T-Mobile Says Customer Data Was Not Exposed in Recent Cyberattack

• T-Mobile unveiled being hit by a cyberattack recently but underscored customer information was not accessed.
• The telco announced that it managed to cut off the attackers, preventing calls, voicemails, or texts from being exfiltrated.
• The attackers’ techniques are similar to Salt Typhoon, but no definitive links have been established between them.

T-Mobile announced on Wednesday that they successfully thwarted a recent cyberattack, preventing unauthorized access to sensitive customer data. T-Mobile says it severed the connection to the compromised network, halting the attackers’ progress and protecting customer information. 

Jeff Simon, T-Mobile's Chief Security Officer, confirmed in a blog post that the company detected malicious activity originating from an unspecified wireline provider's network, which was connected to T-Mobile's systems. Simon noted, "Bad actors had no access to sensitive customer data, including calls, voicemails, or texts."

The announcement follows reports linking Chinese-backed cyberespionage group Salt Typhoon (aka Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) to recent attacks on major telecom providers, including AT&T, Verizon, and Lumen. 

These hackers reportedly exfiltrated sensitive customer call records, intercepted private communications, and accessed information directed to law enforcement under court orders. 

However, while T-Mobile identified similarities in the attackers’ techniques, no definitive links have been established between this incident and Salt Typhoon.

Further complicating the situation, the FBI and CISA have been investigating what is described as a “broad and significant cyberespionage campaign” by Chinese-affiliated actors. This campaign reportedly disrupted communications for political figures and infiltrated devices linked to campaign personnel ahead of the 2020 U.S. presidential election.

Additionally, Simon represented T-Mobile at a recent White House meeting to discuss national-level cyber threats, further underscoring the company’s role in safeguarding critical infrastructure.

Other major players like AT&T and Verizon reportedly suffered breaches, emphasizing the growing need for collaboration among telecom firms to combat these large-scale attacks, which first surfaced when hackers accessed sensitive customer data stored on Snowflake accounts that lacked adequate protection. 

In other news, security investigators are trying to identify a notorious hacker known as “Kiberphant0m,” believed to be behind significant data theft and extortion schemes targeting cloud storage platform Snowflake customers, including AT&T and more. Recent evidence strongly suggests that Kiberphant0m might be a U.S. Army soldier who is or was recently stationed in South Korea.

Salt Typhoon, which has been active since at least 2019, is known for its focus on breaching government and telecommunication entities in Southeast Asia. The group is now linked to recent breaches in North America. 

In parallel, Chinese government-backed cyber espionage group Volt Typhoon has been identified in similar infiltration activities involving internet service providers in the United States and India. 

Lumen Technologies Inc.’s unit Black Lotus Labs' security researchers announced in October that they suspect Volt Typhoon to be behind the cybercriminal campaign that started on June 12.