The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. teamed up with the National Security Agency (NSA), the FBI, and cyber teams from Australia, Canada, and New Zealand to release a crucial security guide for communications service providers (CSPs). This comes after a wave of cyberattacks from a China-backed group known as Salt Typhoon, which targeted major U.S. telecoms like AT&T and Verizon.
These incidents, initially reported in October and confirmed last month, saw Salt Typhoon breach systems and steal customer call records. They managed to access the private communications of individuals involved in government or political activities and even copied data related to U.S. law enforcement requests. The Wall Street Journal reported that this group may have been collecting data for several months.
The new guide outlines essential steps for those in the communications sector to detect unusual behavior, address vulnerabilities, and respond to cybersecurity incidents. It emphasizes reducing exposure to threats, enhancing secure configurations, and limiting possible entry points.
Jeff Greene, the executive assistant director for cybersecurity at CISA, stressed the seriousness of the threat. “This PRC-affiliated activity poses a grave risk to critical infrastructure, government agencies, and businesses,” he said. He urged software manufacturers to adopt Secure-by-Design principles to bolster security for their users.
Bryan Vorndran from the FBI’s Cyber Division echoed these sentiments, highlighting that hackers linked to the People’s Republic of China are targeting telecommunications firms to compromise sensitive data and engage in espionage. He encouraged organizations to implement the guidance and report any suspicious activities to local FBI offices.
Tim Perry, head of strategy at Prepared, a firm supporting emergency communications, noted the critical nature of domestic communications infrastructure for national security. He cautioned that state actors have the resources to exploit network vulnerabilities and emphasized that law enforcement agencies must stay informed about emerging cyber threats.
The full guidance is available on the CISA website and is particularly relevant for organizations managing on-premises equipment, especially critical national infrastructure operators. It’s vital for network engineers—not just cybersecurity experts—to follow recommended actions.
Engineers should closely examine any unusual changes in device configurations, maintain an inventory of their devices, set up network flow monitoring, and limit management traffic exposure to the public internet. They should also watch for anomalies in user and service account logins and implement secure, centralized logging.
Creating an out-of-band management network separate from the operational flow, using access control lists (ACLs), and enhancing network segmentation are also critical steps. Strengthening virtual private network (VPN) gateways and using end-to-end encryption are additional strategies engineers can employ. The guidance also addresses specific Cisco features that Salt Typhoon exploited, advising best practices for hardening Cisco operating systems like IOS XE and NX-OS.
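Two of the recommendations above, watching for unusual configuration changes and for anomalous logins, can be turned into simple checks. The script below is an added example written for this article; it is not code from the CISA/NSA/FBI guidance or from Cisco. It compares a saved baseline running-config against a later snapshot, flags additions that widen management exposure (a `permit ... any` in the management ACL, telnet on the vty lines, a new privilege-15 local user), and scans syslog lines for logins or config changes that come from outside the management network or that use a service account interactively. The device name, the 10.10.0.0/16 management range, the account names and every log line are constructed; the message formats approximate the Cisco IOS `%SEC_LOGIN-5-LOGIN_SUCCESS` and `%SYS-5-CONFIG_I` syslog messages.

```python
"""Added example (not from the advisory): config-drift and login-anomaly checks
over constructed Cisco-IOS-style config snapshots and syslog lines."""
import ipaddress
import re

# Assumed management network and non-interactive service accounts (constructed).
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SERVICE_ACCOUNTS = {"svc-backup", "svc-monitor"}

# Constructed baseline snapshot: management ACL restricts SSH to the mgmt range.
BASELINE_CONFIG = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
"""

# Constructed later snapshot: SSH opened to 'any', telnet enabled, new privileged user.
CURRENT_CONFIG = """\
hostname edge-rtr-1
ip access-list extended MGMT-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
 permit tcp any any eq 22
 deny ip any any
line vty 0 4
 access-class MGMT-IN in
 transport input ssh telnet
username svc-backup privilege 15 secret 9 PLACEHOLDER-HASH
"""

# Patterns for added config lines that widen management exposure.
RISKY_ADDED = [
    (re.compile(r"^\s*permit .*\bany\b"), "ACL permit that includes 'any'"),
    (re.compile(r"^\s*transport input .*telnet"), "cleartext telnet enabled on vty"),
    (re.compile(r"^\s*username .*privilege 15"), "new privilege-15 local user"),
]

# Constructed syslog lines approximating Cisco IOS login / config-change messages.
LOG_LINES = [
    "Dec 4 02:14:11 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.5.20] [localport: 22] at 02:14:11 UTC Wed Dec 4 2024",
    "Dec 4 02:15:40 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.10.5.20)",
    "Dec 4 02:16:02 edge-rtr-1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "Dec 4 03:01:09 edge-rtr-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-backup] [Source: 203.0.113.77] [localport: 22] at 03:01:09 UTC Wed Dec 4 2024",
    "Dec 4 03:02:45 edge-rtr-1 %SYS-5-CONFIG_I: Configured from console by svc-backup on vty1 (203.0.113.77)",
]

LOGIN_RE = re.compile(
    r"%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success \[user: (?P<user>\S+)\] \[Source: (?P<src>[\d.]+)\]")
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+) on \S+ \((?P<src>[\d.]+)\)")


def config_drift(baseline: str, current: str) -> dict:
    """Lines present in the current snapshot but not the baseline, and vice versa."""
    base, cur = set(baseline.splitlines()), set(current.splitlines())
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def flag_risky_changes(drift: dict) -> list:
    """Return (line, reason) for added lines matching an exposure-widening pattern."""
    return [(line, reason) for line in drift["added"]
            for pattern, reason in RISKY_ADDED if pattern.search(line)]


def in_mgmt_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)


def login_anomalies(lines: list) -> list:
    """Return (event, user, source, reason) for logins/config changes that are
    sourced outside the management network or use a service account."""
    findings = []
    for line in lines:
        match = LOGIN_RE.search(line) or CONFIG_RE.search(line)
        if not match:
            continue
        event = "config change" if "CONFIG_I" in line else "login"
        user, src = match["user"], match["src"]
        if not in_mgmt_net(src):
            findings.append((event, user, src, "source outside management network"))
        if user in SERVICE_ACCOUNTS:
            findings.append((event, user, src, "service account used interactively"))
    return findings


if __name__ == "__main__":
    drift = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    for line, reason in flag_risky_changes(drift):
        print(f"CONFIG  {reason}: {line.strip()}")
    for event, user, src, reason in login_anomalies(LOG_LINES):
        print(f"AUTH    {event} by {user} from {src}: {reason}")
```

In practice the baseline would be pulled from a configuration repository and the log lines from the centralized syslog collector the guidance recommends, so that a device whose local logs are wiped still leaves a record; the allowlist and service-account set are the same inputs an ACL-based out-of-band management design already requires.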