China Was Listening to America's Phone Calls
Q4 2024 ended the year with a national security crisis: Chinese hackers inside US wiretap systems, the Treasury breached, and the FBI telling Americans to use encrypted messaging.
From The Bit Baker Quarterly Roundup — Q4 2024
PLUS: The US Treasury gets breached via a third-party tool, and the Internet Archive loses 31 million accounts
Good morning, Dave. The year ended the way it began — with a breach that made people question things they'd taken for granted. In Q1, it was healthcare payments. By Q4, it was something far more unsettling: the FBI and CISA publicly warned Americans to use encrypted messaging apps because Chinese hackers had compromised the wiretap infrastructure built into US telecom networks. Read that again. The government's own surveillance system was turned against it.
Salt Typhoon didn't hack AT&T, Verizon, and T-Mobile for money. This was espionage at a scale that suggests years of patient access, targeting political figures, intelligence operations, and lawful intercept systems across 80+ countries. The Treasury Department was breached through a third-party remote access tool. The Internet Archive lost 31 million accounts. And a supply chain ransomware attack disrupted Starbucks scheduling right before Thanksgiving. 2024 closed with a message: nobody is off-limits, and the threat actors aren't slowing down.
In this quarter's security Bit Baker:
- Salt Typhoon compromises US telecom wiretap systems
- Chinese hackers breach the US Treasury via BeyondTrust
- Internet Archive hacked — 31 million accounts exposed
- Blue Yonder ransomware disrupts Starbucks and UK retailers
Salt Typhoon Was Inside America's Wiretap Infrastructure
The Bit Baker: Chinese state-sponsored hackers known as Salt Typhoon infiltrated the networks of AT&T, Verizon, T-Mobile, and Lumen Technologies — compromising the lawful intercept systems that US law enforcement uses for court-authorized wiretaps and accessing metadata from over a million accounts.
Unpacked:
- The campaign, active since at least 2019, exploited vulnerabilities in routers, switches, and the CALEA-mandated wiretap systems that telecoms are legally required to maintain. Attackers accessed call records, geolocation data, IP addresses, and — most critically — the court-ordered surveillance requests that reveal who the FBI and DOJ are monitoring.
- Targets included the phone communications of Donald Trump and JD Vance during the 2024 presidential campaign, along with other political figures. The scope extended beyond the US — Salt Typhoon compromised telecom infrastructure in over 80 countries using malware like GhostSpider and unpatched vulnerabilities dating back to 2018.
- In an extraordinary move, the FBI and CISA publicly recommended that Americans use end-to-end encrypted messaging apps — effectively telling citizens that the telecom infrastructure the government mandates carriers to build is not secure enough to trust.
Bottom line: Salt Typhoon exposed the fundamental flaw in mandated backdoor access. Any door the government can walk through, a sufficiently sophisticated adversary can walk through too. The FBI recommending encrypted messaging is a remarkable admission that the surveillance architecture it has defended for decades is now a liability. This will reshape telecom security policy for years.
US Treasury Breached Through a Third-Party Remote Access Tool
The Bit Baker: In December, Chinese hackers (tracked as Silk Typhoon) breached the US Treasury Department by compromising BeyondTrust's Remote Support SaaS platform — stealing an API key that gave them access to unclassified Treasury workstations and documents.
Unpacked:
- BeyondTrust detected suspicious activity on December 2 and confirmed the compromise on December 5. Hackers had exploited two command injection vulnerabilities — CVE-2024-12356 (CVSS 9.8) and CVE-2024-12686 — to steal a SaaS API key, then used it to reset passwords and access Treasury workstations without needing to bypass Treasury's own authentication.
- The breach affected 17 BeyondTrust customers total, including Treasury's Departmental Offices. Attackers accessed unclassified data; no classified systems were reportedly impacted. Treasury disclosed the incident to Congress on December 30 and brought in CISA and the FBI for the investigation.
- BeyondTrust patched both vulnerabilities in mid-December. The US government sanctioned a Chinese national linked to the operation in January 2025, and Biden issued an executive order on January 15 tightening cybersecurity requirements for software vendors to federal agencies.
Bottom line: A FedRAMP-authorized vendor was the entry point into the US Treasury. That's the supply chain risk regulators keep warning about — and it happened to the department responsible for sanctions, financial policy, and economic security. Third-party access tools are becoming one of the most exploited attack surfaces in government.
Internet Archive Hacked — 31 Million User Accounts Exposed
The Bit Baker: In October, the Internet Archive — home of the Wayback Machine — disclosed a breach that exposed email addresses, screen names, and bcrypt-hashed passwords for 31 million registered users, compounded by simultaneous DDoS attacks that took the site offline for days.
Unpacked:
- Attackers stole a 6.4 GB SQL database file containing user authentication data. The breach was shared with Have I Been Pwned on September 30 and publicly confirmed on October 5 when a JavaScript defacement on the Archive's own site alerted users directly.
- The DDoS campaign ran in parallel, with a hacktivist group called SN_BLACKMETA claiming credit for the denial-of-service attacks — though they likely weren't behind the data theft itself. An unverified report suggested that credentials for the Archive's Azure servers had appeared in an infostealer log on the dark web before the breach.
- The Wayback Machine resumed read-only service on October 13, with Archive-It following on October 17. Full services were gradually restored over the following weeks, though the organization — a nonprofit already operating on thin margins — faced significant recovery costs.
Bottom line: The Internet Archive is one of the internet's most important public institutions, and it runs on a nonprofit budget. The breach highlighted how vulnerable mission-critical infrastructure becomes when it operates without the security resources that for-profit companies can afford. 31 million accounts is bad; losing the Wayback Machine — even temporarily — would be worse.
Blue Yonder Ransomware Disrupts Starbucks Before Thanksgiving
The Bit Baker: On November 21, the Termite ransomware group hit Blue Yonder — a Panasonic-owned supply chain management platform — days before Thanksgiving, knocking out workforce scheduling for Starbucks and warehouse management for UK grocery chain Morrisons.
Unpacked:
- Blue Yonder provides supply chain software to thousands of companies. The attack hit their managed services hosted environment, forcing clients like Starbucks to fall back on manual processes for scheduling employees and tracking hours during one of the busiest retail weeks of the year.
- Morrisons saw its warehouse management systems for fresh food disrupted, slowing the flow of produce and perishables to stores during peak pre-holiday shopping. Other clients including Sainsbury's, Kroger, and Albertsons also reported issues.
- Blue Yonder's Azure public cloud was unaffected — the attack targeted their legacy managed services infrastructure. The Termite group later claimed to have exfiltrated 680 GB of data. Most customer systems were restored by late 2024.
Bottom line: Hitting a supply chain platform right before a major holiday isn't accidental — ransomware groups time their attacks for maximum leverage. Blue Yonder is the latest example of a single vendor failure cascading across dozens of companies. When your scheduling software goes down and you can't pay baristas correctly, the abstraction layer between "supply chain SaaS" and "real-world operations" disappears fast.
The Shortlist
Snowflake breach suspect Alexander "Connor" Moucka was arrested in Canada in November, charged in connection with the credential-based attacks that compromised 165 Snowflake customer environments earlier in the year.
Palo Alto Networks patched additional critical PAN-OS vulnerabilities in Q4, including an authentication bypass in the management interface that allowed unauthenticated access — continuing a rough year for firewall vendors and their zero-day exposure.
Krispy Kreme confirmed a cyberattack in late November that disrupted online ordering systems across the US, demonstrating that no industry — not even doughnuts — is immune from operational disruption by ransomware.
Romania annulled its presidential election in December after intelligence agencies determined that a coordinated cyber operation — including social media manipulation and infrastructure attacks — had influenced the first-round results, marking one of the first elections officially overturned due to cyber interference.