T-Mobile has an infamously poor reputation in cybersecurity due to a pattern of repeated security lapses. The wireless network operator publicly acknowledged eight data breaches between 2018 and early 2023.
One of those attacks, a massive data breach in 2021 that exposed personal data on more than 76 million people and resulted in a $500 million class-action settlement, was widely regarded as the largest carrier breach on record.
That record was challenged in the late spring and early summer when the threat group Salt Typhoon, sponsored by China’s government, infiltrated at least eight U.S. telecom companies. The intrusions, revelations about which came to light this week, resulted in the theft of a large number of records, including metadata and some private communications, as part of a widespread and ongoing espionage campaign.
T-Mobile said it successfully stopped an attacker with striking similarities to Salt Typhoon’s known tactics from maneuvering deeper into its network, preventing the theft of sensitive customer data. In conversation with Cybersecurity Dive on Tuesday, T-Mobile CSO Jeff Simon credited the deterrence to, among other things, the network operator’s efforts to revamp its internal cybersecurity.
Simon spoke with Cybersecurity Dive as details emerged about the broad and unprecedented damages caused by Salt Typhoon’s global campaign.
Editor’s note: This interview has been edited for clarity and brevity.
CYBERSECURITY DIVE: Can you walk me through what happened here? In your blog post last week, you said the threat actor attempted to use their compromise of a wireline provider’s network to access T-Mobile’s systems. Is that what allowed the threat actor to access some of T-Mobile’s routers or was this two separate access vectors?
JEFF SIMON: Let me start a little bit further back in time, just so you get the complete timeline. We’ve obviously been tracking Salt Typhoon for some time, really since the summer of this year we started to get intelligence. It was one of the main threat actors on our radar. We started hunting for the tactics, techniques and procedures that they’re known to be using on our infrastructure.
And frankly, we saw nothing. It was almost surprising how little we were able to find of Salt Typhoon on T-Mobile infrastructure. We did not see evidence of them at all.
Then more recently, while just continuing our normal monitoring processes across our infrastructure, we detected suspicious activity on some of our routers that you’re referencing. That suspicious activity, to this day, we don’t know who was behind it, whether it was Salt Typhoon or another actor, but there were definitely some indications in the behavior we saw. … We don’t have any specific intelligence from our government or private sector partners saying definitely, this is Salt Typhoon.
We detected that activity and we were able to do it fairly quickly from the time that they started the activity. It was a single-digit number of days from them being active, trying to probe our infrastructure and do discovery type activity to us identifying it and being able to close the door.
We were able to track it back pretty quickly to that other telecom provider, the wireline provider, that was the source of the traffic into our network that was essentially targeting our edge routing infrastructure.
CYBERSECURITY DIVE: With the T-Mobile routers that were accessed, it sounded like more discovery there — the threat actor was trying to learn more about the network and perhaps leapfrog from there. Is that how they got access to T-Mobile routers, from this wireline provider’s network access to T-Mobile?
JEFF SIMON: Mostly, yes is the answer to your question. I just might word it a little bit differently. The other provider doesn’t necessarily have access to T-Mobile. I would think of it more as a peering relationship between the two telecom operators, where we leverage their backhaul network for transport. That’s the relationship.
It’s not that the wireline provider had specific provisioned access into our environment. When you say access it sounds like there’s other human users at that other telco that we would expect to be logging into our systems. Not the case. This was a communications-type setup. We use them for backhaul-type communications.
CYBERSECURITY DIVE: Can you explain how they got access to T-Mobile’s routers? Did they exploit a vulnerability in T-Mobile’s routers? I’m still kind of hung up on that piece.
JEFF SIMON: If I were you, I’d be asking the same question. I’m going to do my best to give you a robust answer, but please also understand that their behavior here was especially unique and it was rather recent. We believe this to be a valuable piece of intelligence that we’ve shared with our government and telecom partners. We don’t want them to know that we know some of their behavior and tactics.
Our understanding is that for other telecom providers, it’s likely the threat actor has been in their environment for some time, perhaps years. I don’t have firsthand knowledge of that. That’s just our understanding from public media reports and briefings.
In those cases, it’s very, very difficult to discover how the actor gained initial access, so you could have confidence that you evicted them or not, because they’ve kind of embedded themselves over that long period of time before they were discovered.
We have a unique case here where we were able to discover them quickly and find their access point and how they were able to do some unique things there that perhaps most companies aren’t thinking of. We think that’s valuable intelligence, so I don’t want to share too much detail there.
But, I can tell you, there wasn’t a vulnerability exploit in the T-Mobile case. There’s no CVE number that was exploited in order to gain this access. I would say they took advantage of how typical communications across networks works. And I’m sorry it’s a little cagey.
CYBERSECURITY DIVE: I get that and I appreciate the need to not give away too much. Can you say how many routers were ultimately compromised and have you replaced those routers? What was your process there to make sure everything’s cleaned up?
JEFF SIMON: They attempted to access a very small portion of our router environment, certainly less than 1% of our infrastructure, just to give you a little bit of size and scale. That’s due to a few factors — the nature of our network is such that it’s not one big flat network, it’s layered.
You would need to move from our edge routing infrastructure that would be exposed to other telecoms to other internal networks to be able to access more of our environment. And frankly, that’s where we see them doing discovery. We assume that they’re trying to find ways to move through our layers of defense as they do discovery, and we caught them.
No, we have not replaced [the routers], and don’t see a need to, and our forensics partners don’t see a need to.
CYBERSECURITY DIVE: This all happened very recently, like you mentioned in the blog post too, just within the last few weeks. I was kind of picking up on your initial statement — not that you felt left out, but maybe a little bit concerned that you weren’t seeing this activity on your network until then.
