2024-10-07
Chinese Salt Typhoon Threat Actors Breached US Broadband Providers' Networks
According to a report in The Wall Street Journal, a threat actor group with ties to China's government has broken into the networks of several US broadband providers. Known as Salt Typhoon, the group may have accessed systems used for court-authorized wiretaps. The breached companies include Verizon, AT&T, and Lumen/CenturyLink. The incident is being investigated by the FBI, U.S. intelligence agencies, and the Department of Homeland Security.
Editor's Note
If you build it, they will come. The court-authorized wiretap interfaces at telco providers are too juicy of a target for attackers to overlook. Note to also closely monitor any infrastructure like this in your own environment. You may not deal with court ordered wiretaps, but your security team likely still has extensive systems to reach out to and monitor endpoints.
Johannes Ullrich
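One way to act on the monitoring advice above is to alert on unusual access to a privileged management interface of the kind that reaches out to endpoints. The following is an added example, not code from SANS or the editors: it scans a constructed audit log of logins to a hypothetical intercept/management portal and flags accounts outside a known-admin list, source addresses outside an allowlisted jump-host subnet, and logins outside an expected maintenance window. The log format, account names, subnet and window are all assumptions.

```python
"""Flag anomalous logins to a privileged management interface.

Added example; the log format, accounts, allowlisted subnet and
maintenance window below are constructed assumptions, not values
from any real provider.
"""
import ipaddress
from datetime import datetime, time

# Assumed baseline for the interface (constructed)
KNOWN_ADMINS = {"li.ops", "noc-oncall"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]  # jump-host subnet
MAINT_WINDOW = (time(8, 0), time(18, 0))  # expected access hours (local)

# Constructed sample audit lines: "<ISO timestamp> <user> <source ip> <action>"
SAMPLE_LOG = """\
2024-10-01T09:15:02 li.ops 10.20.0.15 LOGIN_OK
2024-10-01T21:40:11 li.ops 10.20.0.15 LOGIN_OK
2024-10-02T10:02:45 svc_backup 10.20.0.99 LOGIN_OK
2024-10-02T10:05:10 noc-oncall 203.0.113.7 LOGIN_OK
2024-10-02T10:06:00 noc-oncall 10.20.0.16 LOGIN_FAIL
"""


def parse_line(line):
    """Split one audit line into a dict with typed timestamp and address."""
    ts, user, src, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "src": ipaddress.ip_address(src),
        "action": action,
    }


def anomalies_for(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event["user"] not in KNOWN_ADMINS:
        reasons.append("unknown-account")
    if not any(event["src"] in net for net in ALLOWED_SOURCES):
        reasons.append("source-not-allowlisted")
    t = event["ts"].time()
    if not (MAINT_WINDOW[0] <= t <= MAINT_WINDOW[1]):
        reasons.append("outside-window")
    return reasons


def scan(log_text):
    """Evaluate every non-empty line; return (ts, user, src, reasons) for hits."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = anomalies_for(ev)
        if reasons:
            findings.append(
                (ev["ts"].isoformat(), ev["user"], str(ev["src"]), reasons)
            )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the scan reports three events: the known admin logging in at 21:40, the unlisted `svc_backup` account, and the on-call admin connecting from outside the jump-host subnet; the failed login from an allowed address during the window is not flagged by these rules. In practice the baseline would be drawn from the change-management record for the interface rather than hard-coded.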
Large ISPs are attractive targets for nation state intelligence agencies and present an equally large attack surface. While they could do more for the security of their users, they cannot be relied upon to do so. Targeted users should take appropriate precautions, to include end-to-end encryption and proprietary DNS service.
William Hugh Murray
The attack vector used by Salt Typhoon/Ghost Emperor in this case is unknown. In the past they have been known to obtain initial access through flaws like the Exchange ProxyLogon vulnerability to leverage a custom backdoor, SparrowDoor, customized Mimikatz, and a rootkit known as Demodex. Make sure that any remaining on-premises Exchange servers are fully patched, and reach back to your team to make sure that MFA is required on your Internet-facing services.
Lee Neely
Details are lacking, but two immediate thoughts: 1) there has to be an exploit in common for all three communication service providers (CSPs); and 2) over time CSPs automate CALEA implementation, which creates a pathway to those protected systems. Nation states understand that, as they implemented them in their own countries.
Curtis Dukes
Read more in
Washington Post: China hacked major U.S. telecom firms in apparent counterspy operation
Ars Technica: Reports: China hacked Verizon and AT&T, may have accessed US wiretap systems
Security Week: China's Salt Typhoon Hacked AT&T, Verizon: Report
Dark Reading: Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report
The Register: Chinese cyberspies reportedly breached Verizon, AT&T, Lumen
Bleeping Computer: AT&T, Verizon reportedly hacked to target US govt wiretapping platform
Gov Infosecurity: Feds Probe Chinese 'Salt Typhoon' Hack of Major Telcos