According to a new report from NCC Group, the Chinese state-sponsored cybercriminal group known as Salt Typhoon – and alternatively as Red Mike – has continued to carry out targeted attacks on United States and other Western and Asian telecommunication companies. It was just last fall that reports first warned that the group had been carrying out cyber-espionage campaigns targeting mobile phones.
Salt Typhoon Continues to Strike U.S. Telecoms
The hackers, believed to be working at the behest of Beijing, accessed the networks of AT&T, Verizon, and Lumen Technologies, notably the systems used by federal authorities for court-approved eavesdropping. It has been speculated that the attacks could escalate in nature.
“Telecommunications has an ever-increasing role in society beyond just voice and messaging. They enable our ever-connected society from smart homes to operational technology in critical national infrastructure sectors such as utilities and transport,” Chris Proctor, senior advisor and associate director at the cybersecurity firm NCC Group, told ClearanceJobs.
“Removing bad actors or malware left by Salt Typhoon or any APT attack is a costly and time-consuming exercise. It is time that the boards of these companies weigh the risk of fallout at a national and personal level to so many people against the cost of mitigating vulnerabilities and securing by design with defense in depth,” suggested Yogita Parulekar, CEO of cybersecurity provider Invi Grid.
No Longer a Gathering Storm
One concern is that while Salt Typhoon remains an advanced persistent threat (APT) group, it has changed focus. Previous research suggested it was primarily conducting cyber-espionage campaigns and targeted government and technology providers in North America, South and Southeast Asia, Europe, and South Africa.
“Since mid-2022, the group’s targeting has switched to Critical Infrastructure sectors, including Telecommunications across North America, Asia-Pacific, the Middle East, and South Africa,” NCC Group warned this month.
Salt Typhoon has been shown to have an in-depth understanding of the targeted environments – which could include the continuous identification of exposed layers for potential reentry – as well as a multi-layered attack strategy, using a combination of known tools and custom backdoors that are difficult to detect and mitigate, the researchers suggested.
“The Telecommunications sector plays a crucial role in the global economy as it enables growth, innovation, and connectivity worldwide, thus making it a key component of Critical National Infrastructure (CNI),” NCC Group added. “The sector provides global communication and is an essential component to international business, trade, and general communication. Such connectivity is of utmost importance to organizations across all sectors globally to operate efficiently and stay competitive.”
An Ongoing And Persistent Threat
Though the ties Salt Typhoon has to Beijing aren’t explicitly clear, experts warn it is part of a much larger strategy from the People’s Republic of China (PRC) and the Chinese Communist Party (CCP).
“Salt Typhoon is a well-funded, well-organized group, directly run by China’s Ministry of State Security,” said Willy Leichter, chief marketing officer at cybersecurity provider AppSOC. “There is every reason to believe it is alive and well and expanding its reach. Analysts have described it as part of China’s 100-year strategy to replace the U.S. as the dominant global superpower. Salt Typhoon is an advanced persistent threat that has targeted telecoms and government networks, including a major breach of the U.S. Treasury Department.”
Countering this group will remain a serious challenge, and Leichter told ClearanceJobs that more needs to be done. The potential damage the group could do may be underestimated by Washington.
“Out of the gate, the new U.S. administration has done exactly the wrong things to defend against Salt Typhoon by disbanding the Cyber Security Review Board (CSBR) – a collaboration between government and the private sector, which was actively investigating the recent attacks on the Treasury Department,” warned Leichter. “It’s critical that governments aggressively defend against these threats, investigate incidents collaborating with the private sector, and make all reliable findings public. Raising awareness of these threats helps all security-conscious organizations to strengthen their defenses. Given the turmoil in the U.S. government and mass layoffs of experienced experts, the U.S. has made itself dramatically more vulnerable.”
Telecoms Remain in the Crosshairs
For now, the U.S. and Western telecoms are in the crosshairs, but these firms understand that they are on the frontlines in the ongoing cyber cold war.
“This is a never-ending ratcheting up of threats and defensive measures,” said Leichter. “All large enterprises should be deploying more advanced AI-based tools that can more quickly find and hopefully remediate these threats before significant damage is done. But it will be used on both sides, so it’s mandatory for defense, but it will not solve the problem – just help us keep up.”
Given the potential for global disruptions to trade and diplomacy, experts warn that we should expect China to ramp up its efforts to infiltrate and damage the critical infrastructure of its perceived rivals around the world.
“With a relatively small investment, this type of state-sponsored hacking can have a huge impact,” added Leichter. “We should not expect diplomacy to solve this problem any time soon. The only answer for telcos, governments, and all enterprises with critical infrastructure is to ramp up security spending, modernize systems with AI, and expect the cyber war to be ugly.”