Chinese hackers have breached at least three major U.S. telecommunications providers in what appears to be an audacious espionage operation likely aimed in part at discovering the Chinese targets of American surveillance, according to U.S. officials.
The investigation by the FBI, U.S. intelligence agencies and the Department of Homeland Security is in its early stages. The full scope of the compromises and their impact is not yet known, said the officials, who spoke on the condition of anonymity because of the matter’s sensitivity.
Spokespeople for the agencies declined to comment. President Joe Biden has been briefed on the breach, a U.S. official said.
News of the compromise and potential counterintelligence effort, first reported by the Wall Street Journal, comes as Washington and Beijing are seeking to keep their competitive relationship from veering into conflict. The Biden administration views China as its most consequential strategic challenge, as it seeks to rival the United States economically, militarily and in terms of influence in the developing world.
Officials said the breach compromised the networks of companies including Verizon, AT&T and Lumen — three of the country’s largest internet service providers. The list is probably longer, as the hackers have been in the systems for months, officials said.
All three companies declined to comment.
A U.S. security official acknowledged the significance of the breaches but noted that “it’s going to take a little bit more time to figure out” the scale of the intrusion and what information was obtained.
One apparent target is information relating to lawful federal requests for wiretaps, according to U.S. officials. “There is some indication [the lawful intercept system] was targeted,” said the security official. But the hackers’ access was broader and may have included more general internet traffic coursing through the providers’ systems, they said.
There are indications that China’s foreign spy service, the Ministry of State Security, which has long targeted the United States for intelligence, is involved in the breach. Officials internally are referring to it as having been carried out by an arm of the MSS known as Salt Typhoon, a moniker given to the group by Microsoft, which monitors Chinese hacking activity. But they caution that there is as yet no official attribution.
“This has all the hallmarks of an espionage campaign — one with potentially deep access to the most important communication companies in the country,” said Brandon Wales, former executive director at DHS’s Cybersecurity and Infrastructure Security Agency and now a vice president at SentinelOne, a cybersecurity firm. “The impacts are potentially staggering.”
A spokesman for the Chinese Embassy in Washington disputed the U.S. officials’ assertions. “The US intelligence community and cyber security companies have been secretly collaborating to piece together false evidence and spread disinformation about so-called Chinese government’s support for cyberattacks against the United States” in an effort to seek more funding and government contracts, spokesman Liu Pengyu said in an emailed statement. “In fact, China is one of the main victims of cyberattacks.”
Whether the hackers got access to actual lists of federal surveillance targets or their communications — or what they might have taken - is not clear, officials said. It is also not clear whether the subjects of the surveillance at issue were targeted in domestic criminal investigations or in national security cases, such as espionage, terrorism or cybersecurity.
Were China’s state-sponsored hackers to have gained access to this information, it would be “a golden opportunity to thwart the efforts of the United States to collect intelligence on any of the PRC’s activities,” said one former senior U.S. intelligence official, using the initials of the People’s Republic of China. “It enables them to understand exactly who the U.S. government is interested in and to either undermine the government’s intelligence collection efforts or to feed the United States disinformation.”
China has been actively targeting Western democracies, particularly the United States, for years — engaging in industrial and technological espionage as well efforts to learn politicians’ and policymakers’ plans and intentions. More recently, its hackers have gained access to critical U.S. infrastructure networks, such as water, energy and transportation systems, to lie in wait and launch destructive attacks in a potential U.S.-China conflict. And they have sought to spread propaganda and disinformation to promote narratives that favor Beijing and undermine confidence in Western institutions.
The first major Chinese hacking operation targeting Western companies that came to light was dubbed Operation Aurora and was disclosed publicly in 2010 by one of its victims, Google. The hackers who breached Google also gained access to a sensitive database with years’ worth of information about U.S. surveillance targets, The Washington Post reported. The database included information about court orders authorizing federal surveillance that could have signaled active espionage investigations into Chinese agents who maintained email accounts through Google’s Gmail service.
Verizon is one of the major internet service providers grappling with the Salt Typhoon intrusion, said two people familiar with the matter. At the company’s facility in Ashburn, Va., a war room has been set up that includes personnel from the FBI, Microsoft and Google’s Mandiant security division, according to one person.
Hackers apparently were able to exfiltrate some data from Verizon networks by reconfiguring Cisco routers, said one current and one former U.S. official familiar with the matter. The fact that they were able to make changes in the routers without detection reflects the sophistication of the adversary but also raises questions about Verizon’s security posture, analysts said.
Verizon declined to comment. Cisco did not immediately respond to a request for comment.
The Salt Typhoon operation under investigation is separate from a series of intrusions over the past several years into U.S. critical infrastructure carried out by hackers affiliated with the Chinese People’s Liberation Army, a group Microsoft has dubbed Volt Typhoon. U.S. officials have not seen evidence to date that the two campaigns are coordinated, U.S. officials say. In the Volt Typhoon breaches, Chinese military hackers have burrowed into the computer systems of at least a dozen U.S. critical entities, including power and water utilities and some telecommunications companies.
In August, The Post reported that Chinese government-backed hackers had penetrated at least two major U.S. internet service providers to spy on their users, as well as several smaller companies. Some of the intrusions relied on previously undiscovered software flaws, according to researchers at Lumen Technologies.
In December and January, the U.S. government disrupted Volt Typhoon by seizing control of hundreds of routers that the group had been using as springboards into sensitive infrastructure. In September, the United States and allied countries took control of a different network of internet-connected routers and other devices that the Chinese government had been using to spy on sensitive organizations. That botnet was run by a government contractor in Beijing.
Joseph Menn in San Francisco and Aaron Schaffer contributed to this report.