The Biden administration this week stood up a multi-agency team to confront a growing crisis involving Chinese cyberattacks on U.S. telecommunications companies, believed to be for intelligence gathering.
The breach now has affected “about 10 or 12” companies, two people familiar with the investigation said, speaking like others interviewed for this article on the condition of anonymity because of the matter’s sensitivity. The people did not specify if the companies were all American firms or if some were subsidiaries.
At least three major companies were breached: AT&T, Verizon and Lumen. All have declined to comment.
The U.S. government, the companies themselves and security firms that are helping investigate the intrusions still do not know how the attacker first penetrated the companies’ networks. That lack of a clear entry point is making it difficult to kick the attacker out, several people familiar with the matter said.
“It’s a sophisticated actor, and you need sophisticated ways to do that,” one person said. “The offense is better than the defense. … It looks to be a widespread intelligence operation and one that [the government is] determined to address.”
The White House on Tuesday convened a meeting of deputy secretaries of key agencies to stand up what’s known as a “unified coordination group.” The group’s role is to ensure there is consistent interagency visibility into the response by the FBI, the Office of the Director of National Intelligence and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The FBI, the White House National Security Council and CISA declined to comment on the ongoing investigation.
Similar coordination groups were formed to address the Chinese breach of Microsoft Exchange servers in early 2021, and before that, the Russian SolarWinds compromise that enabled the breaches of nine federal agencies, though not the Pentagon, officials said at the time.
Investigators are still working to understand the scope and nature of the compromise and what the hackers may have accessed or exfiltrated.
The breach was attributed privately by Microsoft to a group it dubbed Salt Typhoon, U.S. officials said. Microsoft discovered some of the intrusions last month.
Whether the latest breach is in fact the work of Salt Typhoon — thought by U.S. intelligence to be an arm of the Ministry of State Security, China’s foreign spy service — is not yet certain, officials say privately.
But a U.S. official said whether it turns out to be the work of a Chinese security agency or a contractor, signs point to the breach being directed by or linked to the Chinese government for espionage or counter-espionage purposes.
One U.S. official told The Washington Post last week that “there is some indication” the systems that track federal wiretap requests to telecommunications providers were targeted. However, investigators “don’t yet have 100% evidence that they were compromised,” the person familiar with the matter said.
On Thursday, the leaders of the House Select Committee on the Chinese Communist Party wrote to the chief executives of the three companies seeking a closed-door briefing on the breaches, including what specific measures the companies are taking to protect the federal wiretap requests.
Were China’s state-sponsored hackers to have gained access to information about federal requests for wiretaps, it would be “a golden opportunity” to thwart U.S. efforts to collect intelligence on Chinese government activities, one former senior U.S. intelligence official told The Washington Post. It would enable adversaries to understand whom the U.S. government is interested in and undermine surveillance efforts, the former official said.