China-linked threat actors are still inside U.S. telecom networks, and evicting them will require replacing “thousands and thousands and thousands” of network devices, according to the chairman of the Senate Intelligence Committee.
The breach of U.S. telecom networks by the Salt Typhoon threat group went on for more than a year in some cases, Sen. Mark R. Warner (D-Virginia) told the Washington Post, and while only 150 victims have been notified so far, the total could eventually number in the “millions.”
Warner, a former telecom venture capitalist, called the breaches the “worst telecom hack in our nation’s history – by far.”
U.S. Telecom Breach Will Require Replacing ‘Thousands’ of Routers and Switches
The telecom network hacks that led to the infiltration of the U.S. court wiretap system and targeted the phone data of top U.S. officials – including President-elect Donald Trump, running mate JD Vance, top congressional and government officials, and the campaign of Vice President Kamala Harris – remain ongoing and will require a massive cleanup effort, according to Warner.
Warner told the Post that the networks are still compromised, and that fixing them could involve physically replacing “literally thousands and thousands and thousands” of routers and switches.
“Unlike some of the European countries where you might have a single telco, our networks are a hodgepodge of old networks,” Warner said. “The big networks are combinations of a whole series of acquisitions, and you have equipment out there that’s so old it’s unpatchable.”
AT&T, Verizon and Lumen Technologies appear to have been hit harder in the attacks than T-Mobile, which has claimed “no evidence of impacts to customer information.”
Top national security officials met with telecom industry executives late last week “to hear from telecommunications sector executives on how the U.S. Government can partner with and support the private sector on hardening against sophisticated nation state attacks,” suggesting a possible cooperative effort to clean up the mess.
And it’s not just China attacking U.S. telecom networks. Cyble dark web researchers have identified more than 50 credible claims of telecom breaches by threat actors this year.
Preparation for Cyber Warfare?
CISA said earlier this year that China-linked threat actors – particularly Volt Typhoon at the time – were targeting communications, energy, transportation systems, and water and wastewater systems in the U.S. and its territories in what may be preparations for cyber warfare:
“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.”
Those comments closely followed an unusual FBI and Department of Justice operation to fix vulnerable routers that were being used by People’s Republic of China (PRC) threat actors to target U.S. critical infrastructure, and FBI Director Christopher Wray has also echoed CISA’s concerns.
U.S. Cyber Command Executive Director Morgan Adamski told the CYBERWARCON conference last week that the Cyber National Mission Force has been deployed 85 times in the last year to combat cyber threats from the PRC and other adversaries, a significant increase from its 22 missions the year before.
