Share this article on:
Chinese state-sponsored hackers have accessed and collected the communications of a number of US government officials, according to US cyber agencies.
In a joint statement released by the FBI and US Cybersecurity and Infrastructure Security Agency (CISA), investigations into Chinese government espionage of US telcos revealed that threat actors had gained access to the networks of multiple US telcos.
“Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to US law enforcement requests pursuant to court orders,” said the statement issued on Wednesday (13 November).
“We expect our understanding of these compromises to grow as the investigation continues.”
The findings come as the US agencies confirmed in October that a Chinese state-sponsored threat actor had breached multiple US telcos.
AT&T, Verizon, and Lumen Technologies had all been breached by the group UNC2286, better known as Salt Typhoon.
“The US government is investigating the unauthorised access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China,” said the FBI and CISA at the time.
“After the FBI identified specific malicious activity targeting the sector, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) immediately notified affected companies, rendered technical assistance, and rapidly shared information to assist other potential victims.”
According to sources speaking with WSJ, the threat actors had maintained network access “for months or longer”, allowing them to collect a large amount of call data from millions of US customers.
Chinese state-sponsored threat actors have been observed using living-off-the-land techniques to maintain a presence on a victim network for long periods.
A joint advisory released by the Five Eyes information-sharing alliance in February revealed that the Chinese state-sponsored hacking group Volt Typhoon may have had access to critical infrastructure providers’ IT networks for at least five years.
“CISA, NSA, FBI [as well as US critical infrastructure agencies and the Five Eyes alliance] … are releasing this advisory to warn critical infrastructure organisations about this assessment, which is based on observations from the US authoring agencies’ incident response activities at critical infrastructure organisations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus),” the release said.