Report to Congress on Chinese Hacks of U.S. Telecoms

October 30, 2024 10:58 AM

The following is the Oct. 29, 2024, Congressional Research Service In Focus report, Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications.

From the report

In early October 2024, media outlets reported that People’s Republic of China (PRC) state-sponsored hackers infiltrated United States telecommunications companies (including internet service providers). The U.S. government has since confirmed both the PRC’s actions and the existence of an ongoing investigation into the hacks. This is not the first time that the PRC has attacked the U.S. communications sector—and reflects a pattern of targeting the sector for both its role in enabling other sectors, and also the value of the systems and data contained within the sector itself.

The methods used by the PRC hackers in the attack have not been publicly disclosed, nor have the specific systems or data that were targeted. But, public reporting suggests that the hackers may have targeted the systems used to provide court-approved access to communication systems used for investigations by law enforcement and intelligence agencies. PRC actors may have sought access to these systems and companies to gain access to presidential candidate communications. With that access, they could potentially retrieve unencrypted communication (e.g., voice calls and text messages).

The White House reportedly established a Cyber Unified Coordination Group (Cyber UCG) on October 8, 2024, to coordinate responses to the hacking.

This In Focus discusses PRC cyber actors as well as broader cybersecurity and risk management considerations for Congress.

PRC Hackers: The Typhoons

The U.S. Intelligence Community (IC) assesses that the PRC is “the most active and persistent cyber threat” to U.S. institutions. The Office of the National Cyber Director has highlighted China’s ambitions “to hold at risk U.S. and allied critical infrastructure, shape U.S. decision-making in a time of crisis, and use cyber capabilities to augment PRC geopolitical objectives.”

Typhoon is the moniker Microsoft Corporation assigns to attributed threat actors with PRC state sponsorship—a moniker the U.S. government also adopts. There are three publicly disclosed Typhoon threat actor groups.

  • Volt Typhoon. These actors use a technique known as living off the land, which involves using built-in tools on the target network to execute objectives without installing malware (which may be detected). Volt Typhoon has been known to target United States critical infrastructure entities. The IC assesses that Volt Typhoon’s targeting of these companies carries limited espionage potential, and is instead part of an effort to prepare to disrupt U.S. infrastructure.
  • Flax Typhoon. These actors are associated with PRC information security companies that take directions from the PRC government. They target Taiwan and U.S. critical infrastructure domestically and abroad. Flax Typhoon actors also use living off the land techniques, and have compromised hundreds of internet-of-things (IOT) devices to create a botnet that they used to carry out attacks. The U.S. government said that it had disrupted one such botnet in September 2024.
  • Salt Typhoon. These actors are reportedly responsible for the compromise of U.S. telecommunications companies reported in October 2024. They appear to have conducted counterintelligence operations, seeking information on PRC targets that the United States may be surveilling. To date, the U.S. government has not released official confirmation of the attack, nor this group.
