Salt Typhoon Exploits ISPs’ Achilles’ Heel

Ben Wilkens - November 15, 2024

Chinese-backed Hackers Burrow Deep into United States Telecom and Internet Service Providers

On September 25, the Wall Street Journal (WSJ) broke a news story that the People’s Republic of China (PRC)-backed threat actor Salt Typhoon had successfully targeted several cable and broadband service providers[1]. It turns out that this was only part of the story, as further details have since come to light.

On October 8, Mark E. Green, Chairman of the U.S. House of Representatives Committee on Homeland Security, and Andrew Garbarino, Chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, sent a joint letter to Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), and Christopher Wray, Director of the FBI, requesting an urgent briefing on the status of PRC-backed cyber actors and their attacks on U.S. networks and critical infrastructure. The concerns expressed in this letter included that the PRC could “influence communications by rerouting internet traffic[2] or gain valuable information by accessing systems for lawful wiretapping requests[3].”

As reported by multiple sources, the PRC-backed threat actors associated with Salt Typhoon did in fact exploit the lawful-intercept systems these ISPs operate to comply with the Communications Assistance for Law Enforcement Act (CALEA). These systems are, in effect, an intentional backdoor: they exist to give law enforcement a technical means of executing wiretaps authorized by warrant and subject to legal requirements. What Salt Typhoon was able to reach through them represents a potentially serious compromise of the privacy of U.S. citizens and carries significant national security implications.

Salt Typhoon also had access to more general internet traffic flowing through provider networks and may have held that access “for months” before being discovered[4].

While this is clearly evidence of sophisticated and persistent activity by a nation state, it is also a good reminder that there is no such thing as a “secure” backdoor into any system. A way in is a way in. It may take time for it to be discovered, but the very existence of an access point means that it can be leveraged as an attack vector. AT&T, Verizon, and Lumen (the three ISPs known to have been compromised in this attack) have not commented or provided further details, but from the evidence available it appears that Salt Typhoon’s mission was one of both intelligence collection and possible forward positioning for disruptive action in the future. Multiple U.S. government employees were specifically targeted, and the U.S. Consumer Financial Protection Bureau (CFPB) issued a warning to its employees not to conduct any official business over mobile devices until further notice due to the high likelihood that traffic could be intercepted and/or monitored.

It is vital that anyone involved in critical infrastructure or related industries maintain situational awareness about the threat that attacks like this pose, not just to our own organizations or our personal privacy, but to our national security.

Salt Typhoon’s infiltration reportedly gave them access to extensive data, including call logs, unencrypted text messages, and even audio recordings of high-profile individuals connected to national security and political campaigns, including members of the Trump and Harris presidential campaigns, according to reporting in the WSJ.

“Salt Typhoon’s access to call logs, unencrypted texts, and audio communications poses a severe threat to national security. Such data can reveal sensitive information about government operations, defense strategies, and intelligence activities,” said Arjun Chauhan, senior analyst at Everest Group. “For individuals in sensitive roles, this breach compromises personal security, exposes confidential communications, and increases the risk of coercion or blackmail[5].” This is a developing story. On November 13, CISA and the FBI issued a joint statement saying that they are continuing to investigate this cyberespionage campaign and that, “Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues[6].”

While this specific attack did not directly target the trucking and supply chain industry, the resulting compromise demonstrates the technical potential for an adversarial nation-state to gain access to data relating to the flow of goods and to expose internal communications between operations teams and drivers if those communications travel over unsecured cellular channels such as ordinary voice calls and SMS. It is critical to maintain good asset control and inventory, covering all devices on trucks and trailers as well as internal workstations, servers, mobile devices, and network hardware, and to keep these devices, their applications, and their operating systems patched and up to date. This is part of practicing good cyber security, and it also tells us which communications platforms and protocols our operation actually uses, so that we can ensure we are using secure-by-default, encrypted channels, such as an end-to-end encrypted messaging app or an encrypted channel built into a telematics unit (proprietary or not, it must actually encrypt end to end). The property that matters is that the confidentiality of the channel rests on keys the carrier network never holds, because in this incident the carrier network itself was the compromised component.

The NMFTA cybersecurity team will continue to track this investigation and bring additional details to the trucking and supply chain community as they become available. 

Citations:

[1] Sarah Krouse et al., “China-Linked Hackers Breach U.S. Internet Providers in New ‘Salt Typhoon’ Cyberattack,” WSJ (Sept. 26, 2024), https://www.wsj.com/politics/national-security/china-cyberattack-internet-providers-260bd835

[2] Id. at 1.

[3] Sarah Krouse et al., “U.S. Wiretap Systems Targeted in China-Linked Hack,” WSJ (Oct. 5, 2024), https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b

[4] Tara Seals, “Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report,” Dark Reading (Oct. 8, 2024), https://www.darkreading.com/cyber-risk/salt-typhoon-apt-subverts-law-enforcement-wiretapping

[5] G. Swain, “U.S. Consumer Protection Agency Bans Employee Mobile Calls Amid Chinese Hack Fears,” CSO Online (Nov. 8, 2024), https://www.csoonline.com/article/3601277/us-consumer-protection-agency-bans-employee-mobile-calls-amid-chinese-hack-fears.html

[6] FBI and CISA, “Joint Statement from FBI and CISA on the People’s Republic of China (PRC) Targeting of Commercial Telecommunications Infrastructure,” CISA (Nov. 13, 2024), https://www.cisa.gov/news-events/news/joint-statement-fbi-and-cisa-peoples-republic-china-prc-targeting-commercial-telecommunications

Ben Wilkens

Ben Wilkens, CISSP, CISM, is a Cybersecurity Principal Engineer at the National Motor Freight Traffic Association, Inc. (NMFTA)™. He leads research initiatives and teams focused on developing advanced cybersecurity technologies, strategies, and methodologies to protect information systems and networks. Ben works closely with academic institutions, industry partners, and government agencies to advance cybersecurity practices and provides expert guidance to organizations navigating the ever-changing cyber threat landscape.

Before joining NMFTA, Ben was a key executive at a family-owned trucking and logistics company, where he integrated technology to enhance operations while maintaining robust cybersecurity standards. With CISSP and CISM certifications, an active Class A CDL, and hands-on experience as an over-the-road driver, dispatcher, and IT specialist, Ben brings a unique perspective to the intersection of cybersecurity and transportation.