanced persistent threat (APT) group Salt Typhoon, has raised significant concerns as the hackers reportedly accessed systems integral to U.S. government wiretapping operations.

Volt Typhoon Hacking Group
Volt Typhoon is a relatively lesser-known entity in the vast and murky world of cyber threats, yet its activities have caught the attention of cybersecurity experts and organizations due to their sophisticated and targeted nature. This hacking group has been attributed to a series of cyber espionage campaigns primarily targeting

This breach is just the latest in a series of sophisticated cyberespionage campaigns linked to Chinese state actors, who have increasingly focused on compromising critical infrastructure. The intrusion into U.S. ISPs has the potential to disrupt law enforcement efforts, spy on sensitive communications, and undermine national security.

The Salt Typhoon Breach: What We Know So Far

The Salt Typhoon attack was first revealed in early October 2024, with reports indicating that the hackers gained access to systems used for court-authorized wiretapping. These systems allow U.S. government agencies, including the Department of Justice and law enforcement, to monitor communications for criminal and national security investigations. The hackers are believed to have remained inside these networks for months, potentially siphoning off sensitive information about U.S. surveillance activities.

Although no official confirmation has been given regarding what exact data was accessed, experts believe that the breach could extend beyond just wiretap systems. There is a possibility that other internet traffic and communications data flowing through the compromised ISPs may have been intercepted. This would grant the attackers a treasure trove of information, including confidential communications between U.S. government agencies, private enterprises, and potentially even foreign governments​(

AppleInsider)​(Taipei Times).

Implications for National Security

The implications of this breach are severe. Access to wiretap systems could allow the hackers to monitor ongoing investigations, including those related to organized crime, terrorism, and other sensitive operations. The potential to disrupt or manipulate wiretapping activities could obstruct justice and hamper U.S. law enforcement efforts.

Furthermore, the breach poses a critical threat to the privacy of U.S. citizens. Wiretap systems are designed to handle extremely sensitive data, including private communications that are legally intercepted under court orders. If the Chinese hackers have access to this data, it could be used for intelligence gathering or even blackmail.

This intrusion also follows a disturbing trend of Chinese cyberattacks on U.S. critical infrastructure. Earlier in 2024, U.S. authorities disrupted Flax Typhoon, another Chinese APT group that had infiltrated a network of over 200,000 consumer devices. In 2021, Volt Typhoon, another Chinese-linked group, was caught targeting U.S. infrastructure, including military assets in Guam​(

AppleInsider)​(Taipei Times).

Technical Aspects of the Attack

Salt Typhoon, tracked by other cybersecurity firms as GhostEmperor and FamousSparrow, is part of a larger Chinese cyberespionage campaign. The group has been highly active since at least 2019, and its tactics have evolved significantly over time. In this particular attack, Salt Typhoon leveraged sophisticated malware and network infiltration techniques to maintain long-term access to the targeted ISP networks.

Once inside, the hackers reportedly focused on accessing systems tied to law enforcement wiretaps, but may have also compromised broader internet traffic monitoring systems. This aligns with previous tactics used by Chinese APT groups, which often seek to gather intelligence by infiltrating the communication networks of governments, military organizations, and large enterprises​(

Taipei Times)​(SecurityWeek).

The exact methods Salt Typhoon used to breach these networks remain unclear. However, security experts believe that the group likely exploited vulnerabilities in the ISPs’ infrastructure, such as unpatched software or weak authentication mechanisms, to gain a foothold. Once inside, they moved laterally through the network, targeting systems that handle sensitive surveillance data​(

Taipei Times).

Response and Mitigation Efforts

In response to the breach, U.S. government agencies and private cybersecurity firms have launched an investigation to determine the full extent of the damage. Microsoft, along with other cybersecurity experts, is reportedly assisting with the investigation. While the investigation is ongoing, the breach has already triggered calls for stronger cybersecurity measures across U.S. telecommunications networks​(

SecurityWeek).

