With the help of tipsters, the cybersecurity agency was able to 'connect the dots' to crack what has been called one of the worst telecom hacks in US history:
Chinese state-backed cyber espionage group Salt Typhoon, which has been in the news for its breach of U.S. telecom firms, was first discovered on the federal network using a different name, according to Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA).
"We saw it as a separate campaign called another goofy cyber name. And we were able to—based on the visibility that we had within the federal networks—to be able to connect some dots," she said during a discussion at the Foundation for Defense of Democracies on Jan. 15.
[...] The earlier identification under a different name enabled officials to connect the dots with the help of tipsters from the private sector, which Easterly said ultimately "led to kind of cracking open the larger Salt Typhoon piece."
[...] On Jan. 17, the U.S. Treasury Department announced it was sanctioning Chinese cybersecurity company Sichuan Juxinhe Network Technology Co. for "direct involvement in the Salt Typhoon cyber group."
"Chinese state-backed cyber actors continue to present some of the greatest and most persistent threats to U.S. national security," the Treasury Department said.
The Treasury Department also sanctioned Shanghai-based hacker Yin Kecheng, who was allegedly behind a major breach of the department's network in early December. The cyber actor is affiliated with China's Ministry of State Security, the department said.
'We are deeply alarmed [the Department of Homeland Security] has not publicly disclosed when this investigation will begin,' the senators stated in a letter:
A bipartisan group of senators has urged a federal review board to immediately begin an investigation into a Chinese hacking group's attacks against the United States, according to a recent letter sent to Robert Silvers, undersecretary for policy at the Department of Homeland Security (DHS).
Led by Sen. Eric Schmitt (R-Mo.), the senators wrote in a letter dated Nov. 14 that the independent Cyber Safety Review Board (CSRB) had announced in late October that it would initiate a review "at the appropriate time," a DHS spokesman confirmed in a statement to the Wall Street Journal, following media reports that Salt Typhoon, a Chinese state-sponsored threat group, had breached several U.S. telecommunications companies.
[...] The senators noted that the CSRB's announcement "is a good first step." The CSRB, established by the DHS in 2022, consists of federal officials and private-sector cybersecurity experts.
"We are deeply alarmed DHS has not publicly disclosed when this investigation will begin," the senators wrote. "While details of the attack are still being revealed, the scope of this attack is historic in nature and the hacking technique used by Salt Typhoon holds countless senior U.S. officials and millions of U.S. citizens at risk.
"With all due speed and urgency, the CSRB should begin investigating how this happened immediately."
The reach of the China-linked Salt Typhoon gang extends beyond telecommunications giants in the United States, and its arsenal includes several backdoors – including a brand-new malware dubbed GhostSpider – according to Trend Micro researchers.
While the crew has made headlines recently for hacking "thousands and thousands" of devices at US telcos, research published on Monday by Trend Micro's threat intel team suggests Salt Typhoon (which Trend tracks as Earth Estries) has also hit more than 20 organizations globally since 2023. These span various sectors – including technology, consulting, chemical and transportation industries, government agencies, and non-profit organizations (NGOs) in the US, the Asia-Pacific region, the Middle East, and South Africa.
Affected countries include Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the US, and Vietnam.
It's "one of the most aggressive Chinese advanced persistent threat (APT) groups," Trend Micro's Leon Chang, Theo Chen, Lenart Bermejo, and Ted Lee wrote.
"We found that in 2023, the attackers had also targeted consulting firms and NGOs that work with the US federal government and military," the threat intel team observed.
These intrusions not only compromised telcos' database and cloud servers, but also attacked the firms' suppliers – in at least one instance implanting the Demodex rootkit on machines used by a major contractor to a dominant regional telecommunications provider. Trend Micro's analysts think that shows Salt Typhoon wanted to gain access to more targets.
We’ve noted for decades that U.S. telecom security and privacy standards aren’t great. T-Mobile has been hacked so many times in the last five years it’s easy to lose count. AT&T not long ago had a breach impacting the data of 73 million users it initially tried to pretend hadn’t happened.
Telecoms have lobbied relentlessly to dismantle much in the way of corporate oversight, so when hacks or breaches or bad choices manifest, executives and companies alike routinely see little in the way of real, meaningful accountability. Which, of course, ensures nothing much changes.
This all came to a head recently with the Salt Typhoon hack, which involved 8 major U.S. telecom operators suffering a major intrusion by Chinese hackers. The hack, oddly getting far less attention than the TikTok moral panic did, was leveraged to help spy on U.S. political officials. It was so severe and extensive that the involved, unnamed telecoms have yet to fully remove the intruders from their networks:
This is par for the course for a country that’s literally too corrupt to pass even a baseline privacy law for the internet era, or hold telecom giants meaningfully accountable for much of anything. At best, telecoms have grown fat and comfortable with a paradigm that involves a tiny fine and wrist slap for their incompetence, assuming they get challenged over it at all.
