News item

Touching the surface of Salt Typhoon’s telco attack

Earlier this month, it was found that Chinese hackers breached dozens of telecommunication companies around the world. The hack provided the group, dubbed Salt Typhoon, unprecedented access to metadata, including some of the content of phone messages.

Salt Typhoon specifically targeted at least eight US telecommunications and telecom infrastructure companies. What happened, and what were the possible motivations behind the attack?

Daphne Frik
17 December 2024 | 3 minutes read

The worst telecom hack in history?

The Salt Typhoon intrusions have been traced back to 2022 and, according to U.S. officials, were aimed at giving Chinese operatives persistent access to telecommunication networks across the U.S. The attackers got in by exploiting technical vulnerabilities in security appliances such as firewalls. Once inside a network, they deployed malware to keep that access for later use. Salt Typhoon also compromised the private lawful-intercept portals, sometimes called backdoors, that telecoms provide to law enforcement and that U.S. intelligence services use to surveil foreign targets.

Senator Mark Warner, chair of the Senate Intelligence Committee, called it "the worst telecom hack in our nation’s history," adding that China's activities make Russia-linked incidents like the SolarWinds supply chain incident and the ransomware attack on Colonial Pipeline look like "child’s play."

Affected telecoms in the U.S. include Verizon, AT&T, T-Mobile, and Lumen. In the U.K., telecom giant BT also announced it had endured “an attempt to compromise” its conferencing service, but said it had been able to thwart it.

In some of the cases found, the hackers appear to have stolen telephone audio intercepts along with a large tranche of call record data: the who, when, and where of phone calls. Such records do not include the content of a call, but they reveal who was called, how long the call lasted, and where it was made. Even without content, call record metadata, particularly when collected in bulk, can expose highly detailed insights into a person’s life, work, and personal relationships. In a smaller number of instances, Salt Typhoon was also able to intercept the calls and messages of targeted individuals, including government officials and politicians, and to collect information on an unknown number of people who were the subjects of lawful national security and law enforcement intercepts.

China’s global interference

The Salt Typhoon hacks “demonstrate that China is capable of going beyond the hypothetical and venturing into drastic global interference,” the Guardian said, linking the Chinese hack to the upcoming TikTok ban. Last week, a court of appeals upheld the US law that would either ban TikTok or force its sale. TikTok’s owner ByteDance now has until January 19 to sell the app or face the ban.

Following the decision of the court of appeals, TikTok filed an emergency request with the US Supreme Court, asking the court to rule in favor of protecting free speech, and arguing that the law was based on “hypothetical information”. As of now, the US has not demonstrated that China has manipulated content on TikTok.

The Guardian also suggested the hack might be part of an elaborate, coordinated response in the escalating trade war over chips between the US and China. Last week, Beijing opened an antitrust investigation into Nvidia, and the week before, Chinese regulators banned the export to the US of minerals critical for semiconductor fabrication, such as gallium and germanium. Earlier this year, the US had forbidden the sale of the most advanced semiconductor chips to China. However, the article noted, the hacking of telecommunications networks does not seem closely enough related to the semiconductor industry for that explanation to hold.

Secure by design

As the scope of the hack is still unclear, telcos appear to be working to evict the hackers from their systems. CISA, America’s Cyber Defense Agency, has published guidance for addressing the threat, with recommendations for quickly detecting Salt Typhoon activity, improving visibility, reducing existing vulnerabilities, eliminating common misconfigurations, and limiting the attack surface. The guidance also includes Cisco-specific hardening advice, as Cisco devices and features are frequently targeted by, and associated with, the threat actor’s activity.
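As an added example (not code from the article, from CISA, or from Cisco), the script below reads a Cisco IOS-style running-config and flags settings that conflict with the Cisco-specific items in the CISA guidance as this editor summarises them: Smart Install left enabled, telnet accepted on VTY lines, plaintext HTTP management left on, SSH not pinned to version 2, and the enable secret not stored with type 8 hashing. The check list, the exact command strings and the two sample configs are assumptions constructed for illustration; confirm them against the published guidance and your platform's documentation before relying on them.

```python
"""Audit a Cisco IOS-style running-config against a handful of the
hardening items CISA's Salt Typhoon guidance lists for Cisco gear.

Added example, not code from the article, CISA or Cisco. The check list
is this editor's summary of the guidance's Cisco-specific section and is
an assumption to verify against the published document. Both sample
configs at the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str   # short identifier of the hardening item
    detail: str  # what was seen and what the guidance expects instead


def parse_vty_transports(config: str) -> dict[str, str]:
    """Map each 'line vty ...' block to its 'transport input' value.

    A block with no explicit 'transport input' is recorded as 'default';
    on IOS the default accepts telnet, so it is treated as weak.
    """
    transports: dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("line vty"):
            current = line[len("line "):]
            transports.setdefault(current, "default")
        elif current and line.startswith(" "):
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                transports[current] = m.group(1).strip()
        else:
            current = None  # any other top-level line ends the block
    return transports


def audit(config: str) -> list[Finding]:
    """Return one Finding per weak or missing setting (empty list = clean)."""
    lines = {l.strip() for l in config.splitlines()}
    findings: list[Finding] = []

    # Smart Install: 'no vstack' shows in the running-config when disabled.
    if "no vstack" not in lines:
        findings.append(Finding("smart-install",
                                "Smart Install not explicitly disabled (expected 'no vstack')"))

    # Telnet: every VTY line should accept SSH only.
    for vty, transport in parse_vty_transports(config).items():
        allowed = set(transport.split())
        if transport == "default" or "telnet" in allowed or "all" in allowed:
            findings.append(Finding("telnet",
                                    f"line {vty}: transport input '{transport}' permits telnet; "
                                    "use 'transport input ssh'"))

    # Plaintext web management.
    if "no ip http server" not in lines:
        findings.append(Finding("http-mgmt",
                                "plaintext HTTP management not disabled (expected 'no ip http server')"))

    # SSH protocol version.
    if "ip ssh version 2" not in lines:
        findings.append(Finding("sshv2",
                                "SSH not pinned to version 2 (expected 'ip ssh version 2')"))

    # Enable secret hash type: type 8 (PBKDF2-SHA-256) is the assumed target.
    m = re.search(r"^enable secret(?: (\d))? \S+", config, re.M)
    if m is None:
        findings.append(Finding("enable-secret", "no 'enable secret' configured"))
    elif m.group(1) != "8":
        findings.append(Finding("enable-secret",
                                f"enable secret stored as type {m.group(1) or 'unspecified'}; "
                                "expected type 8"))
    return findings


# Constructed sample: a typical weak config and its hardened counterpart.
WEAK_CONFIG = """\
hostname edge-rtr-1
enable secret 5 $1$abcd$constructedhashvalue
!
ip http server
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 login local
!
end
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
no vstack
enable secret 8 $8$constructedsalt$constructedhashvalue
!
no ip http server
no ip http secure-server
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print(f"  [{f.check}] {f.detail}")
```

The audit is text-based and deliberately conservative: it treats a VTY block without an explicit `transport input` as accepting telnet, and it only recognises settings that appear verbatim in the config, so a platform that hides defaults from `show running-config` will produce false positives that need a manual look.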

CISA also urges software manufacturers to incorporate secure-by-design principles into their software development lifecycle to strengthen the security posture of their customers. This approach is already at the top of the agenda for European organizations, with new legislative frameworks such as NIS2 and the CRA soon to be enforced across the European Union.