US agencies assessed Chinese telecom hackers likely hit data center and residential internet providers


Two U.S. security agencies listed mass media provider Comcast and data center giant Digital Realty among companies likely ensnared by a Chinese hacking group previously found inside major U.S. and global telecom operators, according to three people familiar with the matter.

The National Security Agency made the determination that Comcast had likely been impacted by the group, known as Salt Typhoon, according to two of the people. The Cybersecurity and Infrastructure Security Agency cataloged Digital Realty as being potentially compromised, the third person said. The people spoke on the condition of anonymity to discuss the matter’s sensitivity.

Salt Typhoon breached major telecom carriers in a global, multi-year espionage campaign uncovered last year. Over time, news trickled out about the scope and scale of the incident, which was first reported by The Wall Street Journal.

The hacking unit is part of a broader syndicate of state-backed groups tied to different military and intelligence arms of China’s central government. The “Typhoon” moniker comes from a Microsoft naming convention for Beijing-linked cyber actors.

Such intrusions, especially into a data center environment, could give the hackers a potentially far deeper foothold into infrastructure supporting the world’s information service providers than previously known. The agencies’ assessments have not been previously reported.

There’s uncertainty among officials about who was impacted by Salt Typhoon. Various agencies across the U.S. government are in possession of lists of confirmed or potential victims, but it’s not clear if the tallies are consistent with each other, adding to confusion about who may have been accessed, targeted or marked for investigation, one of the people said. 

CISA, for instance, is in possession of a list of both telecom and information technology companies, but an FBI tabulation shows different entities, two of the people said.

Making investigations into the breach more complicated is that multiple telecom providers have invoked legal strategies to protect themselves from disclosing compromise by the hackers. Inside two major U.S. telecom operators, incident response staff have been instructed by outside counsel not to look for signs of Salt Typhoon, said one of the people, declining to name the firms because the matter is sensitive.

Because they were assessed as likely victims, Digital Realty and Comcast should have been contacted by CISA representatives multiple times since December, one of the people said. It’s not clear if consistent back-and-forth communications were established. CISA tends to initiate outreach to potential victims when it’s believed their networks are compromised, according to another person familiar with the cyber defense agency’s notification process.

An intrusion into either provider could carry significant national security risks. Comcast facilitates internet access for millions of users and businesses, while Digital Realty hosts troves of physical infrastructure used by telecom operators, cloud providers and governments to route global web traffic. 

“As a policy, we do not provide comment on individual entities,” a CISA spokesperson said. The NSA declined to comment, and the FBI did not respond to a request for comment. Comcast and Digital Realty did not return multiple requests for comment.

Nextgov/FCW reported in December that hundreds of organizations were notified of potential Salt Typhoon compromise. Last month, CyberScoop reported that CISA and the FBI devised a coordinated notification campaign to alert affected companies and help them deter the hacks, sometimes providing new data on an hourly basis.

The FBI concurred with other agency assessments that the Salt Typhoon attacks, broadly speaking, are the most egregious national security breach in U.S. history by a nation-state hacking group, one of the people said.

“This would confirm what many of us in the cybersecurity industry already suspected. The Salt campaign was broader than just telcos and we have low confidence the attackers have been evicted,” said Marc Rogers, a seasoned telecommunications cybersecurity expert.

Nextgov/FCW also obtained an internal CISA list of communications sector hardware and software products found to have been exploited by China-linked hacking groups. One of the several vulnerabilities listed affects MikroTik routers and was first discovered in 2018. MikroTik, a Latvian firm, did not return a request for comment. Some of the software flaws exploited by Salt Typhoon were first disclosed in 2018, Nextgov/FCW previously reported.

“Something that isn’t being talked about enough is that the initial way in which these attackers used was almost mostly simple flaws like 8-year-old vulnerabilities and credential theft. Instead of talking about ‘ripping and replacing’ we should be looking at why we aren’t patching or maintaining our critical infrastructure,” Rogers said.

Chinese access into data center and colocation firms would provide the hackers with a different target set compared to messaging services operated by traditional carriers, said Eric Hanselman, the chief technology, media and telecommunications research analyst at S&P Global Market Intelligence.

“The additional risk would be gaining the ability to monitor intra-service and intra-application communications traffic that doesn’t normally traverse the internet backbone. That could include storage traffic moving from colocation environments into cloud or traffic moving from hosted environments into on-premises infrastructure,” he said in an email to Nextgov/FCW. “That traffic might have less robust protections, as it’s not traversing the open internet.”

Digital Realty has over 300 data centers across 25 countries and 50 metropolitan areas, according to a company marketing webpage, which lists Amazon Web Services, Google Cloud, IBM, Microsoft and Nvidia among its clients. The company is considered one of the largest data center colocation providers in the world, housing the physical systems where cloud and telecom networks exchange data.

“We can reasonably assume that these attackers already have sufficient access into internet infrastructure and are looking to expand the depth with which they can monitor other activities that are taking place within data center environments,” Hanselman said.

Comcast’s broadband and cable customer base is around 51 million, while its total wireless customer count totals about 8.1 million, according to recent earnings data.

It’s widely believed that Salt Typhoon hasn’t been excised from telecom systems, despite public statements from companies saying otherwise. On Thursday, Sen. Josh Hawley, R-Mo., said in a Senate Homeland Security Committee hearing that the hackers are still inside.

“If a foreign actor chose to concentrate on any member of the audience here — we were told behind closed doors, of course — but what we were told is that foreign actors basically have unlimited access to our voice messages, to our telephone calls,” he said.

President Donald Trump, Vice President JD Vance and a range of U.S. officials had their calls and texts directly targeted in the Salt Typhoon hacks. The cyberspies accessed providers’ “lawful intercept” systems, used to comply with government orders requiring access to communications metadata for law enforcement investigations.

“If these reports are accurate, they point to yet another serious and deeply concerning example of the Chinese Communist Party targeting America’s digital infrastructure,” a spokesperson for the House China Select Committee said in an email, noting the panel “has repeatedly warned about the CCP’s efforts to exploit access points into our communications networks, and this apparent breach reinforces the urgent need to harden our defenses.”

In March, House Homeland Security Committee chair Rep. Mark Green, R-Tenn., sent a request to DHS asking the agency to transmit internal documents about Salt Typhoon and another Chinese hacking unit, Volt Typhoon, Nextgov/FCW first reported.

“Every new detail that emerges surrounding the Salt Typhoon intrusions teaches us the lengths China-backed hackers will go to undermine the integrity of our critical infrastructure, U.S. sovereignty and the privacy of Americans,” Green said in a statement to Nextgov/FCW, referencing recent testimony from DHS Secretary Kristi Noem saying CISA is lacking detailed information about the telecom hacks.

“My colleagues and I on the committee share this concern, which is why we sent a letter in March to examine the previous administration’s response to the Volt and Salt Typhoon intrusions,” he added.

The Cyber Safety Review Board — a DHS body that was dismissed at the start of the Trump administration — was in the middle of investigating the Chinese telecom hacks. Lawmakers have called for it to be reinstated. CISA has also been mired in budget plans to slash significant parts of its workforce and operations.

“The bold actions of Salt Typhoon — and other state sponsored threat actors from China — demand that we continue to build analytic capacity at CISA and grow the pool of cyber defenders across the federal enterprise,” said Rep. Bennie Thompson, D-Miss., the top Democrat on the Homeland panel. “‘Doing more with less’ is a convenient rally cry for people who want to slash spending — it is also a recipe for disaster that will leave us unaware and unprepared for the likes of Salt Typhoon.”