Three more telcos reportedly join China Salt Typhoon victims • The Register

01/06/2025


The list of telecommunications victims in the Salt Typhoon cyberattack continues to grow as a new report names Charter Communications, Consolidated Communications, and Windstream among those breached by Chinese government snoops.

AT&T, Verizon, and Lumen Technologies previously confirmed to The Register that their networks had been compromised by Beijing in what the US government has called a “significant cyber espionage campaign” against American operators. 

The White House last week said at least nine companies had been breached by Salt Typhoon.

In a report over the weekend, the Wall Street Journal added Charter, Consolidated, and Windstream to the list of telecom companies that were compromised.

Charter, Consolidated, and Windstream declined to comment.

The WSJ article also lists T-Mobile among organizations whose networks were compromised by the Chinese spies. However, a spokesperson last week told The Register that “T-Mobile is not one of the nine being referenced by the government.”

Previously, the mobile carrier’s security boss spoke to The Register about the espionage campaign that he said appeared to be “consistent” with Salt Typhoon’s snooping attempts.

Cisco, Fortinet gear used to gain entry

Additionally, the WSJ report says the PRC spies exploited unpatched network devices from Fortinet and Cisco to gain entry to the networks. In at least one of the breaches, the intruders took over a “high-level network management account” that didn’t have multi-factor authentication enabled, and this gave the intruders access to more than 100,000 routers.

This access, which allegedly occurred in AT&T’s networks, “may have allowed the hackers to copy traffic back to China and delete their own digital tracks,” the newspaper noted.

This follows a Justice Department warning from January 2024 that another Chinese-government-linked crew, Volt Typhoon, had infected Cisco routers with malware so that the devices could be used to break into US energy, water, and manufacturing facilities as far back as 2021.

And in the fall, reports emerged that Volt Typhoon was, once again, compromising old Cisco routers to break into critical infrastructure networks and kick off cyberattacks.

Chinese government-linked snoops have also exploited Fortinet vulnerabilities in previous cyberattacks.

AT&T did not immediately respond to The Register’s request for comment. Neither did Cisco or Fortinet.

In addition to the Salt Typhoon intrusions, Chinese spies also allegedly compromised US Treasury Department workstations in late 2024 — capping a year marked by several very targeted intrusions into American critical infrastructure networks. 

These digital break-ins signaled a change in Chinese cyber campaigns from spying as usual to prepping for destructive attacks.

“Every organization should look at this as being put on notice that there are hostile nation state entities,” CrowdStrike Senior VP of Counter Adversary Operations Adam Meyers told The Register in an earlier interview. 

“If you are involved in any degree of business that ties into the broader international ecosystem, or you’re providing services that are of logistical importance for critical infrastructure, you’re in the line of fire,” Meyers warned. ®
