Security researchers have warned for years about the increasing sophistication of state-sponsored hacking groups, particularly those from China. On the radar of Congress.gov’s Congressional Record is the infamous Typhoon family: Volt Typhoon, Flax Typhoon, and Salt Typhoon—actively targeting government agencies, critical infrastructure, and telecommunications operators in the U.S.
One school of thought suggests that Salt Typhoon, given its penchant for telecom providers, may be the group behind telecom-related gift card scams. This widespread financial fraud depends on unauthorized access to internal customer records, including account balances.
Meet the Typhoon Family: Members of China’s Cyber Espionage Team
· Volt Typhoon: The Stealth Operator
Volt Typhoon is a state-backed group that most often targets U.S. critical infrastructure, including the communications, energy, and transport sectors. Instead of deploying malware, its modus operandi is living-off-the-land (LOTL): it uses built-in administration tools such as PowerShell and Windows Management Instrumentation (WMI) so that its activity blends in with normal Windows system and network behavior and evades detection. Its end-game appears to be pre-positioning on IT networks to enable lateral movement to OT assets for crippling attacks in the event of rising geopolitical tensions.
· Flax Typhoon: The Silent Observer
Flax Typhoon pursues long-term espionage, targeting not only critical infrastructure but a wide array of organizations, including government institutions and commercial entities. It takes over thousands of internet-connected devices, such as cameras, video recorders, and storage devices, to form a botnet that it uses to compromise systems and steal sensitive information. Its intrusions commonly exploit known vulnerabilities in enterprise applications. This low-and-slow strategy lets the group maintain long-term access without being detected by security teams, suggesting that it is quietly positioning itself for future cyber disruptions.
· Salt Typhoon: The Telecom Intruder
Salt Typhoon is the most relevant group in this case. Unlike Volt and Flax, Salt Typhoon specifically targets U.S. telecommunication providers. It has been able to breach almost every major U.S. telecom company, including those handling mobile and broadband services, primarily by exploiting vulnerabilities in network hardware such as routers and switches.
Salt Typhoon also breached the lawful-intercept systems that U.S. carriers operate under the Communications Assistance for Law Enforcement Act of 1994 (CALEA). CALEA requires telecom companies to design their networks so that targets under active, authorized surveillance can be wiretapped. The data available through these systems includes call records giving the timing, length, and parties of conversations, along with geolocation information used for tracing calls and travel patterns.
Salt Typhoon successfully breached CALEA systems at several major telecom companies, giving it the ability to see which phone numbers were currently under surveillance, intercept phone calls and text messages of chosen targets, access metadata recording when calls or texts were made and to whom, and identify the cell tower from which a communication originated, revealing a target's approximate location.
While Salt Typhoon’s primary objective appears to be espionage, its access to internal customer databases raises concerns about potential financial fraud. If Salt Typhoon successfully infiltrated not just Comcast Xfinity but also AT&T and Spectrum, it could have extracted customer account balances, allowing scammers to impersonate service representatives and manipulate victims into participating in fraudulent transactions.
The Comcast Gift Card Scam: A Coordinated Cyber Attack?
The Comcast gift card scam involves scammers contacting subscribers and claiming they qualify for a discount promotion. Victims are asked to purchase gift cards and to read the card number back to a service representative in order to claim their prize. Once they obtain the gift card numbers, however, the scammers cash them out, and the victims lose money.
The larger question here is how scammers obtained such sensitive internal customer information. The crooks had complete information about customers' accounts, including plans and balances, something that is possible only through insider knowledge or by accessing internal networks. Considering Salt Typhoon's reported penetration of U.S. telecom operators, is it possible that it exploited unpatched vulnerabilities to breach customer databases?
Salt Typhoon is known to employ credential theft techniques that allow it to move laterally within networks. Once inside Comcast's infrastructure, it could have accessed customer service portals to retrieve account balances and personal details. The extracted Comcast customer data could then have been sold to scammers, enabling them to target victims with precise account details (such as the last four payments made and upcoming charges) and thereby lending their fraud calls credibility.
How Companies Can Defend Against Such Attacks
To mitigate risks from Salt Typhoon and similar APT groups, telecom providers must:
• Implement Zero Trust security: Limit access to private data, allowing only approved staff to see customer account information. Segregate critical systems to keep attackers from traversing the network. Employ micro-segmentation to contain the spread of an attack within internal networks.
• Enhance network visibility: Deploy advanced threat detection systems such as AI-driven anomaly detection and behavioral analytics to identify unusual activity within internal databases.
• Patch vulnerabilities promptly: Salt Typhoon targets known security vulnerabilities, so keeping systems patched regularly is critical. Implement CISA-recommended security patches for telecommunications infrastructure. Create end-of-life strategies for technologies outside the manufacturer’s supported lifecycle to keep systems secure.
• Strengthen authentication mechanisms: Require MFA for all internal systems that process customer information, preferring phishing-resistant MFA methods. Rotate administrative credentials regularly so that stolen credentials cannot be reused for lateral movement.
• Educate customers about scams: Telecom providers should warn customers about fraudulent schemes and should advocate human risk management and security awareness training for their corporate customers to help identify and recognize telltale signs of social engineering and phishing attempts.
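The two controls above for internal customer databases, a least-privilege role allow-list and behavioral detection of unusual data access, can be illustrated together. The following is an added example, not code from the original article or from any telecom provider; the audit log format, role names, and the five-accounts-per-hour threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines from a hypothetical customer-account database.
# Assumed format: ISO timestamp, user, role, action, account id.
AUDIT_LOG = """\
2025-01-10T09:01:12Z alice billing_agent READ_BALANCE acct=10001
2025-01-10T09:03:40Z alice billing_agent READ_BALANCE acct=10002
2025-01-10T09:05:02Z bob support_agent READ_PLAN acct=10007
2025-01-10T02:11:00Z svc_backup backup_job READ_BALANCE acct=20001
2025-01-10T02:11:01Z svc_backup backup_job READ_BALANCE acct=20002
2025-01-10T02:11:02Z svc_backup backup_job READ_BALANCE acct=20003
2025-01-10T02:11:03Z svc_backup backup_job READ_BALANCE acct=20004
2025-01-10T02:11:04Z svc_backup backup_job READ_BALANCE acct=20005
2025-01-10T02:11:05Z svc_backup backup_job READ_BALANCE acct=20006
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) acct=(\d+)$")

# Zero-trust style allow-list: only these roles may read customer balances.
BALANCE_ROLES = {"billing_agent"}
# Behavioral baseline (assumed tuning value): reading balances of more than this
# many distinct accounts within one hour is treated as anomalous bulk access.
MAX_DISTINCT_ACCOUNTS_PER_HOUR = 5

def parse(log):
    """Turn raw audit lines into (timestamp, user, role, action, acct) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, user, role, action, acct = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, role, action, acct))
    return events

def detect(log):
    """Return (alert_type, user, detail) tuples for policy and baseline violations."""
    alerts = []
    per_user_hour = defaultdict(set)  # (user, hour bucket) -> distinct accounts read
    for ts, user, role, action, acct in parse(log):
        if action != "READ_BALANCE":
            continue
        if role not in BALANCE_ROLES:
            alerts.append(("role_violation", user, acct))
        per_user_hour[(user, ts.strftime("%Y-%m-%dT%H"))].add(acct)
    for (user, hour), accts in per_user_hour.items():
        if len(accts) > MAX_DISTINCT_ACCOUNTS_PER_HOUR:
            alerts.append(("bulk_balance_access", user, f"{len(accts)} accounts in {hour}"))
    return alerts
```

In the sample log the backup service account both lacks a permitted role and reads six balances in one hour, so it raises both alert types, while the billing agent's two lookups pass silently.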
Conclusion: A Plausible Theory Worth Investigating
While definitive proof connecting Salt Typhoon to telecom gift card scams is currently lacking, circumstantial evidence makes for a persuasive case. Salt Typhoon has already breached many telcos, and their expertise in network intrusion and data extraction positions them as prime suspects. If Salt Typhoon is indeed responsible, it marks a dangerous new direction for state-sponsored cybercrime in which hackers facilitate financial fraud and not merely espionage. As cybersecurity threats continue to evolve, consumers and businesses alike must remain watchful, keeping sensitive information out of reach from adversarial nation-state actors.