Chinese hackers continue to torment U.S. telecommunication companies
In recent months, Chinese state-sponsored hackers, specifically a group known as Salt Typhoon, have been implicated in breaches targeting U.S. telecommunications companies. This group is believed to have conducted cyber operations aimed at stealing sensitive communications, law enforcement data, and information about political figures. The U.S. government and cybersecurity agencies have expressed concerns about these activities due to the potential impact on national security and critical infrastructure.
According to Reuters, the FBI, Director of National Intelligence Avril Haines, Federal Communications Commission Chair Jessica Rosenworcel, the National Security Council and the Cybersecurity and Infrastructure Security Agency met in a closed-door briefing this afternoon.
On December 11, the U.S. Senate Commerce Subcommittee will convene a hearing to address the risks posed by Salt Typhoon and other security threats to U.S. communications networks. The session will include testimony from Tim Donovan, CEO of the Competitive Carriers Association. Lawmakers aim to explore the extent of Chinese cyberattacks on U.S. telecommunications systems, evaluate vulnerabilities, and identify best practices for improving network security.
This hearing comes amid heightened concerns about the breadth and implications of reported Chinese intrusions into critical telecom infrastructure. These breaches have raised significant questions about when government agencies and private companies can restore public confidence in the safety and integrity of U.S. communications networks. The discussions are expected to focus on improving collaboration and bolstering defenses against future threats, added Reuters.
What Are the Implications
Brad LaPorte, CMO at Morphisec, explains that Salt Typhoon, a state-sponsored hacking group linked to the People’s Republic of China, poses a significant threat to U.S. telecommunications and critical infrastructure.
“Known for exploiting backdoors and supply chain vulnerabilities and employing advanced tactics like ‘living off the land,’ Salt Typhoon has been involved in the worst telecom hack in U.S. history, compromising national security and economic stability,” he says.
LaPorte adds that Salt Typhoon's operations have been characterized by several key tactics, techniques, and procedures (TTPs):
- Exploitation of Backdoors: Salt Typhoon has exploited intentional backdoors in telecommunications systems designed for lawful wiretapping to gain unauthorized access to sensitive data.
- Living off the Land: This tactic involves executing attacks using existing tools and processes within the target environment, minimizing detection risks.
- Data Exfiltration: The group has been reported to collect extensive data, including call logs, unencrypted text messages, and audio communications, particularly from high-profile individuals involved in national security and political campaigns.
- Supply Chain Attacks: By targeting telecommunications providers, Salt Typhoon has demonstrated the potential for supply chain vulnerabilities to be exploited, affecting not just the immediate targets but also downstream users and services.
“As China continues to engage in cyber operations that undermine U.S. interests, the trust between the two nations has eroded significantly. The ongoing meddling in critical assets and infrastructure for strategic and economic advantage has prompted a reevaluation of cybersecurity strategies across various sectors. This situation serves as a clarion call for organizations to adopt more robust defensive measures,” warns LaPorte.
Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, states that it's unfortunate to see notifications like this. So much of this guidance has been out there for a very long time. He stresses he would prioritize phishing-resistant FIDO MFA in CISA's guidance for critical infrastructure providers, especially technology-centric firms like the telcos.
“Everything we can do to raise the cost and work factor for malicious actors and nation-state communities helps. Thankfully, encrypted communications are ubiquitous and available to the general public today. We'd recommend adding encryption to anything crossing third-party communications infrastructure when possible. iMessage, RCS (can be), WhatsApp, Signal - please use them,” says Ford. “Also, I would recommend adding a second factor of authentication, something stronger than SMS, such as Yubikeys, Apple's secure element, or pseudo-random code generators like Google Authenticator, Authy, Duo, etc. to all of your online accounts - and use platforms that support them.”
