On December 3, 2024, officials from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recommended that all users move to encrypted communications on their mobile devices. The recommendation was triggered by reports of an ongoing intrusion at AT&T, Verizon, Lumen, and other telecommunications providers by the Salt Typhoon threat actor. This activity was first reported in October 2024, but security recommendations were updated on December 4, 2024. Salt Typhoon is the name given to a Chinese state-affiliated threat actor who has repeatedly made headlines in 2024 for compromising global telecommunications and internet infrastructure companies.
In the latest intrusions at AT&T, Verizon, and Lumen, the threat actor reportedly targeted call records (phone numbers and times of calls) for the Washington, D.C. area, the actual phone calls of targeted users, and the systems the companies use to intake and provide responses to law enforcement requests. US government officials assess the campaign as purely espionage and have no timeline for when Chinese access will be removed from the providers’ networks.
What’s Notable and Unique
- Salt Typhoon’s latest intrusions join earlier Volt Typhoon intrusions at internet infrastructure companies identified during the summer of 2024. Combined, these two Chinese-affiliated threat actors are demonstrating persistent, multi-year dedication to widespread access to US internet and telecommunications networks for espionage purposes.
- This is not the first telecommunications provider compromise. AT&T notably announced several compromises earlier this year. However, the combined Salt Typhoon and Volt Typhoon activity represents a sustained attempt to access these providers, access that has not been, and may never be, fully removed due to the sophistication of their techniques, which leaves user communications at continuous risk.
- Although specific individuals were the reported targets of the Salt Typhoon intrusions, Chinese-affiliated threat actors are authorized to use their access, downtime, and skills for financial gain. On December 10, 2024, the US Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned one such Chinese national for using access to support Chinese espionage operations and launch Ragnarok ransomware attacks in 2020.
Analyst Comments
The recommendation for end users to use encrypted communications came alongside guidance CISA issued to network engineers and network defenders. The combined guidance reflects the two primary potential victims of Salt Typhoon activity: the initial targets and the customers of those targets. All US government intelligence community assessments in the last ten years have assessed that China will continue to intrude into US networks. By leveraging encrypted communications, users and enterprises can better protect their data from espionage and other collateral damage, such as ransomware attacks.
Sources
- U.S. officials urge Americans to use encrypted apps amid unprecedented cyberattack
- Joint Statement from FBI and CISA on the People’s Republic of China (PRC) Targeting of Commercial Telecommunications Infrastructure
- Enhanced Visibility and Hardening Guidance for Communications Infrastructure
- PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
- Volt Typhoon targets US critical infrastructure with living-off-the-land techniques
- Treasury Sanctions Cybersecurity Company Involved in Compromise of Firewall Products and Attempted Ransomware Attacks
- US sanctions Chinese firm for hacking firewalls in ransomware attacks