Top FBI cyber official: Salt Typhoon ‘largely contained’ in telecom networks
The Chinese hackers behind the massive telecommunications sector breach are “largely contained” and “dormant” in the networks, “locked into the location they’re in” and “not actively infiltrating information,” the top FBI cyber official told CyberScoop.
But Brett Leatherman, new leader of the FBI Cyber division, said in a recent interview that doesn’t mean the hackers, known as Salt Typhoon, no longer pose a threat.
While there’s been some debate about whether Salt Typhoon should be getting more attention than fellow Chinese hackers Volt Typhoon — whom federal officials have said are prepositioned in U.S. critical infrastructure, poised for destructive action in the event of a conflict with the United States — Leatherman said the groups aren’t as different as some think.
“Salt Typhoon, even though it was [an] espionage campaign, had access to telecommunications infrastructure,” he said. “You can pivot from access in support of espionage to access in support of destructive action.”
The number of telecommunications companies victimized in the United States stands at nine, according to Leatherman. But there have been additional revelations about victim companies as a result of the United States sharing information about breach specifics and Salt Typhoon tactics with nations in Europe and North America, he said.
As the head of the division, Leatherman said his priorities are consistent with those of the recent past: “prioritizing our assistance to victims while imposing costs on the bad actors, and that is both nation-state and criminal actors.”
He disputed criticisms of the federal government’s efforts to work with Salt Typhoon’s victims. “There is not one company I can think of who was victimized that we were not engaged with on a cadence that they preferred to be engaged with us,” Leatherman said.
The “imposing costs” step is still ahead.
“Right now we’re very focused on resilience and deterrence and providing significant support to victims,” Leatherman said. To go on offense, they need “additional attribution,” and that provides opportunities “to conduct joint sequenced operations,” he said.
Kicking the hackers out of the telecommunications networks is difficult, because the longer they have a foothold there, the more ways they can “create points of persistence” to hang on, Leatherman said.
Other threats are getting FBI attention, too, he said. The bureau has been part of law enforcement efforts to crack down on North Korean scam IT workers.
In monitoring their tactics, there hasn’t been much of a shift in response to the attention from authorities, Leatherman said. “It’s very common right now how they get in,” he said.
But there are a number of things that are worrisome about the threat, namely “the insider risk that that poses.” The fear for the future is “that they shift to more intellectual property theft,” or brokering access to China or others “to have follow-on effects to those networks.”