{ "id": "45a3d9ff-80d1-4794-94a8-a3d7ea3e7095", "created_at": "2026-04-06T00:11:51.793914Z", "updated_at": "2026-04-10T03:34:28.280281Z", "deleted_at": null, "sha1_hash": "81d3b6c0a1e527c302c48b3a54616a8ce334a87c", "title": "At least 8 US telcos, dozens of countries impacted by Salt Typhoon breaches, White House says", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 957147, "plain_text": "At least 8 US telcos, dozens of countries impacted by Salt Typhoon\r\nbreaches, White House says\r\nBy Jonathan Greig\r\nPublished: 2024-12-04 · Archived: 2026-04-05 12:56:13 UTC\r\nThe scope of the Chinese government hacking campaign came into further focus on Wednesday, as senior White\r\nHouse officials revealed that eight telecommunications giants in the U.S. were breached and that companies in\r\nmultiple other countries were also hacked.\r\nThe breaches are part of the Salt Typhoon campaign, which first came to light after threat actors intercepted the\r\ncorrespondence of senior officials within both presidential campaigns, including from President-elect Donald\r\nTrump and his running mate JD Vance.\r\nAnne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, reiterated to\r\nreporters on Wednesday that Chinese actors are still inside the breached systems. \r\nNeuberger said President Joe Biden has been briefed on the incident several times, and the White House has\r\ncreated a Unified Coordination Group that meets daily to discuss the issue. \r\nThe campaign “has been underway … likely one to two years” and has compromised telecoms in the Indo-Pacific\r\nregion, Europe and elsewhere.\r\n“Our understanding is that a couple dozens of countries were impacted,” she said. “We believe this is intended as\r\na Chinese espionage program focused, again, on key government officials, key corporate IP, so that will determine\r\nwhich telecoms were often targeted, and how many were compromised as well.”\r\nNeuberger added that the “Chinese access was broad in terms of potential access to communications of everyday\r\nAmericans” but she said the hackers only targeted prominent individuals. \r\n“As you know, the communications of US government officials relies on these private sector systems, which is\r\nwhy the Chinese were able to access the communications of some senior US government and political officials. At\r\nthis time, we don't believe any classified communications have been compromised,” she said.\r\nAs the Cybersecurity and Infrastructure Security Agency (CISA) and FBI said Tuesday, the companies have not\r\nbeen able to fully remove the hackers from their systems so, Neuberger said, “there is a risk of ongoing\r\ncompromises to communications until U.S. companies address the cybersecurity gaps.”\r\nThe agencies published guidance to help engineers and network defenders identify and remove Salt Typhoon\r\nactors. They told reporters that one complicating factor is that the hackers likely breached companies through\r\ndifferent vectors, and also had broad aims and targets.\r\nRead More: Cyber incident board’s Salt Typhoon review to begin within days, CISA leader says\r\nhttps://therecord.media/eight-telcos-breached-salt-typhoon-nsc\r\nPage 1 of 5\n\nOfficials with the National Security Council did not respond to several questions about how senior officials are\r\ncommunicating with one another safely if Chinese actors are still in each network, or whether telecommunications\r\ncompanies will notify every American who may have had their data caught up in the incident. \r\nBut Neuberger said the agency believes “a large number of Americans' metadata was taken as part of a campaign\r\nto identify the specific individuals that the Chinese government was really interested in actually gaining particular\r\naccess to individual calls, listening to those calls, etc.\"\r\nShe urged the affected telecom giants — which allegedly include Verizon, AT\u0026T, T-Mobile, Lumen and others —\r\nto work together and share information they may be seeing in systems both in the U.S. and abroad. \r\nAt a recent meeting with the heads of those companies, senior U.S. officials stressed that each of them needed to\r\ntake a range of steps to further harden their systems against compromise and “make real changes to architect\r\ntelecom networks to be able to look for the unexpected and reduce the blast radius of events,” Neuberger said. \r\nShe noted that several departments within the government, most notably the Commerce Department, are\r\ncoordinating to help telecom companies respond to the incident.\r\nNeuberger went on to compare the incident to the ransomware attack on Colonial Pipeline and said it should spur\r\na similar regulatory push for minimum cybersecurity standards that telecommunications companies must abide\r\nby. \r\n“To prevent ongoing intrusions, we need to require similar minimum cybersecurity practices at telecoms … That’s\r\nwhat other countries are doing, from Australia to the UK, mandating cybersecurity practices for the most critical\r\ncompanies to defend against Chinese and other sophisticated cyber programs,” she said. \r\n“We believe that if the companies had in place minimum practices — secure configurations, up-to-date patching,\r\narchitecting to monitor for anomalous behavior that would have detected this earlier, managing administrator\r\naccounts with multi-factor authentication — that would make it far riskier, harder and costlier for the Chinese to\r\ngain access and maintain access.”\r\nThe international community also needs to come together to have “open, honest discussions about the PRC’s\r\n[People’s Republic of China] destabilizing behavior in cyberspace and steps the global community can take to\r\nstrengthen its defenses and ultimately influence the PRC to end its destabilizing behavior.”