THE AMERICA ONE NEWS
Jun 1, 2025

China’s ‘Salt Typhoon’ telecom hack has sent shockwaves through the US intelligence community - Washington Examiner

Late last year, the FBI and the Cybersecurity and Infrastructure Security Agency had some curious advice for people about texting on their smartphones.

Sending texts between an iPhone and an Android device could no longer be considered private, and to be safe, the agencies warned, messages should be shared only over encrypted apps, such as Apple iMessage, Google Messages, WhatsApp, or Signal.

The fact that law enforcement agencies that for years have complained their pursuit of criminals is “negatively impacted by device and software encryption” were now advocating the use of end-to-end encryption for routine texts provided a jarring indication of just how deep Chinese hackers had penetrated the U.S. telecom network, including major carriers Verizon, AT&T, and T-Mobile.

It was also an indication of how China’s Ministry of State Security intelligence service, after spending years and millions of dollars, was able to assemble a team of highly trained and well-resourced hackers able to exploit the vulnerabilities of America’s antiquated telecommunications infrastructure to poke around undetected for more than two years.

Microsoft discovered the massive hacking operation in the fall and dubbed it “Salt Typhoon,” typhoon being the “family name” Microsoft assigns to cyber threats from China.

An earlier discovery in 2023 dubbed Volt Typhoon involved botnets that amounted to “cyber bombs” that surreptitiously embedded malicious software in vulnerable small business and small office routers that would lie in wait to cripple America’s water treatment plants, electrical grid, oil and gas pipelines, and transportation systems.

Salt Typhoon allowed the Chinese to monitor virtually every phone call, listen in at will, read unencrypted text messages, and geolocate mobile phone users.

The hackers were able to target senior government officials including President-elect Donald Trump and Vice President-elect J.D. Vance and, even more disturbingly, to figure out who the U.S. government was wiretapping under legal warrants, including suspected Chinese spies, which could tell Beijing which of its spies were compromised and needed to be replaced.

Senate Intelligence Committee Vice Chairman Mark Warner (D-VA), a former telecom venture capitalist, called it the “worst telecom hack in our nation’s history — by far.”

“I’m still astonished that more folks’ heads aren’t exploding around Salt Typhoon, where the Chinese are into our telecom networks on a cyberattack and candidly have the ability to listen to every one of us on a real-time basis,” Warner said at a Senate hearing last month.

China has been hacking the United States for years — just last month Chinese hackers remotely accessed several Treasury Department computers after obtaining a digital key to third-party software — but the level of sophistication has increased.

The reason this latest hack took so long to discover is that Chinese hackers are getting much better at covering their tracks.

“The Chinese were very careful about their techniques,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, told reporters last month when she announced a ninth telecom company has been added to the list of victims. “They erased logs … so, there are details likely that we will never know regarding the scope and scale of this.”

The major flaw in the U.S. telecom infrastructure is that much of it is so obsolete that it can’t be updated; it must be replaced.

Many systems don’t even have two-factor verification, the first line of defense against hackers, because companies can’t afford to replace old technology and start again from scratch.

“In one telecoms case, there was one administrator account that had access to over 100,000 routers,” Neuberger said. “So, when the Chinese compromised that account, they gained that kind of broad access across the network. That’s not meaningful cybersecurity to defend against a nation-state actor.”

The Biden administration is hoping the Federal Communications Commission will act this month to finalize a rule that would require telecom companies to put in place those basic cybersecurity practices that “would make it harder, riskier, and costlier” for the Chinese.

That may not be enough, says David Sanger, who’s covered Chinese hacking for the New York Times.

“If you are really going to fix our telecom system, you would either have to go shut it down and rebuild it with something more modern. Well, no one’s going to do that. We need it every day,” Sanger said on The Daily podcast. “Or you’re going to begin to make incremental fixes and then build a parallel system to it that you can begin to shift over to.”

“Significant amounts of covered equipment and services remain in place today because of insufficient funding. The situation is dire,” Tim Donovan, president and CEO of the Competitive Carriers Association, which represents small carriers across the country, testified before a Senate subcommittee last month.

“Further, because the equipment cannot be properly maintained or upgraded, every day that passes increases the risk of catastrophic network failures,” Donovan said. “Because it is illegal to procure new equipment and services from untrusted vendors, carriers with this equipment cannot properly patch and upgrade software to defend against emerging threats or even perform basic maintenance.”

To help, Congress included $3.8 billion in the 2025 National Defense Authorization Act to fund a “rip-and-replace” program that helps small telecommunication providers replace Chinese spyware in their networks.

But cybersecurity experts say better defense can only go so far. China, they say, needs to be deterred.

“So far, espionage has been penalty-free for China,” James Lewis of the Center for Strategic and International Studies testified before the same subcommittee. “Our response has been to give them a stern lecture and send a few strongly worded notes. … The signal this sends is that it is open season on the U.S.”

“Deterrence basically comes in two forms, deterrence through denial and deterrence through punishment,” James Mulvenon, chief intelligence officer of Pamir Consulting, told the panel. “The United States clearly is still in a very deep cyber deterrence hole with respect to China, and the hole appears to only be getting deeper.”

Trump’s incoming national security adviser agrees that the response of the Biden administration has been far too weak.

“We need to start going on offense and start imposing higher costs and consequences to private actors and nation-state actors that continue to steal our data, that continue to spy on us, and that, even worse, with the Volt Typhoon penetration, that are literally putting cyber time bombs on our infrastructure, our water systems, our grids, even our ports,” Rep. Mike Waltz (R-FL), Trump’s incoming national security adviser, said on CBS last month.

“That is wholly unacceptable, and I think we need to take a much stronger stance,” Waltz said. “President Trump has indicated that as well. We need to start changing behaviors on the other side rather than just constantly having this kind of escalation of their offense and our defense.”