T-Mobile detected network intrusion attempts and blocked them

T-Mobile reported recent infiltration attempts but pointed out that threat actors had no access to its systems and no sensitive data was compromised.

T-Mobile detected recent infiltration attempts but confirmed no unauthorized system access occurred, and no sensitive data was compromised.

The carrier is investigating reports that are linking it to “Salt Typhoon” cyberattacks tied to Chinese state actors.

“Like the entire telecommunications industry, T-Mobile has been closely monitoring ongoing reports about a series of highly coordinated cyberattacks by bad actors known as “Salt Typhoon” that are reported to be linked to Chinese state-sponsored operations. Many reports claim these bad actors have gained access to some providers’ customer information over an extended period of time – phone calls, text messages, and other sensitive information, particularly from government officials. This is not the case at T-Mobile.” reads the report published by the telecommunications company. “To clear up some misleading media reports, here is what we’re currently seeing, much of which we believe is different from what is being seen by other providers.”

The carrier determined that the attacks originated from a wireline provider’s network that was connected to its systems.

The U.S. Telecom giant is not aware of instances of prior attempts like this.

The company’s defenses safeguarded customer data and services, blocking the attack. Connectivity to a compromised provider was interrupted, and T-Mobile notified industry and government leaders. The telco firm lacks conclusive attribution to Salt Typhoon or other APT groups.

China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.

According to the Wall Street Journal, which reported the news exclusively, the security breach poses a major national security risk. The WSJ states that the compromise remained undisclosed due to possible impact on national security. Experts believe that threat actors are aimed at gathering intelligence.

“A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.” reported the WSJ.

“For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter, which amounts to a major national security risk.”

The Salt Typhoon group targeted surveillance systems used by the US government to investigate crimes and threats to national security, including activities carried out by nation-state actors.

The investigation into the breaches of the U.S. broadband providers is still ongoing, government experts are assessing its scope.

Experts suspect the state-sponsored hackers have gathered extensive internet traffic and potentially compromised sensitive data.

This attack is the latest incident linked to China’s expansive espionage strategies.

U.S. officials are increasingly concerned about Chinese cyber efforts to infiltrate critical infrastructure. Intelligence experts believe that security breaches like this could enable disruptive attacks during potential future conflicts.

The Salt Typhoon campaign is part of this broader strategy. Experts are still investigating the origins of the attack and whether threat actors compromised Cisco routers.

This week Wall Street Journal first reported that experts are investigating the security breaches to determine if the attackers gained access to Cisco Systems routers, which are core network components of the ISP infrastructures.

A Cisco spokeswoman confirmed the investigation and said that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity, the spokeswoman said.

“Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information, according to people familiar with the matter.” Wall Street Journal reported.

“The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.”

China has long targeted global internet service providers and recent attacks are aligned with past operations linked to Beijing.

Intelligence and cybersecurity experts warn that Chinese nation-state actors have shifted from stealing secrets to infiltrate critical U.S. infrastructure, suggesting that they are now targeting the core of America’s digital networks.

The Salt Typhoon hacking campaign, linked to China, appears focused on intelligence gathering rather than crippling infrastructure, unlike the attacks carried out by another China-linked APT group called Volt Typhoon. Chris Krebs from SentinelOne suggested that the group behind Salt Typhoon may be affiliated with China’s Ministry of State Security, specifically the APT40 group, which specializes in intelligence collection. This group was publicly called out by the U.S. and its allies for hacking activities in July.

Last week, the US government’s Consumer Financial Protection Bureau (CFPB) advised employees to avoid using cellphones for work after China-linked APT group Salt Typhoon hackers breached major telecom providers.

The Consumer Financial Protection Bureau (CFPB) is a U.S. government agency created in 2011 to protect consumers in the financial sector, ensuring fair, transparent, and competitive financial markets

The agency has issued a directive to employees to reduce the use of their phones and invite them to use Microsoft Teams and Cisco WebEx for their meetings and conversations that involve nonpublic data.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, T-Mobile)