- Chinese cybercrime group Salt Typhoon is well known for having hacked multiple North American telcos
- But its activities are international and cover multiple industry verticals
- Security agencies from around the world have collaborated on a ‘cybersecurity advisory’ document that identifies the group’s threats and modus operandi
Multiple security and law enforcement agencies from around the world have issued a joint ‘cybersecurity advisory’, or CSA, warning of the threat posed by the major hacking outfit Salt Typhoon. The group gained notoriety for breaching multiple major US telco networks but, it seems, is active in multiple countries and is targeting companies across multiple industry sectors.
Salt Typhoon, which has long been identified as being “state-sponsored” by the People’s Republic of China (PRC), made headlines last year when it emerged that the group had hacked into the systems of at least nine US telecom networks, including those of AT&T and Verizon, with the hackers believed to have had what US deputy national security advisor for cyber and emerging technology Anne Neuberger described as “broad and full access”.
More recently, the Canadian Centre for Cyber Security issued a cyber bulletin that “aims to raise awareness of the threat posed by PRC cyber threat activity, particularly to Canadian telecommunications organisations, in light of new Salt Typhoon-related compromises of entities in Canada. The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon.”
Now a detailed joint document has been published and distributed by more than 20 security agencies, including: the US National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI); the Canadian Centre for Cyber Security and Canadian Security Intelligence Service (CSIS); the UK’s National Cyber Security Centre (NCSC); Germany’s federal intelligence service, the Bundesnachrichtendienst (BND), as well as other German security institutions; and agencies in Australia, New Zealand, the Czech Republic, Finland, Italy, Japan, Spain, Poland and the Netherlands.
It notes: “People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks.”
The 37-page document points out that the activity of multiple groups, including but not limited to Salt Typhoon and collectively referred to as “advanced persistent threat (APT) actors”, has been observed in the US, Australia, Canada, New Zealand, the UK and other areas globally, and that these groups have been active since 2021.
FBI assistant director Brett Leatherman, who heads up the bureau’s cyber division, told The Washington Post that the activity of the APT actors had spread to 80 countries and impacted at least 200 US companies. Leatherman stated the threat is ongoing, saying the hackers have multiple software-based hidden points of reentry into network devices. “Just because it was secure six months ago does not mean it is now,” he told the newspaper.
The FBI also posted a video in which Leatherman noted that PRC-affiliated APT actors have been active since 2019. He added that “Beijing’s indiscriminate targeting of private communications demands our stronger collaboration with our partners to identify and counter this activity at the earliest stages.”
The extensive CSA, which aims to help companies defend themselves against the APT actors and to identify the ongoing activity of Salt Typhoon and other cybercriminals, “details the tactics, techniques and procedures (TTPs) leveraged by these APT actors to facilitate detection and threat hunting, and provides mitigation guidance to reduce the risk from these APT actors and their TTPs.”
The security agencies “strongly urge network defenders to hunt for malicious activity and to apply the mitigations in this CSA to reduce the threat of Chinese state-sponsored and other malicious cyber activity.”
The agencies note that “three China-based technology companies provide cyber-related services to the Chinese intelligence services and are part of a wider commercial ecosystem in China, which includes information security companies, data brokers and hackers for hire.”
The three companies are Sichuan Juxinhe Network Technology Co Ltd, Beijing Huanyu Tianqiong Information Technology Co, and Sichuan Zhixin Ruijie Network Technology Co Ltd.
In its announcement about the CSA, the UK’s National Cyber Security Centre (NCSC) explains that the data stolen by the APT actors “can ultimately provide the Chinese intelligence services [with] the capability to identify and track targets’ communications and movements worldwide. The advisory describes how the threat actors have had considerable success taking advantage of known common vulnerabilities rather than relying on bespoke malware or zero-day vulnerabilities to carry out their activities, meaning attacks via these vectors could have been avoided with timely patching.”
NCSC CEO Dr Richard Horne stated: “We are deeply concerned by the irresponsible behaviour of the named commercial entities based in China that has enabled an unrestrained campaign of malicious cyber activities on a global scale. It is crucial organisations in targeted critical sectors heed this international warning about the threat posed by cyber actors who have been exploiting publicly known – and so therefore fixable – vulnerabilities. In the face of sophisticated threats, network defenders must proactively hunt for malicious activity, as well as apply recommended mitigations based on indicators of compromise and regularly review network device logs for signs of unusual activity.”
The NCSC added that the UK has helped to improve cyber risk management with legislation, such as the Telecommunications (Security) Act 2021 and the associated Code of Practice, for which the NCSC was the technical authority.
The UK government’s forthcoming Cyber Security and Resilience Bill “will further strengthen the UK’s cyber defences, protecting the services the public rely on to go about their normal lives,” it added.
- Ray Le Maistre, Editorial Director, TelecomTV