WSJ 09/10/24
WASHINGTON—U.S. officials are racing to understand the full scope of a China-linked hack of major U.S. broadband providers, as concerns mount from members of Congress that the breach could amount to a devastating counterintelligence failure.
In letters to AT&T, Verizon and Lumen, lawmakers ask about proposed measures the companies will take to protect U.S. wiretap systems
By Dustin Volz and Drew FitzGerald
Oct. 11, 2024 at 5:30 am ET
Federal authorities and cybersecurity investigators are probing the breaches of Verizon Communications, AT&T and Lumen Technologies. A stealthy hacking group known as Salt Typhoon tied to Chinese intelligence is believed to be responsible. The compromises may have allowed hackers to access information from systems the federal government uses for court-authorized network wiretapping requests, The Wall Street Journal reported last week.
Among the concerns are that the hackers may have essentially been able to spy on the U.S. government’s efforts to surveil Chinese threats, including the FBI’s investigations.
The House Select Committee on China sent letters Thursday asking the three companies to describe when they became aware of the breaches and what measures they are taking to protect their wiretap systems from attack.
Spokespeople for AT&T, Lumen and Verizon declined to comment on the attack. A spokesman at the Chinese Embassy in Washington has denied that Beijing is responsible for the alleged breaches.
Combined with other Chinese cyber threats, news of the Salt Typhoon assault makes clear that “we face a cyber-adversary the likes of which we have never confronted before,” Rep. John Moolenaar, the Republican chairman of the House Select Committee on China, and Raja Krishnamoorthi, the panel’s top Democrat, said in the letters. “The implications of any breach of this nature would be difficult to overstate,” they said.
Hackers still had access to some parts of U.S. broadband networks within the last week, and more companies were being notified that their networks had been breached, people familiar with the matter said. Investigators remain in the dark about precisely what the hackers were seeking to do, according to people familiar with the response.
The breaches are considered by some investigators to be a possibly catastrophic security lapse that could have enabled China to spy on U.S. domestic wiretapping efforts, but others have cautioned that it is too soon to know the severity of the intrusions.
In separate letters also sent Thursday to the companies, Cathy McMorris Rodgers (R., Wash.), the chairwoman of the House Energy and Commerce Committee, and other lawmakers on Capitol Hill pressed for answers and requested briefings by the end of next week.
Sen. Ron Wyden, a Democrat on the Senate Intelligence Committee and a leading voice in Congress on cybersecurity issues, said in his own dispatch Friday to the Justice Department and the Federal Communications Commission that the companies were responsible for their own cybersecurity failures but that “the government shares much of the blame.”
The agencies for decades ignored warnings about vulnerabilities in systems required to comply with law enforcement surveillance requests, Wyden wrote. His office separately asked the FCC for security and integrity plans submitted by AT&T, Verizon, and Lumen under the Communications Assistance for Law Enforcement Act, the federal law that requires telecommunications firms to allow U.S. agencies access to data pursuant to a court order.
The alleged Salt Typhoon attack follows a string of recent telecom-security lapses. In July, AT&T revealed that a hacker had stolen call and text-message metadata covering nearly all of its cellular customers’ activity during a six-month span in 2022. The telecom giant said the breached system wasn’t used for any law enforcement purpose. It was also one of more than 100 customers of the software provider Snowflake attacked earlier this year.
After that hack, Wyden requested a briefing from the Justice Department concerning steps the department had taken to ensure AT&T was protecting the sensitive surveillance services it provides to the government. The DOJ ignored Wyden’s request, an aide to the senator said. A spokeswoman for the department said it was in touch with Wyden’s office.
The view of the Salt Typhoon hack in Washington has evolved since it was first disclosed publicly by the Journal two weeks ago, when many senior Biden administration officials—and the companies themselves in some cases—weren’t yet aware of the intrusions.
Last week, the president’s daily brief—a classified daily compendium of security threats and issues produced by the nation’s spy agencies for President Biden—included information about the hack, according to people familiar with the matter. Staff on the congressional intelligence committees have also been briefed on the intrusions.
The hack is one of several ongoing cyber campaigns linked to Beijing’s intelligence services that have stunned U.S. officials both in terms of their sophistication and audacious intent.
Other recent hacks tied to China have focused on maintaining quiet but persistent access to vital infrastructure ranging from airports to energy providers and water treatment systems.
In contrast, the Salt Typhoon compromise is being treated by the Biden administration as a more traditional cyber-espionage threat.
In recent years, the federal government, often in close coordination with private-sector partners such as Microsoft and others, has become increasingly comfortable disclosing and discussing foreign hacking operations as a means to spread awareness of the threats, promote fixes to software vulnerabilities, and to name and shame the attackers.
That hasn’t been the case this time. The number of people being read into the breaches has remained small in both the government and in companies responding to them because of concerns about leaks and the sensitive nature of the compromises, according to current and former U.S. officials.
It remains unclear whether other U.S. surveillance programs were targeted by the hackers. Former U.S. officials said that while a breach of the court-authorized wiretapping systems that are governed under the Communications Assistance for Law Enforcement Act would be extremely significant, a far more dire scenario would involve the compromise of systems used for foreign intelligence collection under a separate law known as the Foreign Intelligence Surveillance Act, or FISA.
While the law enforcement wiretaps chiefly concern surveillance within the U.S. that can be used in court proceedings, FISA surveillance generally points beyond U.S. borders and is seen as the most vital intelligence tool available to American spy agencies. It couldn’t be determined if systems that support foreign intelligence surveillance were also vulnerable in the breach.
“If Chinese intelligence operatives were able to get access to the government’s foreign-intelligence surveillance systems, either with the ability to identify all or a significant portion of the targets under collection, it would be a counterintelligence failure of the highest order,” said Jamil Jaffer, a former White House national security official and executive director of the National Security Institute at the George Mason University’s Scalia Law School.
Sarah Krouse and Aruna Viswanatha contributed to this article.
Write to Dustin Volz at dustin.volz@wsj.com and Drew FitzGerald at andrew.fitzgerald@wsj.com
