Feb. 4, 2025 - Skeptoid
18:28
Skeptoid #974: Salt Typhoon: The Chinese Phone Hack

What really happened — and what didn't — in the 2024 telecom cyberattack.

Transcriber: nvidia/parakeet-tdt-0.6b-v2, sat-12l-sm, and large-v3-turbo

Injection Attacks Explained 00:07:18
In late 2024, headlines reported that China had successfully executed a massive long-term hack into the American telecom network.
But it came at a time when anti-Chinese sentiment was on the rise in the United States, and many were looking for charges to throw against them.
Were these headlines just propaganda, or did this hack actually happen?
We're going to find out today on Skeptoid.
A quick reminder for everyone, you're listening to Skeptoid, revealing the true science and true history behind urban legends every week since 2006.
With over a thousand episodes, we're celebrating 20 years of keeping it focused and keeping it brief.
And we couldn't have done it without your curiosity leading the way.
And now we're even offering a little bit more.
If you become a premium member, supporting the show with a monthly micropayment of as little as $5, you get more Skeptoid.
The premium version of the show is not only ad-free, it has extended content.
These episodes are a few minutes longer.
We get rid of the ads and we'll replace them with more Skeptoid.
The extended premium show available now.
Come to skeptoid.com and click Go Premium.
You're listening to Skeptoid.
I'm Brian Dunning from Skeptoid.com.
Salt Typhoon, the Chinese phone hack.
Welcome to the show that separates fact from fiction, science from pseudoscience, real history from fake history, and helps us all make better life decisions by knowing what's real and what's not.
In late 2024, news outlets worldwide reported that investigators had discovered a widespread Chinese cyber attack against American cell phone networks.
Many described it as the largest such breach in history.
When it was found that Donald Trump, JD Vance, Kamala Harris, and many of their staffers were included in the attack, a lot of people figured this was part of a coordinated scheme to influence the outcome of the U.S. election.
It also took place during the escalating trade war between the United States and China, and some interpreted that it was Chinese retaliation for the trade war.
The hacker group was called Salt Typhoon, and today we're going to take a deep dive into it and see what it was really about and not about.
Salt Typhoon is the name given by Microsoft security researchers to a large and versatile group of hackers in China.
We don't know what they might call themselves, if anything, but they are known to be a Chinese contractor often used by China's Ministry of State Security.
Salt Typhoon has infiltrated computer systems not just in the United States, but in dozens of countries.
They sometimes steal corporate intellectual property and conduct lots of attacks against hotels to steal their data.
But their main focus is on national counterintelligence systems, trying to find out what their international counterparts know about them.
They are also known by other names given by other security companies.
Earth Estries, GhostEmperor, FamousSparrow, but Salt Typhoon is the most commonly used.
In non-technical language, here is basically how they did it.
The hackers exploited vulnerabilities in certain network hardware devices, like firewalls or routers.
Manufacturers of these devices constantly look out for such vulnerabilities, and when they find one, they issue a software update to patch it.
But owners of the devices do not always apply these updates, leaving the devices open to a publicly known vulnerability.
There are software programs known as penetration tools that will automatically search for certain vulnerabilities.
If you own a website, it has been probed by these tools.
Your server logs probably show that attempts were made to access common URLs of administrators' portals, like /login or /administrator, and many others.
Common usernames and passwords, like admin and 123456, are submitted in bulk, pretty much everything from Wikipedia's list of 10,000 most common passwords.
Obviously, the vast majority of these fail, but occasionally one gets through.
When it does, the hacker is notified, and now he can log into your system as an administrator and start poking around.
This is a relatively dumb attack called a brute force.
But even when it does not succeed, there are other attacks the penetration tool can try.
One of the most common is called an injection attack.
A famous example of this was illustrated in the popular 2007 XKCD comic strip, commonly known as Little Bobby Tables.
When you type information into a web form, such as your username and password on a login screen, you can append database commands to your input that a carelessly secured website might actually execute.
Little Bobby Tables used this to delete the entire student database at his school.
This technique can also be used to install a program on the server, a program which might do anything such as give the hacker access to gain full control over the server.
Another similar technique is called a buffer overflow attack, where so much data is submitted into the form that it can overwrite a poorly secured portion of the server's memory with program code that does whatever the hacker wants it to.
Another very common attack, which Salt Typhoon is known to have used in this case, is called spear phishing.
