CISA Gives Telecom Sector Advice on the Salt Typhoon Threat

Concerned by the scale of China-backed Salt Typhoon's intrusions into US telecom networks, the FBI, the National Security Agency (NSA), and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued guidance to the industry on handling the threat. The comprehensive recommendations were published this week as representatives of the campaign's victims, which include Lumen, AT&T, and Verizon, said they were still working to remove the threat actor from their networks.

Still Attempting to Evict

In a press conference this week, Jeff Greene, executive assistant director for cybersecurity at CISA, said, "We cannot say with certainty that the adversary has been evicted because we still don't know the scope of what they're doing." According to a transcript of the media call that CISA provided to Dark Reading, Greene added, "I have confidence that we are on top of it in terms of tracking them down and seeing what's going on, but we cannot, with confidence, say that we know everything." Given where most victims are in their investigations, he said, it is "impossible" to forecast a timeline for fully evicting the threat actor.

In size and scope, Salt Typhoon's attacks on US telecom infrastructure rank among the most serious cyber-espionage campaigns on record, according to several security specialists. The number of companies breached in the campaign is unknown, but the known victims include some of the largest US carriers.

The intrusions enabled several activities, including the theft of large volumes of call detail records (CDRs) belonging to telecom customers: the calling and called phone numbers, the duration and type of each call, and the location of the serving cell tower. In a smaller number of cases, Salt Typhoon used its foothold on provider networks to intercept the calls and messages of targeted individuals, including politicians and government officials. The threat actor also collected data on an unspecified number of people who were the subjects of lawful law-enforcement and national security intercepts.

During this week's media call, an FBI official speaking on background said, "The ongoing investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber-espionage campaign. We have discovered that cyber attackers with ties to the PRC have compromised networks of multiple telecom companies to enable multiple activities."

Specific Suggestions

The new guidance covers promptly identifying Salt Typhoon activity, improving visibility, reducing existing vulnerabilities, eliminating common misconfigurations, and shrinking the attack surface. It includes a section on hardening Cisco network devices, which the authoring agencies said have been a common target in the ongoing campaign.

"Right now, the hardening guidance that we put out specifically would make the activities that we've seen across the victims much harder to continue," Greene stated. "In some cases, it might result in limiting their access." Because Salt Typhoon operators use a range of techniques to infiltrate victim networks, he explained, response and mitigation will vary with each victim's circumstances. "These are not your typical compromises in terms of how deeply compromised a victim might be, or what the actor has been able to do."

Use Encrypted Messaging Apps and Services

Greene and the FBI official on the media call suggested that people concerned about the privacy of their mobile communications use encrypted voice and messaging apps, such as WhatsApp and Signal. "People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing resistant MFA for email, social media, and collaboration tools," the FBI official stated.

Trey Ford, chief information security officer (CISO) at Bugcrowd, says the new guidance is right to tell companies to prioritize phishing-resistant multifactor authentication. "Every action we can take to increase the expense and workload for bad actors and nation-state communities helps," he notes. He also recommends that organizations encrypt all traffic crossing third-party communications infrastructure and use apps like WhatsApp and Signal where it makes sense. "Also, I would recommend adding a second factor of authentication, something stronger than SMS, such as YubiKeys, Apple's Secure Element, or pseudo-random code generators like Google Authenticator, Authy, [and] Duo, to all of your online accounts."

Chris Pierson, CEO and founder of BlackCloak, believes the new hardening guidance will help telecom companies prioritize their ongoing assessment, remediation, and control activities. "From tips on using security messaging as opposed to text/SMS, reducing the likelihood of SIM swapping by using a SIM PIN, and implementing dual factor authentication on key accounts, the guidance makes it easier for key executives and highly targeted persons to protect themselves," he says. The advice for business executives and individual consumers on protecting themselves against Salt Typhoon is also helpful, he adds.