Tag Archives: Salt Typhoon cyberattack

Who Trusts Microsoft? The Locked-In

In 2024, the Department of Homeland Security released a scathing report detailing Microsoft’s mistakes during a 2023 hack in which China stole thousands of emails from top government officials. Two years before that, China-linked cyberattackers compromised more than 250,000 Microsoft Exchange servers. In response to the 2024 report, Nadella, the CEO of Microsoft, promised to rededicate Microsoft to protecting its products and its customers from bad actors…

Shortly after Nadella took the reins, Microsoft eliminated the group that had companywide responsibility for Microsoft’s security work, pushing security decisions to the individual business units. Around the same time, Microsoft changed the way it developed software, laying off many of the test engineers charged with uncovering bugs before products ship to customers…

With regard to the July 2025 Microsoft hack, researchers said more than 400 SharePoint servers had been hacked—many of them belonging to government entities—and Microsoft had linked some of the attacks to the Chinese government.

In previous episodes, such as the massive 2021 hack of the Microsoft Exchange email system, China pulled off impressive technical feats before being caught…

Regarding the 2025 SharePoint cyberattack, Eye Security researchers discovered, on July 18, 2025, an unauthorized script on a SharePoint server belonging to one of their customers. As the Eye team dug in, they started finding the same script on about 150 other SharePoint servers all over the internet…The script opened a back door to the SharePoint servers, creating an encryption key that could be used later to run commands on the machine. “It was just like a door key left on the street,” said Kerkhofs. “It was accessible for everybody. We just started scanning and we grabbed all the keys.”…Microsoft, learning that hackers were exploiting the bugs, called in its security team.

Eventually the Eye team discovered 80 infected organizations. European government agencies were compromised, as were U.S. federal agencies, municipalities and universities…

On July 20, 2025, the Energy Department confirmed that it was a victim… News of the compromise was reported by Bloomberg, which said that the National Nuclear Security Administration was specifically victimized.

Excerpt from Robert McMillan, A Failed Microsoft Security Patch Is the Latest Win for Chinese Hackers, WSJ, July 25, 2025

What is the Real Trump Card of China

Chinese officials acknowledged in a secret December 2024 meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate. The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said. …The Chinese official’s remarks at the December meeting were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan, a former U.S. official familiar with the meeting said.

Excerpts from Dustin Volz, In Secret Meeting, China Acknowledged Role in U.S. Infrastructure Hacks, WSJ, Apr. 10, 2025

The Under-the-Hood Cyberattacks

The Biden administration sanctioned a Chinese company in January 2025 that it said was behind the vast cyber intrusions into U.S. telecommunications networks that swept up phone calls of scores of U.S. government officials as well as those of incoming President Donald Trump.

The U.S. Treasury Department said that Sichuan Juxinhe Network Technology Co. was directly involved in the deep compromises of the telecommunications firms, which U.S. officials and lawmakers have said is a historically damaging espionage campaign carried out on behalf of the Chinese government. The firm is based in the Sichuan province of China and advertises itself as a technology-services and cybersecurity company.

Separately, U.S. authorities sanctioned a Shanghai-based hacker, Yin Kecheng, whom they allege was involved in an unrelated breach of sensitive systems within the Treasury Department itself. Neither Sichuan Juxinhe nor Yin Kecheng could immediately be reached for comment.

The sanctions… are the most direct public response to the telecom hacks, which were first revealed by The Wall Street Journal in 2024 and have been attributed to a hacking group dubbed Salt Typhoon. The sanctions will block U.S. transactions with Sichuan Juxinhe and allow for the seizure of any property or interests the firm has within the U.S. It couldn’t be immediately established whether the firm, for which little information was available online, had any U.S.-held assets or property.

Hackers compromised at least nine American telecommunications firms, scooping up enormous amounts of call-log data and the unencrypted texts and call audio from several dozen specific high-value targets. They also accessed wiretap-surveillance systems at victim companies Verizon Communications and AT&T in an apparent effort to learn how much the FBI and others understood about Beijing’s spies operating in the U.S. and internationally, according to investigators.

