The Cybersecurity and Infrastructure Security Agency (CISA) published guidance today that provides best practices to protect against cyberattacks by Salt Typhoon – a People’s Republic of China (PRC)-affiliated threat actor that has compromised networks of major global telecommunications providers.
CISA Executive Assistant Director for Cybersecurity Jeff Greene told reporters today that the new guidance will help to strengthen communications infrastructure, making Salt Typhoon’s activity “much harder” to continue.
But he also noted that CISA and the FBI are “still figuring out just how deeply and where they’ve penetrated.”
In early October, a report from the Wall Street Journal revealed that Salt Typhoon may have accessed the wiretapping systems that carriers AT&T, Verizon, and Lumen maintain for the benefit of law enforcement agencies.
Last month, the FBI and CISA confirmed Salt Typhoon’s recent hacks in the United States, noting that they have had a “limited” impact on “individuals who are primarily involved in government or political activity.”
A senior FBI official told reporters today that they began investigating Salt Typhoon’s activity in late spring of this year.
“Since the FBI first identified specific malicious activity targeting the sector, we’ve identified that PRC-affiliated cyber actors have compromised networks of multiple telecom companies to enable multiple activities,” the FBI official said. “First, the actors have stolen a large amount of records, essentially they stole data about where, when, and who individuals were communicating with.”
“Second, much more narrowly, the actors compromised private communications of a limited number of individuals who are primarily involved in the government or political activities. This would contain call and text content,” the official said. “As a third vector, the actors copied certain information that was subject to U.S. law enforcement requests pursuant to court orders.”
The FBI official told reporters that the call and text content that was obtained was “specific targeting,” and Greene emphasized the need for encrypting all communications.
However, Greene said that these are not “cookie cutter” compromises in terms of how deeply Salt Typhoon has been able to penetrate each victim organization.
“These are all victims of a nation-state attack, and we are trying to work closely with them to figure out how best to mitigate today and protect for the near term,” Greene said. “We’re going to have a conversation within the government, with our partners, about how to secure the infrastructure in the long term.”
“The hardening guidance that we put out specifically would make the activity that we’ve seen across the victims much harder to continue. In some cases, it might result in limiting [PRC] access,” Greene told reporters. “But again, we’re still figuring out just how deeply and where [the PRC has] penetrated. So, until we have a clear picture, it’s hard to know the exact parameters of how to kick [the PRC] off. But again, the [victims] that we’ve been working with the longest are making the most progress.”
The Enhanced Visibility and Hardening Guidance for Communications Infrastructure – released by CISA today alongside the FBI, the National Security Agency, and international partners – provides network engineers and defenders of communications infrastructure with best practices to strengthen their visibility and harden their network devices against successful exploitation carried out by PRC-affiliated and other malicious cyber actors.
The guidance notes that the identified compromises associated with Salt Typhoon activity align with existing weaknesses in victim infrastructure – and that no novel activity has been observed.
The new document offers nearly three dozen best practices for organizations to better monitor, detect, and understand activity within their network as well as reduce vulnerabilities, improve secure configuration habits, and limit potential entry points for PRC-affiliated cyber threats.
“The PRC-affiliated cyber activity poses a serious threat to critical infrastructure, government agencies, and businesses. This guide will help telecommunications and other organizations detect and prevent compromises by the PRC and other cyber actors,” Greene said in a statement. “Along with our US and international partners, we urge software manufacturers to incorporate Secure by Design principles into their development lifecycle to strengthen the security posture of their customers.”