Protecting infrastructure: US agencies respond to Salt Typhoon cyberattack campaign, publish guide


The US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and international partners released Enhanced Visibility and Hardening Guidance for Communications Infrastructure, a joint guide that provides best practices to protect against a threat actor affiliated with the People’s Republic of China (PRC).

Known as Salt Typhoon, the attack has compromised the networks of multiple major telecommunications providers, including AT&T, Verizon, T-Mobile and at least five others, giving the actor access to live phone calls, sensitive communications, and surveillance data used by law enforcement. US government officials have described it as the worst telecommunications hack in US history.


Also participating in the joint guidance are the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Cyber Security Centre and New Zealand’s National Cyber Security Centre.

Recommended best practices

The recommended practices are for network engineers and defenders of communications infrastructure to strengthen visibility and harden network devices against this broad and significant cyber espionage campaign.

The guide recommends actions to quickly identify anomalous behavior, vulnerabilities and threats, and to respond to a cyber incident. It also guides organizations to reduce existing vulnerabilities, improve secure configuration habits, and limit potential entry points.

Network protection diagram. (Source: NSA Cybersecurity Technical Report, 2023)

The US Federal Communications Commission is also working on steps to address vulnerabilities in U.S. telecommunications networks following the Salt Typhoon cyberattack.

Follow-on to previous warnings

In November, US law enforcement, national security and critical infrastructure agencies had identified that actors affiliated with the People’s Republic of China (PRC) compromised networks at multiple telecommunications companies.

The US Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA) said that these compromises enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.

Iran-backed influence operations

This follows an October warning by CISA and the FBI of Iran-backed cyber activity intended to undermine US democratic institutions. Actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) have been using social engineering techniques across email and chat applications, probably to stoke discord and undermine confidence in U.S. democratic institutions. The agencies issued a fact sheet recommending actions to protect against this malicious activity.

Further reading

CISA, NSA, FBI and International Partners Publish Guide for Protecting Communications Infrastructure Press release. December 3, 2024. US Federal Bureau of Investigation (FBI), US National Security Agency (NSA), and US Cybersecurity and Infrastructure Security Agency (CISA)

Joint Statement from FBI and CISA on the People’s Republic of China (PRC) targeting of commercial telecommunications infrastructure.  Press release. November 13, 2024. FBI, CISA

CISA and FBI warn of Iranian-backed cyber activity to undermine U.S. democratic institutions. Press release. October 8, 2024. FBI, CISA

Cybersecurity Technical Report: Network Infrastructure Security Guide (Publication U/OO/118623-22, PP-22-0293, Version 1.2). October 2023. NSA

Why it matters

While these concerns operate at a much higher level, they align closely with concerns over protecting intellectual property, and with best practices intended to reduce the risk of hostile actors penetrating the world’s media delivery ecosystems to conduct piracy operations.

The concerns, of course, are nothing new, and were amplified during the period prior to the 2024 US elections, in which hostile actors hoped to influence the outcome, not just through breaches to infrastructure but also through psychological operations conducted through journalistic, social and electronic communications channels, and through influence operations aimed at politicians, business leaders and other public figures.

CISA and the FBI expect that the understanding of these compromises will grow as the investigations continue.
