US shares tips to block hackers behind recent telecom breaches

​CISA released guidance today to help network defenders harden their systems against attacks coordinated by the Salt Typhoon Chinese threat group that breached multiple major global telecommunications providers earlier this year.

The U.S. cybersecurity agency and the FBI confirmed the breaches in late October after reports that Salt Typhoon breached multiple broadband providers, including AT&T, T-Mobile, Verizon, and Lumen Technologies.

They later revealed the attackers compromised the "private communications" of a "limited number" of government officials, gained access to the U.S. government's wiretapping platform, and stole customer call records and law enforcement request data.

Although it's still unknown when the telecom giants' networks were first breached, the Chinese hackers had access "for months or longer," according to a WSJ report, which allowed them to steal vast amounts of "internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."

"We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing. We're still trying to understand that, along with those partners," a senior CISA official told reporters today in a press call.

However, T-Mobile's Chief Security Officer, who said on Wednesday that the attack originated from a connected wireline provider's network, claims the company no longer sees any attackers active within its network.

Also tracked as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286, this threat group has been breaching government entities and telecommunications companies across Southeast Asia since at least 2019.

"Vigilance is key"

As the NSA said today, the Chinese attackers have targeted exposed and vulnerable services, unpatched devices, and generally under-secured environments.

The joint advisory, released in partnership with the FBI, the NSA, and international partners, includes tips on hardening devices and network security to reduce the attack surface exploited by these threat actors.

It also includes defensive measures to enhance visibility for system administrators and engineers managing communications infrastructure for more detailed insight into network traffic, data flow, and user activities.

Other hardening best practices highlighted in today's advisory include:

• Patching and upgrading devices promptly,
• Disabling all unused, unauthenticated, or unencrypted protocols,
• Limiting management connections and privileged accounts,
• Using and storing passwords securely,
• Using only strong cryptography.

Network defenders are also advised to configure their systems to log all configuration changes and management connections and alert on any unexpected ones to enhance visibility for edge devices at network perimeters.

It is also important to monitor traffic from trusted partners, such as wireline providers, since T-Mobile was breached through a connected wire provider rather than devices exposed on the internet.

"Vigilance is key for defending against network compromise. Always have eyes on your systems and patch and address known vulnerabilities before they become targets," said NSA Cybersecurity Director Dave Luber.