The FBI has asked the public for information on the Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide.

The Chinese Salt Typhoon cyber-espionage group (also tracked as Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286) has been breaching government entities and telecom companies since at least 2019.

On Thursday, the FBI issued a public service announcement seeking tips that could help identify and locate the Salt Typhoon hackers who targeted U.S. telecommunications infrastructure.

"Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale. This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests," the FBI said.

"FBI maintains its commitment to protecting the US telecommunications sector and the individuals and organizations targeted by Salt Typhoon by identifying, mitigating, and disrupting Salt Typhoon's malicious cyber activity."

The FBI also noted that the U.S. Department of State is offering a reward of up to $10 million through its Rewards for Justice (RFJ) program for information about foreign government-linked hackers involved in malicious cyber activities against U.S. critical infrastructure.

In October, the FBI and CISA confirmed that the Chinese state hackers had breached multiple U.S. telecom providers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) as well as many other telecom companies in dozens of countries. As revealed at the time, while they had access to the U.S. telecoms' networks, the attackers also accessed the U.S. law enforcement wiretapping platform and gained access to the "private communications" of a "limited number" of U.S. government officials.

Between December 2024 and January 2025, the group breached more telecommunications companies worldwide by exploiting privilege escalation and Web UI command injection vulnerabilities in unpatched Cisco IOS XE network devices. These additional breaches include a U.S. internet service provider (ISP), a U.S.-based affiliate of a U.K. telecommunications provider, an Italian ISP, a South African telecom provider, and a large Thai telecommunications provider.

Cisco has also revealed that the Chinese hackers use a custom malicious tool, JumbledPath, to stealthily monitor network traffic and likely capture sensitive data from compromised U.S. telecommunication providers' networks.

In January, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against Sichuan Juxinhe Network Technology, a Chinese cybersecurity firm believed to be directly involved in the Salt Typhoon telecom breaches.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 25 Apr 2025 09:35:07 +0000