Arrow-right Camera
The Spokesman-Review Newspaper
Spokane, Washington  Est. May 19, 1883

China’s Typhoon hacks ahead of U.S. election spurred by elite competition

Trump campaign communications adviser Dan Scavino, left, captures cellphone imagery of audience members during a rally on July 27 in St. Cloud, Minnesota.  (Tom Brenner/For the Washington Post)
By Cate Cadell Washington Post

The China-linked hack of at least three major U.S. telecommunications providers that targeted high-level figures in the presidential campaign has sent a shock wave through Washington and, with days left before the election, raised questions about Beijing’s insistence that it intends to stay neutral.

Chinese hackers – dubbed Salt Typhoon by researchers at Microsoft – have breached the networks of Verizon, AT&T, Lumen Technologies and other firms and collected audio calls of U.S. politicians and their staffs, according to researchers and people familiar with the attack. The FBI and the Cybersecurity and Infrastructure Security Agency have launched an investigation into the intrusions.

The full scale of the hack is not yet known, though officials have said that information related to federal requests for wiretaps was targeted, as well as telephones used by former President Donald Trump, Sen. JD Vance, campaign workers in both the Kamala Harris and Trump campaigns, and members of Trump’s family. It’s not immediately clear whether the hackers were successful in gaining data from those people.

“Salt Typhoon’s recent infiltration isn’t just another hack – it’s a high-stakes escalation. It showcases China’s growing cyber-sophistication and relentless ambition to undermine U.S. infrastructure, laying bare the vulnerabilities in our systems,” said Craig Singleton, senior China fellow at the Foundation for Defense of Democracies.

The White House has formed an emergency response team to investigate the scope of the attack; the Department of Homeland Security’s Cyber Safety Review Board will also scrutinize the hack.

While sophisticated Chinese cyberattacks are on the rise, it’s the first time Beijing is known to have targeted presidential election candidates directly. U.S. authorities have said China – unlike Russia or Iran – has taken a more neutral stance in the presidential race but has increasingly sought to influence downballot races, targeting critics of Beijing in state and regional elections with online misinformation campaigns.

For Beijing, the breach becoming public so close to an election may be diplomatically uncomfortable, but it also shows that the country’s spy agencies have made significant gains in a years-long effort overseen by Xi Jinping to reshape a middling cyber-power into a streamlined ecosystem of elite private hacking groups.

Lawmakers have called for answers from telecommunications firms over their apparent failure to secure the systems put in place for federal wiretapping – a potential exploit that analysts say has probably been a high priority for Beijing’s hacking units.

“I’m sure somewhere in China, they’ve got all of the main systems in use by American ISPs [internet service providers]. They’ve got the people breaking down the firmware and analyzing it in incredible detail, setting up network attack simulation laboratories to map out possible avenues of attack,” said Joe McReynolds, a China security studies fellow at the Jamestown Foundation.

“They’ve come a long way from the olden days of anarchic hacker groups and that they struggle to control and co-opt,” he said.

Already this year, the FBI says it shut down a major Chinese government-backed effort by a group dubbed Volt Typhoon to hack U.S. water, communications, transport and energy facilities. In September, the FBI shut down a mass intrusion into hundreds of thousands of internet cameras and other devices that had been infiltrated by a group dubbed Flax Typhoon – which was traced to a Shanghai-listed government cyber-contractor. A separate leak of documents linked to Shanghai-based cyber-firm Anxun Information Technology, also called iSoon, gave unprecedented insights into how private Chinese firms are contracting with the government to lay online espionage traps globally.

The recent string of Typhoon attacks linked to China are known as advanced persistent threats (APTs), in which hackers gain prolonged access to systems. Such intrusions can allow attackers to conduct espionage over time or allow them access to attack or disable systems in the future.

Analysts and Chinese industry insiders say the growing number of these cyber-intrusions can be traced to a major shift in cyber-policy under Xi, which allows Beijing to stockpile potentially valuable software flaws discovered by its civilian hackers.

China’s government since around 2015 has sought to harness civilian talent through state-sponsored war game hacking competitions that have served as talent farms.

The government also introduced a law requiring companies to quietly deliver hackable flaws – like those exploited by Salt Typhoon – directly to state authorities within 48 hours.

Microsoft in a 2022 report said that the rule change was “a major step in the use of zero-day exploits as a state priority” and that the number of intrusions traced to China grew after the change, probably as a result of government agencies gaining access to more vulnerabilities.

Researchers have found an overlap between top firms involved in China’s competitive state hacking circuit and sophisticated APT threats that have targeted groups in the United States and elsewhere.

“The government, realizing the great talent of its own civilian hackers, decided to start tightening their grip on them,” said Eugenio Benincasa, a senior researcher at the Center for Security Studies in Zurich who recently released a report that traces the explosion of Chinese state-run hacking competitions. In 2014, there was not a single domestic hacking competition in China, according to Benincasa; today, there are around 50 a year – many of which are sponsored by Chinese police and state security agencies and bring in thousands of elite hackers to compete in simulated environments.

The report found around half of China’s annual hacking competitions are sponsored by or include technological support from Beijing Integrity Technology Group, the company under investigation by the FBI for its links to the Flax Typhoon attack. The company provides simulated hacking environments called “cyber rages” to Chinese police, military and state universities.

Leading Chinese cyber-firm Topsec – which was traced to the 2015 breach of U.S. insurance giant Anthem – is a sponsor of the Tianfu Cup, one of China’s top state-backed hacker competitions. Within the vast trove of leaked iSoon chats, employees said that zero-day exploits discovered during the 2021 Tianfu Cup were given to a police unit.

Two Chinese cybersecurity professionals who have attended state hacking events in China said these events focus on testing industry-specific scenarios, including attacking and defending against flaws in health care, police and military systems, as well as simulating attacks on large national infrastructure projects.

“Before, the goal was to find the best talent and recruit those people into some police or military unit. Now with the competitions, the goal is to showcase the talent of private companies and research teams … which contract with the government,” said one of the people who works at a Chinese cybersecurity firm and has participated in hacking competitions hosted by China’s Ministry of State Security, the country’s intelligence agency.

The person said that in at least one 2022 competition they participated in, Chinese police were given exclusive use of a zero-day exploit that won a top prize. They spoke on the condition of anonymity because they are not authorized to speak to foreign press.

At the same time Beijing’s state-linked hacking efforts are finding more success, the government has been grappling with how to handle the negative press associated with the leaks. Chinese agencies, officials and state media have accused the United States of strategically releasing new details on cyberattacks ahead of large political events.

In response to reports of the Volt Typhoon attack earlier this year, China’s national cyber response unit took the unusual step of releasing a three-part multilingual report titled “Lie to Me,” in which it claimed the United States had misattributed the hack to Beijing and chosen to strategically make details of the intrusion public – months after its discovery and ahead of a House committee meeting in which FBI Director Christopher A. Wray called for more funding for cyberdefense.

“The U.S. seems to be keen on creating various ‘typhoons’ recently,” said Foreign Ministry spokesman Lin Jian at a news conference in Beijing on Monday, responding to question about Salt Typhoon. He characterized U.S. reports of China’s cyberhacking as “a thief crying out ‘thief.’” After it was revealed Trump and Vance had become targets of the hack, the Chinese Embassy in Washington was quick to release a statement saying the Chinese side had no intention of interfering in the U.S. election.

“China has no intention to and will not interfere in the U.S. election. We hope that the U.S. side will not make accusations against China in the election,” said embassy spokesman Liu Pengyu.