Senators Warn the Pentagon: Get a Handle on China’s Telecom Hacking

In a letter to the Department of Defense, senators Ron Wyden and Eric Schmitt are calling for an investigation into fallout from the Salt Typhoon espionage campaign.


US intelligence and law enforcement agencies are scrambling to contain the fallout from a far-reaching Chinese espionage campaign into US telecoms. That includes the Department of Defense; in a letter to the DOD inspector general on Wednesday, senators Ron Wyden of Oregon and Eric Schmitt of Missouri are calling on the Pentagon to investigate its own “failure to secure its unclassified telephone communications from foreign espionage.”

The FBI and the Cybersecurity and Infrastructure Security Agency confirmed publicly on November 13 that the China-linked hacking group known as Salt Typhoon has been embedded in major United States telecom companies for more than a year, running a sophisticated espionage operation that has reportedly targeted high-profile figures like president-elect Donald Trump and his campaign officials as well as subjects of interest on the US Justice Department’s “lawful intercept” wiretap list. Targeted companies include Verizon and AT&T along with a slew of other domestic and international telecoms; US officials have been investigating the situation since the spring.

CISA and FBI officials told reporters on Tuesday that telecom companies are still working to expel Salt Typhoon hackers from their networks and that the US government is actively helping victims clean house while also assisting them in hardening their defenses to prevent new compromise. But government departments like the DOD are also customers of those telecoms—and were themselves exposed.

“This successful espionage campaign should finally serve as a wake-up call to officials across the federal government who failed to shore up the government’s communications security, despite repeated warnings from experts and Congress,” Wyden and Schmitt wrote in their letter to the Defense Department.

The documents attached to the letter include two DOD white papers that the department sent to Congress in July 2024 and October 2024 in which the Pentagon acknowledged that the telecoms it has contracts with have security vulnerabilities that could be exploited by foreign entities for surveillance. The DOD said at the time that for its own use it had mitigated some of the exposures posed by the telecoms’ poor security by using encryption, but the department admitted that other vulnerabilities, like the potential for foreign actors to do location tracking on individual mobile devices, could only be fixed by the telecoms themselves.

In response to questions from Senator Wyden’s office in August, the DOD also said that using encrypted phone communication is “acceptable from a risk management perspective for transmitting (discussing) nonpublic unclassified information.”

The senators also provide evidence in their letter that US telecoms have worked with third-party cybersecurity firms to conduct audits of their systems related to the telecom protocol known as SS7 but have declined to make the results of these evaluations available to the Defense Department. “The DOD has asked the carriers for copies of the results of their third-party audits and were informed that they are considered attorney-client privileged information,” the department wrote in answer to questions from Wyden’s office.

The Pentagon contracts with major US carriers for much of its telecom infrastructure, which means that it inherits not only any corporate security weaknesses those carriers may have but also the legacy vulnerabilities at the heart of their telephony networks.

AT&T and Verizon did not respond to multiple requests for comment from WIRED. T-Mobile was also reportedly breached in the Salt Typhoon campaign, but the company said in a blog post last week that it has seen no signs of compromise. T-Mobile has contracts with the Army, Air Force, Special Operations Command, and many other divisions of the DOD. And in June, it announced a 10-year, $2.67 billion contract with the Navy that “will give all Department of Defense agencies the ability to place orders for wireless services and equipment from T-Mobile for the next 10 years.”

In an interview with WIRED, T-Mobile chief security officer Jeff Simon said that the company recently detected attempted hacking activity coming from its routing infrastructure by way of an unnamed wireline partner that suffered a compromise. T-Mobile isn't certain that the “bad actor” was Salt Typhoon, but whoever it was, Simon says the company quickly stymied the intrusion attempts.

“From our edge routing infrastructure you can’t get to all of our systems—they’re somewhat contained there and then you need to try to move between that environment and another one in order to gain more access,” Simon says. “That requires them to do things that are rather noisy and that’s where we were able to detect them. We’ve invested heavily in our monitoring capabilities. Not that they’re perfect, they never will be, but when someone’s noisy in our environment, we like to think that we’re going to catch them.”

In the midst of the Salt Typhoon chaos, T-Mobile’s assertion that it did not suffer a breach in this instance is noteworthy. Simon says that the company is still collaborating with law enforcement and the telecom industry more broadly as the situation unfolds. But it is no coincidence that T-Mobile has invested so extensively in cybersecurity. The company had suffered a decade of repeated, vast breaches, which exposed an immense amount of customer data. Simon says that since he joined the company in May 2023, it has undergone a significant security transformation. As one example, the company implemented mandatory two-factor authentication with physical security keys for all people who interact with T-Mobile systems, including all contractors in addition to employees. Such measures, he says, have drastically reduced the risk of threats like phishing. And other improvements in device population management and network detection have helped the company feel confident in its ability to defend itself.

“The day we did the transition, we cut off a number of people’s access, because they hadn’t gotten their YubiKeys yet. There was a line out the door of our headquarters,” Simon says. “Every life form that accesses T-Mobile systems has to get a YubiKey from us.”

Still, the fact remains that there are fundamental vulnerabilities in US telecom infrastructure. Even if T-Mobile successfully thwarted Salt Typhoon’s latest intrusion attempts, the espionage campaign is a dramatic illustration of long-standing insecurity across the industry.

“We urge you to consider whether DOD should decline to renew these contracts,” the senators wrote, “and instead renegotiate with the contracted wireless carriers, to require them to adopt meaningful cyber defenses against surveillance threats.”

Additional reporting by Dell Cameron.
