A joint advisory issued by Australia, Canada, New Zealand and the United States warns of a widespread cyberespionage campaign by threat actors linked to the People’s Republic of China (PRC) targeting telecommunications providers.
“Identified exploits or breaches associated with the activities of these threat actors coincide with existing vulnerabilities associated with the victims’ infrastructure; no new actions were observed”, – state institutions said.
US officials told Tuesday that threat actors are still lurking in U.S. telecommunications networks nearly six months after an investigation into the intrusions began.
The attacks were attributed to a group of nation-states from China tracked as Salt Typhoon, which coincides with activities tracked as Earth Estries, FamousSparrow, GhostEmperor and UNC2286. The group is known to have been active since at least 2020, and some artifacts were created as early as 2019.
Last week, T-Mobile admitted that it detected attempts by attackers to penetrate its systems, but noted that no customer data was obtained.
Word of the offensive campaign the first one broke In late September, The Wall Street Journal reported that a hacking group had infiltrated a number of US telecommunications companies in an effort to gather sensitive information. China rejected these accusations.
To counter the attacks, cybersecurity and intelligence agencies have issued best practice guidelines that can be adapted to harden corporate networks –
- Examine and investigate any modifications or configuration changes to network devices such as switches, routers, and firewalls
- Implement a powerful solution for network traffic monitoring and network management capabilities
- Limit management traffic on the Internet
- Monitor user and service account logins for anomalies
- Implement secure, centralized logging with the ability to analyze and correlate large volumes of data from multiple sources
- Ensure that device management is physically isolated from client and production networks
- To control inbound and outbound traffic, apply a strict default ACL deny strategy
- Leverage strong network segmentation with router ACLs, stateful packet inspection, firewall capabilities, and demilitarized zone (DMZ) designs.
- Protect virtual private network (VPN) gateways by limiting external exposure
- Ensure that traffic is encrypted to the maximum extent possible and that Transport Layer Security (TLS) v1.3 is used on any protocols that support TLS to protect data in transit over the network
- Disable all unnecessary discovery protocols such as Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) and other operational services such as Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol Servers (HTTP) and SNMP v1/v2c
- Disable Internet Protocol (IP) source routing.
- Make sure no default passwords are used
- Confirm the integrity of the software image in use with a trusted hashing utility, if available
- Run port scans and scans of known Internet-facing infrastructure to ensure that no additional services are available over the network or from the Internet
- Monitor vendor end-of-life (EOL) announcements for hardware devices, operating system versions, and software and update as soon as possible
- Keep passwords safe with secure hashing algorithms
- Require phishing-resistant multi-factor authentication (MFA) for all accounts accessing company systems
- Limit session token duration and require users to re-authenticate after session ends
- Implement a role-based access control (RBAC) strategy and remove all unnecessary accounts and periodically review accounts to ensure they are still needed
“Patching vulnerable devices and services, as well as ensuring the security of the environment as a whole, will reduce opportunities for intrusion and mitigate the activities of actors,” the warning said.
This comes amid escalating trade tensions between China and the US, as well as Beijing export ban important minerals gallium, germanium and antimony to America in response to the latter’s crackdown on the Chinese semiconductor industry,
Earlier this week, the US Department of Commerce announced new restrictions aimed at limiting China’s ability to produce semiconductors with advanced assemblies that can be used for military purposes, in addition to curbing exports to 140 companies.
While Chinese chip companies since then laid down to localize supply chains, industry associations in the country have warned domestic companies that American chips are “no longer safe.”
