Following the widespread Salt Typhoon hacks of US telecoms operators including AT&T and Verizon, CISA and partner agencies have launched refreshed security guidance for network engineers and defenders alike
The United States’ Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency (NSA), the FBI, and cyber agencies from Australia, Canada and New Zealand, has published a joint security guide for communications services providers (CSPs) in the wake of a series of China-backed incursions on major US telcos.
Initially reported in October, and confirmed last month, the incidents saw household names including AT&T and Verizon attacked by an advanced persistent threat (APT) group tracked as Salt Typhoon.
The audacious campaign saw Salt Typhoon operatives break into their targets’ systems and then go on to steal customer call record data. The group was able to compromise the private communications of a number of unnamed individuals “primarily involved in government or political activity”, and also copied some data that was subject to US law enforcement requests pursuant to court orders.
According to the Wall Street Journal, which first broke the story, Salt Typhoon may have been actively harvesting data from its victims for a period of several months.
The new guide sets out a number of actions that defenders working in the communications sector should be taking to identify strange behaviour, root out vulnerabilities and threats, and respond to cyber incidents. It also provides guidance on how to reduce their exposure to vulnerabilities, improve secure configuration habits, and cut down the number of likely entry points.
“The PRC-affiliated cyber activity poses a serious threat to critical infrastructure, government agencies, and businesses. This guide will help telecommunications and other organizations detect and prevent compromises by the PRC and other cyber actors,” said CISA executive assistant director for cyber security, Jeff Greene.
“Along with our US and international partners, we urge software manufacturers to incorporate Secure-by-Design principles into their development lifecycle to strengthen the security posture of their customers. Software manufacturers should review our Secure by Design resources and put their principles into practice.”
Bryan Vorndran, assistant director at the FBI Cyber Division, added: “Threat actors affiliated with the People’s Republic of China (PRC) … have targeted commercial telecommunications providers to compromise sensitive data and engage in cyber espionage.
“We strongly encourage organisations to review and implement the recommended measures in this guide and to report suspicious activity to their local FBI field office.”
“These hacks are a reminder that … domestic communications infrastructure is critical to our national security,” said Tim Perry, head of strategy at Prepared, a US-based supplier of assistive technology to emergency call handlers and first responders.
“State actors have the resources and the motivation to exploit our network vulnerabilities, quietly infiltrate our communications networks and collect our most sensitive data. That’s why local, state and federal law enforcement agencies – whether they are running wiretaps, supporting law enforcement sensitive operational communications or just administering their local 911 system – must remain up to date on the latest cyber threats.”
Advice for network engineers
The full guidance, which can be accessed via the CISA website, is also highly pertinent to any organisation running on-premise enterprise equipment, particularly operators of critical national infrastructure (CNI), which should be implementing it as a matter of course.
Besides those tasked with defending communications networks, it sets out steps that network engineers who may not necessarily be steeped in cyber security best practice could, and should, take.
These include scrutinising and investigating any strange configuration modifications or alterations to devices such as switches, routers or firewalls, inventorising these devices, implementing network flow monitoring, limiting exposure of management traffic to the public internet, monitoring user and service account logins for anomalies, and implementing secure, centralised logging.
Engineers may also wish to set up an out-of-band management network physically separated from the operational data flow network, implement access control lists (ACLs), deploy stronger network segmentation with router ACLs, stateful packet inspection and the like, harden and secure virtual private network (VPN) gateways, implement end-to-end encryption, and much more.
It also includes guidance on a number of Cisco-specific features known to have been exploited by Salt Typhoon, including applying hardening best practice to all Cisco operating systems, such as IOS XE and NX-OS.
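The detection steps above (scrutinising configuration changes, monitoring account logins for anomalies, and feeding device logs into centralised logging from an out-of-band management network) can be turned into a simple check that runs over the syslog stream. The script below is an added example written for this article, not code from CISA or the guide; the log lines are constructed and modelled on Cisco IOS-style messages, and the management subnet (10.200.0.0/24) and the allowlist of accounts permitted to change configuration are assumptions chosen for the example. It flags any login or configuration change that did not originate from the management network, and any configuration change made by an account outside the allowlist.

```python
import ipaddress
import re

# Assumed (not from the article): the out-of-band management network from which
# engineers are expected to administer devices. Anything else is treated as anomalous.
MGMT_NETS = [ipaddress.ip_network("10.200.0.0/24")]

# Assumed allowlist of accounts that are permitted to change device configuration.
CONFIG_ADMINS = {"netops"}

# Constructed sample lines modelled on Cisco IOS-style syslog messages. They are
# illustrative only, not a capture from any real device.
SAMPLE_LOG = """\
Dec 4 10:01:12 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.200.0.15] [localport: 22]
Dec 4 10:02:40 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.200.0.15)
Dec 4 11:17:03 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-backup] [Source: 198.51.100.23] [localport: 22]
Dec 4 11:18:55 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by svc-backup on vty1 (198.51.100.23)
Dec 4 11:20:01 edge-rtr-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22]
"""

# Login events: capture outcome, account and source address.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>SUCCESS|FAILED):.*"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

# Configuration-change events: capture account, line and source address.
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on (?P<line>\S+) \((?P<src>[^)]+)\)"
)


def in_mgmt_net(addr: str) -> bool:
    """True if the address falls inside one of the assumed management subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MGMT_NETS)


def analyse(log_text: str) -> list:
    """Return a list of (kind, user, source, detail) findings for anomalous events.

    kind is 'login-outside-mgmt' for any login (successful or failed) whose source
    is not a management address, or 'config-change' for a configuration change by
    an unexpected account and/or from outside the management network.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            if not in_mgmt_net(m.group("src")):
                findings.append(("login-outside-mgmt", m.group("user"), m.group("src"), m.group("outcome")))
            continue

        m = CONFIG_RE.search(line)
        if m:
            reasons = []
            if m.group("user") not in CONFIG_ADMINS:
                reasons.append("unexpected-account")
            if not in_mgmt_net(m.group("src")):
                reasons.append("outside-mgmt")
            if reasons:
                findings.append(("config-change", m.group("user"), m.group("src"), "+".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

On the constructed sample this reports three findings: a successful login and a configuration change by svc-backup from 198.51.100.23, and a failed login for admin from 203.0.113.9; the netops activity from the management subnet is left alone. In practice the same rules would be applied inside the central log platform, with the management subnets and admin allowlist pulled from the device inventory the guide asks engineers to maintain.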