
T-Mobile rebuffed breach attempts by hackers likely connected to China’s Salt Typhoon

T-Mobile recently detected attempts to infiltrate its systems by hackers believed to be linked to the China-backed Salt Typhoon hacking campaign.

In a blog post and in comments to Recorded Future News, the company explained that the intrusion attempts “originated from a wireline provider’s network” connected to T-Mobile.

“We quickly severed connectivity to the provider’s network as we believe it was – and may still be – compromised,” the company said. 

“We do not see these or other attackers in our systems at this time. We cannot definitively identify the attacker’s identity, whether Salt Typhoon or another similar group, but we have reported our findings to the government for assessment.”

A spokesperson declined to name the affected company and said they “cannot be certain of threat actor activity within the other provider's environment.” 

“[We] are taking a conservative approach and not reconnecting our systems to theirs until we can gain a high level of confidence in the security of their network and systems,” they said.

T-Mobile was one of several major telecommunication giants invited to the White House last week for a meeting centered around the Salt Typhoon campaign, which has alarmed senior officials due to revelations that Chinese actors gained access to call record data and potentially recordings of calls made by President-elect Donald Trump and Vice President-elect JD Vance. 

The hackers attacked systems at AT&T, Verizon and Lumen and also targeted the systems U.S. law enforcement agencies use for wiretaps.

A T-Mobile spokesperson confirmed that chief security officer Jeff Simon attended the meeting and said the company has offered its assistance to help the industry address the campaign but noted that they were asked to keep the contents of the White House meeting confidential. 

T-Mobile’s blog post, written by Simon, reiterates that while Salt Typhoon hackers gained access to phone calls, text messages and other sensitive information from government officials over an extended period of time, the company’s own systems were not impacted. 

Other than the detected attempts to infiltrate their systems over the last few weeks, T-Mobile found no evidence of breaches prior to this. T-Mobile’s defense systems “prevented any disruption of our services, and stopped the attack from advancing.”

“Bad actors had no access to sensitive customer data (including calls, voicemails or texts),” Simon wrote, adding that they shared what they learned with other providers and government officials. 

“As we all have a mutual goal to protect American consumers, we felt it was important to communicate more about what we’ve seen with providers who may still be fighting these adversaries.”

Part of why T-Mobile was prepared for these attacks, Simon said, is the company’s lengthy history of cyberattacks and breaches that have exposed troves of customer information.

The company was forced to invest heavily in cybersecurity in order to address those incidents, turning to layered defense mechanisms, more robust monitoring and better rapid response capabilities. Multifactor authentication is required for the company’s entire workforce, and Simon noted that they have segmented their network so any attacker would have difficulty moving beyond the initial compromised system. 

Despite the improvements, Simon was frank about the future, noting that the entire telecom industry is “now seeing activity from the most sophisticated cyber criminals we've ever faced,” adding that they “can't make any promises with absolute certainty.”

A spokesperson for T-Mobile told Recorded Future News that everything they learned about Salt Typhoon’s tactics was shared with both the private and public sector “so that they can use this intelligence to defend their own systems.”

For months, U.S. law enforcement agencies have warned that Salt Typhoon managed to burrow deep inside the networks owned by the country’s largest telecoms, giving them wide access to customer information. 

The hackers reportedly focused their information gathering on about 150 high-profile targets like Trump, Vance and staff members of Vice President Kamala Harris, as well as other senior government leaders like Senator Chuck Schumer (D-N.Y.).

Politico first reported that Salt Typhoon hackers gained access to Call Detail Records, which provide granular data on who a person spoke to, when, for how long, and where they were when they took the call. 

According to The New York Times, the Chinese hackers used their access to the wiretap system at several telecoms to see which of their spies had been identified by U.S. officials. They have also allegedly been able to access emails through their breach of several companies. 

Sen. Mark Warner (D-VA) told The Washington Post last week that the incident is the “worst telecom hack in our nation’s history — by far.” Warner said the hackers are believed to still be inside some telecom systems, and kicking them out may require a herculean effort of replacing thousands of routers and compromised devices. 

The campaign is so alarming to U.S. officials that President Joe Biden reportedly raised it during a meeting with Chinese President Xi Jinping in Peru last week. 

Salt Typhoon has also targeted telecommunications companies in Southeast Asia.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.