ADVERTISEMENT

Company News

T-Mobile Engineers Spotted Hackers Running Commands on Routers

The T-Mobile headquarters in Bellevue, Washington. (David Ryder/Photographer: David Ryder/Bloomb)

(Bloomberg) -- Suspicious behavior on T-Mobile US Inc.’s network devices tipped off the company to a breach that was potentially part of a sprawling cyber-espionage campaign that has raised urgent questions about the exposure of a critical sector of the economy.

Jeff Simon, T-Mobile’s chief security officer, said in an interview with Bloomberg News that while the behavior wasn’t “inherently malicious,” it was unusual enough to draw the attention of the company’s network engineers. In recent weeks, the engineers had spotted unauthorized users running commands on the company’s network devices, seeming to probe the structure of the network, Simon said.

Upon discovery, the engineers booted the bad actors from the network before they got deeper into the network or accessed customer data. 

“That was what initially clued us into some suspicious behavior, discovery-type commands being run on some of our routers and commands that have been known to be related to Salt Typhoon,” he said. Salt Typhoon is the name of an alleged Chinese state-sponsored hacking group that is believed to be behind the campaign.

China has repeatedly denied involvement.

T-Mobile is the first carrier to publicly offer a profile of markers potentially associated with Salt Typhoon, a name given to the hacking group by Microsoft Corp. US officials have accused Chinese state-sponsored hackers of a “broad and significant” spying campaign that has breached multiple telecommunications companies, but the companies believed to be prime targets have said little themselves. 

The hackers, embedded in routers and burrowing deeper into communications networks for months, were able to access details of those subject to lawful surveillance targets - potentially exposing US efforts to track down foreign agents, according to two people familiar with the matter. They also spied on communications belonging to what the FBI has said is a “limited number” of people in government and politics, according to the US. That included President-Elect Donald Trump, Vice President-Elect JD Vance and staffers for Vice President Kamala Harris.

AT&T and Verizon were among the companies breached in the hacking campaign, according to the Wall Street Journal. T-Mobile said it, too, was breached with methods that appeared similar to those used by Salt Typhoon. However, T-Mobile said it was able to contain the intrusion before it left network routers and reached customers’ phones. The company said the threat originated from a “wireline” —- or non-wireless — provider’s network that connected to T-Mobile’s.

On Friday, the White House summoned leaders from the telecommunications industry to a meeting to try to address the series of intrusions that Senator Richard Blumenthal, a Connecticut Democrat, recently described as a “sprawling and catastrophic” infiltration. 

The meeting, which included representatives from AT&T, T-Mobile and Lumen Technologies Inc., lasted about two hours and focused on plotting a path forward with both the private and public sectors, according to participants.

“Telecommunications companies alone are not likely to have success with it if we don’t work together,” said Simon, who represented T-Mobile at the meeting.“And so that’s really what I came out with, is ‘Let’s find ways to work together, private-sector companies and public sector, to be able to combat this sophisticated threat.’”

AT&T Chief Executive Officer John Stankey and Lumen CEO Kate Johnson attended the meeting, according to representatives from both companies. Verizon didn’t respond to a request for comment Tuesday.

The industry has been sharing more information internally in recent months, Simon said, particularly when it’s details the companies can use to combat Salt Typhoon. Threat intelligence firms, security research companies and the US Cybersecurity and Infrastructure Security Agency have also shared intelligence, he said. 

“I can’t promise that absolutely every single one participates at the same level. But in general, we are sharing with them, they are sharing with us,” he said, specifically calling out Verizon as “a standout partner in sharing intelligence with the rest of the community.”

T-Mobile believes its network was less exposed to the threat partly because it’s the only carrier with an end-to-end 5G network, meaning traffic does not pass over older equipment from the 2G, 3G and 4G eras, and it has minimal contact with older wired infrastructure, like cable or copper networks. The 5G technology standard has enhanced encryption and privacy protections built into it, and the physical devices are also guaranteed to be newer.

“Most companies are not regularly, regularly refreshing their 2G infrastructure. They’re putting that money into the 5G or similar,” Simon said.

--With assistance from Katrina Manson and Jamie Tarabay.

©2024 Bloomberg L.P.