Aftermath of Salt Typhoon cyberattack: How to secure U.S. telecom networks?

Salt Typhoon Attack: On December 4, 2024, a top U.S. security agency confirmed reports that foreign actors, state-sponsored by the People’s Republic of China, infiltrated at least eight U.S. communications companies, compromising sensitive systems and exposing vulnerabilities in critical telecommunications infrastructure. This was part of a massive espionage campaign that has affected dozens of countries. The White House confirmed Wednesday that at least eight U.S. telcos have been compromised so far. Salt Typhoon has targeted telcos in dozens of countries for upward of two years, officials added.

Dated legacy network equipment and years of mergers and acquisitions are likely impeding the ability of telecommunications providers to prevent Chinese state-sponsored cyber-attacks. Until telecom operators fully secure their networks, China will keep finding ways to come back in, officials have warned.

  • On Thursday, FCC chair Jessica Rosenworcel proposed a new annual certification requirement for telecom companies to prove they have an up-to-date cybersecurity risk management plan. More below.
  • Senior Cybersecurity and Infrastructure Security Agency and FBI officials confirmed Tuesday that U.S. telcos are still struggling to keep the China-backed hackers out of their networks — and they have no timeline for when total eviction is possible.

FCC Chair Jessica Rosenworcel called on telecom carriers to raise their network security methods and procedures: “The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Rosenworcel. “As technology continues to advance, so do the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses. While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”

Rosenworcel’s plan is to make U.S. telcos submit an annual certification to the FCC, proving their cybersecurity measures are up to scratch. The clear inference from the attack itself and all the subsequent attempts to shut the stable door after the horse has bolted is that those efforts currently fall short of the mark. But, understandably, none of the specific deficiencies have been publicly detailed. Consequently we don’t yet know which boxes would need to be ticked in order to get an FCC clean bill of health. The FCC press release refers to a recent WSJ report based on an unpublished briefing from U.S. national security adviser Anne Neuberger, in which she detailed the scale of the Salt Typhoon attack. “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” she was quoted as saying.

Illustration: Sarah Grillo/Axios


Legacy network equipment and years of acquisitions have made it particularly difficult for telcos to patch every access point on their networks, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.

  • Many of the systems in question are nearly 50 years old — like landline systems — and they were “never meant for the type of sensitive data and reliance that we have on them right now,” he said.
  • During an acquisition, a company could also miss a server when taking stock of all its newly acquired equipment, Steinhauer said. Network engineers are often inundated with security alerts that are hard to prioritize, he added.
  • U.S. telecommunications carriers are required to provide a way for law enforcement to wiretap calls as needed — providing another entry point for adversaries.

Many of the security problems telcos face require simple fixes, like implementing multifactor authentication or maintaining activity logs.

  • Even CISA’s recent guidance for securing networks focuses on the security basics.
  • But to keep China out, telcos would have to make sure that every device — including their legacy physical equipment, online servers and employees’ computers — is patched.

Most high-profile cyberattacks across industries come down to the basics: a server that didn’t have multifactor authentication turned on or an employee who was tricked into sharing their password. Even if a company invests all of its resources in cybersecurity, it may not be enough to fend off a sophisticated nation-state like China.

  • These actors are skilled at covering their tracks: They could delete activity logs, pose as legitimate users, and route their traffic through compromised computers in the U.S. so they aren’t detected.
  • “You’ve got a persistent, motivated attacker with vast resources to poke and prod until they get in,” Mr. Steinhauer said.

References:

https://docs.fcc.gov/public/attachments/DOC-408015A1.pdf

https://www.axios.com/2024/12/06/telecom-cybersecurity-china-hack-us

https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca

https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure
