
State-sponsored actor Salt Typhoon (linked to China's MSS) compromised US telecommunications providers and FBI surveillance networks by exploiting unpatched edge networking devices, including Cisco routers. From compromised provider edge (PE) and customer edge (CE) routers, the adversaries moved laterally to reach CALEA-compliant interception gateways. This allowed unauthorized exfiltration of court-authorized wiretap returns, pen register data, and trap-and-trace metadata for over one million users. The breach exposed sensitive PII and the operational security (OPSEC) of FBI investigative targets and undercover assets. Persistence was maintained via the Demodex kernel rootkit and SparrowDoor backdoors, with C2 traffic routed through LightNode VPS.

  • Attack Vector: Edge Exploitation and Lateral Movement

    • Exploited known vulnerabilities in enterprise-grade edge routers and VPN concentrators, some of which lacked critical patches for over seven years.
    • Utilized compromised backbone routers to pivot from provider edge (PE) and customer edge (CE) segments into restricted management planes.
    • Targeted CALEA (Communications Assistance for Law Enforcement Act) interfaces to intercept lawful surveillance data directly from carrier gateways.
  • Technical Tooling and Persistence

    • Deployed the Demodex kernel rootkit and SparrowDoor/GhostSpider backdoors to maintain stealthy, low-signal persistence within carrier infrastructure.
    • Utilized Cobalt Strike for post-exploitation, routing command-and-control (C2) traffic through LightNode VPS and encrypted tunnels.
    • Exfiltrated sensitive data via legitimate web services, including GitHub, Gmail, AnonFiles, and File.io, to blend in with standard HTTPS traffic.
  • Impact Assessment: National Security and Law Enforcement

    • Compromised "pen register and trap and trace" returns, allowing a foreign intelligence service to identify active FBI investigative targets.
    • Intercepted unencrypted SMS, audio communications, and real-time geolocation data across nine major US telecommunications carriers.
    • Extended lateral movement into the US Army National Guard, exfiltrating administrative credentials and network diagrams across all 50 states.
  • Regulatory and Defensive Imperatives

    • The FCC proposed a Declaratory Ruling clarifying that CALEA Section 105 mandates a legal obligation for carriers to secure interception systems against unlawful access.
    • CISA and the NSA issued "Enhanced Visibility and Hardening Guidance" focusing on aggressive patching of PE routers and Zero Trust architecture adoption.
    • Federal authorities are urging a shift toward end-to-end encrypted (E2EE) messaging to mitigate the risk of metadata and content interception at the carrier level.
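The two behaviours the briefing describes, pivoting from PE/CE router segments into the lawful-intercept plane and exfiltrating through consumer web services that blend into ordinary HTTPS, are both visible in network flow logs if the carrier knows which segments are allowed to talk to which. The following is an added example written for this briefing, not tooling from any of the sources cited; the segment ranges, the sanctioned jump-host range, the flow-log format, the byte threshold and all sample flows are constructed assumptions. It raises a critical finding for any connection into the CALEA mediation segment that does not originate from the designated admin jump range, and aggregates egress from infrastructure hosts to the services the briefing names (GitHub, Gmail, AnonFiles, File.io) so that volume, not just presence, drives severity.

```python
"""Flow-log review for lawful-intercept plane access and exfiltration to
consumer web services. Every segment, host, domain and log line here is
constructed for the example; adapt SEGMENTS and the parser to real data."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed asset inventory (assumption: the defender maintains one).
SEGMENTS = {
    "pe_ce_routers": ipaddress.ip_network("10.10.0.0/16"),
    "li_mediation": ipaddress.ip_network("10.99.0.0/24"),   # CALEA gateway plane
    "li_admin_jump": ipaddress.ip_network("10.98.0.0/28"),  # only sanctioned source
}

# Consumer services the briefing names as exfiltration channels.
EXFIL_DOMAINS = {"github.com", "mail.google.com", "anonfiles.com", "file.io"}

# Bytes-out threshold for raising a finding to high severity (assumed tuning value).
EXFIL_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB


def segment_of(ip: str) -> Optional[str]:
    """Return the inventory segment an address belongs to, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Dict:
    """Parse the constructed format 'ts src dst dport sni bytes_out' ('-' = no SNI)."""
    ts, src, dst, dport, sni, bytes_out = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "sni": None if sni == "-" else sni, "bytes_out": int(bytes_out)}


def analyze(lines: List[str]) -> List[Dict]:
    """Apply both rules to a batch of flow records and return findings."""
    findings: List[Dict] = []
    egress: Dict = defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])

        # Rule 1: the CALEA mediation plane is reachable only from the admin jump range.
        if dst_seg == "li_mediation" and src_seg != "li_admin_jump":
            findings.append({"rule": "li_plane_access_from_unsanctioned_segment",
                             "severity": "critical", "ts": f["ts"],
                             "src": f["src"], "dst": f["dst"], "dport": f["dport"]})

        # Rule 2: routers and LI gateways have no business with consumer file/mail services;
        # accumulate bytes per (host, service) so repeated small uploads still add up.
        if src_seg in ("pe_ce_routers", "li_mediation") and f["sni"] in EXFIL_DOMAINS:
            egress[(f["src"], f["sni"])] += f["bytes_out"]

    for (src, sni), total in egress.items():
        severity = "high" if total >= EXFIL_BYTES_THRESHOLD else "medium"
        findings.append({"rule": "infra_egress_to_consumer_service", "severity": severity,
                         "src": src, "sni": sni, "bytes_out": total})
    return findings


# Constructed sample flows: one sanctioned LI access, one pivot from a PE router into the
# LI plane, repeated uploads to GitHub from that router, a small Gmail session from the
# LI gateway, and two benign flows that must not be flagged.
SAMPLE_FLOWS = [
    "2025-01-10T03:12:01Z 10.98.0.5 10.99.0.10 443 - 1200",
    "2025-01-10T03:14:44Z 10.10.4.7 10.99.0.10 22 - 8800",
    "2025-01-10T03:20:05Z 10.10.4.7 140.82.112.3 443 github.com 4000000",
    "2025-01-10T03:25:05Z 10.10.4.7 140.82.112.3 443 github.com 2000000",
    "2025-01-10T03:30:00Z 10.99.0.10 172.217.0.1 443 mail.google.com 50000",
    "2025-01-10T03:31:00Z 10.50.1.2 140.82.112.3 443 github.com 900000",
    "2025-01-10T03:32:00Z 10.10.4.8 93.184.216.34 443 example.org 1000",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_FLOWS):
        print(finding)
```

The segmentation rule is the one that matters most here: an exfiltration rule can be evaded by choosing a service not on the list, but a PE or CE router opening sessions into the interception plane is a policy violation regardless of what tool does it, so it should alert on the first packet rather than on a byte count.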

