The list of telecommunications victims in the Salt Typhoon cyberattack continues to grow. A new report names Charter Communications, Consolidated Communications, and Windstream among those breached by Chinese government snoops. AT&T, Verizon, and Lumen Technologies previously confirmed that their networks had been compromised by Beijing.
The White House stated that at least nine companies had been breached by Salt Typhoon in what the US government called a “significant cyber espionage campaign” against American operators. Over the weekend, the Wall Street Journal added Charter, Consolidated, and Windstream to the list of affected telecom companies. All three companies declined to comment on the breaches.
The article also mentions T-Mobile, but a spokesperson stated that “T-Mobile is not one of the nine being referenced by the government.”
The Salt Typhoon attackers reportedly exploited unpatched network devices from Fortinet and Cisco to gain entry to the networks. In at least one breach, the intruders took over a “high-level network management account” lacking multi-factor authentication. This granted them access to more than 100,000 routers.
This breach, which allegedly occurred in AT&T’s network, may have allowed the hackers to redirect traffic back to China and delete their digital tracks, the Wall Street Journal noted.
AT&T, Cisco, and Fortinet did not respond to requests for comment.
This incident aligns with a Justice Department warning from January 2024 regarding another Chinese-government-linked group, Volt Typhoon. Volt Typhoon used malware-infected Cisco routers to break into US energy, water, and manufacturing facilities. Reports from the fall indicated that Volt Typhoon was again exploiting old Cisco routers to breach critical infrastructure networks and launch cyberattacks.
Chinese government-linked hackers have also exploited Fortinet vulnerabilities in previous cyberattacks. Alongside the Salt Typhoon intrusions, Chinese spies allegedly breached US Treasury Department workstations in late 2024. This capped a year marked by several targeted intrusions into American critical infrastructure networks.
The pattern signals a shift from conventional espionage to preparing for potential disruptive operations. CrowdStrike Senior VP of Counter Adversary Operations, Adam Meyers, emphasized the severity of these intrusions. “Every organization should see this as notice that there are hostile nation-state entities targeting them,” Meyers noted.
“If you are involved in any business tied to the broader international ecosystem, or providing services crucial to critical infrastructure, you’re in the line of fire,” he warned.