Do you have anything more to share on that? It does seem a bit odd. This group, and I know that you can’t confirm it was them for sure, but they were targeting, it seems, every network provider in the country and elsewhere.
JEFF SIMON: I can’t speak to that they were targeting absolutely every other telecom, but certainly they have been publicly reported to target a number. I think the best way to answer your question is, this is why we perceive that we may be different. I don’t know, of course, with certainty.
There’s a lot that’s unknown about this actor and how they operate.
If you think about our network, it’s very, very different than most other telecommunications sources, especially the ones that have been reported to be impacted by Salt Typhoon. There’s a few big differences.
First, our network is only in the United States. We don’t own and operate networks outside of the United States. The other companies that have been reported to be impacted, they do. So that makes the environment a lot more simple to manage. It has a lot less exposure points, especially sitting out in other countries that may be more complex to manage security around.
We don’t operate a wireline network, unlike some of our competitors that have been named to be impacted in this event, that do operate very big and robust wireline networks.
We operate a 5G wireless network in the United States, and that 5G wireless network is a standalone 5G network, meaning it is essentially the latest technology in wireless communications. … With the other telecom providers you’re running on a 4G network. Even when it says you’re on 5G, the control plane traffic for your phone is on 4G. They don’t have a 5G core.
Your 4G infrastructure is going to be older, obviously, and our 5G infrastructure is much newer. So you kind of add these things up, our network is very different and it’s likely that those things help us against cyberattacks broadly: a smaller footprint, more easily managed and much more modern.
CYBERSECURITY DIVE: Federal officials have been warning about this threat for about a year, specifically citing telecom as a target of China-linked threat actors who are intruding networks. Early on, they talked about them effectively lying in wait for potential follow-up attacks in the future. Officials with the FBI and CISA held a media call this morning and said they still can’t say with certainty the scope of the impact of this campaign or if the threat group has been evicted from any network it already gained access to.
I share all that to ask, what gives you confidence that China-linked threat attackers did not intrude your systems? Is there a chance you missed something or the threat actor effectively hid their activities?
JEFF SIMON: With our private and public-sector partners, we’ve been hunting for this adversary since we started seeing those threat briefings that you mentioned and the public communications about them.
Of course, critical infrastructure has been a target of cyberattacks for a very long time. It’s not a new topic for this industry.
This specific targeted attack by Salt Typhoon started over the summer, and we’ve worked with our partners to hunt for it in our environment. We’ve worked with our partners to look through their intelligence for where they’re seeing data coming out of telco networks or other signs of compromise from telco networks. And we just consistently have not seen activity.
What gives me confidence is that we’ve been looking as hard as anyone I think could possibly, looking with all the partners we could possibly hunt with, and we’re all seeing nothing. Now, of course and more recently as I mentioned, we saw some activity that may be related, but don’t know, it could be, and we shared that.
We have confidence that we were able to see what they did in the short time that they were attempting to move around and gain access to our environment. We have very robust logging from that period. We’ve gone through it. We’ve had third party partners go through it.
That’s what gives us confidence that we know where they were, we know what they were trying to do, and we have confidence that the actions we took evicted them.
Of course, with a sophisticated actor like this, it could all change tomorrow. If this really is a Chinese-government sponsored cyber campaign, that’s a very, very capable adversary that has access to things like zero-day vulnerabilities that we can’t possibly fix. There’s no patch for them. So if it is that adversary, and they’re going to be persistent, certainly what we know could change tomorrow.
The reality for our company or others could change tomorrow, and if that happens, we’ll keep our stakeholders apprised of it.
CYBERSECURITY DIVE: Underscoring what you were talking about with T-Mobile’s network infrastructure, it really is an outlier and unique in this space. That said, T-Mobile’s track record preventing attacks isn’t great. It’s been less than a year since T-Mobile disclosed the last major attack impacting customers. And a lot of that network infrastructure was already in place then.
Can you share more about the extent to which the company has changed and was able to prevent such a highly motivated nation-state threat group from causing more serious damage?
JEFF SIMON: Yeah, and you’re absolutely right. T-Mobile has had a number of cybersecurity challenges in the past. The company has really undertaken a massive investment and commitment to improving cybersecurity, probably an unprecedented one.
I’ll give you some examples and how that might relate to the Salt Typhoon campaign that we see.
One of the things that is alleged to be a technique used by Salt Typhoon is credential theft. Multifactor authentication is particularly important in defending against this attack, and certainly that’s been widely known for many years in the industry that that’s a key control.
That’s a control T-Mobile didn’t have in place a few years ago. Multifactor authentication was not used broadly and we’ve done a complete 180 today at T-Mobile.
Every single human that accesses our system uses FIDO2 authentication to do it, and not just when they log in from the outside, but even internally. We use FIDO2 authentication wherever technically feasible.
The vast majority of our workforce does not even know their password, it’s 128 random characters and changes every week. …
When you look at the public reporting about some of the things that the Salt Typhoon actor is doing, like credential theft, well it kind of makes sense why credential theft is not a very effective way to attack T-Mobile.
T-Mobile’s been working on cybersecurity for some time. I can’t claim like I showed up 18 months ago and the whole world changed. But certainly, the last few years have been a dramatic and profound change to the cybersecurity capabilities of T-Mobile.
I’m not claiming that we are done in any way. There is a lot more work left to do.
The adversaries are going to keep getting more difficult — I mean, you see that in this case.
What this actor is alleged to be doing, it’s one of the most sophisticated campaigns that’s likely been seen by private industry in the United States. So we’re going to have to keep upping our game, we’re committed to doing that, and we’re going to do our best to outpace the adversary every day.