US Cybersecurity Agency Issues Guidance Against Chinese Hackers Targeting Telecoms
In a significant move to bolster network security across the United States, the Cybersecurity and Infrastructure Security Agency (CISA) has released guidance aimed at helping organizations fortify their defenses against cyber attacks. This advisory comes in the wake of recent breaches allegedly orchestrated by Salt Typhoon, a notable Chinese threat group that successfully infiltrated several major global telecommunications providers earlier this year, including industry giants like AT&T, T-Mobile, Verizon, and Lumen Technologies.
The alarming breaches, which came to light in late October, not only exposed vulnerabilities in corporate networks but also compromised the private communications of select government officials. Reports indicate that the attackers managed to access sensitive data related to the U.S. government’s wiretapping platform and unlawfully extracted customer call records along with law enforcement request information. According to sources, the hackers maintained access to these networks for an extended period, potentially spanning several months, which allowed them to siphon off substantial amounts of internet traffic, potentially affecting millions of Americans and numerous businesses that rely on these broadband services.
“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing. We’re still trying to understand that, along with those partners,” a senior official from CISA remarked during a press briefing, underscoring the ongoing nature of the threat. However, T-Mobile’s Chief Security Officer indicated that their internal investigations revealed no signs of active attackers within their network at present.
The Salt Typhoon group, also known by various monikers including Earth Estries and FamousSparrow, has reportedly been targeting telecommunications and government entities across Southeast Asia since at least 2019. The National Security Agency (NSA) has shed light on the tactics employed by these attackers, emphasizing their focus on exposed services, unpatched devices, and under-secured environments, underscoring the importance of vigilance in cybersecurity practices.
The joint advisory, released today in collaboration with the FBI, NSA, and international partners, not only highlights the potential risks posed by sophisticated cyber attackers but also provides crucial recommendations to help organizations bolster their security posture. Key measures include hardening devices and network infrastructure to reduce potential exploits and improving visibility so that system administrators can more comprehensively understand the traffic and user activity within their networks.
Fortifying networks involves implementing logging to monitor configuration changes and alerting on unexpected management connections, particularly at network perimeters. Additionally, organizations are advised to conduct thorough monitoring of traffic from trusted partners, as illustrated by T-Mobile’s experience, which linked the breach back to a connected wireline provider rather than vulnerabilities within their own devices.
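As an added illustration (not code from the advisory or from any agency), the sketch below shows one way to alert on management logins and configuration changes that come from unexpected sources. The log format, field names, device names, and allowlisted subnet are all hypothetical, and the sample lines are constructed.

```python
import ipaddress
import re

# Assumption: device management is only expected from this jump-host subnet.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
2024-12-03T10:15:02Z edge-rtr1 event=mgmt_login user=netops src=10.20.0.15 proto=ssh
2024-12-03T10:16:40Z edge-rtr1 event=config_change user=netops src=10.20.0.15
2024-12-03T23:41:09Z edge-rtr2 event=mgmt_login user=admin src=198.51.100.23 proto=ssh
2024-12-03T23:43:55Z edge-rtr2 event=config_change user=admin src=198.51.100.23
2024-12-03T23:50:00Z core-sw1 event=mgmt_login user=admin src=not-an-ip proto=ssh
2024-12-04T00:02:11Z core-sw1 link up on port 12
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>event=.*)$")
# Events worth alerting on, with the severity assigned when the source is unexpected.
WATCHED = {"mgmt_login": "medium", "config_change": "high"}


def source_allowed(src):
    """True if src is an IP address inside an allowlisted management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as unexpected
    return any(addr in net for net in MGMT_ALLOWLIST)


def find_alerts(log_text):
    """Return (severity, timestamp, host, event, src) for each unexpected event."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a management or configuration event line
        fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
        event, src = fields.get("event"), fields.get("src", "")
        if event in WATCHED and not source_allowed(src):
            alerts.append((WATCHED[event], m["ts"], m["host"], event, src))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(*alert)
```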
Dave Luber, the NSA’s Cybersecurity Director, stressed the importance of constant vigilance in network defenses, stating, “Always have eyes on your systems and patch and address known vulnerabilities before they become targets.” The landscape of cybersecurity continues to evolve, and these breaches serve as a stark reminder of the importance of proactive defense strategies in an era where cyber threats are becoming increasingly sophisticated. As organizations navigate these challenges, adopting the guidance from CISA and other cybersecurity agencies will be crucial in protecting sensitive information in the telecommunications sector and beyond.