In the Treasury Department hack, China is believed to have accessed unclassified files located on compromised work computers of a range of senior officials, including Secretary Janet Yellen… The intrusion occurred through a hacked third-party software vendor called BeyondTrust, which was able to remotely access virtually any Treasury work computer, the people said. The department’s sanctions office itself—the same one that imposed penalties—was breached in the hack, as were other offices that possess sensitive nonpublic information. 

Excerpt from The U.S. Sanctions Beijing Firm Behind Major ‘Salt Typhoon’ Telecom Hacks, WSJ, Jan. 17, 2025

When Phones Become Useless: the Attack on US Telecommunications Infrastructure

The Consumer Financial Protection Bureau has issued a directive to employees to reduce the use of their phones for work matters because of China’s recent hack of U.S. telecommunications infrastructure. In an email to staff sent November 7, 2024, the chief information officer at the Consumer Financial Protection Bureau warned that internal and external work-related meetings and conversations that involve nonpublic data should only be held on platforms such as Microsoft Teams and Cisco WebEx and not on work-issued or personal phones.

“Do NOT conduct CFPB work using mobile voice calls or text messages,” the email said, while referencing a recent government statement acknowledging the telecommunications infrastructure attack. “While there is no evidence that CFPB has been targeted by this unauthorized access, I ask for your compliance with these directives so we reduce the risk that we will be compromised,” said the email, which was sent to all CFPB employees and contractors.

The alert is the latest demonstration of concerns within the federal government about the scale and scope of the hack, which investigators are still endeavoring to fully understand and have attributed to a group dubbed Salt Typhoon. The hackers are said to have compromised data about calls and in some cases recorded phone audio from certain high-value targets, including individuals affiliated with both the Trump and Harris presidential campaigns… A directive to avoid cellphone use in response to a specific threat is rare for a government agency and reflects the level of concern among investigators about the severity of the breaches of telecommunications companies, including Verizon and AT&T…U.S. investigators believe hackers tied to a Chinese intelligence agency are responsible for the breaches and that they have targeted an array of senior national security and policy officials across the U.S. government in addition to politicians.

Excerpts from Anna Maria Andriotis and Dustin Volz, US Agency Warns About Chinese Phone Hacks, WSJ, Nov. 8, 2024

How to Create Panic? China’s Typhoons

Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in 2024 in pursuit of sensitive information…The hacking campaign, called Salt Typhoon by investigators, hasn’t previously been publicly disclosed and is the latest in a series of incursions that U.S. investigators have linked to China in recent years. The intrusion is a sign of the stealthy success Beijing’s massive digital army of cyberspies has had breaking into valuable computer networks in the U.S. and around the globe.

In Salt Typhoon, the actors linked to China burrowed into America’s broadband networks. In this type of intrusion, bad actors aim to establish a foothold within the infrastructure of cable and broadband providers that would allow them to access data stored by telecommunications companies or launch a damaging cyberattack…Investigators are exploring whether the intruders gained access to Cisco Systems routers, core network components that route much of the traffic on the internet, according to people familiar with the matter. Microsoft is investigating the intrusion and what sensitive information may have been accessed, people familiar with the matter said.

China has made a practice of gaining access to internet-service providers around the world. But if hackers gained access to service providers’ core routers, it would leave them in a powerful position to steal information, redirect internet traffic, install malicious software or pivot to new attacks.

In September 2024, U.S. officials said they had disrupted a network of more than 200,000 routers, cameras and other internet-connected consumer devices that served as an entry point into U.S. networks for a China-based hacking group called Flax Typhoon. And in January 2024, federal officials disrupted Volt Typhoon, yet another China-linked campaign that has sought to quietly infiltrate a swath of U.S. critical infrastructure. “The cyber threat posed by the Chinese government is massive,” said Christopher Wray, the Federal Bureau of Investigation’s director, speaking earlier this year at a security conference in Germany. “China’s hacking program is larger than that of every other major nation, combined.”

U.S. security officials allege that Beijing has tried and at times succeeded in burrowing deep into U.S. critical infrastructure networks ranging from water-treatment systems to airports and oil and gas pipelines. Top Biden administration officials have issued public warnings over the past year that China’s actions could threaten American lives and are intended to cause societal panic. The hackers could also disrupt the U.S.’s ability to mobilize support for Taiwan in the event that Chinese leader Xi Jinping orders his military to invade the island…

Excerpts from Sarah Krouse et al., China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack, WSJ, Sept. 26, 2024