US telecommunications giant T-Mobile has confirmed that it was targeted by Chinese cyber actors, part of a broader campaign aimed at stealing valuable information. The group behind the attack, identified as Salt Typhoon, launched a months-long operation to gain unauthorized access to sensitive communications, primarily focusing on high-value intelligence targets.
While the specifics of the data accessed remain unclear, T-Mobile stated that it has been closely monitoring the situation. A company spokesperson reportedly reassured the public, saying, "At this time, T-Mobile systems and data have not been significantly impacted, and we have no evidence that customer information was compromised." The company also noted that it is continuing to cooperate with industry partners and authorities as the investigation progresses.
T-Mobile’s breach adds to the growing list of major telecom companies, including AT&T, Verizon, and Lumen Technologies, that have been targeted in what appears to be a large-scale cyber espionage campaign. The U.S. government recently acknowledged the scope of the attacks, confirming that Chinese-affiliated hackers had infiltrated several telecom networks. The aim was to steal customer call records, access private communications of certain individuals involved in government and political activities, and obtain information that was subject to U.S. law enforcement orders.
Salt Typhoon, also known by other aliases like Earth Estries and FamousSparrow, has been linked to multiple global cyberattacks since at least 2020. Trend Micro researchers revealed that the group had targeted government and technology sectors across various countries, including the US, Taiwan, the Philippines, and Germany. The group uses a mix of legitimate and custom-developed tools to bypass defences and maintain persistent access to compromised networks.
The group's tactics include exploiting vulnerabilities in internet-facing services and remote management tools, with some attacks leveraging misconfigured QConvergeConsole installations. Salt Typhoon has been observed using malware like Cobalt Strike and custom-built payloads, including TrillClient, a Go-based stealer, and backdoors like HemiGate and Crowdoor. These tools are employed to steal credentials and exfiltrate data, often using anonymized services to avoid detection.
As the investigation into these breaches continues, cybersecurity experts are concerned about the increasing sophistication of such cyber espionage campaigns, which could further expand in scope. The ongoing efforts to safeguard telecom infrastructure are expected to evolve as new details emerge from the probe.