- T-Mobile explains how Salt Typhoon gained access to its routers
- It explained the hackers’ methods and how they were spotted
- T-Mobile’s CSO emphasizes that hackers have not stolen any data
T-Mobile revealed that the hackers who recently targeted its infrastructure executed commands on the routers, but stressed that its defenses worked as intended and no major damage was caused.
The statement follows recent news of an incident in which Salt Typhoon, a notorious Chinese state-sponsored threat actor, breached T-Mobile’s network on behalf of the country’s government in a cyber espionage campaign.
The FBI also recently confirmed that the group had successfully accessed networks and private communications of members of the US government.
Working as intended
Now, T-Mobile’s Chief Security Officer, Jeff Simon, has told Bloomberg that the attackers were spotted executing commands, typically used in the reconnaissance phase of a cyber attack, on corporate routers. Some of the commands matched indicators of compromise previously linked to Salt Typhoon, he added.
At the same time, Simon published a blog post saying that the company’s defenses worked as intended, preventing Salt Typhoon from causing significant damage or stealing sensitive customer or company information.
“Many reports claim that these bad actors gained access to some carriers’ customer information – phone calls, text messages and other sensitive information, especially from government officials – over an extended period of time. This is not the case with T-Mobile,” Simon said.
“Our defenses protected our sensitive customer information, prevented any disruption to our services and stopped the attack from progressing. Bad actors did not have access to sensitive customer data (including calls, voicemails, or text messages).”
Simon also said the attack came from a landline carrier’s network connected to T-Mobile. “We quickly disconnected connectivity to the provider’s network as we believe it was – and may still be – compromised.”
After blocking access, T-Mobile said it is now seeing no additional attacker activity, indicating Salt Typhoon has abandoned the attempt. In any case, the information was shared with partners from government and the business community.