Massive Breach in Telecommunications
A China-linked, state-sponsored hacking group known as Salt Typhoon has been breaching telecommunications networks around the world. Despite efforts by governments and security agencies to stop the intrusions, the group continued operating into the new year. According to researchers at Recorded Future's Insikt Group, the campaign attempted to compromise more than 1,000 Cisco network devices worldwide between December 2024 and January 2025. These devices are core components of telecommunication networks, so compromising one can give an attacker deep access to the communication systems behind it.
The attack was global in scale, targeting telecommunication providers across multiple countries, including the United States, South Africa, Italy, and Thailand. Researchers found that a major telecommunications provider in South Africa and a U.S.-based subsidiary of a UK telecom company were among the targeted organizations. It appears that the hackers selected their targets based on their connections to telecom infrastructure, allowing them to gather information and possibly disrupt communications in strategic locations.
Furthermore, security experts discovered that the Salt Typhoon hackers had carried out reconnaissance activities in December on IP addresses owned by Mytel, a telecommunications provider based in Myanmar. Salt Typhoon hackers targeted Cisco devices primarily in the United States, South America, and India, while also attacking networks in over 100 other countries.
The researchers also uncovered evidence that the hackers targeted universities in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, the Netherlands, Thailand, the U.S., and Vietnam. They believe that Salt Typhoon specifically focused on universities to gain access to valuable research in telecommunications, engineering, and advanced technology. Universities often have weaker security measures than corporations or government agencies, making them easier targets for cyberattacks.
Exploiting Network Weaknesses
For months, U.S. cybersecurity officials have warned about Salt Typhoon’s increasing cyber operations, which have breached at least nine major U.S. telecom companies. These companies are essential to national communication infrastructure, making them prime targets for state-sponsored cyber espionage.
The hackers reportedly used their deep access into these networks to steal call data and communication records from high-profile individuals. Once inside, they could intercept messages, track call logs, and monitor sensitive conversations between key figures.
To get onto the devices, Salt Typhoon exploited two known, already-patched vulnerabilities in the web user interface of Cisco IOS XE software: CVE-2023-20198 and CVE-2023-20273. The first lets an unauthenticated remote attacker create a local account with the highest privilege level (level 15), which provides the initial foothold. The second is a command-injection flaw that the newly created account can use to run commands as root and plant an implant, completing the takeover of the device. Cisco published fixes for both in October 2023, so every device compromised this way was still running unpatched software more than a year after the fix was available.
Once on a device, the attackers altered its configuration in ways that made the intrusion harder to spot. They then set up a tunnel (the researchers describe a GRE tunnel) between the compromised device and infrastructure they control. That tunnel gives them a persistent path back into the network, so they can return at any time without having to exploit the device again.
Insikt Group also discovered that the hackers had scanned for vulnerable Cisco devices multiple times, specifically on December 4, 10, 17, and 24, as well as January 13 and 23. This suggests that Salt Typhoon was continuously searching for new weaknesses and expanding its attack scope.
Although the researchers counted more than 12,000 Cisco devices with web interfaces exposed to the internet, the group went after only a fraction of them, roughly 1,000 in total. That selectivity shows the attacks were planned and executed deliberately rather than being opportunistic, indiscriminate intrusions.
Government Response and Ongoing Telecommunications Threats
The U.S. government has been closely monitoring Salt Typhoon’s activities for several months. In January, the Treasury Department announced new sanctions against a Chinese contractor believed to be directly involved in these telecommunications cyberattacks.
According to the Treasury Department, Salt Typhoon has been actively compromising U.S. telecommunications networks since 2019. However, their most recent attacks represent a significant escalation in China’s cyber operations against critical U.S. telecommunications infrastructure.
Beyond the immediate intrusions, experts believe Salt Typhoon's activities pose a much larger strategic threat. A state-backed actor sitting inside telecommunications networks can monitor private conversations, manipulate communication data, and even disrupt essential services. That access could serve surveillance, cyber warfare, or geopolitical intelligence gathering.
Despite growing concerns, U.S. authorities have struggled to fully contain the threat. The FBI and the Department of Homeland Security have not issued official statements regarding the latest telecommunications attack wave, and the Justice Department has provided little additional information.
Cybersecurity researchers strongly advise network administrators to review their Cisco devices for signs of exploitation, paying particular attention to the scanning dates identified above. They also urge organizations to apply Cisco's patches for both vulnerabilities, to disable or tightly restrict the web user interface on any device reachable from the internet, and to strengthen their defenses generally to prevent further intrusions. As long as telecommunications infrastructure remains exposed, however, the risk of future attacks remains high.
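The review the researchers recommend can be partly automated against a device's running configuration. The following Python audit is an added example for this page, not Insikt Group's or Cisco's code. It looks for the three artifacts the article associates with this campaign: an enabled web UI (the attack surface for CVE-2023-20198), a privilege-15 account that is not on an operator-maintained list, and a GRE tunnel whose destination lies outside the operator's own address space. The `KNOWN_ADMINS` and `OWN_NETWORKS` allowlists and the `SAMPLE_CONFIG` text are constructed for the example; the IOS XE configuration syntax is real.

```python
"""Audit Cisco IOS XE running-config text for the indicators the article
describes: an exposed web UI (the CVE-2023-20198 attack surface), a
privilege-15 account nobody provisioned, and a GRE tunnel to an outside
address (the persistence path).  Added example for this page, not Insikt
Group's or Cisco's tooling; allowlists and SAMPLE_CONFIG are constructed."""
import ipaddress
import re
from dataclasses import dataclass

KNOWN_ADMINS = {"netops"}  # constructed: accounts you created yourself
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


@dataclass
class Finding:
    severity: str
    kind: str     # "http", "https", "user" or "tunnel"
    subject: str  # user name, interface name or the config line itself
    message: str


def parse_interfaces(cfg):
    """Map each 'interface NAME' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!', 'end' or any top-level command closes the block
    return blocks


def audit_ios_xe_config(cfg):
    findings = []
    # 1. Web UI exposure: CVE-2023-20198 is reached through the HTTP(S) server,
    #    so on an internet-facing device these lines should be absent or ACL-limited.
    for kind, line in (("http", "ip http server"), ("https", "ip http secure-server")):
        if re.search(rf"^{line}$", cfg, re.M):
            findings.append(Finding("high", kind, line, f"{line} enabled: web UI reachable"))
    # 2. Privilege-15 users you did not create: exploiting CVE-2023-20198 adds
    #    exactly this kind of account, so compare every admin to a known list.
    for m in re.finditer(r"^username (\S+) privilege 15\b", cfg, re.M):
        if m.group(1) not in KNOWN_ADMINS:
            findings.append(Finding("critical", "user", m.group(1),
                                    f"unexpected privilege-15 user '{m.group(1)}'"))
    # 3. GRE tunnels ending outside your own address space: the researchers
    #    describe such tunnels back to attacker infrastructure as the persistence path.
    for name, lines in parse_interfaces(cfg).items():
        if not name.lower().startswith("tunnel"):
            continue
        # IOS XE omits the default 'tunnel mode gre ip' from running-config.
        mode = next((l for l in lines if l.startswith("tunnel mode ")), "tunnel mode gre ip")
        dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination ")), None)
        if "gre" not in mode or dest is None:
            continue
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            continue  # hostname/keyword destination; outside this check's scope
        if not any(addr in net for net in OWN_NETWORKS):
            findings.append(Finding("critical", "tunnel", name,
                                    f"{name}: GRE tunnel to external destination {dest}"))
    return findings


def remediation_commands(findings):
    """IOS XE commands that close each finding.  Disabling the web UI is Cisco's
    published mitigation for these CVEs; removing an account or tunnel assumes
    you have confirmed it is malicious and not merely unlisted."""
    templates = {"http": "no ip http server", "https": "no ip http secure-server",
                 "user": "no username {s}", "tunnel": "no interface {s}"}
    return [templates[f.kind].format(s=f.subject) for f in findings]


# Constructed sample: one known admin, one unexplained admin, web UI on, and a
# GRE tunnel to an address the operator does not own.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$constructedhash1
username support2 privilege 15 secret 9 $9$constructedhash2
ip http server
ip http secure-server
!
interface Tunnel0
 ip address 10.250.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
end
"""

if __name__ == "__main__":
    found = audit_ios_xe_config(SAMPLE_CONFIG)
    print("\n".join(f"[{f.severity}] {f.message}" for f in found))
    print("\n".join(remediation_commands(found)))
```

Run it against the text of `show running-config` collected from each device. A configuration review alone cannot prove a device is clean: an attacker who has gained root can alter what the device reports, and Cisco's advisory for these CVEs describes how to query the web UI directly for the implant. A device that shows any of these indicators should be treated as compromised and reloaded from known-good software, not merely reconfigured, and the account and tunnel removals above should follow confirmation rather than replace it.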