This is where the hackers identify a specific person at a company who has the kind of access they want.
The hackers then send that person counterfeit emails or texts that ask them to log into their system, which appear to be normal messages from the system.
If it fools the person, they go to a website that looks familiar, but is actually a copy, and they enter their username and password.
But it doesn't go where they think it goes.
Those credentials are sent straight back to the hacker, who can then use them.
There are many such attacks.
These are just a few that illustrate the general idea.
A router or other network device has many of the same features as other servers.
It can be remotely administered, so it has to have these basic features that allow hackers to make the types of attacks just discussed, or variations that are too complex to go into here, but it's the same basic idea.
Once the hacker has gained administrative access to the remote device, they can operate it from their own computer wherever they're located.
There are also tricks they can employ to obfuscate their connection so it's not possible to retrace them back to their actual location.
In the best case, they can use their access to do anything that an admin can do.
Obfuscating Hacker Connections 00:07:12
They can search databases, they can download stuff, and they can delete stuff.
They can create new secret doorways through which they can continue to access the system, even if the credentials or other access method they used initially are changed or blocked.
And it should be stressed that nearly all of this can be automated and executed on a massive scale and at blinding speeds.
Hey everyone, I want to remind you about a truly unique and once-in-a-lifetime adventure.
Join me and Mediterranean archaeologist Dr. Flint Dibble for a skeptoid sailing adventure through the Mediterranean Sea aboard the SV Royal Clipper, the world's largest full-rigged sailing ship.
This is also the only opportunity you'll have to hear Flint and I talk about our experiences when we both went on Joe Rogan to represent the causes of science and reality against whatever it is that you get when you're thrown into that lion pit.
We set sail from Malaga, Spain on April 18th, 2026 and finished the adventure in Nice, France on April 25th.
You'll enjoy a fascinating skeptical mini-conference at sea.
You'll visit amazing ports along the Spanish and French coasts and Flint will be our exclusive onboard expert sharing the real archaeology and history about every stop.
We've got special side quests and extra skeptical content planned at each port.
This is a true sailing ship.
You can climb the rat lines to the crow's nest, handle the sails.
You can even take the helm and steer.
This is a real bucket list adventure you don't want to miss.
But cabins are selling fast and this ship does always sell out.
Act now or you'll miss this once-in-a-lifetime opportunity.
Get the full details and book your cabin at skeptoid.com/adventures.
Hope to see you on board.
That's skeptoid.com/adventures.
By the end of 2024, it's estimated that Salt Typhoon had compromised some 100,000 hardware devices made by Fortinet and Cisco, just inside AT&T's network alone.
In all, it's confirmed that Salt Typhoon breached nine U.S. telecom companies, including Verizon, AT&T, T-Mobile, and six others.
All of this gave the Chinese access to the phone call records of virtually any American they wanted.
Now, this is not really all that surprising, as any competent hacker can get that data.
You don't have to be part of Salt Typhoon.
As recently as January 2025, a 20-year-old American Army soldier was arrested for accessing and selling the call logs of both U.S. presidential candidates Donald Trump and Kamala Harris.
Both had their cell phone call logs at AT&T, and neither had two-factor authentication set up.
This tells us the soldier almost certainly got into AT&T through one of the common attack types discussed earlier.
According to the logs analyzed by security researchers, Salt Typhoon mainly limited their call data theft to several dozen government officials, including campaign staffers of both presidential candidates in the 2024 election.
However, the attack does not appear to have been tied to election-influencing efforts.
China does a lot of that too, but those are very different projects.
So it's a fact that China did get enormous amounts of data about who calls who, mainly this relatively small number of officials, and a lot of data about who stays at what hotels all around the world.
The crown jewel of their hack, however, was the U.S. Department of Justice's database of wiretaps.
This included all the phone numbers that any federal agency was tapping.
This told China who the U.S. was investigating, for any reason.
Perhaps suspected criminals, drug lords, and, most notably, suspected foreign agents.
Assuming that China had spies in the United States, which of course they did and still do now, the wiretap data told them if any of their spies were under investigation.
It also told China what spies from other nations the U.S. was investigating.
From a counterintelligence perspective, this was an enormously successful attack.
What else they might be planning to do with all this data is really a matter of speculation.
It's assumed they use artificial intelligence engines to analyze all this data, looking for patterns, building social connection maps, possibly figuring out who's aligned with who in Washington, and what kinds of projects are getting the most attention.
