October 29, 2024

U.S. telecoms breached by China-linked hackers

U.S. agencies, including the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Agency (CISA), are advising that China-linked threat actors have breached several U.S. commercial telecommunication service providers. The agencies are not providing further details besides indicating that they notified the affected companies, rendered assistance, and shared information with other potential victims.

This disclosure comes just weeks after it was revealed that the China-linked threat actor known as Salt Typhoon breached multiple U.S.-based broadband internet providers, including Verizon, AT&T, and Lumen Technologies. Salt Typhoon is believed to have gained access to the interception systems the victims use to accommodate warranted investigation requests from law enforcement agencies.

The Canadian government has released its own warning, indicating that China-linked threat actors have been observed conducting reconnaissance and scanning networks belonging to government departments and agencies, critical infrastructure, defense companies, media organizations, and think tanks. Fortunately, at this time, the activity does not constitute a security breach.

Source: Bleeping Computer

Analysis

It’s possible that Salt Typhoon was also responsible for these latest breaches given that the targeting of large telecoms would be a natural progression for an actor previously caught compromising broadband providers.

Unauthorized access to broadband companies and telecoms could present a significant threat if threat actors were able to obtain user billing information, call and text message metadata, or worse, the contents of calls and messages. This type of access would effectively amount to a Signals Intelligence (SIGINT) capability, similar to that of the U.S.’s National Security Agency (NSA), and could allow Salt Typhoon to obtain sensitive information on targeted individuals.

Unfortunately, the FBI and CISA have not released enough information about the two campaigns for security analysts to get a full picture of their impact.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from nation-state threat actors like Salt Typhoon. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Given this recent malicious activity, broadband providers and telecoms should implement strict security measures, including enabling multi-factor authentication, logging, traffic monitoring, and providing employees with anti-phishing training.
