Salt Typhoon hacked at least eight telecoms firms
CISA and FBI “still figuring out just how deeply and where” attackers penetrated
As many as eight telecoms firms have been identified as victims, with the attackers using techniques that easily evaded defences.
Moreover, the criminals have yet to be evicted from the telecom company networks, one month after US authorities went public over the attack, with government agencies unsure about when they will be able to declare US communications networks clean.
The attack was first uncovered by the Wall Street Journal in early October.
All the biggest telecoms companies were affected by the attack, including Verizon, AT&T and T-Mobile, while Lumen Technologies – formally CenturyLink and Level 3 – has also confirmed that it is affected.
The other four targets were not named, but it is believed that communications companies, including ones outside the USA, may have been affected.
FBI officials say three types of data were compromised: first, metadata relating to calls and text messages; second, live phone calls of particular high-profile targets; and third, the information systems used by law enforcement and intelligence agencies to track the communications of particular targets.
The warning comes from the US Cybersecurity & Infrastructure Security Agency (CISA), which this week published a best practice guide to defend against the threat actor.
CISA has been working with both the US National Security Agency and FBI since the attack was uncovered at the beginning of November.
As the networks are still believed to be compromised, prominent officials in the US have been advised to refrain from sending messages via SMS – which is known to be flawed in terms of security – and to use encrypted messaging apps instead.
Even 4G networks come with more than their fair share of security shortcomings – as do the latest 5G networks.
The Salt Typhoon attack on US communications infrastructure is believed to have been ongoing for up to two years. It enabled the theft of customer call records data, and even the private communications of a small number of people involved in government or political activity.
It may even continue to be active now, with the group still able to access many telecoms systems. The US government agencies dealing with it have said that it is “impossible” to say when the attackers will have been completely evicted. They have warned high-profile people in government to avoid using phones and smartphones for any sensitive communications.
The Salt Typhoon moniker was a label affixed by Microsoft, with the Typhoon suffix an identifier for all national state threat groups believed to be affiliated with China. Other names include Ghost Emperor (Kaspersky), FamousSparrow (ESET) and the catchy UNC2286 (by Mandiant/Google).
China’s government denies any involvement in the attack.
"The US needs to stop its own cyberattacks against other countries and refrain from using cyber security to smear and slander China," Liu Pengyu, a spokesperson for China’s embassy in the US, told reporters earlier this week.
Computing says:
The fact that Salt Typhoon was able to breeze past the defences of multiple major telecoms operators without so much an alarm bell going off, with no novel activity detected (no custom zero-day exploit, no low-level firmware implant, etcetera) ought to, well, set alarm bells ringing in every government, public sector and private sector organisation.