The Canadian telecommunications sector has recently faced a significant security breach, allegedly orchestrated by state-sponsored hackers from China. These cyber actors exploited a critical vulnerability that had been patched 16 months earlier, compromising a major telecommunications provider in Canada, as confirmed by officials from both the Canadian and U.S. governments.
The Canadian Cyber Centre, which serves as the nation’s primary cybersecurity agency, reported an increase in malicious activities targeting its telecommunications industry. Officials identified the attackers as almost certainly tied to the People’s Republic of China, specifically a group known as Salt Typhoon. The FBI issued a similar warning, albeit with differing details.
Exploiting System Vulnerabilities
Researchers have traced Salt Typhoon’s activities to several hacking incidents worldwide, often aimed at extracting sensitive information for the Chinese government. In October 2023, cybersecurity experts revealed that this group had successfully backdoored over 10,000 Cisco devices through the exploitation of CVE-2023-20198, a vulnerability rated with a severity score of 10, indicating the utmost risk level.
The vulnerability primarily affected devices running Cisco’s IOS XE—specifically, any switch, router, or wireless LAN controller with the HTTP or HTTPS server feature enabled and exposed to the Internet. Following a report from VulnCheck, which shed light on the issue, Cisco rolled out a security patch within a week to mitigate the risks.
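As an added illustration of the exposure condition just described (example code, not from the article or from Cisco), the following Python check scans IOS XE running-config text for the web UI being enabled without an access-class restriction. The configs are constructed samples; the `ip http server`, `ip http secure-server` and `ip http access-class` commands are the standard IOS XE commands that control the web UI.

```python
# Constructed sample running-config excerpts (not from any real device).
EXPOSED_CONFIG = """\
hostname edge-rtr-1
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.2 255.255.255.252
!
end
"""

HARDENED_CONFIG = """\
hostname core-sw-1
!
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY
!
ip access-list standard MGMT-ONLY
 permit 192.0.2.0 0.0.0.255
!
end
"""

def audit_web_ui(running_config: str) -> dict:
    """Report whether the IOS XE web UI (HTTP/HTTPS server) is enabled
    and whether an access-class limits which sources may reach it."""
    lines = [line.strip() for line in running_config.splitlines()]
    http = "ip http server" in lines          # 'no ip http server' does not match
    https = "ip http secure-server" in lines
    access_class = any(line.startswith("ip http access-class") for line in lines)
    # Exposure condition for CVE-2023-20198: web UI reachable by arbitrary
    # sources. An access-class narrows exposure; it is not a substitute for
    # the vendor patch.
    exposed = (http or https) and not access_class
    findings = []
    if exposed:
        findings.append("web UI enabled without ip http access-class")
    if http:
        findings.append("plaintext HTTP server enabled (prefer 'no ip http server')")
    if http or https:
        findings.append("confirm IOS XE is on a release fixed for CVE-2023-20198")
    return {"http": http, "https": https, "access_class": access_class,
            "exposed": exposed, "findings": findings}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_ui(cfg))
```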
Notably, Salt Typhoon has previously been implicated in breaches of major U.S. telecom companies, including Verizon and AT&T. Reports indicate that these hackers likely maintained covert, long-term access to monitor wiretap systems utilized by these companies to assist government agencies. Furthermore, they may have siphoned other internet traffic, raising concerns about national security implications surrounding these breaches.
In examining the tactics likely employed during these attacks, the MITRE ATT&CK framework serves as a valuable lens. Initial access may have been achieved through the exploitation of the aforementioned vulnerability, while persistence could have been maintained via backdoors established on compromised devices. Privilege escalation techniques might have been employed to gain further control and access to sensitive networks, enabling broader surveillance capabilities.
The ongoing threat posed by groups like Salt Typhoon illustrates the critical need for organizations to prioritize cybersecurity measures, particularly within sectors deemed essential for national infrastructure. Regularly updating and patching systems, with particular attention to vulnerabilities known to be exploited by malicious actors, remains a crucial line of defense against increasingly sophisticated cyber threats.