Federal cyber authorities on Tuesday said a wave of China-linked attacks on U.S. telecom networks is so widespread and actively evolving that officials still don’t know the full extent of damages caused by the global espionage campaign or what remains at risk.
The FBI began investigating Salt Typhoon, a China-affiliated threat group, and its successful compromise of multiple telecom and internet service providers’ networks in the late spring, a senior FBI official said Tuesday during a media briefing.
Salt Typhoon stole a large amount of records, including data about where, when and whom customers of the compromised networks are communicating with, officials said. This tranche of stolen data did not include audio or text and the broad collection of data mostly impacted users based in the greater Washington area, a senior FBI official said.
The threat group also compromised private communications, including audio and text content, of targeted individuals who are primarily involved in government or political activities. The FBI has notified people whose calls or text messages were directly intercepted by Salt Typhoon.
Officials declined to name any of the victim networks or quantify the number of people impacted by the China-sponsored threat group’s ongoing campaign.
The scope of Salt Typhoon’s activities confirmed by authorities thus far is expansive, and the group remains a persistent threat, with its continued presence pointing to potential follow-on malicious activity. The threat group is still embedded in multiple networks and has not been evicted from any compromised network to date, officials said.
“We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing,” said Jeff Greene, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency.
“I have confidence that we are on top of it in terms of tracking them down and seeing what's going on, but we cannot, with confidence, say that we know everything, nor would our partners,” Greene said.
The implications of the activity federal officials have linked to the China-affiliated group to date are serious.
“Each victim is unique. These are not cookie-cutter compromises in terms of how deeply compromised the victim might be or what the actor has been able to do,” Greene said. “We're still figuring out just how deeply and where they've penetrated, so until we have a complete picture, it's hard to know the exact parameters of how to kick them off.”
Officials have not observed any novel techniques from Salt Typhoon, but rather activities that take advantage of existing weaknesses in network infrastructure.
Carriers urged to fortify defenses
CISA, the FBI, the National Security Agency and cyber authorities in Australia, Canada and New Zealand on Tuesday released hardening guidance designed to bolster the defenses of communications infrastructure and help telecom providers prevent or mitigate potential follow-on attacks.
Officials encouraged the use of encrypted communications applications and specifically called out the need for network engineers and defenders to address the risk of exploitation of Cisco devices, including specific Cisco features that have been targeted by the China-affiliated threat group’s activity.
The guidance did not mention specific vulnerabilities, but authorities advised organizations to refer to Cisco’s hardening guides for NX-OS software devices and IOS XE, the vendor’s operating system for networking devices. A pair of CVEs affecting Cisco IOS XE were the third and fourth most routinely exploited vulnerabilities last year.
The latest update from cyber authorities marks an escalation of the most prolific and far-reaching attack spree on critical infrastructure discovered this year. Officials were also reluctant to acknowledge the extent of damages, underscoring the real potential for more dire consequences as they learn more about Salt Typhoon’s activities.
The FBI and CISA launched a formal investigation into the China-linked attacks on telecom infrastructure in late October. By mid-November, officials described the compromise of global telecom networks as a “broad and significant cyber espionage campaign.”
Salt Typhoon is one of three highly motivated and active threat groups affiliated with China’s government, which cyber authorities have tracked with increasing concern this year.
In February, the Five Eyes warned that Volt Typhoon, as part of an extensive effort to maneuver in preparation for future attacks, already infiltrated numerous transportation, energy, communications, and water and wastewater systems. In September, the FBI disrupted a massive botnet linked to another China-linked threat group known as Flax Typhoon.