T-Mobile security chief insists its defenses stood up to attacks linked to Salt Typhoon
No T-Mobile customers or services were affected after its security teams detected suspicious activity on their routers


T-Mobile was able to protect sensitive customer information and prevent disruption to its services after detecting malicious attempts to infiltrate its systems, according to its security chief.
Jeff Simon, chief security officer at T-Mobile, published an update on a string of recent cyber attacks targeting wireless companies, believed to be orchestrated by the Salt Typhoon group.
The update states that the attacks originated from the network of one of T-Mobile’s wireline providers that it was connected to, but Simon said connectivity to the provider’s network, which may still be compromised, was quickly severed.
Simon noted that unlike other providers, and despite media reporting, T-Mobile’s customer information was not impacted.
“Many reports claim these bad actors have gained access to some providers’ customer information over an extended period of time – phone calls, text messages, and other sensitive information, particularly from government officials. This is not the case at T-Mobile,” he wrote.
“Our defenses protected our sensitive customer information, prevented any disruption of our services, and stopped the attack from advancing. Bad actors had no access to sensitive customer data (including calls, voicemails or texts).”
Speaking to Bloomberg, Simon said T-Mobile’s network engineers discovered the attack after noticing suspicious behavior on some of the company’s network devices.
The behavior wasn’t “inherently malicious” but may have been used to gain a clearer understanding of the company's corporate network, with threat actors probing for potential lateral movement opportunities.
Simon stated that T-Mobile’s layered network design, featuring network segmentation and robust monitoring, partnerships with third-party cyber experts, and its swift response all helped to prevent the attackers from causing further damage.
Salt Typhoon is on a rampage
Although T-Mobile was unable to “definitively identify” the attacker’s identity, the behavior is consistent with previous attacks carried out by the Salt Typhoon group.
Trend Micro published a report on 25 November detailing previous activity of Salt Typhoon (also known as Earth Estries, Ghost Emperor, or UNC2286).
The report stated the group has primarily targeted critical sectors such as telecommunications and government entities across the US, Asia, Middle East, and South Africa since 2023 and potentially even earlier.
“The group employs advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian telecommunications companies and government entities,” Trend Micro outlined.
“Earth Estries exploits public-facing server vulnerabilities to establish initial access and uses living-off-the-land binaries for lateral movement within networks to deploy malware and conduct long-term espionage.”
According to the report, the group has compromised over 20 organizations in the telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies.
Reports of Salt Typhoon infiltrating internet service providers (ISPs) in the US came out in September 2024, with the Wall Street Journal confirming in October that major players Verizon Communications, AT&T, and Lumen Technologies were among a list of companies whose networks were breached.
Unnamed sources familiar with the matter told the WSJ that the access may have allowed the group to access information from systems the federal government uses for court-authorized wiretapping, describing the compromise as “potentially catastrophic”.
T-Mobile appears to have avoided the worst impacts of Salt Typhoon’s campaign, according to Simon, who added that he had recently attended a meeting of leaders at the White House to discuss how the industry can work together to mitigate the threats the group poses and avoid further damage.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.