Key Findings and Methods
Salt Typhoon’s operations are characterized by sophisticated tactics aimed at persistent access to their targets. They exploit vulnerabilities in public-facing systems, including routers and firewalls, and leverage compromised credentials to escalate privileges and move laterally within networks. Their focus is often on maintaining long-term access rather than immediate disruption, allowing them to gather intelligence or position themselves for future operations. This strategy aligns with other Chinese cyber espionage groups, such as Volt Typhoon, which have also targeted critical U.S. infrastructure.
CISA’s Recommendations
The Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance to mitigate these threats. Recommendations include:
- Strengthening access controls: Implementing multi-factor authentication and minimizing privileged account access.
- Monitoring for unusual activity: Enhancing detection of lateral movement and suspicious login behaviors.
- Patch management: Promptly addressing known vulnerabilities in network appliances and critical software.
- Collaboration and reporting: Encouraging organizations to share threat intelligence and report incidents to federal authorities to improve collective defenses.
“This campaign has been reported on by CISA for about two months. I would have hoped guidance like this would have been published sooner, but honestly, it’s slightly better than a recitation of best practices that should be done anyway,” scolds John Bambenek, President at Bambenek Consulting.
Callie Guenther, Senior Manager for Cyber Threat Research at Critical Start, a Plano, Texas-based provider of Managed Detection and Response (MDR) cybersecurity solutions, points out that Salt Typhoon’s activities against U.S. telecom providers reveal a strategic focus on long-term espionage, targeting sensitive data such as metadata, relational networks, and credentials to support broader intelligence and operational goals. These operations exploit systemic vulnerabilities in the telecommunications sector, including outdated infrastructure and supply chain weaknesses, highlighting the sector’s susceptibility to advanced state-sponsored threats.
“The recent guidance from CISA, NSA, and FBI emphasizes Zero Trust principles, robust encryption, timely software updates, and enhanced supply chain security as critical defenses. A notable recommendation to use encrypted messaging apps reflects diminishing confidence in the security of traditional telecom systems against sophisticated adversaries,” adds Guenther.
Guenther goes on to say that the state of U.S. telecommunications infrastructure underscores operational inefficiencies, an emphasis on cost over security, and significant regulatory gaps compared to other critical industries.
“This creates persistent vulnerabilities that adversaries like Salt Typhoon can exploit. To mitigate these risks, public-private collaboration is essential, alongside an industry-wide push for modernization and adherence to security baselines. Salt Typhoon’s focus on data-driven, stealthy espionage highlights the strategic nature of attacks on critical infrastructure and underscores the need for proactive and comprehensive security measures to address evolving threats,” Guenther says.
Broader Implications
The Salt Typhoon breaches highlight systemic vulnerabilities in U.S. telecom infrastructure, which is critical for both civilian and military operations. The ongoing investigation has prompted congressional scrutiny and calls for stronger oversight of cybersecurity practices within telecom providers. Some policymakers are also advocating for enhanced coordination between private industry and federal agencies to bolster defenses against state-sponsored cyber threats.
These developments underscore the importance of proactive cybersecurity measures and the need for robust public-private partnerships to safeguard critical infrastructure from advanced persistent threats like Salt Typhoon.
“The knowledge that nation-state sanctioned entities have made their way into our country's communication providers is an alarming thought that will hopefully help demonstrate why cybersecurity needs to be a priority for these types of organizations,” warns Erich Kron, a Security Awareness Advocate with KnowBe4.
“Communications are a critical part of government and business, and the ability to steal data or even collect metadata, such as who a person calls, when they call them, and how often they place these calls, or the ability to intercept internet traffic, could be a significant threat to national security, law enforcement, and large organizations. The threat of communication disruptions is also a significant threat, especially in modern times where fast communication is critical to everything from business practices to military operations.”
Kron concludes that telecom providers and ISPs need to be on alert for odd behavior and should pay close attention to logs, especially access logs, and network traffic to key infrastructure devices.
“With the size of many of these networks and the vast amount of data that gets moved through them, spotting and evicting these bad actors will be a challenge that may take several more months to complete.”