5 Things To Know On The ‘Salt Typhoon’ ISP Hack

A Wall Street Journal report pointed to Verizon and AT&T among the impacted internet service providers in the China-linked attacks.

Verizon and AT&T were reportedly among the affected internet service providers in a China-linked hacking campaign by a group tracked as Salt Typhoon.

The report Saturday from the Wall Street Journal followed the outlet’s prior reporting on Salt Typhoon attacks against ISPs in September.

What follows are five things to know on the reported “Salt Typhoon” ISP hack.

Surveillance Systems Targeted

The WSJ report indicated that the hackers may have been targeting federally used wiretapping systems, presumably with the aim of accessing data that federal agencies had intercepted through court-approved surveillance.

Internet traffic that is “more generic” may have also been accessed in the campaign, according to the WSJ.

The network access obtained by the attackers may have been maintained “for months or longer,” the report said.

The FBI declined to comment in an email Monday.

ISPs Impacted

In addition to AT&T and Verizon, the attack targeted Lumen Technologies, according to the WSJ report.

AT&T declined to comment Monday. CRN has reached out to Verizon and Lumen for comment.

The cyberattack campaign from Salt Typhoon has targeted internet service providers in the U.S. “in recent months,” with the threat actors seeking to obtain sensitive data, according to the WSJ’s report in September.

The attacks managed to breach a “handful” of U.S. ISPs, the previous report said.

China-Linked Group

The September report from the WSJ identified the threat group — connected to the Chinese government — as “Salt Typhoon.”

The group has been carrying out attacks since 2020, primarily focused on data theft and espionage, according to Microsoft research cited in the WSJ report.

The group’s targets are mainly based in North America and Southeast Asia, Microsoft has found, according to the report.

Other security researchers have referred to the group under the names FamousSparrow and GhostEmperor, the report said.

Microsoft Taking Part In Investigation

The name “Salt Typhoon” follows Microsoft’s naming convention for threat actors associated with China, and the WSJ report Saturday said it’s now confirmed that Microsoft has been part of the investigation into the Salt Typhoon hack of multiple ISPs.

Among other things, Microsoft has been involved in determining what sensitive data may have been obtained by the attackers, according to the report.

CRN has reached out to Microsoft for comment.

Cisco Routers Investigated

A portion of the investigation has been devoted to determining whether routers from Cisco Systems may have been accessed as part of the Salt Typhoon campaign targeting ISPs, according to the WSJ report.

The report did not specify what the basis was for Cisco routers being a part of the investigation or which models have been examined.

CRN has reached out to Cisco for comment.