The group’s activity made headlines last September when it was discovered they had penetrated major U.S. companies like AT&T and Verizon. This intrusion allowed access to the private communications of senior U.S. government officials and other influential political figures. Alarmingly, they also hacked systems used by law enforcement for court-authorized data collection, potentially gaining sensitive information about individuals under U.S. surveillance, particularly those linked to China.

Recorded Future has chosen not to disclose the names of the latest victims but confirmed they include a U.S. affiliate of a major U.K. telecommunications provider, an American internet service provider, and several telecommunications firms located in Italy, South Africa, and Thailand. The group conducted reconnaissance on various infrastructure assets operated by Myanmar’s Mytel, suggesting a methodical approach to targeting their next moves.

To facilitate their hacking efforts, Salt Typhoon exploited two significant vulnerabilities in Cisco devices, identified as CVE-20232-0198 and CVE-2023-20273. Over 1,000 Cisco devices worldwide were attacked, with a particular focus on those associated with telecommunications networks. This points to Salt Typhoon’s strategic priority of undermining telecom infrastructure essential for national security.

Moreover, researchers noted that the group also targeted devices connected to academic institutions like the University of California and Utah Tech. This suggests a malicious intent to access critical research linked to telecommunications and technology advancements.

In response to these breaches, the U.S. Treasury Department has sanctioned entities connected with Salt Typhoon. In January, the department specifically targeted Sichuan Juxinhe Network Technology, a cybersecurity firm alleged to have ties to the hacking group. Despite these actions, experts from Recorded Future assert that Salt Typhoon is likely to persist in its efforts against telecommunications firms both in the U.S. and around the globe.

The continued operation of Salt Typhoon serves as a stark reminder of the vulnerabilities present in critical telecommunications infrastructure and the ongoing cyber threats from nation-state actors. As technology and cyber warfare evolve, the imperative for robust security measures becomes ever more critical for organizations in this space. It is essential for the telecommunications sector to remain vigilant and invest in superior security protocols to mitigate the threat posed by sophisticated hacking groups like Salt Typhoon.

The alarming breaches, which came to light in late October, exposed vulnerabilities not only in corporate networks but also compromised the private communications of select government officials. Reports indicate that the attackers managed to access sensitive data related to the U.S. government’s wiretapping platform and unlawfully extracted customer call records along with law enforcement request information. According to sources, the hackers maintained access to these networks for an extended period, potentially spanning several months, which allowed them to siphon off substantial amounts of internet traffic potentially affecting millions of Americans and numerous businesses who rely on these broadband services.

“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing. We’re still trying to understand that, along with those partners,” a senior official from CISA remarked during a press briefing, underscoring the ongoing nature of the threat. However, T-Mobile’s Chief Security Officer indicated that their internal investigations revealed no signs of active attackers within their network at present.

The Salt Typhoon group, also known by various monikers including Earth Estries and FamousSparrow, has reportedly been targeting telecommunications and government entities across Southeast Asia since at least 2019. The National Security Agency (NSA) has shed light on the tactics employed by these attackers, emphasizing their focus on exposed services, unpatched devices, and under-secured environments, underscoring the importance of vigilance in cybersecurity practices.

The joint advisory released today, in collaboration with the FBI, NSA, and international partners, not only highlights the potential risks posed by sophisticated cyber attackers but also provides crucial recommendations to help organizations bolster their security posture. Key measures include hardening devices and network infrastructure to reduce potential exploits and enhancing the visibility of system administrators to understand more comprehensively the traffic and user activities within their networks.

Fortifying networks involves implementing logging protocols to monitor configuration changes and alerting on unexpected management connections, particularly regarding network perimeters. Additionally, organizations are advised to conduct thorough monitoring of traffic from trusted partners, as illustrated by T-Mobile’s experience, which linked the breach back to a connected wireline provider rather than vulnerabilities within their own devices.

Dave Luber, the NSA’s Cybersecurity Director, stressed the importance of constant vigilance in network defenses stating, “Always have eyes on your systems and patch and address known vulnerabilities before they become targets.” The landscape of cybersecurity continues to evolve, and these breaches serve as a stark reminder of the importance of proactive defense strategies in an era where cyber threats are becoming increasingly sophisticated. As organizations navigate these challenges, adopting the guidance from CISA and other cybersecurity agencies will be crucial in protecting sensitive information in the telecommunications sector and beyond.