Salt Typhoon: The Chinese Phone Hack

What really happened — and what didn't — in the 2024 telecom cyberattack.

Skeptoid Podcast #974
Filed under Conspiracy Theories


by Brian Dunning
February 4, 2025

In late 2024, news outlets worldwide reported that investigators had discovered a widespread Chinese cyberattack against American cell phone networks. Many described it as the largest such breach in history. When it was found that Donald Trump, JD Vance, Kamala Harris, and many of their staffers were included in the attack, a lot of people figured this was part of a coordinated scheme to influence the outcome of the US election. It also took place during the escalating trade war between the United States and China, and some interpreted that it was Chinese retaliation for the trade war. The hacker group was called Salt Typhoon, and today we're going to take a deep dive into it and see what it was really about, and not about.

Salt Typhoon is the name given by Microsoft security researchers to a large and versatile group of hackers in China. We don't know what they might call themselves, if anything, but they are known to be a Chinese contractor often used by China's Ministry of State Security. Salt Typhoon has infiltrated computer systems not just in the United States, but in dozens of countries. They sometimes steal corporate intellectual property and conduct lots of attacks against hotels to steal their data, but their main focus is on national counterintelligence systems, trying to find out what their international counterparts know about them. They are also known by other names given by other security companies: Earth Estries, GhostEmperor, FamousSparrow; but Salt Typhoon is the most commonly used.

In non-technical language, here is basically how they did it. The hackers exploited vulnerabilities in certain network hardware devices, like firewalls or routers. Manufacturers of these devices constantly look out for such vulnerabilities, and when they find one, they issue a software update to patch it. But owners of the devices do not always apply these updates, leaving the devices open to a publicly-known vulnerability.

There are software programs known as penetration tools that will automatically search for certain vulnerabilities. If you own a website, it has been probed by these tools. Your server logs probably show that attempts were made to access common URLs of administrators' portals, like /login or /administrator, and many others. Common usernames and passwords, like admin and 123456, are submitted in bulk — pretty much everything from Wikipedia's list of the 10,000 most common passwords. Obviously the vast majority of these fail, but occasionally one gets through. When it does, the hacker is notified, and now he can log into your system as an administrator and start poking around. This is a relatively dumb attack called a brute-force attack.
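The server-log pattern just described is exactly what a defender looks for. The following is an added example, not code from the Skeptoid episode: it parses a handful of constructed web-server log lines and flags any client that sends a burst of failed POSTs to an admin login path, then records whether a successful login followed that burst, the "occasionally one gets through" case. The log layout, the set of login paths, the threshold and the time window are all assumptions.

```python
"""Detect brute-force login attempts in web-server access logs.

Added example (not from the Skeptoid episode). The log format, login
paths, threshold and window below are assumptions, not a real product's.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed layout:
# <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes>
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2025:10:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [04/Feb/2025:10:00:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [04/Feb/2025:10:00:02 +0000] "POST /administrator HTTP/1.1" 401 512
203.0.113.7 - - [04/Feb/2025:10:00:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [04/Feb/2025:10:00:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [04/Feb/2025:10:00:05 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.23 - - [04/Feb/2025:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 4096
198.51.100.23 - - [04/Feb/2025:10:00:40 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.23 - - [04/Feb/2025:10:01:20 +0000] "POST /login HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Admin/login paths worth watching; an assumed list, extend for your site.
LOGIN_PATHS = {"/login", "/administrator", "/admin", "/wp-login.php"}


def parse_line(line: str) -> dict | None:
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> dict[str, dict]:
    """Return {ip: info} for every client with >= threshold failed login POSTs
    inside a sliding `window`.

    A 401/403 on a login path counts as a failure. A 200 on a login path from a
    client already flagged is recorded as `success_after_burst`: the guess that
    finally got through and now deserves an incident ticket, not just a block.
    """
    failures: dict[str, list[datetime]] = defaultdict(list)
    flagged: dict[str, dict] = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] in (401, 403):
            # Keep only the failures that fall inside the window ending now.
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                info = flagged.setdefault(ip, {"failures": 0, "success_after_burst": False})
                info["failures"] = len(recent)
        elif rec["status"] == 200 and ip in flagged:
            flagged[ip]["success_after_burst"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed logins in window, "
              f"success afterwards: {info['success_after_burst']}")
```

On the constructed sample, only 203.0.113.7 is flagged (five failures in four seconds, then a 200), while the second client's single failure followed by a successful login looks like an ordinary typo. In practice the same logic runs over a log shipper's stream rather than a string, and the response to a flagged address is rate limiting or a temporary block plus a review of whether the successful login was legitimate.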

But even when it does not succeed, there are other attacks the penetration tool can try. One of the most common is called an injection attack. A famous example of this was illustrated in the popular 2007 xkcd comic strip commonly known as "Little Bobby Tables." When you type information into a web form, such as your username and password on a login screen, you can append database commands to your input that a carelessly secured website might actually execute. Little Bobby Tables used this to delete the entire student database at his school. This technique can also be used to install a program on the server, a program which might do anything such as give the hacker access to gain full control over the server.

Another similar technique is called a buffer overflow attack, where so much data is submitted into the form that it can overwrite a poorly secured portion of the server's memory with program code that does whatever the hacker wants it to.

Another very common attack — which Salt Typhoon is known to have used in this case — is called spearphishing. This is where the hackers identify a specific person at a company who has the kind of access they want. The hackers then send that person counterfeit emails or texts that ask them to log into their system, which appear to be normal messages from the system. If it fools the person, they go to a website that looks familiar but is actually a copy, and they enter their username and password. But it doesn't go where they think it goes; those credentials are sent straight back to the hacker, who can then use them.

There are many such attacks; these are just a few that illustrate the general idea. A router or other network device has many of the same features as other servers. Because it can be remotely administered, it must expose the same basic login and input features that allow hackers to attempt the types of attacks just discussed, or variations that are too complex to go into here; either way it's the same basic idea.

Once the hacker has gained administrative access to the remote device, they can operate it from their own computer wherever they're located. There are also tricks they can employ to obfuscate their connection so it's not possible to retrace them back to their actual location. In the best case, they can use their access to do anything that an admin can do. They can search databases, they can download stuff, they can delete stuff. They can create new secret doorways through which they can continue to access the system even if the credentials or other access method they used initially are changed or blocked. And it should be stressed that nearly all of this can be automated and executed on a massive scale and at blinding speeds.

By the end of 2024, it's estimated that Salt Typhoon had compromised some 100,000 hardware devices made by Fortinet and Cisco just inside AT&T's network alone. In all, it's confirmed that Salt Typhoon breached nine US telecom companies, including Verizon, AT&T, T-Mobile, and six others.

All of this gave the Chinese access to the phone call records of virtually any American they wanted. This is not really all that surprising, as any competent hacker can get that data; you don't have to be part of Salt Typhoon. As recently as January 2025, a 20-year-old American Army soldier was arrested for accessing and selling the call logs of both US Presidential candidates Donald Trump and Kamala Harris. Both had their cell phone call logs at AT&T, and neither had two-factor authentication set up. This tells us the soldier almost certainly got into AT&T through one of the common attack types discussed earlier.

According to the logs analyzed by security researchers, Salt Typhoon mainly limited their call data theft to several dozen government officials, including campaign staffers of both Presidential candidates in the 2024 election. However, the attack does not appear to have been tied to election influencing efforts. China does a lot of that too, but those are very different projects.

So it's a fact that China did get enormous amounts of data about who calls who, mainly this relatively small number of officials, and a lot of data about who stays at what hotels all around the world. The crown jewel of their hack, however, was the US Department of Justice's database of wiretaps. This included all the phone numbers that any federal agency was tapping. This told China who the US was investigating for any reason: perhaps suspected criminals, drug lords, and most notably, suspected foreign agents. Assuming that China had spies in the United States, which of course they did and still do now, the wiretap data told them if any of their spies were under investigation. It also told China what spies from other nations the US was investigating. From a counterintelligence perspective, this was an enormously successful attack.

What else they might be planning to do with all this data is really a matter of speculation. It's assumed they use artificial intelligence engines to analyze all this data, looking for patterns, building social connection maps, possibly figuring out who's aligned with who in Washington and what kinds of projects are getting the most attention.

So: claims that the 2024 telecom hack was an election interference attempt are not true. Claims that it pertained to the US-China trade war are also not true. And there's one more thing about it…

Generally when I pick a topic for Skeptoid, I like for it to be a settled issue, which makes it possible for me to be more comprehensive and have the benefit of hindsight. However, as of the date of this show, which is February 2025, we have some breaking news on this particular cyberattack. When it was originally reported in late 2024, it was announced that the investigation would be led by the Cyber Safety Review Board within the US Department of Homeland Security. The CSRB is intended to be like the NTSB, the National Transportation Safety Board, best known for sending the world's most experienced investigators out to the sites of plane crashes, train crashes, and such, in order to find what went wrong and prevent it from happening again. That's exactly what the CSRB had been doing for the few months following the discovery of the cyberattack. But then, once President Trump took office in January 2025, among his first actions was to fire everyone on the CSRB — all career professional experts. The ranking member of the House Committee on Homeland Security said "I am troubled that the president's attempt to stack the CSRB with loyalists may cause its important work on the Salt Typhoon campaign to be delayed."

His use of the term loyalists was a likely reference to a famously impartial member of the CSRB, Brian Krebs, who in late 2020 was the director of the Cybersecurity and Infrastructure Security Agency, and who was fired by Trump after his agency found that Trump's claim that tampered voting machines had contributed to his election loss was false.

There are still other law enforcement agencies on the job working to track down Salt Typhoon and prosecute them, but the CSRB was the US government's defense strategist for preventing the next such attack. Apologies if this explanation sounded partisan or was offensive to some — that's not what Skeptoid is about — but it was necessary to expound how and why the United States is unlikely to construct a timely defense against Salt Typhoon, or the next group to follow in their footsteps.

And so there you have it. When you hear something in the news that sounds sensational, as this did, your first response should always be skepticism. When you see wild assertions on social media claiming what it was really about, you should be skeptical. And when you are, you'll go to primary sources — non-politically biased sources, always — and get the straight dope. And do one better. When the subject matter requires a specific expertise to really understand it, in this case cybersecurity, go to subject-matter-specific websites — cybersecurity websites for this event — and find out what the real subject matter experts have to say. Because as often as not, you'll find the media has sold you a little bit short.



Cite this article:
Dunning, B. (2025, February 4) Salt Typhoon: The Chinese Phone Hack. Skeptoid Media. https://skeptoid.com/episodes/4974

 


©2025 Skeptoid Media, Inc. All Rights Reserved.