Enter Senator Ron Wyden, who is proposing a new law that would require the FCC to take broader ownership of telecom cybersecurity.
His Secure American Communications Act would more clearly establish FCC authority to monitor telecoms for privacy and cybersecurity violations, require they conduct routine testing of their networks and systems, and contract outside independent auditors to make sure they’re doing a competent job. They’d also have to submit formal annual reviews to the FCC.
“It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules,” Wyden said. “Telecom companies and federal regulators were asleep on the job and as a result, Americans’ calls, messages, and phone records have been accessed by foreign spies intent on undermining our national security. Congress needs to step up and pass mandatory security rules to finally secure our telecom system against an infestation of hackers and spies.”
Of course the last thing AT&T, Verizon, Comcast, T-Mobile and Charter want is additional (or any) government oversight, so even if perfectly designed to minimize headaches and problems, the bill likely has zero real chance of passing a corrupt Congress.
A 9th telecoms firm has been hit by a massive Chinese espionage campaign, the White House says:
A ninth U.S. telecoms firm has been confirmed to have been hacked as part of a sprawling Chinese espionage campaign that gave officials in Beijing access to private texts and phone conversations of an unknown number of Americans, a top White House official said Friday.
Biden administration officials said this month that at least eight telecommunications companies, as well as dozens of nations, had been affected by the Chinese hacking blitz known as Salt Typhoon.
But deputy national security adviser Anne Neuberger told reporters Friday that a ninth victim had been identified after the administration released guidance to companies about how to hunt for Chinese culprits in their networks.
The update from Neuberger is the latest development in a massive hacking operation that has alarmed national security officials, exposed cybersecurity vulnerabilities in the private sector and laid bare China's hacking sophistication.
The hackers compromised the networks of telecommunications companies to obtain customer call records and gain access to the private communications of what officials have said is a limited number of individuals. Though the FBI has not publicly identified any of the victims, officials believe senior U.S. government officials and prominent political figures are among those whose communications were accessed.
Neuberger said Friday that officials did not yet have a precise sense of how many Americans overall were affected by Salt Typhoon, in part because the Chinese were careful about their techniques, but that a "large number" were in the Washington-Virginia area.
Officials believe the goal of the hackers was to identify who owned the phones and, if they were "government targets of interest," spy on their texts and phone calls, she said.
The FBI said most of the people targeted by the hackers are "primarily involved in government or political activity."
Neuberger said the episode highlighted the need for required cybersecurity practices in the telecommunications industry, something the Federal Communications Commission is to take up at a meeting next month. In addition, she said, the government was planning additional actions in coming weeks in response to the hacking campaign, though she did not say what they were.
"We know that voluntary cyber security practices are inadequate to protect against China, Russia and Iran hacking of our critical infrastructure," she said.
The Chinese government has denied responsibility for the hacking.
According to a letter from the U.S. Treasury Department to lawmakers revealed on Monday, Dec. 30, Chinese-backed hackers successfully infiltrated the department’s systems and stole government documents this month.
The breach, first reported by Reuters, highlights yet another instance of state-sponsored cyber espionage targeting U.S. government employees — just moments after AT&T and Verizon finally dealt with Salt Typhoon. In a statement to Senator Sherrod Brown, chair of the Committee on Banking, Housing, and Urban Affairs, the Treasury confirmed that the attack occurred in December.
In the letter, the department states that the breach was flagged by a third-party cybersecurity vendor, BeyondTrust, which discovered that the attackers had compromised a key used to secure a cloud-based service. That service was integral to providing remote technical support to end users within the department's offices.
"With access to the stolen key, the threat actor was able [to] override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users," the letter reads.
The Treasury revealed it was alerted to the breach on Dec. 8 and is collaborating with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to evaluate the scope of the incident. Reuters reports that the FBI has yet to respond to requests for comment, while CISA redirected inquiries back to the Treasury.
I had to read this a few times to figure out they're still sticking with the story of
At first glance I thought they were admitting it was a failed false-flag.
As a side note, as time goes on, the phrases like "Chinese state-backed cyber actors" start sounding ever more ridiculous.
It never fails to amaze me if the politicians are mad at some country they can always find evidence of a "cyberattack" from that country but they can never fix the bad code ahead of time or track down specifically who did what. Just trust me, bro, the guys we are in an unrelated argument with bro, a bunch of 'them' with a funny name totally hacked us, bro, trust me bro, glowies never lie, bro.