
CISA director says threat hunters spotted Salt Typhoon on federal networks before telco compromises 

The incident helped the federal government to seize a virtual private server used by the group and more quickly “connect the dots,” Jen Easterly said.
CISA Director Jen Easterly testifies before a House Homeland Security Subcommittee on April 28, 2022, in Washington, D.C. (Photo by Kevin Dietsch/Getty Images)

A top federal cybersecurity official said Wednesday that threat hunters from the Cybersecurity and Infrastructure Security Agency first discovered activity from Salt Typhoon on federal networks, allowing public and private sector defenders to more quickly “connect the dots” and respond to Chinese attacks on the U.S. telecommunications industry.  

Speaking at an event hosted by the Foundation for Defending Democracies, CISA Director Jen Easterly said threat hunters identified malicious activity from the group but didn’t immediately recognize it as part of a larger Chinese hacking campaign.

“We saw this before we understood it was Salt Typhoon,” she said. “We saw it as a separate campaign, called another goofy cyber name.” 

In a blog released Wednesday on CISA’s website, Easterly offered more details on the incident, saying the agency facilitated court orders that allowed the government to identify and seize virtual private servers being leased by the hackers, providing further insight into the scope of their campaign against telecommunications companies.


“This information, along with industry tippers, is what allowed our law enforcement partners to gain access to images of actor-leased virtual private servers,” Easterly wrote. “This, in turn, gave us and our federal government partners visibility into the breadth of the campaign and allowed us to notify and provide technical assistance to known or suspected private sector victims.”

Salt Typhoon is the name given to a Chinese hacking group that has compromised at least nine U.S. telecommunications firms, reportedly hacked into the phones of President-elect Donald Trump and Vice President-elect JD Vance, and collected geolocation data for hundreds of phones in the Washington, D.C. area over at least the past year.

The widespread compromise of U.S. telecommunications infrastructure, as well as the persistent challenges in purging Salt Typhoon hackers from affected networks, underscores the challenge U.S. policymakers and the private sector face in securing critical infrastructure from foreign adversaries like China, Russia and Iran.

Salt Typhoon is one of at least three known hacking campaigns from China that U.S. officials have been grappling with over the past year.

The FBI and other agencies have also warned about a years-long campaign by another group, Volt Typhoon, to burrow into the networks of U.S. critical infrastructure and pre-position for potential destructive cyberattacks in the future.


More recently, the Department of the Treasury said Chinese hackers used a third-party cybersecurity vendor to break into an unspecified number of workstations and steal data. 

While Salt Typhoon’s motive is believed to be espionage, U.S. officials — including Easterly — have alleged that other groups like Volt Typhoon may be preparing to execute destructive attacks on American critical infrastructure in the event of a Chinese invasion of Taiwan.

CISA maintains a list of nearly 500 “systemically important” critical infrastructure entities that are given extra attention and resourcing from the federal government, including red-teaming and tools for vulnerability scanning, attack-surface management and threat detection. In her blog, Easterly said CISA red-teamers and incident responders have used these tools to boot out Chinese hackers in the energy, transportation, water and telecommunications sectors, but noted that “what we have found is likely just the tip of the iceberg.”

Easterly noted that many telecommunications companies are reliant on outdated technologies and architectures that are more vulnerable to cyberattacks because they were built for “efficiency and availability,” not security. They also use a host of technologies outside their network, like edge devices, that can offer pathways to compromise and are increasingly being leveraged by Chinese and Russian hackers.

“Those are edge devices like routers and firewalls and switches, which, you know, would likely never be a part of a systematically important entities list, but are really the connective tissue and the soft underbelly for our adversaries,” she said. “And that’s really the vector that we’ve sort of made easy for the cyber invasion of entities like Volt Typhoon, Salt Typhoon.”

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.