Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

Published: 23/11/2024   Category: security




The Chinese state-sponsored cyberattack threat managed to infiltrate the lawful intercept network connections that police use in criminal investigations.



The Chinese state-sponsored advanced persistent threat (APT) known as Salt Typhoon appears to have accessed major US broadband provider networks by hacking into the systems that law-enforcement agencies use for court-authorized wiretapping.
According to unnamed sources speaking to the Wall Street Journal, the affected providers include major national players like AT&T and Verizon Communications, along with enterprise-specific service providers like Lumen Technologies.
In addition to the wiretapping connections, the sources said Salt Typhoon also had access to more general Internet traffic flowing through the provider networks, and that the cyberattackers went after a handful of targets outside the US as well. The APT could have had access for months, they added.
The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon, sources told the WSJ. It appeared to be geared toward intelligence collection.
None of AT&T, Lumen, or Verizon immediately responded to a request for comment from Dark Reading.
The news comes about a week after Salt Typhoon was outed as hacking into major telecom networks for cyber-espionage purposes, and possibly to position itself to disrupt communications in the event of a kinetic conflict between China and the US. But the subversion of the connections that law enforcement entities have to service provider networks (which they can use to intercept communications of private individuals or organizations during criminal investigations or for purposes of national security) is a new wrinkle.
No information is available on how the attackers might have gotten access to the lawful intercept infrastructure, but Ram Elboim, CEO of Sygnia, which tracks the APT as GhostEmperor, notes that clearly the threat actor performed extensive reconnaissance.
"Reaching and compromising these sensitive assets requires not only familiarity with the network structure, but also advanced capabilities to be able to move laterally across separated sub-networks," he tells Dark Reading. "One assumes that these assets are far separated from the ISP corporate and operational network, and also connected to law enforcement's networks in order for authorities to be able to operate and stream the gathered data in a very secure method."
"This breach demonstrates the need for critical infrastructure organizations to not only design their network structure securely with strict segregation strategies, but to continuously update and test the resilience of their operational networks and sensitive assets as part of a robust incident response playbook," he adds.
