China’s aggressive operations to infiltrate United States networks pose a significant security threat to the Nation’s critical infrastructure. China-backed intrusions, often referred to as Typhoon attacks after the naming convention used for the groups behind them, have focused on the U.S. technology sector, targeting multiple layers of network infrastructure.
Chinese state-sponsored hackers consistently target telecommunications firms and internet service providers (ISPs), both to gather intelligence and to use that access as a stepping stone into customer networks. These attacks are particularly concerning because they expose weaknesses in the United States’ digital ecosystem which, combined with our reliance on network services, carry implications that extend beyond the immediate data breach to national and economic security.
While organizations cannot control attacks on their service providers, there are ways to prepare and reduce risk.
Salt Typhoon – What happened?
In late September and early October 2024, The Wall Street Journal reported that a Chinese state-sponsored group, Salt Typhoon, had breached multiple U.S. ISPs, including Verizon, AT&T and Lumen Technologies. Most significantly, the attackers may have gained access to the systems those carriers use to fulfill court-authorized wiretap requests from U.S. law enforcement, as well as to other systems handling domestic internet traffic.
Salt Typhoon is known for its ability to infiltrate and disrupt networks and has targeted U.S. ISPs over several years. In this latest campaign the group was caught exfiltrating data and planting backdoors and other capabilities, potentially staged for future operations. Nation-state actors such as Salt Typhoon are thought to obtain initial access by exploiting known vulnerabilities in internet-facing systems, for example the ProxyLogon chain in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065). One report also indicates the attackers gained access by reconfiguring Cisco routers within Verizon’s network. Cisco routers carry much of the internet’s traffic and are core network infrastructure components; a router an adversary can reconfigure can be made to mirror, redirect or filter any traffic that passes through it.
In addition to Salt Typhoon, several other China-linked groups, most of them tracked under “Typhoon” names, have targeted U.S. network infrastructure. These include:
- Volt Typhoon. Active since mid-2021, Volt Typhoon has targeted a number of critical infrastructure organizations across the United States. Earlier this year, FBI Director Christopher Wray discussed the ongoing investigation of Volt Typhoon, stating that the Chinese government had gained illicit access to networks within America’s “critical telecommunications, energy, water, and other infrastructure sectors.” More recently, in August 2024, cybersecurity researchers disclosed that Volt Typhoon had exploited a zero-day flaw (CVE-2024-39717) in Versa Director, software that ISPs and managed service providers use as a single pane of glass to manage their network devices, such as routers and other edge devices. According to the researchers, Volt Typhoon gained initial access through the Versa Director high availability management port, then installed a custom web shell, which the researchers named VersaMem, on the Versa Director. The web shell hooked the server’s authentication functions in memory, allowing the adversary to escalate privileges and to capture credentials in plaintext before they were hashed, which in turn let the adversary harvest credentials belonging to downstream customers.
- StormBamboo. In August 2024, researchers disclosed that StormBamboo, a Chinese cyber espionage actor, had used Domain Name System (DNS) poisoning to deliver malware to its targets. In a DNS poisoning attack the adversary causes a lookup for a legitimate hostname to return an attacker-controlled IP address, so the client believes it is connecting to the real site while it is actually talking to an imposter that serves malware. StormBamboo has a history of compromising third parties to reach its real targets. In this campaign it used an adversary-in-the-middle position on an undisclosed ISP’s compromised infrastructure to control the answers returned by that ISP’s DNS servers. It then turned that position against insecure software update mechanisms in customer environments: applications that fetched updates over plain HTTP and did not validate digital signatures. The attackers answered victims’ DNS queries for update servers with their own addresses and delivered malware from StormBamboo’s command-and-control servers in place of the expected update, with no user interaction required.
- Flax Typhoon. The hacking campaign known as Flax Typhoon built a massive botnet by compromising more than 200,000 consumer devices, including cameras, video recorders and routers, and installing malicious software on them. A botnet is a network of infected devices that a threat actor controls through command-and-control infrastructure to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, or use the device and its network connection as a relay. Flax Typhoon intended to use the botnet against the telecommunications industry and other U.S. infrastructure, but the FBI and Justice Department dismantled the botnet’s infrastructure before it was turned to that purpose.
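The update-hijacking path StormBamboo used is easier to reason about with both sides written out. The following Go program is an added example, not code from the original article or from any affected product: it simulates an update client that reaches the update host through poisoned DNS. The hostname `updates.example`, the manifest format, the package bytes and the Ed25519 key pairs are all constructed for the example. `InsecureInstall` installs whatever the host returns, which is the behaviour the attackers exploited; `SecureInstall` pins the publisher’s public key, verifies the signed manifest and checks the package against the digest the manifest commits to, so neither a poisoned DNS answer nor a swapped package gets through.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Update is what the client receives from the update host. The manifest format
// ("version=...\nsha256=<hex digest of Package>") is hypothetical, invented for this
// example; the signature covers the manifest bytes, and the manifest pins the package.
type Update struct {
	Manifest  string
	Package   []byte
	Signature []byte
}

// Fetcher stands in for "GET http://<host>/update" so the example runs offline. Under
// DNS poisoning the client still asks for the right hostname but reaches the attacker's
// server, which is exactly the situation a Fetcher lets us simulate.
type Fetcher func(host string) Update

// InsecureInstall is the pattern StormBamboo abused: plain HTTP, no signature check,
// install whatever came back.
func InsecureInstall(get Fetcher, host string) ([]byte, error) {
	return get(host).Package, nil
}

// SecureInstall pins the publisher's Ed25519 public key and treats DNS and the transport
// as hostile: the manifest must verify under that key, and the package must match the
// digest the signed manifest commits to.
func SecureInstall(get Fetcher, host string, pub ed25519.PublicKey) ([]byte, error) {
	u := get(host)
	if !ed25519.Verify(pub, []byte(u.Manifest), u.Signature) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	want, ok := manifestDigest(u.Manifest)
	if !ok {
		return nil, errors.New("signed manifest carries no sha256 field")
	}
	sum := sha256.Sum256(u.Package)
	if hex.EncodeToString(sum[:]) != want {
		return nil, errors.New("package digest does not match signed manifest")
	}
	return u.Package, nil
}

// manifestDigest extracts the pinned package digest from the manifest.
func manifestDigest(m string) (string, bool) {
	for _, line := range strings.Split(m, "\n") {
		if strings.HasPrefix(line, "sha256=") {
			return strings.TrimPrefix(line, "sha256="), true
		}
	}
	return "", false
}

// Fixtures holds a publisher key and three servers the client might reach.
// All of it is constructed for the example.
type Fixtures struct {
	PublisherPub ed25519.PublicKey
	Legit        Fetcher // the real update server
	Poisoned     Fetcher // attacker's server, signed with the attacker's own key
	Repackaged   Fetcher // attacker replays the genuine signed manifest but swaps the package
}

func NewFixtures() Fixtures {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	build := func(signer ed25519.PrivateKey, pkg []byte) Update {
		sum := sha256.Sum256(pkg)
		manifest := "version=2.1.0\nsha256=" + hex.EncodeToString(sum[:])
		return Update{Manifest: manifest, Package: pkg, Signature: ed25519.Sign(signer, []byte(manifest))}
	}
	legit := build(priv, []byte("legitimate package bytes"))
	malicious := build(attackerPriv, []byte("malicious package bytes"))
	repackaged := Update{Manifest: legit.Manifest, Package: malicious.Package, Signature: legit.Signature}
	return Fixtures{
		PublisherPub: pub,
		Legit:        func(string) Update { return legit },
		Poisoned:     func(string) Update { return malicious },
		Repackaged:   func(string) Update { return repackaged },
	}
}

func main() {
	f := NewFixtures()
	host := "updates.example" // hypothetical update hostname
	pkg, _ := InsecureInstall(f.Poisoned, host)
	fmt.Printf("insecure client via poisoned DNS installed: %q\n", pkg)
	for _, s := range []struct {
		name string
		get  Fetcher
	}{{"legit", f.Legit}, {"poisoned", f.Poisoned}, {"repackaged", f.Repackaged}} {
		pkg, err := SecureInstall(s.get, host, f.PublisherPub)
		fmt.Printf("secure client, %s server: package=%q err=%v\n", s.name, pkg, err)
	}
}
```

The design point is that the trust anchor is the pinned public key shipped with the client, not the hostname, the resolver or the transport: DNS poisoning changes which server answers, but it cannot produce a manifest that verifies under the publisher’s key, and the digest in the signed manifest stops an attacker from reusing a genuine manifest with a substituted package. In a real client the key would be built into the binary and rotated through a signed update, and the check would be done before anything is written to disk.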
Why These Threat Streams Are Important: Downstream Impact for Telecommunications Customers
ISPs and telecommunications providers are critical communications nodes for every sector. Campaigns that target them carry a number of potential downstream impacts for customers, including:
- Surveillance: Depending on their level of access, malicious actors may conduct surveillance or eavesdrop on communications traffic and potentially its content. For example, if an ISP customer’s call or billing records were accessed, the threat actor could see the frequency and timing of communications between parties even without the content, and that metadata is sensitive in its own right. If an organization’s traffic traverses an ISP-owned router unencrypted, the threat actor can see the entire content, including sensitive information. If an organization uses a compromised ISP’s email platform, attackers could also potentially access its email, again depending on the adversary’s level of access.
- SIM Swapping: Malicious actors who gain access to internal telco systems may be able to perform SIM swaps by reaching the applications and APIs that control the association between a subscriber’s mobile phone number and the registered SIM card or eSIM. This technique has been used to great effect to subvert SMS-based multi-factor authentication (MFA), because once the number is moved to an attacker-controlled SIM, the one-time codes are delivered to the attacker.
- Malware: As seen with other Chinese groups such as StormBamboo, attackers who breach an ISP can use DNS poisoning to deliver malware to customer networks and devices.
- Increased Phishing: Attackers could also use leaked customer information to craft more convincing phishing lures, making it easier to trick individuals into revealing additional personal information or credentials.
- Downtime: Depending on the adversary’s objectives, customers could experience outages or degraded service, disrupting communication channels essential for daily business operations and causing lost productivity and potentially financial loss.
What should you do about it?
Businesses can take a number of steps to mitigate this threat activity. These include:
- Actively manage the edge network devices (routers and firewalls) your ISP owns or provisions: change the administrative passwords and any default credentials set by the device manufacturer. If your service provider is compromised, change the router’s admin password again and review its access and configuration-change logs for signs of unauthorized access to your network, such as logins or configuration changes from addresses outside your management network. These steps help identify and prevent intrusions into your internal network.
- To mitigate DNS poisoning of the kind StormBamboo used, adopt a protective DNS service such as DNSFilter, Quad9 or others that filter known-malicious domains and add security protections if a compromise occurs. Consider an alternative resolver such as Google Public DNS, and reach it over an encrypted transport (DNS over HTTPS or DNS over TLS) so that a compromised ISP cannot tamper with answers in transit; enable DNSSEC validation where the resolver supports it. A resolver can only protect the lookup itself: an update client that fetches over plain HTTP without verifying signatures remains exposed to any attacker who gets into the path.
- Ensure data in transit is encrypted by using WPA3, HTTPS, TLS 1.3, SSH, SFTP and other secure network protocols that protect the confidentiality and integrity of your connections and data. Encryption minimizes what traffic and content an attacker positioned at the ISP can view.
- Enforce strong authentication by requiring phishing-resistant MFA (such as FIDO2 security keys or passkeys) for all enterprise accounts to the greatest extent possible, and retire SMS and voice one-time codes as factors. Doing so protects your users from SIM swap attacks, since there is no SMS code for the attacker to receive, and from the social engineering and phishing that often follow high-profile breaches.
- Enable the enhanced account security options offered by your mobile providers (account PINs and port-out or SIM-change locks, for example) so that additional verification is required before the carrier processes any SIM or eSIM change.
- As discussed above, if an ISP breach causes customer outages, organizations can lower the risk with contingency plans such as a backup internet connection from a second provider, telework from alternate offices or homes, or cellular hotspots.
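Reviewing router logs for signs of unauthorized access, as recommended above, is simpler with a small triage script. The following Go program is an added example, not code from the article, from Cisco or from any ISP. The log lines are constructed for the example and modeled on the shape of Cisco IOS `%SEC_LOGIN` and `%SYS-5-CONFIG_I` syslog messages, so treat the exact field layout as an assumption to adjust for your platform; the management prefix `10.20.0.0/24`, the threshold of three failures, the hostname `edge-rtr1` and the addresses and user names are likewise invented. It flags successful logins and configuration changes from addresses outside the management network, and a success that follows a burst of failed logins from the same source.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Event is one parsed router log message we care about.
type Event struct {
	Kind string // "login_ok", "login_fail" or "config"
	User string
	Src  netip.Addr
}

// Patterns follow the shape of Cisco IOS %SEC_LOGIN and %SYS-5-CONFIG_I messages (assumed
// layout; adjust the capture groups for your platform's format).
var (
	loginRe  = regexp.MustCompile(`%SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED): .*\[user: ([^\]]+)\] \[Source: ([0-9a-fA-F.:]+)\]`)
	configRe = regexp.MustCompile(`%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([0-9a-fA-F.:]+)\)`)
)

// Parse returns the event in a log line, or false for lines this example does not model.
func Parse(line string) (Event, bool) {
	if m := loginRe.FindStringSubmatch(line); m != nil {
		src, err := netip.ParseAddr(m[3])
		if err != nil {
			return Event{}, false
		}
		kind := "login_ok"
		if m[1] == "FAILED" {
			kind = "login_fail"
		}
		return Event{Kind: kind, User: m[2], Src: src}, true
	}
	if m := configRe.FindStringSubmatch(line); m != nil {
		src, err := netip.ParseAddr(m[2])
		if err != nil {
			return Event{}, false
		}
		return Event{Kind: "config", User: m[1], Src: src}, true
	}
	return Event{}, false
}

// Finding is one thing worth a human's attention.
type Finding struct{ Rule, Detail string }

// Triage applies three checks in log order: successful logins and configuration changes
// from outside the management prefixes, and a success preceded by at least failThreshold
// failed logins from the same source (password guessing that eventually worked).
func Triage(lines []string, mgmt []netip.Prefix, failThreshold int) []Finding {
	allowed := func(a netip.Addr) bool {
		for _, p := range mgmt {
			if p.Contains(a) {
				return true
			}
		}
		return false
	}
	fails := map[netip.Addr]int{}
	var out []Finding
	for _, line := range lines {
		ev, ok := Parse(line)
		if !ok {
			continue
		}
		switch ev.Kind {
		case "login_fail":
			fails[ev.Src]++
		case "login_ok":
			if !allowed(ev.Src) {
				out = append(out, Finding{"login-outside-mgmt", fmt.Sprintf("user %s from %s", ev.User, ev.Src)})
			}
			if n := fails[ev.Src]; n >= failThreshold {
				out = append(out, Finding{"success-after-failures", fmt.Sprintf("%d failures then success for %s from %s", n, ev.User, ev.Src)})
			}
			delete(fails, ev.Src) // a success closes the failure window for that source
		case "config":
			if !allowed(ev.Src) {
				out = append(out, Finding{"config-change-outside-mgmt", fmt.Sprintf("by %s from %s", ev.User, ev.Src)})
			}
		}
	}
	return out
}

// MustPrefixes parses CIDR strings; this is configuration, not user input, so it panics on error.
func MustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// SampleLog is constructed for this example; hostname, addresses and users are invented.
var SampleLog = []string{
	"Oct 12 03:14:06 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.20.0.5] [localport: 22] at 03:14:06 UTC Sat Oct 12 2024",
	"Oct 12 03:22:41 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed] at 03:22:41 UTC Sat Oct 12 2024",
	"Oct 12 03:22:47 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed] at 03:22:47 UTC Sat Oct 12 2024",
	"Oct 12 03:22:52 edge-rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.77] [localport: 22] [Reason: Login Authentication Failed] at 03:22:52 UTC Sat Oct 12 2024",
	"Oct 12 03:22:58 edge-rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.77] [localport: 22] at 03:22:58 UTC Sat Oct 12 2024",
	"Oct 12 03:25:10 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.77)",
	"Oct 12 04:01:00 edge-rtr1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.20.0.5)",
}

func main() {
	for _, f := range Triage(SampleLog, MustPrefixes("10.20.0.0/24"), 3) {
		fmt.Printf("%-28s %s\n", f.Rule, f.Detail)
	}
}
```

Run against the sample, the script produces three findings, all for the same outside address: a login from outside the management prefix, that login succeeding after three failures, and a configuration change from the same address minutes later. That sequence is what a stolen or guessed admin credential followed by a router reconfiguration looks like in the logs; the netops activity from inside the management network produces nothing. For this to be useful in practice, the router must ship its logs to a collector the adversary cannot reach, since a device the attacker administers can have its local buffer cleared.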
Conclusion
Technology supply chain breaches will continue to happen. When organizations develop security strategies, a baseline planning assumption should be that the technology sector is a primary “stepping stone” target for threat actors. This underscores the importance of Zero Trust, threat-informed defense, and a resiliency operating model such as the one outlined in National Institute of Standards and Technology Special Publication 800-160, Volume 2, which focuses on defining common critical assets; designing for adaptability; reducing attack surfaces; assuming compromised resources; and expecting adversaries to evolve.
Adriana Petrillo is a director in the Cybersecurity practice at The Chertoff Group. She most recently served as an INFOSEC/Cybersecurity Specialist at the Cybersecurity and Infrastructure Security Agency (CISA). She earned her J.D. from Suffolk Law School and her M.S in Cybersecurity from Boston College.