Chinese hacked U.S. telecom a year before known wireless breaches

Japan Times

05-06-2025

Corporate investigators found evidence that Chinese hackers broke into an American telecommunications company in the summer of 2023, indicating the country's attackers penetrated the U.S. communications system earlier than publicly known.
Investigators working for the telecommunications firm discovered last year that malware used by Chinese state-backed hacking groups was on the company's systems for seven months starting in the summer of 2023, according to a document and two people familiar with the matter. The document, an unclassified report sent to Western intelligence agencies, doesn't name the company where the malware was found and the people familiar with the matter declined to identify it.
The 2023 intrusion at an American telecommunications company came about a year before U.S. government officials and cybersecurity companies said they began spotting clues that Chinese hackers had penetrated many of the country's largest phone and wireless firms. The U.S. government has blamed the later breaches on a Chinese state-backed hacking group dubbed Salt Typhoon.
It's unclear if the 2023 hack is related to that foreign espionage campaign and, if so, to what degree. Nonetheless, it raises questions about when Chinese intruders established a foothold in the American communications industry.
"We've known for a long time that this infrastructure has been vulnerable and was likely subject to attack,' said Marc Rogers, a cybersecurity and telecommunications expert. "What this shows us is that it was attacked, and that going as far back as 2023, the Chinese were compromising our telecom companies.'
A representative of the Chinese government embassy in Washington emphasized in a statement the difficulty of determining the origins of hacks, and said the U.S. and its allies have been responsible for cyberattacks on China. "The relevant party needs to stop using cybersecurity to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threats,' said spokesperson Liu Pengyu.
Representatives of the U.S. Central Intelligence Agency, National Security Agency, Federal Bureau of Investigation, and Cybersecurity and Infrastructure Security Agency all declined to comment.
In the Salt Typhoon compromises, U.S. officials have said, hackers infiltrated AT&T, Verizon and seven other U.S. telecommunications companies, vacuuming up the personal data of millions of Americans and targeting the phones of the presidential candidate Donald Trump, his running mate JD Vance and then-Vice President Kamala Harris.
Those hacks were part of a "multi-year operation' that "breached multiple layers of major telecom networks,' Laura Galante, director of the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence from 2022 until January, said in written testimony to Congress in April.
It was as the government and telecommunication industry was racing to counter those hacks in the fall of 2024 that cybersecurity investigators found evidence of the 2023 breach. That discovery followed a tip from U.S. intelligence agencies, said one of the people.
At various points during the response to the Salt Typhoon hacks, U.S. intelligence services advised companies to look for a specific piece of Chinese malware, known as Demodex, according to that person and two others familiar with the matter. They all spoke on condition that they not be identified discussing the sensitive information.
Demodex is a "rootkit' that gives hackers deep and secretive access to an infected machine. Several cybersecurity companies have said in public reports that Demodex has been used by a Chinese hacking group that's targeted telecommunication companies and governments in Southeast Asia.
The malware has also been tied to the Salt Typhoon attackers, as well as other hacking groups, and was used in attacks on telecommunications firms in Thailand, Afghanistan and Indonesia, said Allan Liska, a threat analyst at the security firm Recorded Future.
The malicious program was developed by employees of companies that work for the Chinese Ministry of State Security, said Michael Freeman, the head of threat intelligence at cybersecurity firm Armis. Freeman said his firm has spent years tracking the work of one of the developers.
In the 2023 U.S. telecommunications breach, hackers accessed the computers of IT administrators at the company, the two people said. The investigation found that the malware had been on the firm's systems until late winter of 2024, according to the report, which was sent to American and other Western intelligence agencies last October.
The report only identifies the company where the malware was found as being "known for providing services to the defense, travel and logistics industries.'
It's unclear what the hackers did once they were inside the breached machines because Demodex is designed to leave few digital traces, the people said. The malware includes code that temporarily terminates a common Microsoft security program, Defender, according to the report. While that safeguard is down, the report states, the program takes steps to hide itself and future activity.
A spokesperson representing Microsoft, Michelle Rose Micor, declined to comment.