T-Mobile has reported a recent incident involving the Chinese hacking group known as “Salt Typhoon,” which targeted its systems as part of a broader wave of telecom breaches. The hackers initially accessed T-Mobile’s routers to examine potential methods for moving laterally through the network. Fortunately, T-Mobile’s engineers acted swiftly, thwarting the threat actors before they could propagate further into the network or compromise customer data.
This state-sponsored group, also identified as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286, has been active since at least 2019, primarily targeting government entities and telecom companies throughout Southeast Asia.
In a blog post shared on Wednesday, T-Mobile’s Chief Security Officer, Jeff Simon, explained that the attack stemmed from a connected wireline provider’s network but was effectively neutralized by T-Mobile’s robust cyber defenses, which include proactive monitoring and network segmentation.
The breach was uncovered after T-Mobile detected unusual behavior on its routers, including commands typically associated with the reconnaissance phase of cyberattacks, alongside indicators that matched previous attacks linked to Salt Typhoon. Simon clarified to Bloomberg that “many reports suggest these bad actors have gained access to customer information from some providers over time—phone calls, text messages, and other sensitive data, especially from government officials. However, this is not the case with T-Mobile.”
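The detection described above, spotting reconnaissance-style commands on routers and cross-checking sources against indicators from earlier intrusions, can be illustrated with a small log analyzer. The following Python is an added example, not T-Mobile's tooling or anything published by the company; the log format, usernames, addresses and watchlist entries are constructed placeholders, and the command list is an assumed set of enumeration commands, not indicators from the incident.

```python
"""Flag reconnaissance-style command bursts in router command-accounting logs.

Added illustrative example. Sample lines imitate a Cisco-style TACACS+
command accounting format; every host, user and address is constructed.
"""
import re
from collections import defaultdict

# Commands an intruder typically runs early to map a network (assumed list).
RECON_COMMANDS = (
    "show running-config",
    "show ip route",
    "show ip bgp summary",
    "show cdp neighbors",
    "show ip interface brief",
    "show arp",
    "show users",
    "show ip access-lists",
)

# Placeholder standing in for source addresses shared from prior intrusions.
# Constructed value, not a real indicator of compromise.
WATCHLIST_SOURCES = {"198.51.100.23"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) tacacs: user=(?P<user>\S+) "
    r".*?rem_addr=(?P<src>[\d.]+) .*?cmd=(?P<cmd>.+)$"
)

# Constructed sample log: a peer-facing service account enumerates one router
# while an operator does routine work from an internal management host.
SAMPLE_LOG = [
    "2024-11-15T03:11:58Z edge-rtr-01 tacacs: user=netops priv-lvl=15 rem_addr=10.20.0.5 cmd=show interfaces GigabitEthernet0/1",
    "2024-11-15T03:12:07Z edge-rtr-01 tacacs: user=svc-peering priv-lvl=15 rem_addr=198.51.100.23 cmd=show running-config",
    "2024-11-15T03:12:09Z edge-rtr-01 tacacs: user=svc-peering priv-lvl=15 rem_addr=198.51.100.23 cmd=show ip route",
    "2024-11-15T03:12:11Z edge-rtr-01 tacacs: user=svc-peering priv-lvl=15 rem_addr=198.51.100.23 cmd=show cdp neighbors",
    "2024-11-15T03:12:14Z edge-rtr-01 tacacs: user=svc-peering priv-lvl=15 rem_addr=198.51.100.23 cmd=show arp",
    "2024-11-15T03:20:40Z edge-rtr-02 tacacs: user=netops priv-lvl=15 rem_addr=10.20.0.5 cmd=show ip route",
    "this line is deliberately malformed and must be skipped",
]


def parse_line(line):
    """Return a dict of fields for a well-formed accounting line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["cmd"] = rec["cmd"].strip()
    return rec


def is_recon(cmd):
    """True when the command starts with one of the assumed enumeration commands."""
    return any(cmd.startswith(prefix) for prefix in RECON_COMMANDS)


def analyze(lines, recon_threshold=3):
    """Return alerts: one per session hitting the watchlist, and one per
    session issuing at least `recon_threshold` reconnaissance commands."""
    alerts = []
    recon_by_session = defaultdict(list)
    watchlist_hits = set()

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed input is skipped, not treated as a hit
        session = (rec["host"], rec["user"], rec["src"])
        if rec["src"] in WATCHLIST_SOURCES:
            watchlist_hits.add(session)
        if is_recon(rec["cmd"]):
            recon_by_session[session].append(rec["cmd"])

    for host, user, src in sorted(watchlist_hits):
        alerts.append({"kind": "watchlist_source", "host": host,
                       "user": user, "src": src})

    for (host, user, src), cmds in sorted(recon_by_session.items()):
        if len(cmds) >= recon_threshold:
            alerts.append({"kind": "recon_burst", "host": host, "user": user,
                           "src": src, "count": len(cmds), "commands": cmds})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Two signals are combined deliberately: a single `show ip route` from an operator stays below the burst threshold, while a cluster of enumeration commands from one session raises an alert even if the source has never been seen before, and a watchlist match fires regardless of what was typed. Tuning the threshold and the command list to what each router class normally sees is what keeps the burst rule from paging on routine change work.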
He further emphasized, “Our defenses safeguarded our sensitive customer information, ensured uninterrupted services, and halted the attack’s progression. The attackers did not access any sensitive customer data, including calls, voicemails, or texts.”
The company promptly cut off connectivity to the affected provider’s network, suspecting it may have been compromised, and Simon noted that T-Mobile currently sees no signs of ongoing threats within its network. The findings have been shared with government officials and industry partners as part of T-Mobile’s commitment to transparency and security.
Breached in recent Salt Typhoon telecom attacks
Today, T-Mobile issued a statement about the security breach disclosed two weeks ago, when it was revealed that its systems had been affected by a series of attacks linked to Salt Typhoon. In late October, CISA and the FBI confirmed these breaches after reports surfaced that a Chinese group had targeted several internet providers, including AT&T, Verizon, and Lumen Technologies.
The federal agencies also shared that the attackers accessed the private communications of some government officials, stole customer call records, and obtained data related to law enforcement requests. Additionally, they managed to get into the U.S. government’s wiretapping system.
The exact time when hackers first broke into the telecom companies’ networks is unclear, but a report from the Wall Street Journal states that Chinese hackers had access for several months or even longer. This breach allowed them to gather and steal a large amount of internet traffic from service providers that serve both small and large businesses, as well as millions of Americans.
Last month, Canada announced that various government agencies, including federal political parties and the Senate and House of Commons, were also targeted in wide-ranging network scans believed to be linked to unknown Chinese state hackers. In related attacks, another group of Chinese hackers, known as Volt Typhoon, tracked and breached several internet service and managed service providers in the U.S. and India by getting into their networks with stolen credentials, obtained by exploiting serious security flaws in a tool called Versa Director.