What is a salt typhoon? A security expert explains the Chinese hackers and their attack on US telecommunications networks

Cyberattacks linked to the Chinese government that have compromised large swathes of America’s telecommunications network are prompting the U.S. government to sound the alarm. Senate Intelligence Committee Chairman Sen. Mark Warner (D-VA) called it the “worst telecommunications hack in our country’s history” and noted that previous cyberattacks by Russian agents were “child’s play” in comparison.

The complex cyberattack, carried out by a group of Chinese hackers called Salt Typhoon, began back in 2022. According to US officials, its purpose was to give Chinese agents persistent access to telecommunications networks across the US by compromising devices such as routers and switches at companies like AT&T, Verizon, Lumen and others.

This attack follows reports that the FBI and the Cybersecurity and Infrastructure Security Agency were assisting phone companies in mitigating other compromises of their networks linked to China. The earlier hack was part of an attack targeting people in the Washington region in government or political positions, including candidates for the 2024 presidential election.

But Salt Typhoon isn’t just targeting Americans. Research from security provider Trend Micro shows that Salt Typhoon attacks have compromised other critical infrastructure around the world in recent years. US officials have also confirmed these findings – and their concern is notable.

Chinese officials have denied allegations that they were behind the operation, just as they did in response to allegations of previous cyberattacks.

As a cybersecurity researcher, I find this attack truly breathtaking in its scale and severity. However, it is not surprising that such an incident took place. Many organizations of all sizes still do not follow good cybersecurity practices, have limited resources, or operate IT infrastructures that are too complex to effectively monitor, manage, and secure.

How bad is it?

Salt Typhoon exploited technical vulnerabilities in some cybersecurity products, such as firewalls used to protect large organizations. Once on the network, attackers used more conventional tools and knowledge to expand their reach, gather information, remain hidden, and deliver malware for later use.

According to the FBI, Salt Typhoon enabled Chinese officials to obtain a large number of records showing where, when and with whom certain people communicated. In some cases, investigators found that Salt Typhoon also provided access to the content of phone calls and text messages.

Salt Typhoon also compromised the private portals, or backdoors, that phone companies provide to law enforcement to request court-ordered surveillance of phone numbers as part of investigations. This is also the same portal used by the US Secret Service to monitor foreign targets in the United States.

As a result, the Salt Typhoon attackers may have obtained information about which Chinese spies and informants US counterintelligence agencies were monitoring – intelligence that can help those targets evade such surveillance.

On December 3, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI, along with their counterparts in Australia, New Zealand and Canada, released guidance for the public on how to respond to the Salt Typhoon attack. Their guide, “Enhanced Visibility and Hardening Guidance for Communications Infrastructure,” essentially reinforces best cybersecurity practices for organizations that could help mitigate the impact of Salt Typhoon or future copycat attacks.

However, it does include recommendations for protecting specific telecommunications devices, among them some of the Cisco products that were affected by this attack.

At this time, US officials and affected companies have not been able to fully determine the scope, depth and severity of the attack – or remove the attackers from the compromised systems – even though this attack has been ongoing for months.

What can be done?

U.S. officials said Salt Typhoon often targeted existing infrastructure weaknesses. As I’ve written before, failure to implement basic cybersecurity best practices can lead to debilitating incidents for organizations of all sizes. Given the world’s reliance on networked information systems, it is more important than ever to maintain cybersecurity programs that make it difficult for attacks to succeed, particularly on critical infrastructure such as the telephone network.

In addition to following the best-practice guidance issued by the Cybersecurity and Infrastructure Security Agency earlier this week, companies should remain vigilant. That means not only monitoring the news for information about this attack, but also following the various free, proprietary or private threat intelligence feeds and informal professional networks to stay abreast of attackers’ tactics and techniques – and of ways to counter them.

Companies and governments should also ensure that their IT departments and cybersecurity programs have sufficient staffing and funding to meet their needs and ensure that best practices are implemented. The Federal Communications Commission is already threatening companies with fines if they don’t strengthen their defenses against Chinese hacking attacks.

While any illegal surveillance is worrisome, Salt Typhoon probably gives the average American little to worry about. Your family calls or text messages to friends are unlikely to be of interest to the Chinese government. However, if you want to increase your security and privacy a bit, you should consider using end-to-end encrypted messaging services such as Signal, FaceTime or Messages.

Also, make sure you don’t use default or easy-to-guess passwords on your devices, including your home router. And consider using two-factor authentication to further increase the security of all critical Internet accounts.

Backdoors and villains

Lost in the noise of history is that Salt Typhoon proved that decades of warnings from the Internet security community were correct. Any mandated secret or proprietary access to technology products is unlikely to remain undetected or to be used only by “the good guys” – and efforts to require it are likely to backfire.

So it’s somewhat ironic that one of the government’s recommended countermeasures to protect against Salt Typhoon espionage is to use strongly encrypted services for phone calls and text messages – encryption capabilities that it has tried to undermine for decades so that only “the good guys” can use them.