The breach also highlights the need for more robust defenses against APT groups like Salt Typhoon. Experts have called for the implementation of advanced security technologies, such as micro-segmentation and private 5G networks, which could help isolate sensitive systems from broader internet traffic. Additionally, network operators are being urged to adopt zero-trust security models that assume any user or system could be compromised​(

Taipei Times)​(SecurityWeek).

The Role of China in Global Cyber Espionage

This attack on U.S. ISPs is part of a broader pattern of cyber espionage linked to the Chinese government. For years, China has been accused of engaging in widespread cyberattacks aimed at gathering intelligence, stealing intellectual property, and undermining the security of foreign nations.

China’s focus on telecommunications networks is particularly concerning. By compromising ISPs, Chinese hackers can gain access to a vast amount of data flowing through critical infrastructure. This not only gives them insight into U.S. government activities but also allows them to monitor private communications on a massive scale.

The Chinese government has consistently denied any involvement in cyber espionage, but the evidence suggests otherwise. In the past, groups like Volt Typhoon and Flax Typhoon have been linked to Chinese intelligence operations. These groups have targeted everything from military installations to critical infrastructure, and the U.S. is not the only country affected. Chinese hackers have also been active in Europe, the Middle East, and Southeast Asia, where they have targeted government agencies, telecommunications providers, and other high-value targets​(SecurityWeek).

Other Cyber Typhoons

several "Typhoon" groups have been discussed in the cybersecurity domain, most notably by Microsoft and other security firms. Here’s an overview of some of these groups, particularly focusing on Volt Typhoon, Flax Typhoon, and Salt Typhoon:

1. Volt Typhoon

  • Overview: Volt Typhoon is a state-sponsored Chinese APT (advanced persistent threat) group that has been active since at least mid-2021. Microsoft has closely tracked this group and revealed that its primary targets are U.S. critical infrastructure, particularly focusing on military assets and communications infrastructure in Guam, a crucial U.S. territory in the Pacific.
  • Modus Operandi: The group uses stealthy, living-off-the-land (LOTL) techniques, meaning they rely on built-in network management tools rather than deploying traditional malware. This makes it challenging to detect their presence. They exploit vulnerabilities in internet-connected devices and infrastructure to conduct long-term espionage.
  • Motivation: Volt Typhoon is believed to be gathering intelligence for China’s strategic objectives, particularly focusing on military readiness and operations in the Asia-Pacific region.
  • Notable Incidents: In 2021, Volt Typhoon compromised thousands of devices and network systems, including routers and firewalls, using them as entry points into critical networks. This group has also been linked to potential espionage preparations in the event of a conflict between China and the U.S.​(AppleInsider)​(Taipei Times).

2. Flax Typhoon

  • Overview: Flax Typhoon is another Chinese-linked cyberespionage group, but its focus appears to be more on civilian targets rather than purely military or infrastructure. Discovered earlier in 2024, Flax Typhoon is involved in espionage activities that target a variety of sectors, including consumer devices and broad telecommunications networks.
  • Modus Operandi: Like Volt Typhoon, Flax Typhoon relies on sophisticated techniques to infiltrate networks and maintain persistent access. This group typically targets internet-connected consumer devices, such as routers, cameras, and other smart devices, using them to create large botnets that serve as entry points into critical networks.
  • Notable Incidents: Earlier in 2024, U.S. authorities disrupted a network of over 200,000 internet-connected devices that Flax Typhoon had used as part of its espionage activities. The incident was a significant warning of the vulnerability of the Internet of Things (IoT) devices to state-sponsored hacking​(AppleInsider).

