AT&T, Verizon, and Lumen Technologies confirmed that Chinese government-backed snoops accessed portions of their systems earlier this year, while the White House added another, yet-unnamed telecommunications company to the list of those breached by Salt Typhoon.
The digital intrusion, which has been called the “worst telecom hack in our nation’s history,” gave Beijing-backed spies the “capability to geolocate millions of individuals” and “record phone calls at will,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters.
In a statement emailed to The Register, AT&T said the foreign spies compromised “a small number” of its customers in the espionage campaign and added that the PRC-backed crew had since been kicked out of its networks.
“We detect no activity by nation-state actors in our networks at this time,” an AT&T spokesperson said.
“Based on our current investigation of this attack, the People’s Republic of China targeted a small number of individuals of foreign intelligence interest,” the statement added. “In the relatively few instances in which an individual’s information was impacted, we have complied with our notification obligations in cooperation with law enforcement.”
AT&T continues to monitor its networks and work with government officials, other telecom firms, and cybersecurity experts on the investigation, the spokesperson said.
Verizon also confirmed that the Chinese intruders had accessed “a small number of high-profile customers in government and politics.” A spokesperson told The Register that it notified these customers, and has since “contained the cyber incident brought on by this nation-state threat actor.”
An unnamed, “highly respected” cybersecurity company has also confirmed the containment, the Verizon spokesperson added.
According to the operator’s chief legal officer, Verizon partnered with federal law enforcement, national security agencies, other telecom partners, and security firms upon detecting the network activity.
“We have not detected threat actor activity in Verizon’s network for some time, and after considerable work addressing this incident, we can report that Verizon has contained the activities associated with this particular incident,” Verizon’s Chief Legal Officer Vandana Venkatesh told The Register.
Finally, Lumen Technologies, another one of the firms reportedly breached in the attack, told us that it has also booted the Chinese attackers out of its systems, and said it found “no evidence” that customer data was accessed.
“An independent forensics firm has confirmed Salt Typhoon is no longer in our network,” a spokesperson told The Register. “In addition, our federal partners have not shared any information that would suggest otherwise.”
T-Mobile’s security boss previously spoke to The Register about the espionage campaign and said it thwarted successful attacks on its systems “within a single-digit number of days.”
9 telecom firms compromised, White House says
The companies’ admissions come as a top White House official added another unnamed firm to the breach, bringing the total thus far to nine. Neuberger previously said eight had been compromised. Only three — AT&T, Verizon, and T-Mobile US — have confirmed the intrusion.
“The Chinese gained access to networks, essentially had broad and full access,” Neuberger told reporters. “We believe that’s why they had the capability to geolocate millions of individuals, to record phone calls at will, because they had that broad access.”
In one instance, the spies broke into an admin account that then gave them access to more than 100,000 routers, she added. “So, when the Chinese compromised that account, they gained that kind of broad access across the network,” Neuberger said. “That’s not meaningful cybersecurity to defend against a nation-state actor.”
The White House doesn’t yet have a number on how many total people were affected by the breach, she added.
“We believe a large number of individuals were affected by geolocation and metadata of phones; a smaller number around actual collection of phone calls and texts,” Neuberger said. “And I think the scale we’re talking about is far larger on the geolocation; probably less than 100 on the actual individuals.”
Following the intrusion, the White House emphasized the inadequacy of voluntary cybersecurity measures against nation-state threats. The Federal Communications Commission (FCC) launched a public rule proposal requiring basic cybersecurity practices for telecom carriers. The commissioners are expected to vote on the rule by January 15.
In addition to the FCC’s own efforts, US Senator Ron Wyden (D-OR) has also proposed legislation that would require the FCC to issue binding rules for telecom systems.
Plus, according to Neuberger, all of the nine telecom CEOs whose companies were hacked have signed on to the government’s 60-day Enduring Security Framework.
This public-private effort aims to put in place minimum cybersecurity practices that have been agreed upon by intelligence officers, CISA, the FBI, and telecom security experts.