The FBI is offering $10 million for information about the China-state hacking group tracked as Salt Typhoon and its intrusion last year into sensitive networks belonging to multiple US telecommunications companies. Salt Typhoon is one of a half-dozen or more hacking groups that work on behalf of the People’s Republic of China. Intelligence agencies and private security companies have concluded the group has been behind a string of espionage attacks designed to collect vital information, in part for use in any military conflicts that may arise in the future.
A broad and significant cyber campaign
The agency on Thursday published a statement offering up to $10 million, relocation assistance, and other compensation for information about Salt Typhoon. The announcement specifically sought information about the members of Salt Typhoon and the group's compromise of multiple US telecommunications companies last year. “Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale,” FBI officials wrote.
“This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests.” Salt Typhoon is one of several names the government and private researchers use to track the group, which they say has been active since at least 2019. Other tracking names include RedMike, Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286.
Over the years, Salt Typhoon has been behind multiple compromises of telecommunications companies around the world, including many in the US. About a year ago, the group stepped up those activities. One of the most damaging attacks attributed to Salt Typhoon was detailed last October by The Wall Street Journal.
The news outlet, citing people familiar with the matter, reported that group members breached networks belonging to Verizon, AT&T, and Lumen/CenturyLink in a campaign of “vast collection of Internet traffic from ISPs that served businesses and millions of their American customers.” As part of those incursions, The Washington Post said, Salt Typhoon may have gained access to systems used for court-authorized wiretaps of communications networks. The sources had no positive proof, but said evidence suggested US wiretapping systems had been penetrated.
The FBI's reward announcement seems to confirm the access. In December, officials in the Biden administration told reporters Salt Typhoon had breached telecom companies in dozens of countries, including eight US telecom providers, doubling the previously known number. The attacks, the officials said, had likely been underway for one to two years.
The officials said they didn’t know if the hackers had been fully evicted from the breached networks. Researchers at Recorded Future’s Insikt Group said in February that Salt Typhoon’s campaigns had continued through the new year, with a string of attacks targeting Internet-facing Cisco network devices used by telecom operators. The two primary vulnerabilities exploited in that campaign were CVE-2023-20198 and CVE-2023-20273, both of which had received patches more than a year before Salt Typhoon exploited them.
The FBI has created a site on the dark web (he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion) and established a Signal number (+1-202-702-7843) that can receive tips, a likely attempt to make things easier for people in the heavily Internet-censored PRC to submit them. Tipsters can also contact the agency here.
FBI offers $10 million for information about Salt Typhoon members

FBI accepts tips by TOR in likely attempt to woo China-based informants.