# Full Report
In a call with reporters, senior officials at the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said the agencies have been investigating the incident since late spring, and have uncovered an expansive campaign that some lawmakers are calling the worst telecom hack in the nation’s history.
# Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
Attributed to Chinese hackers. Known aliases include "Salt Typhoon." Associated with cyber-espionage activities.
## Activity Summary
Investigation began in late spring. Described as an expansive campaign, potentially the "worst telecom hack" in U.S. history. The group deeply penetrated multiple telecom companies. Security agencies (CISA, FBI, NSA) are working with scores of telecom companies to identify and remove the threat actors, but acknowledge they cannot be certain the adversary has been completely evicted.
## Tactics, Techniques & Procedures
- Penetrated critical telecommunications infrastructure.
- Stole vast amounts of data regarding individual communications (who, when, where).
- Intercepted audio and text communications content (for a select group of targeted individuals).
- Acquired metadata on phone calls and texts.
- Targeted CALEA (Communications Assistance to Law Enforcement Act) systems, among other targets.
## Targeting
- Sectors: Telecommunications, Critical Infrastructure.
- Geography: United States (primary focus indicated by official response).
- Victims: Multiple telecom companies. Targeted individuals included officials from both U.S. presidential campaigns (specifically mentioning President-elect Donald Trump and JD Vance).
## Tools & Infrastructure
The summary provides no specific malware families or infrastructure details; it focuses instead on the operational impact and the victims.
## Implications
The threat actor has achieved deep, sustained access into critical U.S. telecommunications infrastructure, representing a significant national security concern. The actors' continued presence raises questions about the long-term security posture of U.S. network communications.
## Mitigations
- Security engineers and network defenders should use the "[visibility and hardening guidance](http://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure)" issued by CISA, FBI, NSA, and international partners.
- Prioritize hardening of telecommunications infrastructure against the access vectors used by this threat actor.
- Conduct thorough investigations to ensure the adversary is fully evicted from systems.