US, Canada, Australia, and New Zealand Warn of China-Backed Cyber Espionage Campaign Targeting Telecom Networks

### #TelecomThreats #SaltTyphoon #CyberEspionage

Summary: A joint advisory from Australia, Canada, New Zealand, and the U.S. has revealed ongoing cyber espionage activities by China-affiliated threat actors, specifically targeting telecommunications providers. The campaign, attributed to the group Salt Typhoon, has been active for several years and continues to pose risks to U.S. networks.

Threat Actor: Salt Typhoon
Victim: U.S. Telecommunications Companies

Key Points:

  • Salt Typhoon has exploited existing vulnerabilities in telecommunications infrastructure without introducing novel techniques.
  • U.S. officials confirmed that the threat actors remain active within U.S. networks, despite ongoing investigations.
  • Cybersecurity agencies have issued best practices to harden enterprise networks against such intrusions.
  • The campaign has reportedly affected eight telecom companies in the U.S. and has implications for other nations as well.
  • While metadata access has been confirmed, there is no evidence of classified communications being compromised.

Cyber Espionage Targeting Telecom Networks

A joint advisory issued by Australia, Canada, New Zealand, and the U.S. has warned of a broad cyber espionage campaign undertaken by People’s Republic of China (PRC)-affiliated threat actors targeting telecommunications providers.

“Identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed,” government agencies said.

U.S. officials said on Tuesday that the threat actors are still lurking inside U.S. telecommunications networks about six months after an investigation into the intrusions commenced.

The attacks have been attributed to a nation-state group from China tracked as Salt Typhoon, which overlaps with activity tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. The group has been active since at least 2020, with some of its artifacts developed as early as 2019.

Last week, T-Mobile acknowledged that it detected attempts made by bad actors to infiltrate its systems, but noted that no customer data was accessed.


Word of the attack campaign first broke in late September, when The Wall Street Journal reported that the hacking crew infiltrated a number of U.S. telecommunications companies as part of efforts to glean sensitive information. China has rejected the allegations.

To counter the attacks, cybersecurity and intelligence agencies have issued guidance on best practices that can be adopted to harden enterprise networks:

  • Scrutinize and investigate any configuration modifications or alterations to network devices such as switches, routers, and firewalls
  • Implement a strong network flow monitoring solution and network management capability
  • Limit exposure of management traffic to the internet
  • Monitor user and service account logins for anomalies
  • Implement secure, centralized logging with the ability to analyze and correlate large amounts of data from different sources
  • Ensure device management is physically isolated from the customer and production networks
  • Enforce a strict, default-deny ACL strategy to control inbound and outbound traffic
  • Employ strong network segmentation via the use of router ACLs, stateful packet inspection, firewall capabilities, and demilitarized zone (DMZ) constructs
  • Secure virtual private network (VPN) gateways by limiting external exposure
  • Ensure that traffic is end-to-end encrypted to the maximum extent possible and Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network
  • Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), as well as other exploitable services like Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c
  • Disable Internet Protocol (IP) source routing
  • Ensure that no default passwords are used
  • Confirm the integrity of the software image in use by using a trusted hashing calculation utility, if available
  • Conduct port-scanning and scanning of known internet-facing infrastructure to ensure no additional services are accessible across the network or from the internet
  • Monitor for vendor end-of-life (EOL) announcements for hardware devices, operating system versions, and software, and upgrade as soon as possible
  • Store passwords with secure hashing algorithms
  • Require phishing-resistant multi-factor authentication (MFA) for all accounts that access company systems
  • Limit session token durations and require users to reauthenticate when the session expires
  • Implement a Role-Based Access Control (RBAC) strategy and remove any unnecessary accounts and periodically review accounts to verify that they continue to be needed
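Several of the items above (disabling discovery protocols and legacy services, no default passwords, hashed credentials, management access restricted to trusted hosts) can be checked mechanically against a device's running configuration. The script below is an added example and is not part of the advisory or the article: it audits a Cisco IOS-style configuration text against those items. The two configurations it is run on are constructed for illustration, the check identifiers are my own labels for the advisory's bullets, and the audit is deliberately conservative, since IOS does not print default-on features such as CDP and IP source routing in the running config, so the only evidence that they are off is an explicit `no ...` line.

```python
"""Audit a Cisco IOS-style running-config against the joint advisory's hardening items.

Added example, not code from the advisory or the article. The configurations
are constructed; the IOS command syntax is real, but the check ids are my own.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str    # label for the advisory item that is violated
    detail: str   # offending config line, or what is missing


# Lines whose presence is a finding. Patterns are anchored at the start of the
# line so that the "no ..." form of a command does not match.
FORBIDDEN = [
    (r"^ip http server$",                                   "http-server"),
    (r"^snmp-server community \S+",                         "snmp-v1v2c"),
    (r"^tftp-server \S+",                                   "tftp-server"),
    (r"^ftp-server enable$",                                "ftp-server"),
    (r"^ip ssh version 1$",                                 "ssh-v1"),
    (r"^lldp run$",                                         "lldp-enabled"),
    (r"^enable password ",                                  "password-not-hashed"),
    (r"^username \S+(?: privilege \d+)? password ",         "password-not-hashed"),
]

# Lines whose absence is a finding: these features are on by default and the
# default state is not shown, so only the explicit "no" line proves they are off.
REQUIRED = [
    ("no ip source-route", "source-routing-enabled"),
    ("no cdp run",         "cdp-enabled"),
]

# Credential strings treated as vendor/default values (illustrative list).
DEFAULT_CREDS = {"cisco", "admin", "password"}
_CRED_LINE = re.compile(r"^(enable password|username \S+(?: privilege \d+)? password)(?: \d)? (\S+)$")


def _vty_findings(lines: list[str]) -> list[Finding]:
    """Check each 'line vty' block: SSH-only transport and an access-class ACL."""
    findings, i = [], 0
    while i < len(lines):
        if not lines[i].startswith("line vty"):
            i += 1
            continue
        block, j = [], i + 1
        while j < len(lines) and lines[j].startswith(" "):   # indented sub-commands
            block.append(lines[j].strip())
            j += 1
        transports = [b for b in block if b.startswith("transport input")]
        # Missing transport line is treated as a finding: on older IOS the default allows telnet.
        if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
            findings.append(Finding("telnet-management", lines[i]))
        if not any(b.startswith("access-class") for b in block):
            findings.append(Finding("vty-no-access-class", lines[i]))
        i = j
    return findings


def audit_ios_config(config: str) -> list[Finding]:
    """Return every hardening finding for the given running-config text."""
    lines = [l.rstrip() for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    found: list[Finding] = []
    for line in lines:
        for pattern, check in FORBIDDEN:
            if re.match(pattern, line):
                found.append(Finding(check, line.strip()))
        m = _CRED_LINE.match(line)
        if m and m.group(2).lower() in DEFAULT_CREDS:
            found.append(Finding("default-credential", line.strip()))
    present = {l.strip() for l in lines}
    for required, check in REQUIRED:
        if required not in present:
            found.append(Finding(check, f"missing '{required}'"))
    found.extend(_vty_findings(lines))
    return found


# Constructed sample: the kind of legacy edge-router config the advisory warns about.
WEAK_CONFIG = """!
hostname edge-rtr-1
enable password 7 0822455D0A16
username admin privilege 15 password 0 admin
ip http server
ip ssh version 1
lldp run
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# Constructed sample: the same device after applying the advisory's guidance
# (hash values are placeholders in the type-9 format, not real secrets).
HARDENED_CONFIG = """!
hostname edge-rtr-1
enable secret 9 $9$abcdefghijklmno$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLM
username ops privilege 15 secret 9 $9$pqrstuvwxyz01234$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrs
no ip source-route
no cdp run
no ip http server
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.99.0.0 0.0.0.255
 deny   any log
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha NotARealAuthPass priv aes 128 NotARealPrivKey
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for f in audit_ios_config(WEAK_CONFIG):
        print(f"{f.check:24} {f.detail}")
    print("hardened findings:", audit_ios_config(HARDENED_CONFIG))
```

The weak config produces eleven findings (the `username admin ... password 0 admin` line counts twice: it is both unhashed and a default credential), and the hardened one produces none. Note what the script cannot see: TLS 1.3 enforcement, network segmentation and EOL status are properties of the wider environment rather than of one device's config, and per-interface `no cdp enable` statements are a legitimate alternative to the global `no cdp run` that this check does not credit.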

“Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity,” according to the alert.


The development comes amid escalating trade tensions between China and the U.S., with Beijing banning exports of the critical minerals gallium, germanium, and antimony to America in response to the latter's crackdown on China's semiconductor industry.

Earlier this week, the U.S. Department of Commerce announced new restrictions that aim to limit China’s ability to produce advanced-node semiconductors that can be used in military applications, in addition to curbing exports to 140 entities.

While Chinese chip firms have since pledged to localize supply chains, industry associations in the country have warned domestic companies that U.S. chips are “no longer safe.”

Update

Amid concerns over the extent of China-backed Salt Typhoon’s intrusions into U.S. telecom networks, the White House said that the campaign has impacted eight telecom companies in the country, with dozens of other nations also affected. The efforts are said to have commenced two years ago. The complete list of companies and countries targeted has not been made public.

While the intrusions have allowed China to access a “large number of Americans’ metadata,” there is no evidence that any classified communications have been compromised, Anne Neuberger, deputy national security advisor for cyber and emerging technology, added.

Speaking to The Register, T-Mobile Chief Security Officer Jeff Simon said the Salt Typhoon actors “were active for a single-digit number of days, and it was within the last couple of months.” Simon also described the modus operandi of jumping from one telecommunications infrastructure to another as “novel.”

Source: https://thehackernews.com/2024/12/joint-advisory-warns-of-prc-backed.html