On Wednesday, Bloomberg reported that U.S. investigators have found evidence that Chinese state-backed hackers covertly broke into a U.S. telecommunications company in the summer of 2023, pushing the earliest known intrusion of this kind back further than previously reported.
Citing people familiar with the matter and a document, the report said that security investigators working for the telecom company found that malware used by a Chinese government-backed hacking group had been present in the company's systems for seven months, starting in the summer of 2023. The document, an unclassified report submitted to Western intelligence agencies, redacts the name of the company where the malware was found, and the sources spoke on condition of anonymity.
It wasn't until 2024 that the U.S. government and cybersecurity firms began paying attention to Chinese hackers penetrating several large U.S. telephone and wireless network operators. The government attributed those intrusions to a Chinese hacking group it calls "Salt Typhoon."
Representatives from the CIA, NSA, FBI, and the Cybersecurity and Infrastructure Security Agency all declined to comment on the matter.
In the Salt Typhoon intrusions, Chinese hackers breached AT&T, Verizon, and seven other U.S. telecom companies, stole personal information on millions of Americans, and targeted the phones of then-presidential candidate Donald Trump, his running mate JD Vance, and then-Vice President Kamala Harris, the Democratic candidate.
Laura Galante, who directed the Office of the Director of National Intelligence's Cyber Threat Intelligence Integration Center from 2022 until January 2025, said in written testimony to Congress in April that the campaign had been active for several years, "breaking through the multiple layers of protection of several major telecom networks."
A person familiar with the matter said that several operators detected the Chinese hackers in their networks only after being tipped off by U.S. intelligence agencies.
During the response to the Salt Typhoon intrusions, U.S. intelligence agencies recommended that companies search their systems for a specific piece of malware associated with Chinese actors, known as Demodex. Two other sources confirmed this.
Demodex is a rootkit: it hides on the infected machine and gives the operators covert, persistent access to it. Several cybersecurity firms have reported Chinese hacking groups using Demodex against telecom companies and governments in Southeast Asia.
Allan Liska, a threat analyst at the security company Recorded Future, cited attacks involving Demodex on telecom companies in Thailand, Afghanistan, and Indonesia, and linked them to Chinese hacking groups such as Salt Typhoon.
Michael Freeman, head of threat intelligence at the cybersecurity company Armis, said the malware was developed by people working for China's Ministry of State Security, and that his company had tracked one of its developers for years.
In the 2023 intrusion at the U.S. telecom company, the hackers compromised the computer of one of the company's IT administrators. According to the report submitted to U.S. and other Western intelligence agencies, the investigation found that the malware remained in the company's systems until late winter 2024.
Because Demodex leaves so few traces, it remains unclear what the attackers did after gaining access to the machines.
The report said the malware included code that could temporarily disable Microsoft Defender, the antivirus built into Windows. While Defender was switched off, the malware took steps to conceal itself and its subsequent activity.
Representatives from Microsoft declined to comment.
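The Defender-disabling behaviour described above leaves a footprint that defenders can look for: Defender writes an event to the Microsoft-Windows-Windows Defender/Operational log whenever real-time protection or scanning is turned off or back on. The script below is an added example, not code from the Bloomberg report, the telecom's incident report, or any Demodex sample. It reads tab-separated event records (timestamp, event ID, message), pairs each "protection disabled" event with the matching "protection enabled" event, and reports the resulting gaps, flagging brief ones because a short off-then-on window is exactly the pattern the report describes and is easy to miss in a busy log. The event IDs are Microsoft's documented Defender IDs; the sample records are constructed for this example and describe no real host.

```python
"""Find windows in which Microsoft Defender protection was switched off.

Added example; not code from the Bloomberg report, the incident report it
cites, or any Demodex sample. Event IDs are Microsoft's documented IDs for the
Microsoft-Windows-Windows Defender/Operational log. SAMPLE_LOG is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# "Protection turned off" events, keyed by event ID.
PROTECTION_OFF = {
    5001: "real-time protection disabled",
    5010: "malware/PUA scanning disabled",
    5012: "virus scanning disabled",
}
# "Protection turned on" event -> the "off" event it closes.
PROTECTION_ON = {5000: 5001, 5009: 5010, 5011: 5012}
# Configuration-change events; not a gap by themselves, but worth correlating.
CONFIG_CHANGED = {5004, 5007}


@dataclass
class Gap:
    feature: str
    start: datetime
    end: Optional[datetime]  # None: never re-enabled within the log

    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


def parse_record(line: str) -> Tuple[datetime, int, str]:
    """Parse 'ISO-8601 timestamp<TAB>event id<TAB>message'."""
    ts, eid, msg = line.split("\t", 2)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), int(eid), msg


def find_protection_gaps(lines: Iterable[str]) -> List[Gap]:
    """Pair each disable event with the next matching enable event."""
    open_gaps: Dict[int, datetime] = {}
    gaps: List[Gap] = []
    for line in lines:
        if not line.strip():
            continue
        ts, eid, _ = parse_record(line)
        if eid in PROTECTION_OFF:
            open_gaps.setdefault(eid, ts)  # keep the earliest disable
        elif eid in PROTECTION_ON:
            off_id = PROTECTION_ON[eid]
            if off_id in open_gaps:
                gaps.append(Gap(PROTECTION_OFF[off_id], open_gaps.pop(off_id), ts))
    # Anything still open was disabled and never re-enabled in this log.
    for off_id, start in open_gaps.items():
        gaps.append(Gap(PROTECTION_OFF[off_id], start, None))
    gaps.sort(key=lambda g: g.start)
    return gaps


def brief_gaps(gaps: List[Gap], at_most: timedelta = timedelta(minutes=30)) -> List[Gap]:
    """Closed gaps no longer than `at_most`: the 'briefly off, then back on' pattern."""
    return [g for g in gaps if g.end is not None and g.duration() <= at_most]


def config_change_times(lines: Iterable[str]) -> List[datetime]:
    """Timestamps of Defender configuration changes, for correlation with gaps."""
    return [parse_record(l)[0] for l in lines if l.strip() and parse_record(l)[1] in CONFIG_CHANGED]


# Constructed sample records (not from any real host or from the incident).
SAMPLE_LOG = [
    "2023-07-14T02:13:05Z\t5007\tMicrosoft Defender Antivirus Configuration has changed.",
    "2023-07-14T02:13:06Z\t5001\tMicrosoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software has been disabled.",
    "2023-07-14T02:13:06Z\t5010\tMicrosoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.",
    "2023-07-14T02:21:40Z\t5000\tMicrosoft Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software has been enabled.",
    "2023-07-14T02:21:40Z\t5009\tMicrosoft Defender Antivirus scanning for malware and other potentially unwanted software is enabled.",
    "2023-07-20T09:00:00Z\t1001\tMicrosoft Defender Antivirus scan has finished.",
    "2023-08-02T23:58:11Z\t5012\tMicrosoft Defender Antivirus scanning for viruses is disabled.",
]

if __name__ == "__main__":
    found = find_protection_gaps(SAMPLE_LOG)
    for g in found:
        d = g.duration()
        print(f"{g.feature}: {g.start.isoformat()} -> "
              f"{'still off' if d is None else f'{g.end.isoformat()} ({d})'}")
    print("brief off/on windows:", len(brief_gaps(found)))
    print("config changes:", [t.isoformat() for t in config_change_times(SAMPLE_LOG)])
```

On a real host the records would come from the Operational log (for example via `Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational"`), exported in the same three-column form. Two caveats apply. First, malware running with administrator or kernel privileges can clear this log or stop the event log service, so a log with no disable events is inconclusive; forward Defender events to a collector off the host so the record survives. Second, Defender's Tamper Protection exists to block exactly this kind of switch-off, so its state on the affected machines is the next thing to check.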
The Chinese government has consistently denied involvement in the hacking, accusing the U.S. of spreading disinformation and saying that China is itself a victim of cyberattacks.
(Partially based on Bloomberg’s report)
