US shares tips to block hackers behind recent telecom breaches
CISA released guidance today to help network defenders harden their systems against attacks coordinated by the Salt Typhoon Chinese threat group that breached multiple major global telecommunications providers earlier this year.
The U.S. cybersecurity agency and the FBI confirmed the breaches in late October after reports that Salt Typhoon breached multiple broadband providers, including AT&T, T-Mobile, Verizon, and Lumen Technologies.
They later revealed the attackers compromised the "private communications" of a "limited number" of government officials, gained access to the U.S. government's wiretapping platform, and stole customer call records and law enforcement request data.
Although it's still unknown when the telecom giants' networks were first breached, the Chinese hackers had access "for months or longer," according to a WSJ report, which allowed them to steal vast amounts of "internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
"We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing. We're still trying to understand that, along with those partners," a senior CISA official told reporters today in a press call.
However, T-Mobile's Chief Security Officer, who said on Wednesday that the attack originated from a connected wireline provider's network, claims the company no longer sees any attackers active within its network.
Also tracked as Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286, this threat group has been breaching government entities and telecommunications companies across Southeast Asia since at least 2019.
"Vigilance is key"
As the NSA said today, the Chinese attackers have targeted exposed and vulnerable services, unpatched devices, and generally under-secured environments.
The joint advisory, released in partnership with the FBI, the NSA, and international partners, includes tips on hardening devices and network security to reduce the attack surface exploited by these threat actors.
It also includes defensive measures to enhance visibility for system administrators and engineers managing communications infrastructure for more detailed insight into network traffic, data flow, and user activities.
Other hardening best practices highlighted in today's advisory include:
- Patching and upgrading devices promptly,
- Disabling all unused, unauthenticated, or unencrypted protocols,
- Limiting management connections and privileged accounts,
- Using and storing passwords securely,
- Using only strong cryptography.
Network defenders are also advised to configure their systems to log all configuration changes and management connections and alert on any unexpected ones to enhance visibility for edge devices at network perimeters.
It is also important to monitor traffic from trusted partners, such as wireline providers, since T-Mobile was breached through a connected wireline provider's network rather than through devices exposed on the internet.
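To make the logging-and-alerting recommendation concrete, here is an added Python example (not code from the advisory or the article) that runs over constructed Cisco IOS-style syslog lines and raises alerts for management logins and configuration changes that fall outside an assumed policy: an assumed jump-host allowlist, SSH as the only permitted management port, and an assumed daytime change window.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample syslog lines in a Cisco IOS-like format; not real device output.
SAMPLE_LOGS = [
    "Dec  4 02:11:09 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)",
    "Dec  4 02:13:44 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.0.5] [localport: 22] at 02:13:44 UTC",
    "Dec  4 03:27:51 edge-rtr2 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-netops] [Source: 203.0.113.77] [localport: 23] at 03:27:51 UTC",
    "Dec  4 03:29:02 edge-rtr2 %SYS-5-CONFIG_I: Configured from console by svc-netops on vty1 (203.0.113.77)",
]

# Assumed policy (hypothetical values): management sessions only from the jump-host subnet,
# only over SSH (TCP 22), and configuration changes only during the 08:00-18:00 change window.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]
ALLOWED_MGMT_PORTS = {22}
CHANGE_WINDOW = (8, 18)

CONFIG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[\d.]+)\)")
LOGIN_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) %SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\] \[localport: (?P<port>\d+)\]")

def _allowed_source(src):
    """True if the source address is inside an allowlisted management network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in MGMT_ALLOWLIST)

def _hour(ts):
    """Extract the hour from a syslog timestamp such as 'Dec  4 02:11:09'."""
    return datetime.strptime(ts.split()[-1], "%H:%M:%S").hour

def analyze(lines):
    """Return one alert string per policy violation found in the log lines."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            if not _allowed_source(m["src"]):
                alerts.append(f"{m['host']}: management login by {m['user']} from non-allowlisted {m['src']}")
            if int(m["port"]) not in ALLOWED_MGMT_PORTS:
                alerts.append(f"{m['host']}: management login on unencrypted/unauthorized port {m['port']}")
            continue
        m = CONFIG_RE.match(line)
        if m:
            if not _allowed_source(m["src"]):
                alerts.append(f"{m['host']}: config change by {m['user']} from non-allowlisted {m['src']}")
            h = _hour(m["ts"])
            if not (CHANGE_WINDOW[0] <= h < CHANGE_WINDOW[1]):
                alerts.append(f"{m['host']}: config change by {m['user']} outside change window ({h:02d}:00)")
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print("ALERT:", alert)
```

Against the sample lines this flags the off-hours change on edge-rtr1 and, on edge-rtr2, a Telnet login and a configuration change from an address outside the management allowlist.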
"Vigilance is key for defending against network compromise. Always have eyes on your systems and patch and address known vulnerabilities before they become targets," said NSA Cybersecurity Director Dave Luber.