By Richard Forno, University of Maryland, Baltimore County; The Conversation
Salt Typhoon exploited technical vulnerabilities in some of the cybersecurity products like firewalls used to protect large organizations. (Pixabay Photo)
Cyberattacks linked to the Chinese government that compromised large portions of the American telecommunications network have the U.S. government sounding the alarm. The chair of the Senate Intelligence Committee, Sen. Mark Warner (D-VA), has called it the “worst telecom hack in our nation’s history” and noted that it makes prior cyberattacks by Russian operatives look like “child’s play” by comparison.
The complex cyberattack, carried out by a group of Chinese hackers dubbed Salt Typhoon, began as far back as 2022. Its purpose, according to U.S. officials, was to give Chinese operatives persistent access to telecommunications networks across the U.S. by compromising devices like routers and switches run by companies like AT&T, Verizon, Lumen and others.
This attack comes on the heels of reports that the FBI and Cybersecurity and Infrastructure Security Agency were assisting telephone companies with countering other China-connected compromises of their networks. The earlier hacking was part of an attack targeting people in the Washington area in government or political roles, including candidates for the 2024 presidential election.
But Salt Typhoon is not just targeting Americans. Research from security vendor Trend Micro shows that attacks by Salt Typhoon compromised other critical infrastructure around the world in recent years. U.S. officials have confirmed these findings as well – and their level of concern is noteworthy.
Chinese officials have denied the allegations that they’re behind this operation, as they have in response to allegations about previous cyberattacks.
As a cybersecurity researcher, I find this attack is indeed breathtaking in its scope and severity. But it’s not surprising that such an incident took place. Many organizations of all sizes still fail to follow good cybersecurity practices, have limited resources, or operate IT infrastructures that are too complex to effectively monitor, manage and secure.
How bad is it?
Salt Typhoon exploited technical vulnerabilities in some of the cybersecurity products like firewalls used to protect large organizations. Once inside the network, the attackers used more conventional tools and knowledge to expand their reach, gather information, stay hidden and deploy malware for later use.
According to the FBI, Salt Typhoon allowed Chinese officials to obtain a large amount of records showing where, when and who specific individuals were communicating with. In some cases, they noted that Salt Typhoon gave access to the contents of phone calls and text messages as well.
Salt Typhoon also compromised the private portals, or backdoors, that telephone companies provide to law enforcement to request court-ordered monitoring of phone numbers pursuant to investigations. This is also the same portal that is used by U.S. intelligence to surveil foreign targets inside the United States.
As a result, Salt Typhoon attackers may have obtained information about which Chinese spies and informants counterintelligence agencies were monitoring – knowledge that can help those targets try to evade such surveillance.
On Dec. 3, the Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI, along with their counterparts in Australia, New Zealand and Canada, released guidance to the public on how to address the Salt Typhoon attack. Their Enhanced Visibility and Hardening Guidance for Communications Infrastructure guide essentially reiterates best cybersecurity practices for organizations that could help mitigate the impact of Salt Typhoon or future copycat attacks.
It does, however, include recommendations to protect specific telecommunication equipment for some of the Cisco products that were targeted in this attack.
As of this writing, U.S. officials and affected companies have not been able to fully ascertain the scope, depth and severity of the attack – or remove the attackers from compromised systems – even though this attack has been ongoing for months.
What can be done?
U.S. officials have said that many of the ways Salt Typhoon penetrated its targets was through existing weaknesses with the infrastructure. As I’ve written previously, failing to implement basic cybersecurity best practices can lead to debilitating incidents for organizations of all sizes. Given how dependent the world is on networked information systems, it is more important than ever to maintain cybersecurity programs that make it difficult for attacks to succeed, especially for critical infrastructure like the phone network.
In addition to following the best practices guidance issued by the Cybersecurity and Infrastructure Security Agency earlier this week, organizations should remain vigilant. They should monitor not only the news for information about this attack but the various free, proprietary or private threat intelligence feeds and informal professional networks to stay up to date on attackers’ tactics and techniques – and ways to counter them.
Companies and governments should also ensure their IT departments and cybersecurity programs are adequately staffed and funded to meet their needs and ensure that best practices are implemented. The Federal Communications Commission is already threatening companies with fines for failing to bolster their defenses against Chinese hacking.
Although any illicit surveillance is concerning, the average American probably has little to worry about from Salt Typhoon. It’s unlikely that your family phone calls or text messages to friends are of interest to the Chinese government. However, if you want to increase your security and privacy a bit, consider using end-to-end encrypted messaging services like Signal, FaceTime or Messages.
Also make sure you’re not using default or easily guessed passwords on your devices, including your home router. And consider using two-factor authentication to further strengthen the security of any critical internet accounts.
Backdoors and bad guys
Lost in the noise of the story is that Salt Typhoon has proved that the decades of warnings by the internet security community were correct. No mandated secret or proprietary access to technology products is likely to remain undiscovered or used only by “the good guys” – and efforts to require them are likely to backfire.
So it’s somewhat ironic that one of the countermeasures recommended by the government to guard against Salt Typhoon spying is to use strongly encrypted services for phone calls and text messages – encryption capabilities that it has spent decades trying to undermine so that only “the good guys” can use it.
Richard Forno, Principal Lecturer, CSEE & Assistant Director, UMBC Cybersecurity Institute, University of Maryland, Baltimore County
This article is republished from The Conversation under a Creative Commons license. Read the original article.
