Joint Advisory Warns of PRC-Backed Cyber Espionage Targeting Telecom Networks


Dec 04, 2024 Ravie Lakshmanan

A joint advisory issued by Australia, Canada, New Zealand, and the U.S. has warned of a broad cyber espionage campaign undertaken by People’s Republic of China (PRC)-affiliated threat actors targeting telecommunications providers.

“Identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed,” government agencies said.

U.S. officials said on Tuesday that the threat actors are still lurking inside U.S. telecommunications networks, about six months after an investigation into the intrusions commenced.

The attacks have been attributed to a nation-state group from China tracked as Salt Typhoon, which overlaps with activity tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. The group has been active since at least 2020, with some of its artifacts developed as early as 2019.

Last week, T-Mobile acknowledged that it detected attempts made by bad actors to infiltrate its systems, but noted that no customer data was accessed.

Word of the attack campaign first broke in late September, when The Wall Street Journal reported that the hacking crew infiltrated a number of U.S. telecommunications companies as part of efforts to glean sensitive information. China has rejected the allegations.

To counter the attacks, the cybersecurity and intelligence agencies have issued guidance on best practices that can be adopted to harden enterprise networks –

  • Scrutinize and investigate any configuration modifications or alterations to network devices such as switches, routers, and firewalls
  • Implement a strong network flow monitoring solution and network management capability
  • Limit exposure of management traffic to the internet
  • Monitor user and service account logins for anomalies
  • Implement secure, centralized logging with the ability to analyze and correlate large amounts of data from different sources
  • Ensure device management is physically isolated from the customer and production networks
  • Enforce a strict, default-deny ACL strategy to control both inbound and outbound traffic
  • Employ strong network segmentation via the use of router ACLs, stateful packet inspection, firewall capabilities, and demilitarized zone (DMZ) constructs
  • Secure virtual private network (VPN) gateways by limiting external exposure
  • Ensure that traffic is end-to-end encrypted to the maximum extent possible and Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network
  • Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP), as well as other exploitable services like Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c
  • Disable Internet Protocol (IP) source routing
  • Ensure that no default passwords are used
  • Confirm the integrity of the software image in use by using a trusted hashing calculation utility, if available
  • Conduct port-scanning and scanning of known internet-facing infrastructure to ensure no additional services are accessible across the network or from the internet
  • Monitor for vendor end-of-life (EOL) announcements for hardware devices, operating system versions, and software, and upgrade as soon as possible
  • Store passwords with secure hashing algorithms
  • Require phishing-resistant multi-factor authentication (MFA) for all accounts that access company systems
  • Limit session token durations and require users to reauthenticate when the session expires
  • Implement a Role-Based Access Control (RBAC) strategy and remove any unnecessary accounts and periodically review accounts to verify that they continue to be needed
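Several of the items above (discovery protocols, Telnet, HTTP, TFTP, SNMP v1/v2c, SSH v1, IP source routing, password storage, management-plane exposure) can be checked mechanically against a device's saved configuration. The following is an added example, not code from the advisory or from any vendor: a small auditor for a simplified Cisco IOS-style running-config. Both configurations it runs against are constructed for this example (the hash in the hardened one is a placeholder), the rule set is illustrative rather than complete, and the syntax would need adapting for other vendors. It relies on the IOS behaviour that CDP and IP source routing are enabled unless the explicit `no` form is present.

```python
"""Audit an IOS-style running-config for the weak settings the advisory lists.
Added example with constructed sample configs; rules are illustrative."""
import re
from typing import Iterator, List, Tuple

Finding = Tuple[str, str]  # (rule id, human-readable detail)

# Constructed sample: a "before" config that violates several advisory items.
WEAK_CONFIG = """\
hostname edge-rtr-1
ip source-route
ip http server
cdp run
lldp run
ip ssh version 1
snmp-server community public RO
snmp-server community private RW
tftp-server flash:router-image.bin
username admin password 0 cisco
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
"""

# Constructed sample: the same device after hardening per the list above.
HARDENED_CONFIG = """\
hostname edge-rtr-1
no ip source-route
no ip http server
ip http secure-server
no cdp run
no lldp run
ip ssh version 2
snmp-server group NMS v3 priv
username admin secret 9 $9$placeholder-scrypt-hash
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
"""


def line_sections(lines: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield ('line vty 0 4', [indented child commands]) for each 'line ...' block."""
    header, children = None, []
    for raw in lines:
        if raw.startswith("line "):
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
        elif raw.startswith(" ") and header is not None:
            children.append(raw.strip())
        elif header is not None:  # a non-indented command ends the block
            yield header, children
            header, children = None, []
    if header is not None:
        yield header, children


def audit_config(text: str) -> List[Finding]:
    """Return one finding per violated rule; an empty list means nothing was flagged."""
    lines = text.splitlines()
    flat = [ln.strip() for ln in lines if ln.strip()]
    findings: List[Finding] = []

    # Global commands. IOS enables CDP and source routing by default, so the
    # explicit 'no' form must be present for the feature to count as disabled.
    if "no ip source-route" not in flat:
        findings.append(("source-route", "IP source routing not disabled (add 'no ip source-route')"))
    if "no cdp run" not in flat:
        findings.append(("cdp", "CDP not disabled (add 'no cdp run')"))
    if "lldp run" in flat:
        findings.append(("lldp", "LLDP enabled (add 'no lldp run')"))
    if "ip http server" in flat:
        findings.append(("http", "plaintext HTTP management enabled (add 'no ip http server')"))
    if "ip ssh version 2" not in flat:
        findings.append(("ssh-v1", "SSH not pinned to v2 (add 'ip ssh version 2')"))

    for cmd in flat:
        if cmd.startswith("snmp-server community "):
            findings.append(("snmp-v1v2c", f"SNMP v1/v2c community string configured: {cmd}"))
        elif cmd.startswith(("tftp-server ", "ftp-server ")):
            findings.append(("ftp-tftp", f"cleartext file transfer service enabled: {cmd}"))
        elif re.match(r"^(username \S+ .*|enable )password [07] ", cmd):
            # type 0 is plaintext and type 7 is reversibly encoded; use 'secret' instead
            findings.append(("weak-pw-storage", f"password not stored as a secure hash: {cmd}"))

    # Management plane: vty lines must refuse Telnet and restrict source addresses.
    for header, children in line_sections(lines):
        if not header.startswith("line vty"):
            continue
        for cmd in children:
            if cmd.startswith("transport input") and ("telnet" in cmd or cmd.endswith(" all")):
                findings.append(("telnet", f"{header}: {cmd}"))
        if not any(cmd.startswith("access-class ") for cmd in children):
            findings.append(("vty-no-acl", f"{header}: no access-class limiting management sources"))

    return findings


if __name__ == "__main__":
    for rule, detail in audit_config(WEAK_CONFIG):
        print(f"[{rule}] {detail}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Run against the weak sample it reports eleven findings (two SNMP community strings, and both a Telnet transport and a missing `access-class` on `line vty 0 4`), while `line vty 5 15` and the hardened config produce none. The point of a check like this is that it can be run on every configuration change pulled from the devices, which is the first item on the agencies' list, rather than once during an audit.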

“Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity,” according to the alert.

The development comes amid escalating trade tensions between China and the U.S., with Beijing banning exports of the critical minerals gallium, germanium, and antimony to America in response to the latter's crackdown on China's semiconductor industry.

Earlier this week, the U.S. Department of Commerce announced new restrictions that aim to limit China’s ability to produce advanced-node semiconductors that can be used in military applications, in addition to curbing exports to 140 entities.

While Chinese chip firms have since pledged to localize supply chains, industry associations in the country have warned domestic companies that U.S. chips are “no longer safe.”
