Chinese Salt Typhoon Hackers First Detected on Federal Networks Under a Different Alias: Cybersecurity Chief


Thanks to the guidance of tipsters, the cybersecurity agency successfully pieced together information to unravel what has been labeled one of the most severe telecom hacks in U.S. history.

The Chinese state-sponsored hacking group Salt Typhoon, which has attracted attention due to its infiltration of U.S. telecom companies, was initially detected on the federal network under a different alias, as stated by Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA).

“We identified it as a distinct operation, referred to by another quirky cyber title. Thanks to our visibility within the federal networks, we were able to connect some dots,” she explained during a panel discussion at the Foundation for Defense of Democracies on January 15.

The Salt Typhoon breaches reportedly compromised a significant number of Americans’ call logs, exposing them to Chinese espionage and alarming the U.S. intelligence community. In certain instances, hackers are said to have intercepted conversations among notable U.S. politicians and government officials. Some legislators have characterized these breaches as the most significant telecom hacks in U.S. history.

By December, it was revealed that nine American telecom companies had fallen victim to Salt Typhoon; however, the state-backed hacking group likely executed its espionage campaign “one to two years” prior to being uncovered, according to the CISA director.

The early identification under a different label allowed officials to make connections with the aid of tipsters from the private sector, which Easterly noted ultimately “led to kind of cracking open the larger Salt Typhoon piece.”

In a subsequent blog post on January 15, the CISA director described Beijing’s “sophisticated and well-resourced cyber program” as a threat to critical American infrastructure.

According to Easterly, while the administration has mitigated certain incursions by Chinese operatives, there remains a pressing need to enhance cybersecurity measures and awareness across both public and private sectors. In response, CISA has outlined three “lines of effort” aimed at addressing ongoing threats and reducing risks to American citizens.

The initial step focuses on removing Chinese cyber actors from victimized networks.

The second step involves establishing a joint cyber defense coalition among crucial information technology, communication, and cybersecurity industry stakeholders.

The third step encompasses services like CyberSentry, a CISA-managed threat detection initiative designed to lower risks posed by Chinese cyber actors. It also includes attack surface management services, which are a form of cyber defense that aids in recognizing and mitigating technological vulnerabilities that allow cyber threats to establish a foothold. As per Easterly, CISA has already extended this service to 7,000 critical service organizations.

‘Everything, Everywhere, All at Once’

The CISA director testified last year before the House Select Committee on the Chinese Communist Party. In her latest blog post, she emphasized the geopolitical backdrop of escalating cyber espionage against the United States, particularly from the Chinese government.

“I highlighted the very real risk that a crisis in Asia, triggered by a Taiwan invasion or a blockade of the Taiwan Strait, could significantly impact the safety and security of American citizens domestically,” Easterly explained.

Such an invasion, she noted, could trigger disruptive cyberattacks targeting “everything, everywhere, all at once,” impacting transportation nodes, telecommunications services, power grids, and water facilities.

“And likely much more—all aimed at inducing societal panic and hindering our capacity to mobilize military might and citizen resolve to defend Taiwan,” she stated.

Treasury Department Sanctions

On January 17, the U.S. Treasury Department announced sanctions against the Chinese cybersecurity firm Sichuan Juxinhe Network Technology Co. for its “direct involvement in the Salt Typhoon cyber group.”

“Chinese state-backed cyber operatives continue to be among the most significant and persistent threats to U.S. national security,” the Treasury Department indicated.

The Treasury also sanctioned Shanghai-based hacker Yin Kecheng, alleged to be behind a major breach of the department’s network in early December. This cyber actor is connected to China’s Ministry of State Security, according to the department.

Reuters contributed to this report.