US Offers Strategies to Combat Hackers Behind Recent Telecom Breaches

CISA Issues Guidance Following Salt Typhoon Cyber Attacks on Telecommunications

The Cybersecurity and Infrastructure Security Agency (CISA) has released a series of recommendations aimed at bolstering defenses against cyber attacks linked to the Salt Typhoon threat group, which is believed to have infiltrated major global telecommunications providers earlier this year. This guidance comes in light of confirmed breaches that were publicly acknowledged by CISA and the FBI in late October, following reports that the group had successfully accessed networks of major U.S. telecom companies, including AT&T, T-Mobile, Verizon, and Lumen Technologies.

The breaches reportedly involved the exploitation of vulnerabilities within telecommunications infrastructure, which allowed the adversaries to compromise the private communications of a select group of government officials. Reports indicate that malicious actors gained access to sensitive components of the U.S. government’s wiretapping platform and were able to collect customer call records and data pertaining to law enforcement requests. The extent and duration of the access remain concerning, with sources noting that attackers could have been embedded within the networks for several months, potentially siphoning large volumes of internet traffic that affect both businesses and millions of American citizens.

A senior official at CISA conveyed uncertainty regarding the complete removal of adversaries from the network, acknowledging ongoing investigations to assess the full scope of the breaches. Despite this, a T-Mobile executive stated that their internal assessments indicated the absence of lingering threats in their networks following the incident, which reportedly originated through a connected wireline provider rather than direct exploitation of exposed internet-facing devices.

The Salt Typhoon group, also known by various aliases such as Earth Estries and Ghost Emperor, has a documented history of targeting government entities and telecommunications infrastructure across Southeast Asia since at least 2019. The recent attacks align with a broader trend characterized by nation-state actors exploiting vulnerable systems, often targeting outdated or unpatched devices and insecure configurations.

In a joint advisory issued in collaboration with the FBI, NSA, and international partners, CISA emphasized the importance of vigilance against such threats. The advisory specifies that vulnerabilities within exposed services and improperly secured environments present ongoing risks. To mitigate these threats, the advisory outlines best practices like timely patch management, disabling unused protocols, restricting privileged access, and implementing strong cryptographic measures.

The guidance stresses the necessity of improving visibility for network administrators managing telecommunications infrastructure. Enhanced logging of all configuration changes and regular monitoring of network traffic—especially traffic from trusted partners—are crucial measures for maintaining security and recognizing potential indicators of compromise.

In the context of the MITRE ATT&CK framework, the tactics employed by Salt Typhoon could include initial access through exploitation of unpatched vulnerabilities, establishing persistence within the network, privilege escalation to gain elevated access rights, and collection of sensitive information. Understanding these tactics is vital for business owners as they develop comprehensive security strategies tailored to their operations.

CISA’s directive underscores the urgency with which organizations, especially those in critical industries like telecommunications, must address cybersecurity vulnerabilities. As NSA Cybersecurity Director Dave Luber noted, maintaining constant vigilance over network systems is imperative to thwart potential breaches. Organizations are advised to prioritize reliable patch management and secure configurations as key components of a robust cybersecurity posture in the face of increasing threats from sophisticated adversaries.
