T-Mobile Spotted Chinese Salt Typhoon Hackers Attacking Its Routers

T-Mobile revealed how it successfully blocked attempts by the Chinese hacking group Salt Typhoon to infiltrate its network.

This announcement follows reports from earlier this month about Salt Typhoon’s successful breaches of wiretap systems managed by major U.S. telecom companies, including AT&T, Verizon, and Lumen Technologies.

Jeff Simon, T-Mobile’s Chief Security Officer, said that the company’s network engineers noticed activity on their network devices that, while not overtly malicious on its own, was unusual enough to warrant investigation: unauthorized users were executing commands on network devices to map out the network’s structure, the kind of read-only reconnaissance that typically precedes deeper intrusion.

The hackers, believed to be backed by the Chinese government, gained initial access through a compromised wireline provider’s network connected to T-Mobile’s systems. However, T-Mobile’s defense mechanisms prevented the attackers from advancing deeper into the network or accessing sensitive customer data.

Simon emphasized that unlike other telecom providers reportedly affected, T-Mobile successfully protected its customers’ sensitive information, including calls, voicemails, and text messages. The company swiftly severed connectivity to the compromised provider’s network upon detection of the threat.
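The signal described above, discovery commands run on network devices by users or from source addresses that are not the expected management path, is something a detection engineer can encode directly. The following is an added example for illustration, not T-Mobile’s tooling and not code from the original article. The log format, the management subnet, the list of authorized operator accounts, and the sample records are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed command-accounting record format (hypothetical; real TACACS+ or
# syslog command logs differ in shape):
#   2024-11-27T03:14:22 rtr-edge-01 user=svc_peer src=198.51.100.23 cmd="show ip route"
RECORD = re.compile(
    r'^(?P<ts>\S+) (?P<device>\S+) user=(?P<user>\S+) src=(?P<src>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Assumptions for the example: management jump hosts live in this subnet and
# only these accounts are expected to run commands on network devices.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
AUTHORIZED_USERS = {"netops-alice", "netops-bob"}

# Read-only commands that reveal topology, routing and configuration.
# Individually benign; in bulk from an unexpected origin they look like recon.
DISCOVERY_PREFIXES = (
    "show ip route", "show ip bgp", "show running-config", "show cdp neighbors",
    "show lldp neighbors", "show ip interface", "show arp", "show interfaces",
)
BURST_THRESHOLD = 3          # distinct discovery commands ...
BURST_WINDOW_SECONDS = 300   # ... from one (device, source) within five minutes

# Constructed sample records for the example.
SAMPLE_LOG = [
    '2024-11-27T03:10:02 rtr-edge-01 user=netops-alice src=10.10.0.15 cmd="show ip interface brief"',
    '2024-11-27T03:14:22 rtr-edge-01 user=svc_peer src=198.51.100.23 cmd="show ip route"',
    '2024-11-27T03:14:40 rtr-edge-01 user=svc_peer src=198.51.100.23 cmd="show ip bgp summary"',
    '2024-11-27T03:15:05 rtr-edge-01 user=svc_peer src=198.51.100.23 cmd="ping 10.10.0.1"',
    '2024-11-27T03:15:31 rtr-edge-01 user=svc_peer src=198.51.100.23 cmd="show running-config"',
    '2024-11-27T03:40:00 rtr-core-02 user=netops-bob src=203.0.113.9 cmd="show cdp neighbors"',
]


def parse_record(line):
    """Parse one accounting line; return None for lines that do not match."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_discovery(cmd):
    return cmd.strip().lower().startswith(DISCOVERY_PREFIXES)


def is_unexpected_origin(rec):
    """True when the user is not an authorized operator or the source is off the management subnet."""
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return True  # an unparsable source address is itself worth a look
    from_mgmt = any(src in net for net in MANAGEMENT_NETS)
    return rec["user"] not in AUTHORIZED_USERS or not from_mgmt


def detect(lines):
    """Return findings: one 'medium' per discovery command from an unexpected
    origin, plus one 'high' when a (device, source) pair issues BURST_THRESHOLD
    distinct discovery commands inside BURST_WINDOW_SECONDS."""
    findings = []
    recent = defaultdict(list)  # (device, src) -> [(ts, cmd), ...]
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_discovery(rec["cmd"]) or not is_unexpected_origin(rec):
            continue
        findings.append({"severity": "medium", "device": rec["device"], "user": rec["user"],
                         "src": rec["src"], "cmd": rec["cmd"],
                         "reason": "discovery command from unexpected user or source"})
        key = (rec["device"], rec["src"])
        window = recent[key]
        window.append((rec["ts"], rec["cmd"]))
        # Keep only entries inside the sliding window relative to this record.
        window[:] = [(t, c) for t, c in window
                     if (rec["ts"] - t).total_seconds() <= BURST_WINDOW_SECONDS]
        distinct = sorted({c for _, c in window})
        if len(distinct) >= BURST_THRESHOLD:
            findings.append({"severity": "high", "device": rec["device"], "user": rec["user"],
                             "src": rec["src"], "cmd": distinct,
                             "reason": f"{len(distinct)} distinct discovery commands within "
                                       f"{BURST_WINDOW_SECONDS}s: likely network reconnaissance"})
            recent[key] = []  # one burst yields one high-severity alert
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["severity"].upper(), f["device"], f["user"], f["src"], f["cmd"], "-", f["reason"])
```

The two-tier logic matters in practice: a single `show ip route` from a partner account is ambiguous, so it is recorded at medium severity rather than paged on, while three distinct discovery commands from the same source in a few minutes is the pattern the article describes and is escalated. The allowlists are the assumption that needs maintaining; if a peering partner’s automation legitimately runs read-only commands, that source and account belong in the expected set or every run will page.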


The company also pointed to the security measures it has in place, including multi-factor authentication for its entire workforce, network segmentation, comprehensive logging and monitoring, accelerated patching, and regular security testing. Each maps to a stage of the intrusion described above: logging of commands on network devices is what surfaced the unauthorized activity, and segmentation is what kept a foothold gained through a partner interconnect from becoming access to the systems that hold customer data.

While T-Mobile has successfully repelled this attack, the incident underscores the persistent and sophisticated nature of cyber threats facing the telecommunications industry. The Salt Typhoon group, also known as “Earth Estries,” has been active since at least 2019, primarily targeting government entities and telecommunications companies.

Malware used by Salt Typhoon

• GhostSpider: A newly discovered backdoor used in recent attacks.
• Masol RAT: A Linux backdoor that has evolved since 2019 to target different operating systems.
• Demodex: A Windows kernel-mode rootkit used for long-term persistence.
• SnappyBee: A modular backdoor shared among Chinese APT groups.
• ShadowPad: A malware platform used for espionage and system control.

Salt Typhoon’s diverse and evolving toolkit, combined with its sophisticated tactics, makes it one of the most aggressive and advanced Chinese APT groups currently in operation.


The post T-Mobile Spotted Chinese Salt Typhoon Hackers Attacking Its Routers appeared first on Cyber Security News.