What is Salt Typhoon?

An advanced persistent threat (APT) group identified by Microsoft as “Salt Typhoon” has been credited with recent attacks against global communications networks, including internet service providers and telephone companies.

U.S. officials claim the group has likely links to the Chinese Ministry of State Security, China’s principal civilian intelligence service responsible for foreign intelligence, counterintelligence, and political security. Officials are investigating the alleged campaign by the People’s Republic of China (PRC) to target commercial telecommunications.

How have government officials responded?

Various intelligence and law enforcement agencies have issued best-practice guidance to help organizations defend against this threat and minimize data exposure while it is ongoing, including the following:

  • Cybersecurity and Infrastructure Security Agency (CISA)
  • National Security Agency (NSA)
  • Federal Bureau of Investigation (FBI)
  • Australian Signals Directorate (ASD)
  • Australian Cyber Security Centre (ACSC)
  • Canadian Cyber Security Centre (CCCS)
  • New Zealand’s National Cyber Security Centre (NCSC-NZ)

Drawbridge has put together a list of directly actionable steps that can be taken by firms of any size based on these recommendations.

For more information regarding these guidelines, as well as the original reports of the attacks, some references have been included below. If you should have any questions, feel free to contact us.

Recommendations for Salt Typhoon impact mitigation

  1. Reduce your SMS reliance
    • If SMS messaging is part of your internal business operations, move these communications to end-to-end encrypted platforms, such as Microsoft Teams, Slack, WhatsApp for Business, Signal, etc. Always enable multi-factor authentication (MFA) across all apps used for business purposes.
    • If SMS messaging is part of your external business operations, the use of end-to-end encrypted platforms is still a recommended path forward. However, it can be more difficult to implement between each external stakeholder. Email communications offer a more secure alternative to SMS and can offer encryption features as well. You can enforce an encrypted email method either with your existing email provider or through an email security gateway solution.
    • Consider the criticality of information being shared currently over SMS. For communications that are more sensitive or critical, following the recommendations above will help to reduce the likelihood of compromise for those messages.
  2. Secure your voice communications
    • Move your voice communications to platforms such as the ones mentioned above, or to Teams, Zoom, or WebEx, rather than relying on cellular and ISP-provided phone lines. If you cannot move your operations entirely to these platforms, use them whenever sensitive or business-critical information is discussed.
    • Enable app containerization for voice and chat applications on mobile devices.
  3. Prioritize multi-factor authentication
    • Confirm MFA is enabled for all users on all systems where it is supported, and enable it wherever there are existing gaps.
    • If voice and/or SMS are used for existing MFA mechanisms, migrate to authenticator applications such as Microsoft Authenticator, or to FIDO-compliant methods. Important to note: SMS and voice MFA methods are still more secure than no MFA at all. If they are the only options currently in place, do not disable them before implementing the alternatives above.
  4. Review your network hardening measures
    The recent attack campaigns referenced here did not rely on novel or previously unknown attack methods. While not all details are available at the moment, the recommendations below cover a broad spectrum of attack vectors used in most attack campaigns:

    • Confirm network monitoring is in place with intrusion detection and prevention systems.
    • Review rules for network traffic, both inbound and outbound.
    • Segment networks to reduce the ability of an attacker to move laterally. Segmentation can be achieved with a number of factors, such as common device type, use type, or level of access to resources.
    • Disable any protocols not required for business operations. Example: if you don’t need to remotely connect to workstations within the office, disable RDP, even within the local network.
    • Confirm all systems have been secured with unique passwords, and there are no attached systems with default credentials in use. This should include all servers, network equipment, backup batteries, etc.
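The network-hardening bullets above (review inbound and outbound rules, disable protocols with no business need such as RDP, segment the network) can be turned into a repeatable review of an exported rule set. The following is an added example, not code from the Drawbridge advisory: the rule format, the sample rules, and the policy values (ports with no business need, the admin jump subnet, the segment map) are all constructed for illustration and would be replaced with your own firewall export and policy.

```python
"""Review a flattened firewall / ACL rule set against the hardening points above.

Added example, not code from the Drawbridge advisory. The rule format, the
sample rules and the policy values (ports with no business need, the admin
jump subnet, the segment map) are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    proto: str    # "tcp", "udp" or "any"
    dport: str    # destination port number or "any"


# Constructed sample export of a firewall policy (hypothetical addresses)
SAMPLE_RULES = [
    Rule("allow-https-out",        "allow", "10.20.0.0/16", "any",          "tcp", "443"),
    Rule("allow-rdp-lan",          "allow", "10.0.0.0/8",   "10.0.0.0/8",   "tcp", "3389"),
    Rule("allow-rdp-from-jump",    "allow", "10.99.0.0/24", "10.0.0.0/8",   "tcp", "3389"),
    Rule("allow-any-in",           "allow", "any",          "10.20.0.0/16", "any", "any"),
    Rule("allow-guest-to-servers", "allow", "10.50.0.0/16", "10.20.0.0/16", "tcp", "445"),
    Rule("deny-all",               "deny",  "any",          "any",          "any", "any"),
]

# Assumed local policy (hypothetical values, replace with your own)
UNNEEDED_PORTS = {"23": "telnet", "3389": "rdp", "5900": "vnc"}   # no business need
ADMIN_JUMP_NET = ipaddress.ip_network("10.99.0.0/24")               # only permitted RDP source
SEGMENTS = {"guest": "10.50.0.0/16", "servers": "10.20.0.0/16"}
FORBIDDEN_PATHS = [("guest", "servers")]                            # segments that must not talk


def _net(cidr):
    """Translate the "any" keyword into the all-addresses network."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def review_rules(rules):
    """Return (rule name, finding) pairs for every allow rule that fails a check.

    Deny rules are skipped; they never widen exposure.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)

        # Check 1: wildcard service rules defeat "disable protocols you don't need"
        if r.dport == "any":
            findings.append((r.name, f"allows every port from {r.src}; restrict to required services"))

        # Check 2: a protocol with no business need reachable from outside the admin jump net
        elif r.dport in UNNEEDED_PORTS and not src.subnet_of(ADMIN_JUMP_NET):
            svc = UNNEEDED_PORTS[r.dport]
            findings.append((r.name, f"allows {svc} from {r.src}; disable it or limit the source to {ADMIN_JUMP_NET}"))

        # Check 3: segmentation - the rule bridges two segments that must stay separated
        for a, b in FORBIDDEN_PATHS:
            if src.overlaps(_net(SEGMENTS[a])) and dst.overlaps(_net(SEGMENTS[b])):
                findings.append((r.name, f"bridges segment {a!r} to {b!r}; lateral movement path"))
    return findings


if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Running it against the constructed rules flags the LAN-wide RDP rule (twice: unneeded protocol and a guest-to-servers path), the inbound any/any rule, and the guest-to-servers SMB rule, while the RDP rule scoped to the jump subnet and the outbound HTTPS rule from the server segment pass. Check 3 uses address overlap rather than exact equality on purpose: a broad rule such as "all of 10.0.0.0/8 to 10.0.0.0/8" silently includes the guest-to-servers path even though neither segment is named in it.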

Bonus recommendation: Keep your system and security strategy well-maintained

  • Conduct ongoing vulnerability scanning to identify weaknesses within your internal and external networks.
  • Review and remove any accounts no longer in use or required for business operations.
  • Maintain regular system patches on all connected devices.
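Two of the points above, confirming MFA coverage and migrating SMS/voice users without disabling what they already have (recommendation 3), and removing accounts no longer in use (the bonus list), can be checked from the same user export that most identity providers can produce. The following is an added example, not code from the Drawbridge advisory: the CSV layout, the column names, the method names, and the sample rows are constructed, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Audit an identity-provider user export for MFA gaps and dormant accounts.

Added example, not code from the Drawbridge advisory. The export layout
(columns user, enabled, mfa_methods, last_sign_in), the method names and
the sample rows are constructed; real providers name these fields differently.
"""
import csv
import io
from datetime import date, timedelta

# Constructed export, the kind of report most identity providers can generate
SAMPLE_EXPORT = """\
user,enabled,mfa_methods,last_sign_in
alice@example.com,true,fido2;authenticator_app,2024-12-02
bob@example.com,true,sms,2024-11-28
carol@example.com,true,voice;sms,2024-06-01
dave@example.com,true,,2024-11-30
erin@example.com,true,authenticator_app,2024-05-15
svc-backup@example.com,false,,2023-01-10
"""

# Assumed method names and policy values (hypothetical)
PHISHING_RESISTANT = {"fido2"}
APP_METHODS = {"authenticator_app"}
WEAK_METHODS = {"sms", "voice"}
DORMANT_AFTER = timedelta(days=90)


def classify_mfa(methods):
    """Return 'strong' if an app or FIDO method is registered, 'sms_voice_only'
    if only SMS/voice is registered, or 'none' if nothing is registered."""
    if methods & (PHISHING_RESISTANT | APP_METHODS):
        return "strong"
    if methods & WEAK_METHODS:
        return "sms_voice_only"
    return "none"


def audit(export_text, today_iso):
    """Return (user, action) pairs for every enabled account that needs attention.

    today_iso is the review date as YYYY-MM-DD, passed in so results are reproducible.
    """
    today = date.fromisoformat(today_iso)
    actions = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "true":
            continue  # already disabled; nothing to do
        user = row["user"]
        methods = {m for m in row["mfa_methods"].split(";") if m}
        last_seen = date.fromisoformat(row["last_sign_in"])

        # Bonus recommendation: accounts nobody has used in a long time are removal candidates
        if today - last_seen > DORMANT_AFTER:
            actions.append((user, "dormant: review and remove if no longer required"))
            continue  # removal supersedes any MFA migration work

        # Recommendation 3: fill MFA gaps, migrate SMS/voice users without turning MFA off
        tier = classify_mfa(methods)
        if tier == "none":
            actions.append((user, "no MFA: enable it (any method beats none)"))
        elif tier == "sms_voice_only":
            actions.append((user, "SMS/voice only: register an authenticator app or FIDO key first, "
                                  "then retire SMS/voice"))
    return actions


if __name__ == "__main__":
    for user, action in audit(SAMPLE_EXPORT, "2024-12-05"):
        print(f"{user}: {action}")
```

The ordering inside the loop encodes the caveat from recommendation 3: an SMS-only user is never told to drop SMS, only to register a stronger method first, and a dormant account is routed to removal rather than to an MFA migration that would be wasted effort. Disabled accounts are skipped so the report stays focused on live exposure.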


References:
