T-Mobile security chief insists its defenses stood up to attacks linked to Salt Typhoon
No T-Mobile customers or services were affected after its security teams detected suspicious activity on their routers


T-Mobile was able to protect sensitive customer information and prevent disruption to its services after detecting malicious attempts to infiltrate its systems, according to its security chief.
Jeff Simon, chief security officer at T-Mobile, published an update on a string of recent cyber attacks targeting wireless companies, believed to be orchestrated by the Salt Typhoon group.
The update states that the attacks originated from the network of one of T-Mobile’s wireline providers that it was connected to, but Simon said connectivity to the provider’s network, which may still be compromised, was quickly severed.
Simon noted that unlike other providers, and despite media reporting, T-Mobile’s customer information was not impacted.
“Many reports claim these bad actors have gained access to some providers’ customer information over an extended period of time – phone calls, text messages, and other sensitive information, particularly from government officials. This is not the case at T-Mobile,” he wrote.
“Our defenses protected our sensitive customer information, prevented any disruption of our services, and stopped the attack from advancing. Bad actors had no access to sensitive customer data (including calls, voicemails or texts).”
Speaking to Bloomberg, Simon said T-Mobile’s network engineers discovered the attack after noticing suspicious behavior on some of the company’s network devices.
The behavior wasn’t “inherently malicious” but may have been used to gain a clearer understanding of the company's corporate network, with threat actors probing for potential lateral movement opportunities.
Simon stated that T-Mobile’s layered network design, featuring network segmentation and robust monitoring, partnerships with third-party cyber experts, and its swift response all helped to prevent the attackers from causing further damage.
Salt Typhoon is on a rampage
Although T-Mobile was unable to “definitively identify” the attacker, the behavior is consistent with previous attacks launched by the Salt Typhoon group.
Trend Micro published a report on 25 November detailing previous activity of Salt Typhoon (also known as Earth Estries, Ghost Emperor, or UNC2286).
The report stated the group has primarily targeted critical sectors such as telecommunications and government entities across the US, Asia, Middle East, and South Africa since 2023 and potentially even earlier.
“The group employs advanced attack techniques and multiple backdoors, such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, affecting several Southeast Asian telecommunications companies and government entities,” Trend Micro outlined.
“Earth Estries exploits public-facing server vulnerabilities to establish initial access and uses living-off-the-land binaries for lateral movement within networks to deploy malware and conduct long-term espionage.”
According to the report, the group has compromised over 20 organizations in the telecommunications, technology, consulting, chemical, and transportation industries, as well as government agencies.
Reports of Salt Typhoon infiltrating internet service providers (ISPs) in the US came out in September 2024, with the Wall Street Journal confirming in October that major players Verizon Communications, AT&T, and Lumen Technologies were among a list of companies whose networks were breached.
Unnamed sources familiar with the matter told the WSJ that the access may have allowed the group to obtain information from systems the federal government uses for court-authorized wiretapping, describing the compromise as “potentially catastrophic”.
T-Mobile appears to have avoided the worst impacts of Salt Typhoon’s campaign, according to Simon, who added that he had recently attended a meeting of leaders at the White House to discuss how the industry can work together to mitigate the threats the group poses and avoid further damage.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.