


Chinese hackers linked to Beijing’s intelligence services are engaged in large-scale global cyberattacks against critical infrastructure, according to a joint international report from the National Security Agency and security services from nine other nations.
The Chinese hacker group known as Salt Typhoon has been conducting cyber operations around the world since at least 2021, targeting networks related to telecommunications, government, transportation, lodging, military infrastructure and other sectors, the report said.
“This cluster of cyber threat activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom and other areas globally,” the report said.
The report, a cybersecurity advisory made public Wednesday, is based on intelligence reports from governments and industry in the United States, Canada, Australia, New Zealand, Britain, the Czech Republic, Finland, Germany, Italy and Japan.
The report contains technical details on how the Chinese hackers utilize security vulnerabilities to gain access to networks for stealing information or planting digital trap doors that could be used for future sabotage.
It is one of the first international efforts from the NSA and other agencies to expose China’s Salt Typhoon operations.
The group uses multiple companies in China, including the Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. as contract agents. The last company was sanctioned by the Treasury Department in January.
“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security,” the report said.
“The data stolen through this activity against foreign telecommunications and internet service providers, as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.”
The hackers targeted and gained access to large “backbone routers” that are core elements of telecommunications company networks.
Once inside, the hackers have been able to use other compromised computers and trusted connections to branch out and gain access to other networks.
Also, Salt Typhoon hackers have been successful in modifying router systems to obtain long-term access to the targeted networks.
Brett Leatherman, FBI assistant director of the cyber division, said Salt Typhoon has been active since at least 2019 and engaged in significant cyberespionage by hacking telecommunications firms around the world.
“Beijing’s indiscriminate targeting of private communications demands our stronger collaboration with our partners to identify and counter this activity at the earliest stages,” Mr. Leatherman said.
The NSA report did not specify which companies and agencies were compromised by the group.
However, an internal Department of Homeland Security intelligence report from June said data theft by Salt Typhoon revealed expanded targeting, including the recent break-in of an Army National Guard network.
The compromise “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS report said.
At least two other U.S. state government agencies also were attacked, the report said.
“Salt Typhoon access to Army National Guard networks in these states could include information on state cyber defense posture as well as the personally identifiable information and work locations of state cybersecurity personnel — data that could be used to inform future cyber-targeting efforts,” the report said.
The Congressional Research Service stated in a recent report that Salt Typhoon hackers breached U.S. telecommunications firms and internet service providers. It said this is not the first time the networks were compromised and that the breach reflects a pattern of Chinese targeting of critical infrastructure and data theft.
The report said the Chinese successfully broke into networks that provide court-approved access to communication systems used for both criminal and intelligence operations.
The Chinese Salt Typhoon hackers also sought access to systems and companies in order to reach presidential candidate communications and are believed to have been successful, according to U.S. officials.
“With that access, they could potentially retrieve unencrypted communication (e.g., voice calls and text messages),” the CRS report said.
In addition to Salt Typhoon, a security code name used by Microsoft, other Chinese hacking operations have included groups labeled Volt Typhoon, which conducts cyberattacks against critical infrastructure, and Flax Typhoon, whose hackers target Taiwan and U.S. critical infrastructure.
• Bill Gertz can be reached at bgertz@washingtontimes.com.