Salt Typhoon attacks may have hit more US firms than previously thought

Flag of the People's Republic of China overlaid with a technological network of wires and circuits.

(Image credit: Shutterstock)

More victims of Salt Typhoon attack unveiled by WSJ
The extent of the damage caused by the attack is still unknown
Some telecoms providers have removed the attackers from their systems

The recent Salt Typhoon cyberattacks may have breached more telecommunications providers than previously thought, with Charter Communications, Consolidated Communications, and Windstream all now believed to also have been affected.

The fresh list of victims comes from a new report by the Wall Street Journal, who cited people familiar with the matter.

The attack also exploited Fortinet network devices that did not have up-to-date security software installed, as well as vulnerable Cisco large network routers.

Attack may have started in 2023

The attack against US telecoms providers was first publicized in a joint statement by the Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) on October 25, 2024 - however, the WSJ report states the attack is believed to have started as far back as fall of 2023 - around the same time US National Security Advisor Jake Sullivan was briefing telecom and tech executives on the depth and breadth of Chinese penetration into US critical infrastructure.

Salt Typhoon is now known to have successfully breached the networks of AT&T, Verizon, Lumen Technologies, and T-Mobile in the attack, but little is known about what data the China-affiliated group was able to access.

Both Lumen and T-Mobile have said that they successfully stopped the group from accessing sensitive customer information, with Verizon confirming that the data of a limited number of high-profile individuals involved in politics was targeted in attacks.

Salt Typhoon also gained access to a ‘lawful interception’ channel used by law enforcement agencies to perform court-ordered wiretaps for national security purposes, with China repeatedly denying any involvement in the attacks and accusing the US of spreading misinformation. China even went so far as to label Volt Typhoon - a similar group believed to be associated with Beijing - as a CIA asset set up to discredit the US’ rivals across the Pacific.

Both Fortinet and Cisco did not comment on the WSJ report, but both organizations have been in the cross hairs of cyber attacks from a range of cyber criminal groups.

Network routers with outdated firmware have been a favorite target as an initial access point for attackers and botnets for several years. Fortinet has also experienced a spate of attacks on its Windows VPN service and Fortigate VPN systems.

These are the best endpoint protection services around
Take a look at our guide to the best business VPN
Could AI soon make dozens of billion-dollar nuclear stealth attack submarines more expensive and obsolete?

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.