CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat

Source: Weitwinkel via Shtterstock

Concerns over the extent of China-backed Salt Typhoon’s intrusions into US telecom networks have prompted the US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI to issue guidance to the sector on addressing the threat.

The detailed recommendations come as officials from the authoring agencies this week described victims of the attack — which include Verizon, AT&T, and Lumen — as still working to eradicate the threat actor from their networks.

Still Working to Evict

“We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing,” Jeff Greene, executive assistant director for cybersecurity at CISA, said in a media call this week.

“I have confidence that we are on top of it in terms of tracking them down and seeing what’s going on, but we cannot, with confidence, say that we know everything,” Greene said, according to a transcript of the media call that CISA made available to Dark Reading. Given where most victims are in their investigations, it is “impossible” to predict a timeframe for when they will complete fully evicting the threat actor, he said.

Several security experts consider Salt Typhoon’s attacks on US telecom infrastructure as one of the most egregious cyber espionage campaigns ever in size and scope. It’s unknown how many companies the threat actor has compromised as part of the campaign so far, but known victims include some of the biggest telecom providers in the country, including AT&T and Verizon.

The attacks enabled multiple activities, including theft of a large number of call detail records — such as a caller’s and receiver’s phone numbers, call duration, call type, and cell tower location — of telecom customers. In a smaller number of instances, Salt Typhoon used its presence on telecom provider networks to intercept calls and messages of targeted individuals, which include government officials and politicians. Separately, the threat actor also collected information on an unknown number of individuals who were the subjects of legal national security and law enforcement intercepts.

“The continued investigation into the PRC targeting commercial telecom infrastructure has revealed a broad and significant cyber-espionage campaign,” an FBI official said on background during this week’s media call. "We have identified that PRC-affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities.

Detailed Recommendations

The new guidance for addressing the threat includes recommendations for quickly detecting Salt Typhoon activity, improving visibility, reducing existing vulnerabilities, eliminating common misconfigurations, and limiting the attack surface. The guidelines include a section devoted to hardening Cisco network gear, which the authoring agencies described as a popular target for the attacker in the ongoing campaign.

“Right now, the hardening guidance that we put out specifically would make the activities that we’ve seen across the victims much harder to continue,” Greene said. “In some cases, it might result in limiting their access.” He described Salt Typhoon actors as employing a variety of tactics to breach victim networks, so response and mitigation approaches will differ on a case by case basis. “These are not cookie-cutter compromises in terms of how deeply compromised a victim might be, or what the actor has been able to do.”

Use Encrypted Messaging Apps and Services

Green and the FBI official on the media call recommended that individuals concerned about the privacy of their mobile device communications should consider using encrypted messaging apps — examples of which would include WhatsApp and Signal — and encrypted voice communications. “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing resistant MFA for email, social media, and collaboration tools,” the FBI official said.

Trey Ford, chief information security officer (CISO) at Bugcrowd pointed to phishing-resistant multifactor authentication in the new guidance as something that organizations should consider prioritizing. “Everything we can do to raise the cost and work factor for malicious actors and nation state communities helps,” he notes. He also recommends that organizations add encryption to all traffic crossing third-party communications infrastructure and leverage apps like WhatsApp and Signal where it makes sense. “Also, I would recommend adding a second factor of authentication, something stronger than SMS, such as Yubikeys, Apple’s Secure Element, or pseudo-random code generators like Google Authenticator, Authy, [and] Duo, to all of your online accounts.”

Chris Pierson, CEO and founder of Blackcloak, perceives the new hardening advice as useful in helping companies in the telecom sector prioritize their controls, remediation, and ongoing assessment activity. The advice to individual consumers and business executives to protect against Salt Typhoon is useful as well, he notes: “From tips on using security messaging as opposed to text/SMS, reducing the likelihood of SIM swapping by using a SIM PIN, and implementing dual factor authentication on key accounts, the guidance makes it easier for key executives and highly targeted persons to protect themselves.”

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.