Chinese government hackers infiltrated a major U.S. telecommunications company in summer 2023, almost a full year earlier than previously disclosed, raising serious concerns about national security and the extent of compromised American communications infrastructure.
At a Glance
- Chinese state-backed hackers breached a U.S. telecom company in summer 2023, nearly a year before the publicly known Salt Typhoon campaign
- Hackers deployed the Demodex rootkit, providing deep system access while maintaining their presence for approximately seven months
- The compromised company remains unnamed, but reports have been shared with Western intelligence agencies
- The breach targeted IT administrator systems, potentially exposing sensitive telecommunications data
- China denies involvement, instead accusing the U.S. and allies of conducting cyber operations against Chinese systems
Earlier Breach Discovered
Corporate investigators have uncovered evidence that Chinese government-backed hackers breached a U.S. telecommunications company’s security systems in summer 2023, significantly earlier than previously believed.
This infiltration occurred nearly a year before the public disclosure of the Salt Typhoon espionage campaign, which later compromised multiple American telecom entities including industry giants AT&T and Verizon. The discovery fundamentally alters the timeline of China’s digital infiltration into critical U.S. communications infrastructure and suggests a more extensive compromise than initially understood by intelligence officials.
The US is in the early stages of an investigation into potential Chinese hacking of American telecommunications companies, according to a top intelligence official https://t.co/DwC3Ni8mqB
— Bloomberg Technology (@technology) October 7, 2024
The malware remained active on the company’s systems for approximately seven months, from summer 2023 until late winter 2024. While the specific telecommunications company targeted has not been publicly identified, the investigation report has been forwarded to Western intelligence agencies for further assessment and response. This extended timeline raises serious questions about how much sensitive information may have been compromised during the prolonged unauthorized access period.
NSA Investigating If Chinese Hackers Breached US Telecom Firms https://t.co/zPFufPnAIy
— DCI CyberSec News (@DCICyberSecNews) October 7, 2024
Advanced Malware Deployment
The hackers deployed a sophisticated rootkit called Demodex, which security researchers have linked to Chinese hacking collectives. This particularly dangerous type of malware gives attackers deep-level access to compromised systems and often operates below the detection threshold of standard security measures. The same rootkit was identified in the subsequent Salt Typhoon operations, suggesting a consistent methodology across multiple telecommunications breaches orchestrated by Chinese state-backed hackers.
The attackers specifically targeted IT administrators’ computers at the telecommunications company, potentially giving them privileged access to critical systems and sensitive customer data. This strategic approach maximized the value of the breach by compromising accounts with elevated permissions within the organization’s network architecture. The persistence of the malware until late winter 2024 provided the attackers with an extended window to extract valuable intelligence and potentially establish additional backdoors into the system.
Wyden proposes bill to secure US telecoms after Salt Typhoon hacks – @serghei https://t.co/rVuqTjIipA
— BleepingComputer (@BleepinComputer) December 10, 2024
Chinese Government Response
The Chinese government has firmly denied involvement in these cyber operations, following their standard protocol of rejecting attribution for state-sponsored hacking activities. Officials from Beijing have instead accused the United States and its allies of conducting similar cyber operations against Chinese systems, characterizing the allegations as unfounded and part of a broader pattern of unfair targeting of China. They have called for an immediate end to what they describe as the spread of misinformation regarding Chinese hacking activities.
This discovery underscores the ongoing and escalating cybersecurity threats facing American telecommunications infrastructure. The revelation that system vulnerabilities were exploited earlier than previously known highlights potential gaps in detection capabilities within critical infrastructure sectors. The sophistication of these attacks, coupled with their prolonged undiscovered presence in vital communications systems, presents a serious challenge to national security officials tasked with protecting America’s digital infrastructure from foreign adversaries.