Key Points:
– T-Mobile has confirmed it was targeted by Chinese threat actors known as Salt Typhoon (also called Earth Estries, FamousSparrow, GhostEmperor, and UNC2286)
– Other major telecommunications companies affected include AT&T, Verizon, and Lumen Technologies
– T-Mobile claims no significant system impact or evidence of customer data compromise
Attack Details:
1. Campaign Objectives:
– Harvest cellphone communications of high-value intelligence targets
– Access customer call records
– Compromise private communications of government/political individuals
– Copy U.S. law enforcement request information
2. Technical Aspects:
– Active since 2020
– Uses both legitimate and custom tools
– Main attack vectors:
* Exploits vulnerabilities in external services
* Targets Microsoft Exchange servers
* Employs multiple backdoors (HemiGate, Crowdoor, Zingdoor)
* Utilizes custom malware (TrillClient, Cryptmerlin)
3. Attack Methodology:
– Initial access through vulnerable services
– Lateral movement using PsExec
– Data exfiltration via SMTP and file-sharing services
– Persistence through scheduled tasks
– Traffic concealment using proxy servers
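As an added defender-side example (not from the original summary or any vendor report), the script below runs simple detections for three of the techniques listed above, PsExec lateral movement, scheduled-task persistence and SMTP exfiltration, over constructed key=value log records. Windows Event ID 7045 (service installed), Event ID 4698 (scheduled task created) and PsExec's default PSEXESVC service name are real; the log layout, host names, mail-host allowlist and byte threshold are assumptions.

```python
import re

# Constructed sample records (not from any real incident), flattened to the
# key=value form a SIEM might export for Windows System/Security and firewall events.
SAMPLE_EVENTS = [
    r"channel=System event_id=7045 host=srv01 service_name=PSEXESVC image_path=%SystemRoot%\PSEXESVC.exe",
    r"channel=Security event_id=4698 host=srv01 task_name=\Microsoft\Windows\Update\svchost command=C:\Users\Public\t.exe",
    r"channel=Security event_id=4698 host=srv02 task_name=\Microsoft\Windows\Defrag\ScheduledDefrag command=%windir%\system32\defrag.exe",
    r"channel=System event_id=7045 host=srv03 service_name=Spooler image_path=C:\Windows\System32\spoolsv.exe",
    r"channel=Firewall host=srv01 dst_ip=198.51.100.7 dst_port=25 bytes_out=52428800",
    r"channel=Firewall host=mail01 dst_ip=203.0.113.9 dst_port=25 bytes_out=1048576",
]

MAIL_HOSTS = {"mail01"}  # assumed allowlist: hosts expected to send SMTP outbound
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "%temp%")
SMTP_EXFIL_BYTES = 10 * 1024 * 1024  # assumed threshold: 10 MiB in one SMTP session

def parse_event(line):
    """Split one key=value line into a dict; values contain no spaces in this layout."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(ev):
    """Return a finding label for a parsed event, or None when no rule matches."""
    eid = ev.get("event_id")
    svc = (ev.get("service_name", "") + ev.get("image_path", "")).lower()
    if eid == "7045" and "psexesvc" in svc:
        return "psexec_service_install"        # PsExec leaves a service-install record
    if eid == "4698" and ev.get("command", "").lower().startswith(USER_WRITABLE):
        return "scheduled_task_user_writable"  # persistence task launching from a user-writable path
    if ev.get("channel") == "Firewall" and ev.get("dst_port") in ("25", "465", "587"):
        if ev.get("host") not in MAIL_HOSTS and int(ev.get("bytes_out", "0")) >= SMTP_EXFIL_BYTES:
            return "smtp_exfil_candidate"      # bulk SMTP from a host that should not be a mail sender
    return None

def find_salt_typhoon_ttps(lines):
    """Return (host, label) pairs, in log order, for every event that matched a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append((ev["host"], label))
    return findings

if __name__ == "__main__":
    for host, label in find_salt_typhoon_ttps(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Real deployments would read these fields from the native event XML or the SIEM's schema rather than this flattened layout, and the SMTP rule should be tuned against a baseline of legitimate mail senders.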
Impact:
The U.S. government describes this as a “broad and significant” hack by China, with potential for expanded scope as investigations continue.
Security Implications:
The combination of multiple backdoors, scheduled-task persistence and proxy-based traffic concealment points to an actor focused on keeping covert, long-term access to compromised systems rather than on a one-off intrusion.