\r\n‘No accountability’\r\nAlso on Wednesday, a swath of agencies briefed senators on the incident. Director of National Intelligence Avril\r\nHaines spoke alongside the FBI, Federal Communications Commission, NSC and the Cybersecurity and\r\nInfrastructure Security Agency, after which several senators criticized the Biden administration for not having\r\nenough answers on the incidents. \r\n“There's no accountability. We have not heard a plan of how they're going to fix it. That's unacceptable,” said Sen.\r\nRick Scott (R-FL).\r\nhttps://therecord.media/eight-telcos-breached-salt-typhoon-nsc\r\nPage 2 of 5\n\nSen. Ron Wyden (D-OR) told reporters that he is now working on legislation to address the Salt Typhoon\r\ncampaign but declined to explain what would be in the bill or how it would address the cybersecurity of telecom\r\ncompanies. \r\nWyden and another senator sent a letter on Wednesday asking the Defense Department’s top watchdog to\r\nscrutinize how the agency is shoring up its communications against spying in light of the Salt Typhoon breaches. \r\nMike Rounds (R-S.D.), who is expected to lead the Senate Armed Services Committee's cyber sub-panel next\r\nCongress, said one difficulty is that the country’s telecommunications systems were “built for efficiency.”\r\n“They were not built for security necessarily,” he said, adding that it will take “months” for the government to\r\ngive direction on the changes that need to be made. \r\nHe backed calls for cybersecurity standards governing the telecoms industry but said senators are still working out\r\nthe best way for them to be enacted in a feasible way. \r\n“The challenge is, how do we go about affecting that with private telecom companies and how quickly can they\r\nput those security measures in place?” he said. “We are not talking about a short period of time because of the\r\namount of work it's going to take to actually go through and to impact stuff. It's not like getting a new phone. It's a\r\nstructure that these cell phone systems have been built on.”\r\nAs he walked out of the briefing room, Senate Intelligence Committee Chair Mark Warner (D-VA), a former\r\ntelecommunications executive, told reporters the incident is “far and away the worst telecom hack.”\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/eight-telcos-breached-salt-typhoon-nsc\r\nPage 3 of 5\n\nJonathan Greig\r\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nhttps://therecord.media/eight-telcos-breached-salt-typhoon-nsc\r\nPage 4 of 5\n\nMartin Matishak\r\nis the senior cybersecurity reporter for The Record. Prior to joining Recorded Future News in 2021, he spent more\r\nthan five years at Politico, where he covered digital and national security developments across Capitol Hill, the\r\nPentagon and the U.S. intelligence community. He previously was a reporter at The Hill, National Journal Group\r\nand Inside Washington Publishers.\r\nSource: https://therecord.media/eight-telcos-breached-salt-typhoon-nsc\r\nhttps://therecord.media/eight-telcos-breached-salt-typhoon-nsc\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://therecord.media/eight-telcos-breached-salt-typhoon-nsc" ], "report_names": [ "eight-telcos-breached-salt-typhoon-nsc" ], "threat_actors": [ { "id": "f0eca237-f191-448f-87d1-5d6b3651cbff", "created_at": "2024-02-06T02:00:04.140087Z", "updated_at": "2026-04-10T02:00:03.577326Z", "deleted_at": null, "main_name": "GhostEmperor", "aliases": [ "OPERATOR PANDA", "FamousSparrow", "UNC2286", "Salt Typhoon", "RedMike" ], "source_name": "MISPGALAXY:GhostEmperor", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff", "created_at": "2024-12-28T02:01:54.899899Z", "updated_at": "2026-04-10T02:00:04.880446Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Earth Estries", "FamousSparrow", "GhostEmperor", "Operator Panda", "RedMike", "Salt Typhoon", "UNC2286" ], "source_name": "ETDA:Salt Typhoon", "tools": [ "Agentemis", "Backdr-NQ", "Cobalt Strike", "CobaltStrike", "Crowdoor", "Cryptmerlin", "Deed RAT", "Demodex", "FamousSparrow", "FuxosDoor", "GHOSTSPIDER", "HemiGate", "MASOL RAT", "Mimikatz", "NBTscan", "NinjaCopy", "ProcDump", "PsExec", "PsList", "SnappyBee", "SparrowDoor", "TrillClient", "WinRAR", "Zingdoor", "certutil", "certutil.exe", "cobeacon", "nbtscan" ], "source_id": "ETDA", "reports": null }, { "id": "f9806b99-e392-46f1-9c13-885e376b239f", "created_at": "2023-01-06T13:46:39.431871Z", "updated_at": "2026-04-10T02:00:03.325163Z", "deleted_at": null, "main_name": "Watchdog", "aliases": [ "Thief Libra" ], "source_name": "MISPGALAXY:Watchdog", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff", "created_at": "2025-04-23T02:00:55.190165Z", "updated_at": "2026-04-10T02:00:05.361244Z", "deleted_at": null, "main_name": "Salt Typhoon", "aliases": [ "Salt Typhoon" ], "source_name": "MITRE:Salt Typhoon", "tools": [ "JumbledPath" ], "source_id": "MITRE", "reports": null }, { "id": "6477a057-a76b-4b60-9135-b21ee075ca40", "created_at": "2025-11-01T02:04:53.060656Z", "updated_at": "2026-04-10T02:00:03.845594Z", "deleted_at": null, "main_name": "BRONZE TIGER", "aliases": [ "Earth Estries ", "Famous Sparrow ", "Ghost Emperor ", "RedMike ", "Salt Typhoon " ], "source_name": "Secureworks:BRONZE TIGER", "tools": [], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434311, "ts_updated_at": 1775792068, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/81d3b6c0a1e527c302c48b3a54616a8ce334a87c.pdf", "text": "https://archive.orkl.eu/81d3b6c0a1e527c302c48b3a54616a8ce334a87c.txt", "img": "https://archive.orkl.eu/81d3b6c0a1e527c302c48b3a54616a8ce334a87c.jpg" } }