If you’ve used a smartphone in the United States in the past year, chances are Beijing may have monitored your calls and texts. In addition, Chinese threat actors have been reported to have targeted a major U.S. organization in a four-month-long intrusion into some of its Exchange servers.
Researchers at the Symantec Threat Hunter Team warned that the Chinese hackers had gathered intelligence by harvesting emails. The particular company that was impacted wasn’t disclosed, but the researchers said it had a significant presence in China.
“One group the attackers were particularly interested in is ‘Exchange servers,’ suggesting the attackers were attempting to target mail servers to collect and possibly exfiltrate email data,” Symantec warned.
The attackers reportedly engaged in credential theft but also executed malicious DLL files, which were used to target Microsoft Exchange servers. A threat actor hasn’t been named in this particular attack.
“It will be interesting to see what, if any, action is taken by the victim,” said Evan Dornbush, former NSA cybersecurity expert.
“We saw after Operation Aurora was disclosed in 2010, Google scaled back its operations in China, added encryption and zero trust mechanisms to its systems, and invested more heavily into its Threat Analysis Group (TAG) specifically to investigate state-sponsored activities,” Dornbush told ClearanceJobs.
“As to the question of ‘was this Apple,’ the original news noted the attackers came in from Exchange servers – a Microsoft competitor to Apple’s mail system,” Dornbush added. “It was implied the attackers used DLL injection. This is a Windows-only technique as macOS systems do not have DLLs. They also noted WMI and PowerShell, both Windows operating system utilities. If Apple, then likely a third party supplier?”
Smartphones Under Attack
The disclosure that a U.S. firm may have been infiltrated for months comes as reports emerged that a Chinese hacking group dubbed “Salt Typhoon” may have engaged in a cyber-espionage campaign that targeted American mobile phones.
It isn’t clear if the two incidents are related, but Chinese hackers have increasingly targeted American enterprises. What is known is that the threat actors had gained access to U.S. telecommunications infrastructure and that the hacking was ongoing. It could take months for it to be resolved.
“We believe a large number of Americans’ metadata was taken,” said the official, who spoke with reporters on condition of anonymity.
The full scope of the attack is unknown, but it is vast. At least eight telecommunication providers and telecom infrastructure firms were reported to have been targeted.
“We do not believe it’s every cellphone in the country, but we believe it’s potentially a large number of individuals that the Chinese government was focused on,” the official added.
Voice and Data Compromised
The Chinese hackers may have gained access to telephone audio intercepts as well as a large tranche of call record data. It may have been possible to identify when calls were made and from where.
However, the problem may go far deeper, warned Chris Proctor, senior advisor and associate director of cybersecurity consulting firm NCC Group.
“Telecommunications has an ever-increasing role in society beyond just voice and messaging. They enable our ever-connected society from smart homes to operational technology in critical national infrastructure sectors such as utilities and transport,” Proctor told ClearanceJobs. “This greater connectivity provides many benefits to society, but that brings with it an increasing threat landscape from a wider range of threat actors with varying motivations, whether that be for extortion, espionage, fraud, or disruption of the telecommunication operators or those that they connect.”
The underlying technologies that the sector uses, and will continue to use for a while yet – including the signaling protocol SS7 – were developed at a time when security was not as much a priority as it is today.
“Telecoms companies over the years have moved from more proprietary technology to more standard compute-based applications which opens the environment to less specialized threat actors who can use more readily available tools to undertake attacks,” added Proctor.
Salt Typhoon – What Do We Know?
Also known as GhostEmperor, FamousSparrow, King of World, or UNC2286, Salt Typhoon is an advanced persistent threat actor that is reported to work at the behest of Beijing – and is affiliated with China’s Ministry of State Security.
The efforts have been described as a component of “China’s 100-year strategy.”
Microsoft researchers branded the group “Salt Typhoon,” but it is unknown how the group is designated in China. It has targeted telecommunications and government entities across the U.S., Asia-Pacific, Middle East, and South Africa since 2023.
Is Enough Being Done to Counter These Threats?
This is far from the first attack that Chinese threat actors have conducted against U.S. interests, and it certainly won’t be the last. The question is how Washington can respond.
“Governments around the world have recognized this increased threat landscape and potential greater societal impact. As a result, many have increased the security requirements on operators through greater regulation, whether that be the EU expanding the Network and Information Systems Directive to include Telcos under the latest version (NIS2) or the Telecommunications Security Act in the UK,” said Proctor.
He told ClearanceJobs that the U.S. should take these most recent attacks extremely seriously.
“As in any industry there is a range of abilities in the sector to respond to this threat by building the appropriate defenses and having the ability to respond to an incident,” Proctor added. “The telecoms sector is putting greater resources into this area, as witnessed by the greater prevalence of security at the Mobile World Congress event in Barcelona earlier this year, but there is much work to be done, which is why the NCC Group Global Telecoms Practice is providing support to operators across the world.”
While there will be no easy solution, Americans – especially those who work with classified materials – may seek to harden their mobile security.
“There are options for users who might be concerned to ensure that their communication is safe,” said Proctor, “whether that is in the context of privacy by using end-to-end encrypted message applications, protecting their devices using security applications, or ensuring resilience of their connection by using more than one operator.”