
Salt Typhoon poses a serious supply chain risk to most organizations – Source: www.csoonline.com


Source: www.csoonline.com

The Salt Typhoon intrusion gives China a chance to exfiltrate massive amounts of data from most organizations, especially voice calls that can be stored for later use in deepfake campaigns.

In the late spring of 2024, the US Federal Bureau of Investigation (FBI) began investigating reports of malicious activities targeting multiple US telecommunications companies. The agency determined that Chinese-affiliated actors had stolen many communications records related to several unidentified individuals during what they later realized was a persistent infiltration dating back at least two years.

By late September and early October, US authorities began publicly warning about a threat actor that Microsoft calls Salt Typhoon (also known as Earth Estries, Ghost Emperor, Famous Sparrow, or UNC 2286) that is likely affiliated with China’s Ministry of State Security, also known as APT 40. Federal authorities have continued ramping up public warnings regarding the group.

Cybersecurity experts say the Salt Typhoon intrusions pose a serious supply chain risk for the telcos’ customers, who encompass a broad swath, if not all, of global public and private sector organizations. “It’s a supply chain attack where they’re not targeting the telcos as much as they’re targeting the telcos’ customers,” Jon Clay, vice president of threat intelligence at Trend Micro, tells CSO. “It’s a technique we call ‘island hopping,’ where they gain access to a target through a partner or a vendor or something.”

Not all of the details of Salt Typhoon’s attacks have been released

Although the US government has offered broad, generic risk management guidance to communications and critical infrastructure providers, the details defenders need are under wraps. Given that the threat actor still resides in the infected networks, authorities are loath to provide more concrete advice lest Salt Typhoon switch things up and burrow deeper into the infrastructure.

Nevertheless, experts say CISOs should try talking with their telecommunications providers about whether they’ve fixed the flaws that allowed Salt Typhoon in. They should also try to cut off the group’s command and control infrastructure if they spot it. Most importantly, experts say CISOs should embrace encryption throughout their networks to protect their data and voice communications from fueling future threats, including deepfake videos.

The good news is that with a lot of high-powered glare bearing down on it, publicity-shy China has got to be feeling the heat. “There’s definitely a hell of a lot more threat hunting going on now than there was before,” Adam Isles, principal and head of the cybersecurity practice at the Chertoff Group, tells CSO.

“And so, if you’re on their side of it, you’ve got to be thinking to yourself, ‘whatever access I have now is not what it was beforehand. And I have to appreciate the risk of that being time-limited.’”

Timeline of recent Salt Typhoon developments

The following is a timeline of the recent developments related to Salt Typhoon.

Nov 21: Worst telecom hack in history. Senator Mark Warner, the Senate Intelligence Committee chairman, called the Salt Typhoon campaign “the worst telecom hack in our nation’s history — by far.” Warner said the hackers have been able to listen to audio calls in real-time and steal call data, and they have, in some cases, moved from one telecom network to another.

Dec 3: US government’s encryption about-face. Although the initial concerns about Salt Typhoon centered on China hacking into federal government systems for court-authorized telecom network wiretapping requests, an FBI analysis revealed that the aims of Salt Typhoon were much broader than law enforcement and national security intercepts.

According to an FBI official speaking at a CISA press briefing, the threat actors were already embedded in other parts of the telcos’ systems before they pivoted to the law enforcement systems. During that call, Jeff Greene, Executive Assistant Director at CISA, said that one way to protect against voice call intercepts and data theft is to use encrypted apps, a seeming reversal for US law enforcement, which has long complained that end-to-end encrypted apps hide criminal activity.

Dec 3: Guidance for engineers and sysadmins. NSA, CISA, the FBI, the Australian Signals Directorate, and the National Cyber Security Centres of Canada and New Zealand released communications infrastructure guidance that provides engineers and system administrators with defensive measures to protect against intrusions.

Dec 4: Eight US telcos infiltrated. During a press briefing, Anne Neuberger, the White House deputy national security adviser for cyber and emerging technology, said that Salt Typhoon has infiltrated at least eight telecom companies in the US, which reportedly include Verizon, AT&T, and Lumen Technologies.

Press reports suggest that the targeted individuals include President-elect Donald Trump, his vice-presidential pick JD Vance, US Senate Majority Leader Chuck Schumer, Vice President Kamala Harris, and State Department officials, among other leaders.

Dec 4: Pentagon pressured on unencrypted phones. US Senators Ron Wyden and Eric Schmitt sent a letter to the Pentagon’s Inspector General urging the Department of Defense to abandon the use of unencrypted phones and platforms given the risk of serious harm from Salt Typhoon.

Dec 5: FCC push on telcos to do better. Following an emergency classified briefing of Senate leaders regarding Salt Typhoon, the US Federal Communications Commission launched an effort to require telecom networks to secure their networks against unlawful access and interception.

Dec 6: CSRB kicks off an investigation. The Cyber Safety Review Board (CSRB), an arm of CISA, kicked off an investigation into the Salt Typhoon attacks. House Committee on Homeland Security Chairman Mark E. Green vowed to hold hearings on the CSRB’s report and introduce legislation to address the nation’s cybersecurity that would, among other things, create an interagency task force to address China’s cybersecurity threats.

Details of Salt Typhoon’s activities are still scarce

Although federal agencies have been elevating their warnings about Salt Typhoon for months, details on how the group achieved its infiltration or the number of organizations affected are still scarce.

The lack of specifics is due to the unfortunate fact that Salt Typhoon is still lodged in the infected telecommunications networks. “We cannot say with certainty that the adversary has been evicted because we still don’t know the scope of what they’re doing,” CISA’s Greene said during the press briefing. “We’re still trying to understand that along with [industry] partners.”

Authorities are almost certainly withholding details to prevent Salt Typhoon from changing its tactics and finding new and more covert ways to implant its malware onto victims’ networks. “Once they get on one machine, they always want to pivot,” ESET malware researcher Alexandre Côté Cyr tells CSO.

“And since most IT teams have blind spots in their network, they don’t know everything,” he says. “Not everything’s monitored properly. My guess is it’s hard to get them out because they’re in many different places, and they keep spreading among those machines. If they still have a foothold somewhere and they get reports about what’s being discovered as it goes on, they can always update or add new tools through those existing paths to keep evading the new detections.”

Salt Typhoon might be saving call recordings for future deepfakes

Like most Chinese-state-sponsored threat actors, Salt Typhoon is an espionage operation seeking to collect as much information as possible from its target organizations. Neuberger and other US officials believe the group aimed to capture metadata and recorded telephone calls of “very senior” American political figures.

Although Salt Typhoon’s current campaign appears targeted, officials also say it has scooped up data on hundreds of thousands of American mobile phone users, likely stealing information on more than one million customers. Cybersecurity experts say Salt Typhoon is poised to continue collecting massive amounts of data and voice recordings from all the telcos’ customers and saving the data they exfiltrate for various purposes, particularly deepfakes.

“What will they do with this data down the road?” asked Trend Micro’s Clay. “We’ve already been discussing this internally, and it’s audio fakes. Because if I get a whole bunch of conversations now, I’ve got your voice, and I can utilize your voice and audio fakes in the future. So, there’s a lot of concern over what can be done with this data.”

“I think the idea that they are hoovering up lots of information is not at all out of the realm of possibility,” Chertoff’s Isles says. “I think we can overweight that towards call content. They’re going to get the audio of CEOs, et cetera.”

Guidance on how to strengthen visibility, harden assets

The guidance issued by US, Canadian, Australian, and New Zealand authorities offers a series of detailed and rigorous steps for communications networks and other critical infrastructure providers to strengthen visibility and harden devices and architecture. It also provides hardening best practices for Cisco operating systems, which authorities say Salt Typhoon targeted.

The nine-page alert says organizations should engage in proactive monitoring, emphasizing early detection through robust visibility and anomaly tracking; defense-in-depth, adding layers of protection through encryption, segmentation, and secure device configurations; enhanced protection focus, emphasizing patching, turning off unnecessary services, and securing protocol usage; and collaboration, encouraging organizations and manufacturers to work together for a more secure infrastructure.
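The “turn off unnecessary services” and “secure protocol usage” items above are the kind of thing a defender can check mechanically against a device’s running configuration. The following is an added example, not code from the article or from the agencies’ alert: a small audit script that scans a Cisco IOS-style running-config for a handful of well-known weak settings (legacy small servers, plaintext HTTP management, telnet on VTY lines, reversible enable passwords, a default SNMP community, source routing left at its default). The rule list is this example’s own selection and is not the alert’s check list; the sample configuration is constructed.

```python
"""Audit a Cisco IOS-style running-config for a few well-known weak settings.

Added example (not from the CSO article or the joint agency alert). The
rules below are this example's own selection of IOS commands; the config
text is constructed for demonstration.
"""
import re

# Constructed sample: a deliberately sloppy edge-router config fragment.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service tcp-small-servers
ip http server
no ip http secure-server
enable password cisco123
snmp-server community public RO
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# Each rule: (finding text, regex that matches the UNWANTED state when present)
PRESENT_IS_BAD = [
    ("legacy TCP small servers enabled",
     re.compile(r"^service tcp-small-servers$", re.M)),
    ("legacy UDP small servers enabled",
     re.compile(r"^service udp-small-servers$", re.M)),
    ("plaintext HTTP management enabled ('ip http server')",
     re.compile(r"^ip http server$", re.M)),
    ("'enable password' (reversible) used instead of 'enable secret'",
     re.compile(r"^enable password ", re.M)),
    ("default SNMP community 'public' configured",
     re.compile(r"^snmp-server community public\b", re.M)),
]

# Rules where the ABSENCE of a hardening line is the finding.
ABSENT_IS_BAD = [
    ("'service password-encryption' not set",
     re.compile(r"^service password-encryption$", re.M)),
    ("IP source routing left at default ('no ip source-route' absent)",
     re.compile(r"^no ip source-route$", re.M)),
]


def audit_config(text: str) -> list[str]:
    """Return a list of human-readable findings for the given config text."""
    findings = [desc for desc, rx in PRESENT_IS_BAD if rx.search(text)]

    # Telnet on any VTY line: look inside each 'line vty ...' block
    # (indented lines that follow it) for 'transport input' containing telnet.
    for m in re.finditer(r"^line vty.*\n((?: .*\n)*)", text, re.M):
        block = m.group(1)
        if re.search(r"^ transport input .*\btelnet\b", block, re.M):
            findings.append("telnet allowed on vty lines (use 'transport input ssh')")
            break

    findings.extend(desc for desc, rx in ABSENT_IS_BAD if not rx.search(text))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

The script is a starting point for a configuration-compliance check, not a complete hardening baseline; the same pattern (presence rules plus absence rules) extends naturally to whatever settings a given vendor’s guidance calls out.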

None of this is new guidance or necessarily specific to Salt Typhoon. It encompasses virtually all the cybersecurity risk management practices that CISA and other security organizations have long advocated organizations adopt. “All the guidance from CISA is like, ‘Okay, do everything in cybersecurity, do zero trust,’” Joe Saunders, founder and CEO of RunSafe Security, tells CSO.

Memory-based vulnerabilities are at the heart of the problem

Despite the potentially overbroad advice, Saunders recommends that CISOs take the collaboration guidance to heart and press their telecom providers on how they have addressed memory-based vulnerabilities in their products.

Memory-based vulnerabilities allow the attacker to take command and control of a device, introduce code to do something nefarious, or leverage existing code for unintended, equally nefarious purposes. They are a class of vulnerabilities targeted for elimination in CISA’s Secure by Demand initiative.

“At the core of what Salt Typhoon is doing is leveraging memory-based vulnerabilities deep in the heart of the telecom equipment itself,” Saunders says. “And that’s a very specific tactic often used by hacker groups from China. It is essential for CISOs to ask their suppliers: Have you eliminated the memory vulnerabilities completely in your equipment?”

Other experts are skeptical that CISOs or the federal government can make headway in pressing telcos on memory-based vulnerabilities. They say Chinese threat actors continually exploit multiple zero-day vulnerabilities in VPN, firewall, and other edge products from Ivanti, Fortinet, Sophos, Cisco, and others that telcos use in their networks.

Clay says that “the FCC can come up and say ‘Hey, you got to patch these vulnerabilities within X number of days.’ But how are they going to defend against a zero-day? Because zero days can be easily done these days,” particularly given that Beijing now requires any zero days discovered by security researchers to be kept secret and reported to the government only.

Other experts think that only the world’s most influential organizations will have standing with the telcos to query them about memory-based vulnerabilities. “If you’re a Fortune 10 company, maybe you can have a conversation with Verizon,” Chertoff’s Isles says.

Clay says that instead of focusing on memory-based vulnerabilities, if “I were a CISO right now, I would certainly be looking for command-and-control infrastructure. If you can cut off the command-and-control infrastructure, it’s what maintains that ability to get back into the network from outside. If I can break that, I’m keeping them out of the network.”
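Hunting for command-and-control infrastructure usually starts with what outbound traffic looks like over time: implants that call home tend to do so on a regular interval, and that regularity stands out against human-driven browsing. The block below is an added example, not code from the article or from Trend Micro: it parses a few constructed proxy-log lines (timestamp, source, destination, bytes), groups connections by source/destination pair, and flags pairs whose inter-arrival intervals have very low variation relative to their mean. The log format and thresholds are this example’s own assumptions.

```python
"""Beaconing detection over constructed proxy-log lines.

Added example, not code from the CSO article or any quoted vendor. It
assumes a simple whitespace-separated log format (ISO timestamp, source
IP, destination IP, bytes) that is constructed here; the lines are made up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host contacts 203.0.113.10 every ~300 s with
# almost no jitter (machine-like), interleaved with irregular browsing.
SAMPLE_LOG = """\
2024-12-01T10:00:00 10.1.2.3 203.0.113.10 512
2024-12-01T10:00:07 10.1.2.3 198.51.100.5 14200
2024-12-01T10:05:01 10.1.2.3 203.0.113.10 512
2024-12-01T10:06:40 10.1.2.3 198.51.100.5 8300
2024-12-01T10:10:00 10.1.2.3 203.0.113.10 520
2024-12-01T10:14:59 10.1.2.3 203.0.113.10 512
2024-12-01T10:19:12 10.1.2.3 198.51.100.5 23100
2024-12-01T10:20:01 10.1.2.3 203.0.113.10 512
2024-12-01T10:25:00 10.1.2.3 203.0.113.10 512
"""


def parse_log(text: str) -> list[tuple]:
    """Parse log lines into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_events: int = 5, max_cv: float = 0.1) -> list[tuple]:
    """Return (src, dst, mean_interval_s, cv) for src/dst pairs whose
    connection intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections; values near zero indicate timer-driven traffic.
    Pairs with fewer than min_events connections are ignored to avoid
    flagging short bursts.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, interval, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s (cv={cv})")
```

In practice the interesting destinations are then checked against threat intelligence and the flagged hosts examined directly; a regular interval alone is only a lead, since software updaters and monitoring agents beacon too, and implants that add random jitter will push cv above a tight threshold.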

Encryption is key to fighting Salt Typhoon

Experts agree that encrypting communications is crucial to thwarting Salt Typhoon’s espionage efforts. “What we have told folks internally is that encryption is your friend,” CISA’s Greene said during the press call. “Whether it is on text messaging or if you have the capacity, voice communications, even if the adversary is able to intercept the data, if it’s encrypted, it will make it really hard for them to detect it.”

Although end-to-end encryption (E2EE) messaging, such as Signal, is the gold standard, experts say it’s unclear how well that would scale across large organizations. Moreover, they say that in most cases, E2EE isn’t necessary.

“In most cases, use the common encryption methods,” ESET’s Cyr says. “You wouldn’t even need to have end-to-end encryption. It’s always a plus, but you only need any kind of encryption. Everything should be secured with TLS [transport layer security] or HTTPS [hypertext transfer protocol security] because the ISP cannot decrypt that. If it’s encrypted properly, the ISP just acts as a highway or a tube. So, the data passes through, and the threat actor can’t listen.”


Original Post url: https://www.csoonline.com/article/3621674/salt-typhoon-poses-a-serious-supply-chain-risk-to-most-organizations.html

Category & Tags: Advanced Persistent Threats, Communications Security, Cyberattacks, Telecommunications Industry, Threat and Vulnerability Management
