The China-linked threat group known as Salt Typhoon has hacked into the networks of several major broadband providers in the United States, potentially compromising wiretap systems, according to The Wall Street Journal.
The publication reported last month that Salt Typhoon had compromised the systems of unnamed ISPs in the US in search of sensitive information. Salt Typhoon is believed to be a Chinese state-sponsored APT.
The WSJ had a follow-up article (paywalled) over the weekend, revealing — based on information from people familiar with the matter — that the threat actor breached the networks of major American telecom companies such as Verizon, AT&T and Lumen Technologies, as well as some service providers outside the US.
The attackers may have gained access to systems used by the targeted ISPs to work with government agencies in response to court-authorized wiretapping requests. The incident has raised concerns of national security risks because these systems enable investigations into criminal and national security matters.
The WSJ’s sources said the systems used for domestic information may have been impacted, and it’s unclear whether systems used for foreign intelligence surveillance were also exposed.
The hackers may have also gained access to more generic internet traffic, the WSJ reported.
SecurityWeek has reached out to Verizon, AT&T and Lumen for comment. Lumen was the only company that responded by press time, but it declined to comment.
It’s worth pointing out that the Black Lotus Labs team at Lumen Technologies has been tracking sophisticated threat actors linked to China, including the ones tracked as Volt Typhoon and Flax Typhoon. It would not be surprising if the company soon issues a report on Salt Typhoon activities as well.
Microsoft and other cybersecurity firms are also investigating the Salt Typhoon attacks, according to the WSJ.
Salt Typhoon is tracked by other companies as FamousSparrow and GhostEmperor.
In 2021, ESET described FamousSparrow as a cyberespionage group that has been active since at least 2019. The security firm reported at the time that the threat actor had been mainly observed targeting hotels, but also government organizations, law firms, and international companies in Brazil, Canada, Israel, Saudi Arabia, Taiwan, the UK and other countries.
The GhostEmperor name was given to the threat group by Kaspersky, which described it in 2021 as a highly skilled and stealthy actor mostly targeting telecommunications and government entities in Southeast Asia. The group was not seen again until late 2023, when Sygnia spotted attacks delivering a rootkit.