
China's 'Salt Typhoon' Hackers Breached US Networks Using Existing Flaws

The group has been targeting 'Cisco-specific features' to help it break into US telecommunication networks, according to a new advisory from the FBI and CISA.

By Michael Kan, Principal Reporter


China's Salt Typhoon hacking group is exploiting existing vulnerabilities, not new software flaws, to break into US telecommunication networks, according to federal investigators. 

On Tuesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory that offers a glimpse into how these state-sponsored cyberspies infiltrated the networks. 

The agencies pointed out: “As of this release date, identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed.” Hence, US cyber officials are urging telecommunication networks to roll out patches to plug holes in their software and equipment. 

Although the advisory stops short of naming any specific vulnerabilities, it says China’s Salt Typhoon group has been targeting “Cisco-specific features” used in the communications sector. The FBI and CISA issued the alert to help US telecommunication companies identify and boot the hackers out amid reports that Salt Typhoon has already breached AT&T, Verizon, T-Mobile, and ISPs to spy on users’ cellphone activities. 

In a Tuesday press briefing, officials with the FBI and CISA said they began investigating the hacks in late spring, which led federal investigators to conclude that Salt Typhoon had compromised multiple telecommunication providers. 

The Chinese hackers were able to spy on and intercept phone calls from a group of high-profile US politicians and government staffers. In addition, Salt Typhoon stole a massive amount of records from customers concerning “where, when, and who” they were communicating with, although no voice and text content was lifted, a senior FBI official said.

But even though about five months have passed since the investigation began, the US still hasn’t uncovered the full scope of the breach. It’s why investigators remain unsure whether the Chinese hackers have been booted out of US telecommunication networks. During the press briefing, FBI and CISA officials noted that China’s Salt Typhoon may have simply gone dormant with the goal of reactivating its access once scrutiny into the breaches dies down.

“Each victim is unique; these are not cookie-cutter compromises in terms of how deeply compromised a victim might be or what the actor has been able to do,” said Jeff Greene, Executive Assistant Director for Cybersecurity at CISA. “It really is case-specific in terms of how to mitigate the specific activity.”

Others, such as US Senator Mark Warner (D-Virginia), have warned that Chinese hackers likely remain in US networks and that booting them out will require physically replacing thousands of outdated routers and switches. Greene said that the US government will need to have a conversation about securing domestic telecommunication networks over the long term. 

“It is not the case that we’ve been moving slowly, or we’re sitting on this,” Greene added. “We are very much reliant on our industry partners. That is the same, in respect [to] the eviction.”

In the meantime, the agencies' advisory is designed to protect US telecommunication networks from both Salt Typhoon and all kinds of hackers, he said.