So, claims that the 2024 telecom hack was an election interference attempt are not true.
Claims that it pertained to the U.S.-China trade war were also not true.
And there's one more thing about it.
Generally, when I pick a topic for Skeptoid, I like for it to be a settled issue, which makes it possible for me to be more comprehensive and have the benefit of hindsight.
However, as of the date of this show, which is February 2025, we have some breaking news on this particular cyber attack.
When it was originally reported in late 2024, it was announced that the investigation would be led by the Cyber Safety Review Board within the U.S. Department of Homeland Security.
The CSRB is intended to be like the NTSB, the National Transportation Safety Board, best known for sending the world's most experienced investigators out to the sites of plane crashes, train crashes, and such, in order to find out what went wrong and prevent it from happening again.
That's exactly what the CSRB had been doing for the few months following the discovery of the cyber attack.
But then, once President Trump took office in January 2025, among his first actions was to fire everyone on the CSRB, all career professional experts.
The ranking member of the House Committee on Homeland Security said, "I am troubled that the president's attempt to stack the CSRB with loyalists may cause its important work on the Salt Typhoon campaign to be delayed."
His use of the term loyalists was a likely reference to a famously impartial member of the CSRB, Chris Krebs, who in late 2020 was the director of the Cybersecurity and Infrastructure Security Agency and was fired by Trump for his agency's finding that Trump's claim that voting machines had been tampered with, contributing to Trump's election loss, was false.
There are still other law enforcement agencies on the job working to track down Salt Typhoon and prosecute them, but the CSRB was the U.S. government's defense strategists for preventing the next such attack.
Apologies if this explanation sounded partisan or was offensive to some.
Skepticism as Medicine 00:03:54
That's not what Skeptoid is about.
But it was necessary to expound how and why the United States is unlikely to construct a timely defense against Salt Typhoon or the next group to follow in their footsteps.
And so, there you have it.
When you hear something in the news that sounds sensational, as this did, your first response should always be skepticism.
When you see wild assertions on social media claiming what it was really about, you should be skeptical.
And when you are, you'll go to primary sources, non-politically biased sources, always, and get the straight dope.
And do one better.
When the subject matter requires a specific expertise to really understand it, in this case, cybersecurity, go to subject matter-specific websites, cybersecurity websites for this event, and find out what the real subject matter experts have to say.
Because as often as not, you'll find the media has sold you a little bit short.
We continue with more on presidential security in recent administrations in the ad-free and extended premium feed.
To access it, become a supporter at skeptoid.com slash go premium.
A great big skeptoid shout out to our premium supporters, including Willie from Calgary, Charles Ullman, Robert McKelvey, and the Hopkins, Minnesota Larson Family Skeptics.
Hello to the Larsons.
Come join in the discussion of this episode in our private Discord channel.
Just visit skeptoid.com/discord.
Teachers, want something cool for your classroom?
Check out our 40-minute movie, Principles of Curiosity, that teaches the basics of scientific skepticism and critical thinking in a far-ranging journey that takes you from the depths of Death Valley to the highest points in space.
It's free on YouTube, and you can download complete lesson plans at principlesofcuriosity.com.
Skeptoid is a production of Skeptoid Media.
Director of Operations and Tinfoil Hat Counter is Kathy Reitmeyer.
Marketing guru and Illuminati liaison is Jake Young.
Production Management and All Things Audio by Will McCandless.
Music is by Lee Sanders.
Researched and written by me, Brian Dunning.
Listen to Skeptoid for free on Apple Podcasts, Spotify, Amazon Music, or iHeart.
You're listening to Skeptoid, a listener-supported program.
I'm Brian Dunning from Skeptoid.com.
Hello, everyone.
This is Adrian Hill from Skookum Studios in Calgary, Canada, the land of maple syrup and moose.
And I'm here to ask you to consider becoming a premium member of Skeptoid for as little as $5 per month.
And that's only the cost of a couple of Tim Hortons double-doubles.
And that's Canadian for coffee with double cream and sugar.
Why support Skeptoid?
If you are like me and don't like ads, but like extended versions of each episode, premium is for you.
If you want to support a worthwhile nonprofit that combats pseudoscience, promotes critical thinking, and provides free access to teachers to use the podcast in the classroom via the teacher's toolkit, then sign up today.
Remember that skepticism is the best medicine.
Next to giggling, of course.
Until next time, this is Adrienne Hill.
From PRX.