3. Salt Typhoon

  • Overview: Salt Typhoon is the most recent APT group linked to Chinese state-backed hacking. The group was exposed in October 2024 after reports surfaced that it had breached several U.S. ISPs, including Verizon and AT&T. This group focuses on targeting sensitive infrastructure, particularly U.S. telecoms and wiretap systems used by the federal government.
  • Modus Operandi: Salt Typhoon uses a combination of malware and LOTL techniques to infiltrate telecom networks and persist undetected for months. The group is believed to have accessed systems used for wiretapping operations, raising serious concerns about national security and privacy​(Taipei Times)​(SecurityWeek).
  • Overview: While not directly named as Typhoon groups by Microsoft, these two groups have been linked to Salt Typhoon by other cybersecurity firms. FamousSparrow and GhostEmperor are part of China’s broader cyberespionage ecosystem. FamousSparrow, identified by ESET, has been active since 2019, mainly targeting governments and high-profile industries worldwide. GhostEmperor, described by Kaspersky, is a stealthy actor that also targets telecoms and government entities.
  • Modus Operandi: These groups use advanced rootkits and stealth malware to infiltrate networks, evade detection, and maintain persistent access over long periods.

5.Bronze President (APT31)

  • Overview: This is a well-known Chinese state-sponsored hacking group also tracked as APT31. Bronze President has been active for several years and is focused on cyber espionage campaigns targeting government organizations, international entities, and the defense sector. It primarily aims to steal intellectual property and sensitive government information.
  • Modus Operandi: The group utilizes a variety of malware, including phishing campaigns, and exploits vulnerabilities to infiltrate systems. It is also known for mimicking legitimate tools, which helps it evade detection.
  • Notable Incidents: APT31 has been linked to hacks in several Western nations, including breaches of European governments and defense contractors.

6.Hafnium

  • Overview: Hafnium is a Chinese APT that gained notoriety in early 2021 for exploiting vulnerabilities in Microsoft Exchange Servers. This campaign was one of the most significant cyber espionage attacks in recent years, compromising over 30,000 organizations globally.
  • Modus Operandi: Hafnium typically exploits zero-day vulnerabilities in web-facing applications and then deploys a range of malware to exfiltrate sensitive data. The attack on Microsoft Exchange involved the use of web shells to establish long-term persistence in victim networks.
  • Notable Incidents: The Microsoft Exchange Server hack, which involved exploiting zero-day vulnerabilities in unpatched systems, allowed Hafnium to access email communications across multiple industries, including governmental organizations, defense contractors, and healthcare institutions​(AppleInsider).

7.APT40 (TEMP.Periscope)

  • Overview: APT40, also known as TEMP.Periscope, is a Chinese hacking group linked to the Chinese Ministry of State Security (MSS). It primarily targets maritime industries and organizations involved in the South China Sea disputes. APT40 is known for its strategic focus on gathering intelligence to support China’s military and geopolitical interests.
  • Modus Operandi: The group employs spear-phishing techniques and exploits vulnerabilities in publicly accessible systems to infiltrate networks. It often targets universities, research institutions, and companies involved in advanced technology development.
  • Notable Incidents: APT40 has been linked to breaches of multiple defense contractors, think tanks, and academic institutions across Europe, Asia, and the U.S.​(SecurityWeek).

8.RedEcho

  • Overview: RedEcho is a Chinese state-sponsored group that has focused on targeting India’s critical infrastructure, including its power sector. This group gained significant attention in 2021 when it was discovered that it had breached India’s power grids during the country’s heightened tensions with China.
  • Modus Operandi: RedEcho uses malware to conduct long-term espionage and surveillance activities on critical infrastructure systems. Its attacks are typically designed to go undetected for extended periods, which raises concerns about potential sabotage capabilities.
  • Notable Incidents: The group’s infiltration of India’s power grid during border conflicts between the two nations demonstrated its ability to influence geopolitical events through cyberattacks​(Taipei Times).

