Chinese Cyber Espionage: Salt Typhoon in US Telecom Networks


An Advanced Persistent Threat

The United States (US) Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) recently confirmed an ongoing case of cyber espionage against US commercial telecommunications providers and their infrastructure. The US government issued updated cybersecurity guidance for these providers as well as for other critical infrastructure organizations. 

The attack is attributed to Chinese advanced persistent threat (APT) actor Salt Typhoon, also tracked as GhostEmperor, FamousSparrow, or UNC2286. Salt Typhoon is a state-sponsored group known since at least 2020 for sophisticated intrusions into major telecommunications systems and into systems used for US counterintelligence operations. 

Still in US Networks

The intrusion is ongoing. To date, Salt Typhoon is still operating in at least eight (8) US telecommunications networks, including those of Verizon and AT&T. (T-Mobile says it was targeted but detected and blocked the attempted intrusion before any customer data was compromised.) State-sponsored APTs have the luxury of patiently “going dark” inside a target network for a significant amount of time before moving again.

Salt Typhoon

Salt Typhoon conducts cyber espionage across North America and Southeast Asia. The APT intercepts network traffic and steals sensitive data. In this case, Salt Typhoon targeted the communications of high-profile people, including members of the Trump campaign and senior US government officials. Investigators are still assessing the attack and its breadth.

This case of sophisticated, government-supported espionage highlights the security vulnerabilities within US communications networks and other critical infrastructure.


Interagency Guidance

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Canadian Cyber Security Centre (CCCS), and New Zealand’s National Cyber Security Centre (NCSC-NZ) recently issued joint guidance for network engineers and network defenders, “Enhanced Visibility and Hardening Guidance for Communications Infrastructure.”

The key elements from that guidance follow:

  1. Strengthen visibility.

  • Closely scrutinize and investigate any configuration modifications or alterations to network devices such as switches, routers, and firewalls.

  • Implement a strong network flow monitoring solution.

  • If feasible, limit exposure of management traffic to the Internet.

  • Monitor user and service account logins for anomalies that could indicate potential malicious activity.

  • Implement secure, centralized logging with the ability to analyze and correlate large amounts of data from different sources.

  • Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring.

  • Implement a monitoring and network management capability that, at a minimum, enforces configuration management, automates routine administrative functions, and alerts on changes detected within the environment, such as connections and user and account activity.

  2. Harden systems and devices.

  • Use an out-of-band management network that is physically separate from the operational data flow network.

  • Implement a strict, default-deny access control list (ACL) strategy to control inbound and outbound traffic.

  • Employ strong network segmentation via the use of router ACLs, stateful packet inspection, firewall capabilities, and demilitarized zone (DMZ) constructs.

  • Harden and secure virtual private network (VPN) gateways by limiting external exposure, if possible, and limiting the port exposure to what is minimally required.

  • Ensure that traffic is end-to-end encrypted to the maximum extent possible.

  • As a management policy, control access to device Virtual Teletype (VTY) lines with an ACL to restrict inbound lateral movement connections.

  • Ensure all authentication, authorization, and accounting (AAA) logging is securely sent to a centralized logging server with modern confidentiality, integrity, and authentication (CIA) protections.

  • Disable Internet Protocol (IP) source routing.

  • Ensure that no default passwords are used.

  • Disable any unnecessary, unused, exploitable, or plaintext services and protocols.

  • Conduct port-scanning and scanning of known internet-facing infrastructure to ensure no additional services are accessible across the network or from the internet.

  • Ensure all networking configurations are stored, tracked, and regularly audited for compliance with security policies and best practices.

  • Monitor for vendor end-of-life (EOL) announcements for hardware devices, operating system versions, and software, and upgrade as soon as possible.

  • Implement a change management system that anticipates both routine and emergency patching.

  • As part of a broader password policy, store passwords with secure hashing algorithms.

  • Require phishing-resistant multi-factor authentication (MFA) for all accounts that access company systems, networks, and applications, including sensitive administrative access to routers.

  • As part of a broader identity and access management policy, use local accounts only for emergencies and change the passwords after each use. 

  • Limit session token durations and require users to reauthenticate when the session expires. 

  • Implement a Role-Based Access Control (RBAC) strategy that assigns users to a specific role with defined and inherited permissions to better control and manage what users can do.

  • Remove any unnecessary accounts and periodically review accounts to verify that they continue to be needed.

  3. Cisco-specific considerations.

  • Apply hardening best practices to all Cisco operating systems. These include disabling unnecessary services, securing management traffic, and updating configurations with recommended encryption standards.
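Several of the hardening items above can be checked mechanically against a device’s stored running-config: an inbound ACL on the VTY lines, SSH-only transport, session timeouts, no IP source routing, disabled plaintext and unnecessary services, AAA accounting sent to a central log host, and no plaintext or reversible passwords. The following Python script is an added example, not part of the joint guidance and not a Cisco tool: it parses an IOS-style configuration and reports each item the configuration fails. Both sample configurations, the device name, addresses, the ACL name MGMT-ONLY, and the $9$ hash placeholders are constructed for illustration.

```python
"""Audit an IOS-style running-config against hardening items from the joint
guidance. Added example on constructed configs; not a Cisco tool. Device
names, addresses, ACL name and hash placeholders are assumptions."""
import re
from dataclasses import dataclass

# Constructed: a weakly configured edge router. IOS omits "ip source-route"
# when it is at its (enabled) default, so the auditor must look for the
# explicit "no ip source-route" rather than for an enabling line.
WEAK_CONFIG = """\
enable password cisco123
username admin password 0 Summer2024
service tcp-small-servers
ip http server
logging buffered 4096
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 transport input all
"""

# Constructed: the same device after applying the guidance.
# The $9$ values are placeholders for scrypt-based type 9 secrets.
HARD_CONFIG = """\
enable secret 9 $9$placeholderHash
username netops secret 9 $9$placeholderHash
no service tcp-small-servers
no ip source-route
no ip http server
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
logging host 10.0.0.5 transport tcp port 6514
ip access-list standard MGMT-ONLY
 permit 10.0.0.0 0.0.0.255
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 exec-timeout 10 0
 login authentication default
"""

@dataclass(frozen=True)
class Finding:
    rule: str    # short identifier tying the finding to a guidance item
    detail: str  # the offending or missing line

def parse_blocks(config):
    """Split an IOS-style config into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

# Global lines that must be present verbatim, and the item each one enforces.
REQUIRED_GLOBALS = {
    "no ip source-route": "ip-source-routing",
    "no ip http server": "plaintext-service",
    "no service tcp-small-servers": "unnecessary-service",
}

def audit(config):
    """Return one Finding per hardening item the configuration fails."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []
    for line, rule in REQUIRED_GLOBALS.items():
        if line not in headers:
            findings.append(Finding(rule, f"missing '{line}'"))
    if not any(h.startswith("logging host ") for h in headers):
        findings.append(Finding("central-logging", "no logging host configured"))
    if not any(h.startswith("aaa accounting ") for h in headers):
        findings.append(Finding("aaa-accounting", "no AAA accounting configured"))
    if not any(h.startswith("enable secret ") for h in headers):
        findings.append(Finding("credential-storage", "enable secret not set"))
    for h in headers:
        # "enable password" and "username ... password" store reversible or
        # plaintext credentials; the guidance wants securely hashed secrets.
        if h.startswith("enable password ") or re.match(r"username \S+ password ", h):
            findings.append(Finding("credential-storage", h))
    for header, children in blocks:
        if not header.startswith("line vty"):
            continue
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(Finding("vty-acl", f"{header}: no inbound access-class"))
        if [c for c in children if c.startswith("transport input ")] != ["transport input ssh"]:
            findings.append(Finding("vty-transport", f"{header}: transport is not SSH-only"))
        if not any(c.startswith("exec-timeout ") for c in children):
            findings.append(Finding("session-timeout", f"{header}: no exec-timeout"))
        if any(c.startswith("password ") for c in children):
            findings.append(Finding("credential-storage", f"{header}: line password instead of AAA"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARD_CONFIG)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)", *[f"  [{f.rule}] {f.detail}" for f in found], sep="\n")
```

Run it against exported configurations on a schedule and diff the findings between runs: a finding that appears on a device that previously passed is exactly the kind of unexplained configuration change the visibility guidance says to scrutinize.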


So What?

This most recent Salt Typhoon attack reminds us that US critical infrastructure is vulnerable. Government organizations and private entities must be proactive about cybersecurity and safeguarding information. 

What can your organization do, even if you are a small business?

  1. Use multi-factor authentication (MFA)

    • Ideally, use a hardware-based security key like a YubiKey. The CEO of T-Mobile attributed his company’s resilience to this attack in part to the use of YubiKeys by every employee who touches a T-Mobile information system (Wired).

    • At a minimum, use built-in or free authenticator apps like Google Authenticator, Microsoft Authenticator, or Okta Verify. These are a clear improvement over SMS codes, but unlike hardware keys they can still be phished, so treat them as a floor rather than a destination.

  2. Review and revise identity and access management (IAM) practices

    • Ensure you’ve deleted user accounts of people who are no longer employed.

    • Perform an audit of recent log-ins and look for anomalous activity.

  3. Use encryption

    • Revisit your encryption strategy. Consider encryption used on desktop machines, mobile devices, cloud storage, and messaging applications.

  4. Develop real-time monitoring

    • Invest in real-time monitoring if your budget permits. If you’re just starting out, take advantage of tools already available in your existing systems: on Windows, Event Viewer and Task Manager give basic visibility into logins, services, and running processes; on macOS, Activity Monitor tracks processes and resource use. Eventually, you will want to engage respected vendors for tools that identify suspicious activity and network intrusions.

Collectively, these technical practices are the building blocks of a Zero Trust network architecture.
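Item 2 above, and the visibility guidance’s call to monitor user and service account logins for anomalies, become far more practical with a little automation. The following Python script is an added example, not part of this page or of any product: it reads a batch of device-login events, compares them against a baseline of source addresses each account has used before, and flags logins from outside the management subnet, logins outside business hours, interactive use of service accounts, logins from previously unseen sources, and a burst of failures followed by a success from the same source. The log format, device names, user names, addresses, the 10.0.0.0/24 management network, and the svc- naming convention for service accounts are all assumptions.

```python
"""Flag anomalous device logins in a batch of AAA/SSH login events.
Added example on constructed data; the log format, addresses, users, the
management subnet and the 'svc-' naming convention are assumptions."""
import ipaddress
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample events (hypothetical devices, users and addresses).
SAMPLE_LOGS = """\
2024-12-03T09:02:11Z device=core-rtr-2 user=jsmith src=10.0.0.21 action=login result=success
2024-12-03T09:05:40Z device=core-rtr-2 user=jsmith src=10.0.0.21 action=login result=success
2024-12-03T02:14:05Z device=core-rtr-2 user=svc-backup src=10.0.0.30 action=login result=success
2024-12-03T02:15:10Z device=edge-rtr-1 user=admin src=203.0.113.45 action=login result=failure
2024-12-03T02:15:12Z device=edge-rtr-1 user=admin src=203.0.113.45 action=login result=failure
2024-12-03T02:15:14Z device=edge-rtr-1 user=admin src=203.0.113.45 action=login result=failure
2024-12-03T02:15:20Z device=edge-rtr-1 user=admin src=203.0.113.45 action=login result=success
2024-12-03T14:30:00Z device=core-rtr-2 user=jsmith src=10.0.0.77 action=login result=success
"""

# Constructed baseline: sources each account has legitimately used before.
KNOWN_SOURCES = {
    "jsmith": {"10.0.0.21"},
    "svc-backup": {"10.0.0.30"},
    "admin": set(),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=login result=(?P<result>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    ts: str
    device: str
    user: str
    src: str
    rule: str

def parse_event(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def make_alert(ev, rule):
    return Alert(ev["ts"], ev["device"], ev["user"], ev["src"], rule)

def detect_anomalies(log_text, baseline, mgmt_net="10.0.0.0/24",
                     business_hours=(7, 19), fail_threshold=3, window_s=120):
    """Run five checks over every successful login and return the alerts."""
    mgmt = ipaddress.ip_network(mgmt_net)
    failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            failures[key].append(ev["when"])
            continue
        # 1. Management logins should only originate from the management network.
        if ipaddress.ip_address(ev["src"]) not in mgmt:
            alerts.append(make_alert(ev, "mgmt-net-violation"))
        # 2. Interactive logins outside business hours (UTC here) deserve a look.
        if not (business_hours[0] <= ev["when"].hour < business_hours[1]):
            alerts.append(make_alert(ev, "off-hours"))
        # 3. Service accounts should not be used for interactive device logins.
        if ev["user"].startswith("svc-"):
            alerts.append(make_alert(ev, "service-account-interactive"))
        # 4. A source address this account has never used before.
        if ev["src"] not in baseline.get(ev["user"], set()):
            alerts.append(make_alert(ev, "new-source"))
        # 5. Several failures from the same source shortly before the success.
        recent = failures[key]
        while recent and (ev["when"] - recent[0]).total_seconds() > window_s:
            recent.popleft()
        if len(recent) >= fail_threshold:
            alerts.append(make_alert(ev, "failures-then-success"))
        recent.clear()
    return alerts

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_LOGS, KNOWN_SOURCES):
        print(f"{a.ts} {a.device} {a.user}@{a.src}: {a.rule}")
```

On the constructed sample, the routine jsmith logins produce nothing, the svc-backup login trips two rules, the admin login from 203.0.113.45 trips four (including the three failures in the preceding ten seconds), and jsmith’s later login from an unfamiliar address trips only the new-source rule. The baseline is the important part: build it from a known-good window of your own logs and refresh it as staff and jump hosts change, or the new-source rule becomes noise.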


Conclusion 

The public disclosure of recent infiltrations by Salt Typhoon highlights the vulnerability of US telecommunications providers. A national response is likely forthcoming, either through rulemaking or, ultimately, legislation. Some are already urging the Department of Defense to renegotiate agreements with telecommunications companies to demand more secure networks. Time will tell. 

Contact Us

If you want more information about the impact of data protection, privacy, and artificial intelligence on your business, please reach out for a free consultation. 1GDPA assists organizations that need professional advice on securing and leveraging their data in a responsible and legally compliant manner. We will be happy to help you create, update, and mature your data protection, privacy, and AI governance, risk, and compliance programs.
