Chinese hackers blamed for compromising U.S. telecommunications infrastructure and spying on American presidential campaigns and American officials are still entrenched in those systems, according to senior U.S. officials who warn it could be years before the hackers are kicked out.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Tuesday urged U.S. telecommunication companies and their customers to take additional precautions, saying the breach might go deeper than first thought.
“We cannot say with certainty that the adversary has been evicted because we still don’t know the scope of what they’re doing,” Jeff Greene, CISA’s executive assistant director for cybersecurity, said during a briefing with reporters.
“We cannot with confidence say that we know everything, nor would our partners,” Greene said. “We’re still trying to understand.”
A senior FBI official who also spoke with reporters was equally cautious.
“Understanding the scope of the adversary activity through our investigations, in a situation of this magnitude, is measured in years,” the official said, speaking on the condition of anonymity to discuss details of the breach investigation.
The Chinese-linked hackers have been coy, adjusting their behavior as more information about their activities becomes public.
“As more comes to light they change their TTPs [tactics, techniques and procedures] and their approach,” the official warned. “They may go dormant for a while to lower their profile.”
Word of the breach emerged in October, when the Chinese-linked cyber gang known as Salt Typhoon was linked to efforts to intercept communications for the presidential campaigns of U.S. President-elect Donald Trump and his Democratic challenger, Vice President Kamala Harris.
Less than a month later, CISA and the FBI warned that the Chinese efforts to spy on the Trump and Harris campaigns were just the start of “a broad and significant cyber espionage campaign” that penetrated multiple U.S. telecommunication companies.
China has repeatedly denied the U.S. allegations, accusing Washington of a smear campaign aimed at undermining Beijing.
“For quite some time, the US side has patched up all sorts of disinformation about threats of ‘Chinese hackers’ to serve its own geopolitical purposes,” Liu Pengyu, the spokesperson for the Chinese Embassy in Washington, told VOA in an email Tuesday regarding the latest allegations.
“China firmly opposes and combats all kinds of cyber attacks,” Liu said. “The US needs to stop its own cyberattacks against other countries and refrain from using cyber security to smear and slander China.”
But U.S. officials have repeatedly pushed back against Chinese denials, and now say the Chinese breach goes even further than initially thought, impacting telecommunication companies around the world, and that it appears to be part of a larger Chinese government effort to gather information about adversaries worldwide.
“Certainly, the way they went about it was very, very specific,” the senior FBI official said, noting the focus on telecommunications infrastructure and internet service providers. “But it fits into the cyber espionage bucket to really inform global goals for the Chinese.”
Neither CISA nor the FBI would say how many telecommunication companies or how many countries have been impacted.
But the agencies said the Chinese efforts in the U.S. fall into three categories: individual communications, customer call records and U.S. law enforcement requests pursuant to court orders.
The focus on individual communications appears to be on intercepting audio of phone calls and the content of text messages for a select number of high-profile U.S. government officials, such as individuals with the Trump and Harris campaigns.
The mass collection of customer call records appears to be more random.
“Essentially, they stole data about where, when and whom individuals were communicating with,” said the senior FBI official.
“We don’t believe that those were specifically targeted,” the official added. “We essentially think that they were essentially swept up by the adversary.”
The officials said the third category of intercepted information, related to law enforcement requests and court orders, also appears to have been targeted somewhat by chance.
Forensic analysis in two of the instances in which the Chinese hackers accessed law enforcement information “has indicated that the actors were on other parts of their network conducting reconnaissance before pivoting to the [law enforcement portal] and surrounding devices,” the FBI official said.
Just how far the Chinese hackers got, though, is not clear.
Officials said the hacked portal does include some court orders that relate to foreign intelligence collected under the Foreign Intelligence Surveillance Act but declined to say whether any of that information was taken by the China-linked hackers.
“We’re not prepared to answer that question today,” the senior FBI official said.
For now, the FBI and CISA are urging telecommunications companies to harden their defenses, issuing an advisory with cyber agencies in Canada, Australia and New Zealand on steps they can take to reduce the threat.
They also urged companies that think they may have been victimized to come forward.
“The companies that have worked closest with us are the furthest along and kicking the actors off their networks,” the senior FBI official said.
The FBI and CISA are likewise urging consumers to be more vigilant about security, whether that means keeping mobile phones and other devices current with security updates, or by using encrypted platforms for messaging and other communications.
“We are not seeing any novel techniques,” said CISA’s Greene, adding that the Chinese-linked hackers seem to have simply exploited known vulnerabilities in the telecommunications infrastructure environment.
“Encryption is your friend, whether it is on text messaging or if you have the capacity to use encrypted voice communications,” Greene said. “Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible, if not really hard for them, to detect it.”