The US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and international partners have released Enhanced Visibility and Hardening Guidance for Communications Infrastructure, a joint guide that provides best practices to protect against a threat actor affiliated with the People’s Republic of China (PRC).
Known as Salt Typhoon, the campaign has compromised the networks of multiple major telecommunications providers, including AT&T, Verizon, T-Mobile and at least five others, giving the actor access to live phone calls, sensitive communications, and surveillance data used by law enforcement. US government officials have described it as the worst telecommunications hack in US history.
Also contributing to the guidance are the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security and New Zealand’s National Cyber Security Centre.
Recommended best practices
The recommended practices are aimed at network engineers and defenders of communications infrastructure, to strengthen visibility and harden network devices against this broad and significant cyber espionage campaign.
The guide recommends actions to quickly identify anomalous behavior, vulnerabilities and threats, and to respond to a cyber incident. It also guides organizations on reducing existing vulnerabilities, improving secure configuration habits, and limiting potential entry points.
The US Federal Communications Commission is also working on steps to address vulnerabilities in U.S. telecommunications networks following the Salt Typhoon cyberattack.
Follow-on to previous warnings
In November, US law enforcement, national security and critical infrastructure agencies identified that actors affiliated with the People’s Republic of China (PRC) had compromised networks at multiple telecommunications companies.
The US Federal Bureau of Investigation (FBI) and US Cybersecurity and Infrastructure Security Agency (CISA) said that these compromises enabled the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders.
Iran-backed influence operations
This follows an October warning by CISA and the FBI about Iran-backed cyber activity intended to undermine US democratic institutions. Actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) have been using social engineering techniques across email and chat applications, probably to stoke discord and undermine confidence in U.S. democratic institutions. The agencies issued a fact sheet recommending actions to protect against this malicious activity.
Further reading
CISA, NSA, FBI and International Partners Publish Guide for Protecting Communications Infrastructure. Press release. December 3, 2024. US Federal Bureau of Investigation (FBI), US National Security Agency (NSA), and US Cybersecurity and Infrastructure Security Agency (CISA).
Joint Statement from FBI and CISA on the People’s Republic of China (PRC) Targeting of Commercial Telecommunications Infrastructure. Press release. November 13, 2024. FBI, CISA.
CISA and FBI Warn of Iranian-Backed Cyber Activity to Undermine U.S. Democratic Institutions. Press release. October 8, 2024. FBI, CISA.
Cybersecurity Technical Report: Network Infrastructure Security Guide (Publication U/OO/118623-22, PP-22-0293, Version 1.2). October 2023. NSA.
Why it matters
While these concerns sit at a much higher level, they align closely with concerns over protecting intellectual property, and with best practices intended to reduce the risk that the world’s media delivery ecosystems are penetrated to conduct piracy operations.
The concerns, of course, are nothing new, and were amplified in the period before the 2024 US elections, when hostile actors hoped to influence the outcome not only through breaches of infrastructure but also through psychological operations conducted via journalistic, social and electronic communications channels, and through influence operations aimed at politicians, business leaders and other public figures.
CISA and the FBI expect that the understanding of these compromises will grow as the investigations continue.