{
	"id": "f01859a0-0ccb-42f0-8879-95e590b0eec1",
	"created_at": "2026-04-06T00:21:11.231933Z",
	"updated_at": "2026-04-10T13:12:35.951983Z",
	"deleted_at": null,
	"sha1_hash": "a4532b411950a0d3d154f9b18108a635119aef2c",
	"title": "AT\u0026T, Verizon reportedly hacked to target US govt wiretapping platform",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3117885,
	"plain_text": "AT\u0026T, Verizon reportedly hacked to target US govt wiretapping\r\nplatform\r\nBy Ionut Ilascu\r\nPublished: 2024-10-07 · Archived: 2026-04-05 21:28:49 UTC\r\nMultiple U.S. broadband providers, including Verizon, AT\u0026T, and Lumen Technologies, have been breached by a Chinese\r\nhacking group tracked as Salt Typhoon, the Wall Street Journal reports.\r\nThe purpose of the attack appears to be intelligence collection as the hackers might have had access to systems used by the\r\nU.S. federal government for court-authorized network wiretapping requests.\r\nIt is unclear when the intrusion occurred, but WSJ cites people familiar with the matter, saying that \"for months or longer,\r\nthe hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for\r\ncommunications data.\"\r\nSalt Typhoon is the name that Microsoft gave to this particular China-based threat actor. Other cybersecurity companies are\r\ntracking the adversary as Earth Estries (Trend Micro), FamousSparrow (ESET), Ghost Emperor (Kaspersky), and UNC2286\r\n(Mandiant, now part of Google Cloud).\r\nCapturing sensitive traffic\r\nAccording to the WSJ, the attack was discovered in recent weeks and is being investigated by the U.S. 
government and\r\nsecurity experts in the private sector.\r\nThe impact of the attack - amount and type of observed and exfiltrated data - is still being assessed, people with information\r\nabout the intrusion told WSJ.\r\n“The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count\r\nbusinesses large and small, and millions of Americans, as their customers” - Wall Street Journal\r\nApart from breaching service providers in the U.S., Salt Typhoon may have hacked similar entities in other countries, too.\r\nSalt Typhoon has been active since at least 2019 and is considered a sophisticated hacking group focusing on government\r\nentities and telecommunications companies typically in the Southeast Asia region.\r\nSecurity researchers also found that the threat actor attacked hotels, engineering companies, and law firms in Brazil, Burkina\r\nFaso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.\r\nThe hackers usually obtain initial access to the target network by exploiting vulnerabilities, such as the ProxyLogon\r\nvulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and\r\nCVE-2021-27065).\r\nIn previous attacks attributed to Salt Typhoon/Ghost Emperor, the threat actor used a custom backdoor called SparrowDoor,\r\ncustomized versions of the Mimikatz tool for extracting authentication data, and a Windows kernel-mode rootkit Demodex.\r\nInvestigators are still looking for the initial access method for the recent attack. 
The WSJ says that one avenue being\r\nexplored is gaining access to Cisco routers responsible for routing internet traffic.\r\nHowever, a Cisco spokesperson told WSJ that the company was looking into the matter but had received no indication that\r\nCisco networking equipment was involved in the breach.\r\nBleepingComputer contacted AT\u0026T about the alleged breach and was told they \"are not commenting on the WSJ report.\"\r\nLumen also declined to comment.\r\nVerizon has not responded to our emails, and we will update the story if we receive a reply.\r\nChinese APT hacking groups have been increasingly targeting U.S. and European networking devices and ISPs in\r\ncyberespionage attacks.\r\nIn August, cybersecurity researchers at Lumen's Black Lotus Labs disclosed that the Chinese threat actors known as \"Volt\r\nTyphoon\" exploited a zero-day flaw in Versa Director to steal credentials and breach corporate networks. During these\r\nattacks, the threat actors breached multiple ISPs and MSPs in the U.S. and India, which is not believed to be related to the\r\nrecent breaches.\r\nIn September, Black Lotus Labs and law enforcement disrupted a massive Chinese botnet named \"Raptor Train\" that\r\ncompromised over 260,000 SOHO routers and IP cameras with malware. This botnet was used by the \"Flax Typhoon\" threat\r\nactors for DDoS attacks and as a proxy to launch stealthy attacks on other organizations.\r\nWhile these attacks have been attributed to different Chinese hacking groups, they are believed to operate under the same\r\numbrella, commonly sharing infrastructure and tools.\r\nSource: https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform/"
	],
	"report_names": [
		"atandt-verizon-reportedly-hacked-to-target-us-govt-wiretapping-platform"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "09031838-56db-4676-a2b2-4bc50d8b7b0b",
			"created_at": "2024-01-23T13:22:35.078612Z",
			"updated_at": "2026-04-10T02:00:03.519282Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"Storm-0919"
			],
			"source_name": "MISPGALAXY:Flax Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86c7abc2-1b71-4665-b9e3-1594d6d15a4a",
			"created_at": "2023-09-07T02:02:47.367254Z",
			"updated_at": "2026-04-10T02:00:04.698935Z",
			"deleted_at": null,
			"main_name": "Flax Typhoon",
			"aliases": [
				"Ethereal Panda",
				"RedJuliett"
			],
			"source_name": "ETDA:Flax Typhoon",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"JuicyPotato",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Metasploit",
				"Mimikatz",
				"SinoChopper",
				"SoftEther VPN"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ea4726a4-3b7c-45db-a579-2abd4986941c",
			"created_at": "2025-11-01T02:04:53.002048Z",
			"updated_at": "2026-04-10T02:00:03.764362Z",
			"deleted_at": null,
			"main_name": "BRONZE FLAXEN",
			"aliases": [
				"Ethereal Panda ",
				"Flax Typhoon "
			],
			"source_name": "Secureworks:BRONZE FLAXEN",
			"tools": [
				"Bad Potato",
				"Juicy Potato",
				"Metasploit",
				"Mimikatz",
				"SoftEther VPN"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434871,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4532b411950a0d3d154f9b18108a635119aef2c.pdf",
		"text": "https://archive.orkl.eu/a4532b411950a0d3d154f9b18108a635119aef2c.txt",
		"img": "https://archive.orkl.eu/a4532b411950a0d3d154f9b18108a635119aef2c.jpg"
	}
}