{
	"id": "1eb7bdbc-6916-4c1f-b6ac-5c7ff021a762",
	"created_at": "2026-04-06T00:19:59.355735Z",
	"updated_at": "2026-04-10T03:34:44.521925Z",
	"deleted_at": null,
	"sha1_hash": "2fe65084edc159054d0fae5f7b9c7a70e29f893b",
	"title": "Chinese hackers breached T-Mobile's routers to scope out network",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2227325,
	"plain_text": "Chinese hackers breached T-Mobile's routers to scope out network\r\nBy Sergiu Gatlan\r\nPublished: 2024-11-27 · Archived: 2026-04-05 20:12:34 UTC\r\nT-Mobile says the Chinese \"Salt Typhoon\" hackers who recently compromised its systems as part of a series of telecom\r\nbreaches first hacked into some of its routers to explore ways to navigate laterally through the network.\r\nHowever, the company says its engineers blocked the threat actors before they could spread further on the network and\r\naccess customer information.\r\nAlso tracked as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286, this Chinese state-sponsored threat group\r\nhas been active since at least 2019 and typically focuses on breaching government entities and telecommunications\r\ncompanies in Southeast Asia.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nJeff Simon, the company's Chief Security Officer, shared in a blog post published on Wednesday that the threat actors' attack\r\n—originating from a connected wireline provider's network—was stopped by T-Mobile's cyber defenses, including proactive\r\nmonitoring and network segmentation.\r\nThe company discovered the breach after detecting suspicious behavior, including commands usually used in the\r\nreconnaissance stage of cyberattacks being run on some of its routers and commands matching indicators of compromise\r\npreviously linked to Salt Typhoon, as Simon told Bloomberg.\r\n\"Many reports claim these bad actors have gained access to some providers' customer information over an extended period\r\nof time – phone calls, text messages, and other sensitive information, particularly from government officials. 
This is not the\r\ncase at T-Mobile,\" Simon said.\r\n\"Our defenses protected our sensitive customer information, prevented any disruption of our services, and stopped the attack\r\nfrom advancing. Bad actors had no access to sensitive customer data (including calls, voicemails, or texts).\r\n\"We quickly severed connectivity to the provider's network as we believe it was – and may still be – compromised.\"\r\nT-Mobile's CSO added that the company no longer sees any attackers active within its network and has shared its findings\r\nwith the government and industry partners.\r\nBreached in recent Salt Typhoon telecom attacks\r\nT-Mobile's statement from today follows the company's announcement two weeks ago that its systems were compromised in\r\na recent wave of Salt Typhoon telecom breaches.\r\nCISA and the FBI confirmed the breaches in late October following reports that the Chinese threat group breached multiple\r\nbroadband providers, including AT\u0026T, Verizon, and Lumen Technologies.\r\nThe two federal agencies later revealed that the attackers compromised the \"private communications\" of a \"limited\r\nnumber\" of government officials, stole customer call records and law enforcement request data, and gained access to\r\nthe U.S. government's wiretapping platform.\r\nEven though it's unknown when the telecom giants' networks were first breached, the Chinese hackers had access \"for\r\nmonths or longer,\" according to a WSJ report. 
This allowed them to collect and steal vast amounts of \"internet traffic from\r\ninternet service providers that count businesses large and small, and millions of Americans, as their customers,\" according\r\nto people familiar with the matter.\r\nCanada also revealed last month that many of the country's agencies and departments, including federal political parties, the\r\nSenate, and the House of Commons, were targeted in broad network scans linked to unnamed Chinese state hackers.\r\nIn similar, although likely unrelated attacks, the Volt Typhoon Chinese threat group tracked and hacked multiple ISPs and\r\nMSPs in the United States and India after hacking their corporate networks using credentials stolen in Versa Director\r\nzero-day attacks.\r\nSource: https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinese-hackers-breached-t-mobiles-routers-to-scope-out-network/"
	],
	"report_names": [
		"chinese-hackers-breached-t-mobiles-routers-to-scope-out-network"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775792084,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2fe65084edc159054d0fae5f7b9c7a70e29f893b.pdf",
		"text": "https://archive.orkl.eu/2fe65084edc159054d0fae5f7b9c7a70e29f893b.txt",
		"img": "https://archive.orkl.eu/2fe65084edc159054d0fae5f7b9c7a70e29f893b.jpg"
	}
}