'Mind-Boggling' Salt Typhoon Attack Draws Worry, Potential Legislation
The FCC is considering a ruling that would require telcos to secure their networks.
U.S. elected officials and regulatory bodies are expressing concern about the recent telecom-focused cyberattack by China-sponsored hacking group Salt Typhoon on customer call information.
The Salt Typhoon attack, first publicized in October, has reportedly compromised at least eight telecommunications providers, an unnamed U.S. security official told reporters on Wednesday. Members of the U.S. Senate on the same day attended a classified briefing with multiple government agencies, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
Reuters reports that the threat actors intercepted telephone audio and call record data, though T-Mobile and Lumen have said no customer data was stolen. Threat actors reportedly accessed wiretapping capabilities that U.S. officials use to spy on calls by government officials. The FCC said Salt Typhoon's efforts represented a "massive" espionage campaign touching multiple countries.
"The extent and depth and breadth of Chinese hacking is absolutely mind-boggling – that we would permit as much as has happened in just the last year is terrifying," Senator Richard Blumenthal told Reuters after the briefing.
Cybersecurity Guidance on Salt Typhoon
The FBI this week issued a warning that messages between Android and Apple device users are vulnerable to foreign hackers, encouraging people to use encrypted channels. That being said, cybersecurity expert Peter Tran told CBS that Salt Typhoon was going after "certain individuals that are of high value to the Chinese government" during the "political climate."
CISA, the NSA and the FBI in a joint Dec. 4 publication laid out guidance for IT/security teams at telecom companies. This includes storing device configurations centrally rather than making devices the "trusted source of truth for their configuration." Other advice includes implementing a network flow monitoring solution that centers around "key ingress and egress locations," limiting how much management traffic is exposed to the internet and disabling unnecessary discovery protocols.
The publication also contains guidance focused on Cisco, as the agencies said threat actors frequently targeted "Cisco-specific features," such as Cisco's Smart Install service.
Potential Legislation
The revelation has prompted the Federal Communications Commission (FCC) to mull a revision to a ruling that requires carriers to secure their networks. While Section 105 of the Communications Assistance for Law Enforcement Act already obligates telcos to possess security equipment, the change in the ruling would concern the actual management of networks.
The announcement comes amid a year when data breaches are running rampant at telcos like AT&T and Frontier. Earlier this year the FCC ordered T-Mobile to invest $15.8 million in its cybersecurity program.
"The attack underscores the urgent need for robust cybersecurity frameworks to protect against escalating threats targeting the telecommunications sector," the FCC said in its statement.
'Novel' Moves
T-Mobile chief security officer Jeff Simon told The Register that an entity attempted to enter T-Mobile's U.S. system by compromising a third-party wireline provider. Although he said the attempt was unsuccessful, it showed an unusual strategy.
"...the technique that was used to go from one telecommunications infrastructure to another, I would say, is novel. That's not something that I've seen in my 15-plus-year career in cyber security. It's not something that is well published or read about. There's no CVE for it," he said.
Reports show that threat actors may be looking to the 2020 SolarWinds supply chain attack, in which threat actors breached multiple businesses through a third-party software provider, as a playbook of sorts. China's civilian intelligence agency solicited a former software engineer at Verizon and Infosys for information about the SolarWinds attack, as well as information on his employers.