Recently, Chinese advanced persistent threat activity dubbed “SALT TYPHOON” was linked to intrusions that accessed major U.S. broadband providers such as AT&T and Verizon Communications, among others. Per reporting, the threat actors appeared to have maintained access for several months, though there has been very little information as to how these actors gained initial entry. SALT TYPHOON has been active since at least July 2020, and has been associated with other cyber espionage and data theft activities targeting government and telecommunications entities around Southeast Asia. The group has advanced capabilities, and initial indications are that it is affiliated with China’s principal intelligence agency, the Ministry of State Security (MSS), whose security departments have been linked to other Chinese APT groups such as APT10 and APT31.
This major revelation comes at a time when other notable China-linked cyber espionage activity has garnered significant media attention, and the United States government has escalated its talk about the Chinese cyber threat. In early 2024, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on VOLT TYPHOON, a moniker assigned to extensive Chinese cyber reconnaissance designed to compromise critical infrastructure networks in order to maintain access that could be used for further exploitation or disruption. Other affiliated activity of note dubbed GINGHAM TYPHOON has been expanding operations in the South Pacific, and FLAX TYPHOON, a China-linked crew, has been running a large botnet operation. While China has long been suspected of conducting rampant cyber espionage and intellectual property theft, its perceived evolution to compromising networks of “no apparent intelligence value” has spurred fear that such exploitation is prepositioning for more disruptive results.
Therefore, it is unsurprising that the recent revelation of SALT TYPHOON has garnered much concern from government and national security experts, because it highlighted yet another incident of suspected Chinese government-linked threat actors exploiting U.S. critical infrastructure. But perhaps more interesting about this particular activity is that the intrusion may have given these actors access to systems that “support foreign intelligence surveillance.” Should these actors have successfully exploited those systems, they could ostensibly have had access to the U.S. court-ordered wiretap system that is vital to the authorities granted to law enforcement and national security agencies. The sensitivities behind this type of information are extreme, as it could expose ongoing confidential investigations and provide insight into not only how the U.S. conducts its surveillance operations, but against whom it is conducting them.
To be fair, it is unclear if this was the primary motive behind China’s compromise of these Internet Service Providers or a byproduct of it. However, given the evolution of how China conducts cyber espionage, the diversity and range of its operations, and its appetite for collecting all sorts of information, this appears to fit squarely into Beijing’s wheelhouse. The potential exploitation of the court wiretap system is certainly a novel form of intelligence collection that indicates Beijing is thinking outside the data collection box. Per the newspaper that broke the story, “It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.” While it is not clear exactly what types of information those systems hold, reporting suggests they could provide insight into which individuals are being targeted by surveillance, how the surveillance is being conducted, and what devices could be at risk of such monitoring. As one site put it, “if there is a means to access a customer’s data, the phone companies and internet providers must provide it.” It would follow that China could learn whether individuals it is trying to recruit are being monitored by U.S. law enforcement and national security entities. Such an understanding would prove beneficial to Beijing and could be leveraged for its intelligence advantage.
Perhaps more alarming, and what deserves closer scrutiny, is the fact that this “legally required backdoor” (the lawful intercept capability that U.S. carriers must build into their networks under the 1994 Communications Assistance for Law Enforcement Act, CALEA) was allowed to exist in the first place, not that a foreign adversary would seek to exploit it. As one online cybersecurity periodical points out, the security community never approved of such backdoors, citing the extreme difficulty of securing them and the fact that, once compromised, they could be easily abused by threat actors, especially those that are technically sophisticated in their own right. Backdoors are backdoors for a reason, and they are agnostic about who uses them: the same interface that serves a court order serves an intruder who reaches it, and an intruder who reaches it gets not just the intercepts but the list of who is being intercepted. As such, an independent review of their utility should be undertaken to see if their benefits outweigh the costs of their discovery and misuse.
One of the arguments levied against China’s cyber operations is that its recent intrusion efforts against critical infrastructure go beyond traditional intelligence collection. This is an interesting claim given that there are no internationally agreed-upon requirements for what constitutes acceptable cyber espionage; governments will typically do what they believe is in their national security interest. Nevertheless, while focus is placed on the possible disruption such access could provide, the value of being able to operationalize this intelligence may be the bigger concern for the United States law enforcement and intelligence communities. China has long waged an all-out intelligence campaign against the United States, steadily shifting its collection focus to support longer-term, strategic goals and truly maximizing the data it has collected through clandestine means. The extent to which China was able to get information from the wiretap system may not be felt immediately, but it is still a win in the intelligence battle between Beijing and Washington, as the loss of any amount of that wiretap data could complicate further surveillance efforts.
But the biggest kick in the teeth is not that China possibly compromised a high-profile network; it is that it turned the very access created by its opponent to its own exploitation purposes.