9.Stone Panda (APT10)

  • Overview: APT10, also known as Stone Panda or Cicada, is a well-documented Chinese cyber espionage group that has been operating for over a decade. It primarily targets managed service providers (MSPs), healthcare, and the aviation sectors. APT10 has been involved in several high-profile campaigns, stealing massive amounts of intellectual property from Western companies.
  • Modus Operandi: APT10 uses phishing attacks and exploits vulnerabilities in third-party services (like MSPs) to gain access to sensitive corporate and government data. Once inside, it uses customized malware to exfiltrate large amounts of data.
  • Notable Incidents: One of the largest global cyber espionage campaigns linked to APT10 was Operation Cloud Hopper, where the group infiltrated numerous MSPs to steal data from a wide array of industries, including healthcare, aviation, and technology​(SecurityWeek).

10.APT41 (Winnti)

  • Overview: APT41, also known as the Winnti Group, is a versatile Chinese hacking group that engages in both espionage and financially motivated cybercrime. It is one of the most active Chinese APTs and has a broad target range, including healthcare, technology, telecommunications, and even gaming companies.
  • Modus Operandi: APT41 uses a mix of sophisticated cyber espionage techniques and traditional hacking methods, such as ransomware and supply chain attacks. The group is known for its adaptability and ability to switch between espionage and cybercrime depending on its objectives.
  • Notable Incidents: APT41 has been involved in major global cyberattacks, including breaching the networks of several healthcare organizations during the COVID-19 pandemic. It was also involved in several high-profile ransomware campaigns, indicating its dual motivation of espionage and financial gain​(Taipei Times).

11.Mustang Panda (APT27)

  • Overview: APT27, often referred to as Mustang Panda, is another Chinese state-sponsored hacking group known for targeting diplomatic organizations, NGOs, and governmental entities worldwide. The group is focused on long-term espionage activities and has been linked to Chinese intelligence services.
  • Modus Operandi: Mustang Panda relies heavily on phishing attacks and the use of custom malware. Its campaigns are often tailored to the specific political or strategic goals of the Chinese state.
  • Notable Incidents: APT27 has been active in campaigns targeting Western diplomatic missions and entities involved in human rights issues. The group has been implicated in attempts to steal sensitive governmental data from several Southeast Asian countries​(SecurityWeek).

These groups showcase China’s strategic use of cyberattacks to gather intelligence, steal intellectual property, and potentially prepare for future conflicts. Many of these attacks focus on critical infrastructure and government systems, emphasizing the importance of defending against these sophisticated adversaries.

These Typhoon-named groups are part of a larger network of Chinese APTs that have been intensifying their cyber espionage campaigns, targeting critical infrastructure globally to gain intelligence and potentially disrupt key systems. Microsoft and other firms continue to track these groups closely, as they pose a significant threat to both national security and global cybersecurity​(SecurityWeek).

Conclusion: A Growing Cybersecurity Threat

The Salt Typhoon attack on U.S. ISPs marks a significant escalation in China’s cyber espionage activities. By infiltrating the networks of major telecom providers, Chinese hackers have potentially gained access to some of the most sensitive data in the U.S., including wiretapping systems used for law enforcement and national security investigations.

This breach underscores the urgent need for stronger cybersecurity measures, particularly in critical infrastructure sectors like telecommunications. As cyber espionage becomes an increasingly prevalent tool of statecraft, the U.S. and its allies must invest in cutting-edge defenses to protect their networks from sophisticated adversaries like Salt Typhoon.

The Salt Typhoon breach also serves as a reminder of the global nature of the cybersecurity threat landscape. As nation-states continue to use cyberattacks to advance their geopolitical interests, the need for international cooperation on cybersecurity has never been more critical. Whether through information sharing, joint investigations, or coordinated defensive measures, countries must work together to defend against the growing menace of state-sponsored cyberattacks​(

Taipei Times)​(SecurityWeek).

In the aftermath of this breach, it is clear that the stakes have never been higher. With national security, privacy, and the rule of law at risk, the need for vigilance and action has never been more urgent.

Read more