The need to improve U.S. Telecom and enterprise security is critical

March 31, 2025
As state-sponsored actors and cybercriminals intensify their attacks on telecom providers, businesses must assess the potential risks and consequences.

The widespread intrusion by the Chinese-backed APT Salt Typhoon, which gained infamy by targeting sensitive telecommunications data of U.S. political figures, revealed significant vulnerabilities in critical telecom infrastructure. The attack exposed not only the challenges faced by the U.S. to secure the backbone of communications infrastructure but also exposed critical flaws, at a global level, that are being exploited with similar attack chains.

Salt Typhoon’s exploitation of at least nine U.S. telecom service providers (TSPs), first detected on government systems in 2022, gave the adversary access to sensitive metadata, including call logs, messages, and records of high-profile individuals. Less highlighted is that the threat actor has also been attributed to dozens of additional ISP compromises globally. The breaches allowed further access to core infrastructure (e.g., edge routers, core routers, switches), potentially including equipment used by outside organizations that are TSP customers.

This level of access could, in theory, allow threat actors to pivot into other organizations’ architecture, starting an entirely new campaign with different TTPs. Initial TSP access could also be used to target those organizations' customers and intellectual property. Many organizations depend heavily on TSPs for their communications, security, and managed networking devices. Examining the wider implications of the Salt Typhoon breaches is important to prevent further unauthorized access into the private sector, which can take the form of corporate espionage campaigns or critical infrastructure compromise, as these examples show.

Legacy Systems and Telecom's Growing Attack Surface

These breaches highlight the complexity of securing telecom infrastructure at scale, a challenge worsened by the difficulty of securing edge routers and the industry's reliance on legacy systems. Just as every city is built upon the remnants of its past, with old infrastructure shaping new expansions, telecoms have evolved atop legacy systems, creating a complex, interwoven foundation of outdated and cutting-edge technologies that together support availability. This mix includes legacy communications equipment, modern IP stacks, an increasingly cloud-based presence, heavy API usage, and insecure edge devices.

With limited visibility across every piece of infrastructure, attackers can exploit overlooked vulnerabilities, whether in legacy hardware or modern cloud services. For organizations whose digital architecture uses telecom-managed edge equipment, it is highly plausible that a breach of a TSP could result in secondary unauthorized access to, or data collection on, their network. Enterprises reliant on telecom infrastructure must recognize that they also inherit its vulnerabilities and risk profile. This is especially relevant because many critical infrastructure sectors depend on these relationships and, as seen in the Volt Typhoon campaigns, are vulnerable.

CALEA: When Surveillance Becomes a Security Risk

One of the most alarming aspects of the Salt Typhoon breach is how it exploited vulnerabilities in telecom systems designed for lawful intercept (LI) under the Communications Assistance for Law Enforcement Act (CALEA). Enacted in 1994, the act mandates that telecom carriers build systems capable of intercepting communications for government surveillance. Unfortunately, those same systems are open to misuse by attackers.

CALEA itself does not require service providers to encrypt the intercepted data. That level of security is left to individual providers, and while encryption is critical for securing sensitive information, it also carries costs and limitations, especially for high-volume, high-retention datasets like those in LI systems: high computational cost, added latency, storage inefficiency, and the risk of file corruption. If threat actors gain access to these systems while the data is in cleartext, as Salt Typhoon did, they can collect vast amounts of enterprise communication data for use in subsequent cyber or information operation campaigns.

Rethinking Telecom-Dependent Security

As telecom providers become increasingly targeted by state-sponsored actors and cybercriminals, businesses must consider the potential fallout. The question isn’t just how to protect their own systems but also how to build resilience against attacks on external vendors and critical partners. With telecom providers serving as a critical backbone for enterprise connectivity, businesses must account for this risk, proactively secure their communications channels, and hold vendors to high security standards.

Key Actions for Enterprises to Strengthen Security

Enterprises must focus on these critical areas to improve telecom-related security:

1. Assess Telecom Vendor Security: Enterprises must include service-provider-managed devices and connections in their risk reviews and ensure those providers implement strong encryption, secure authentication, and secure API connections. They must also ensure that edge devices are kept patched and sufficiently hardened against external attack, and demand transparency in vendor security practices.

2. Implement Encryption: Businesses should not rely solely on telecom providers to secure communications. Use end-to-end encryption for calls, messages, and data to safeguard communications, ensuring protection even if telecom providers are breached. This is critical to protect high-value data like intellectual property and customer information. Important data at rest should also be encrypted when possible.

3. Actively Monitor Infrastructure and Hunt for Threats: Security teams must have visibility into all communications infrastructure, including telecom dependencies. They should continuously monitor assets such as external APIs, network traffic, and third-party system integrations. Proactive threat hunting can also detect anomalies and stop attacks before damage occurs.

4. Adopt Zero Trust Architecture: Enterprises should take a zero trust approach, where all network traffic is treated as suspicious, and access is continuously verified. Regular audits of credentials, permissions, and third-party connections minimize risks from compromised systems or legacy vulnerabilities. Applying zero trust principles to communications infrastructure also ensures that attackers are unable to move laterally within the organization, even if a telecom provider is breached.

Rising to the Challenge

The Salt Typhoon breach highlighted a stark reality for telecom providers and the enterprises that rely on them. Complex, inherited infrastructure creates significant cybersecurity risks that must be addressed. While headlines often present breaches as affecting one organization or sector, it is important to consider how APT campaigns can span sectors (e.g., a TSP/ISP compromise used to pivot into critical infrastructure such as ICS/SCADA). It is crucial for businesses to understand the scope of these vulnerabilities and take steps to mitigate them to protect operations, communications, and sensitive data in an increasingly hostile environment.

Enterprises must take a more proactive approach to secure their communications channels, vendor relationships, and internal infrastructure. The telecom industry and its customers are facing an era where it is essential to build robust cybersecurity practices, and the time to act is now.

About the Author

Trea Zemaitis | Senior Security Engineer at Core4ce

Trea Zemaitis is a Senior Security Engineer with Core4ce and has extensive experience in vulnerability/penetration testing assessments, computer forensics, and SOC operations. His career spans public and private sectors, consulting, and military roles, where he has led global security engagements, including red and purple teaming. Trea also holds advanced degrees in cybersecurity and economics, with a focus on game theory, and has a wide range of advanced industry certifications.