Chinese telecom espionage began with ‘much broader’ aims, officials say
The U.S. has been investigating the Salt Typhoon hackers since late spring and early summer this year, a senior FBI official said.
A prolific Chinese hacking group launched sweeping intrusions into U.S. telecom networks with “much broader” aims than just compromising the systems that facilitate court-authorized wiretap requests, a senior FBI official said Tuesday.
National security and law enforcement intercepts — which monitor, capture and collect communications data as they are transmitted — were just one of several targets the hacking collective, dubbed Salt Typhoon, sought to exploit, said the official, who spoke on background under press guidelines issued in a Tuesday news conference.
The Wall Street Journal first brought Salt Typhoon’s campaign to light in October. The group used sophisticated methods to penetrate dozens of telecom firms inside and outside the U.S. over the course of several months. The hackers have not been entirely jettisoned from the networks, said the FBI official, as well as Jeff Greene, the executive assistant cybersecurity director at the Cybersecurity and Infrastructure Security Agency.
The revelations about Salt Typhoon’s targets lay bare the hackers’ sophisticated operation aimed at accessing the backbone of U.S. spying systems used for tracking critical individuals at home and possibly abroad. The intrusions were first investigated in late spring and early summer of this year, the senior FBI official said.
The wiretap environment — governed by the Communications Assistance for Law Enforcement Act that requires telecom companies to engineer their system for “legal access” surveillance requests — was accessed in the penetrations, but was not necessarily the initial entry vector used by the hackers in all cases, said the senior FBI official.
Forensic analysis for two of the victims “indicated that the actors were on other parts of their network conducting reconnaissance before pivoting to the CALEA system and surrounding devices,” the FBI official said.
The official declined to categorize which systems governed by the Foreign Intelligence Surveillance Act, or FISA, were accessed, but noted that CALEA includes court orders for Title I of FISA, which allows the U.S. to electronically surveil foreign powers and their agents, including Americans acting as agents of a foreign power.
Other FISA systems, such as the controversial Section 702 provision, allow the U.S. to target non-U.S. persons abroad without a warrant by compelling communications firms to hand over conversations on that target, which are then stored in query databases for investigations. Beijing could glean insights into highly classified 702 matters if Salt Typhoon had successfully peered into those environments.
CALEA is a 30-year-old legal protocol that has become a mainstay in law enforcement’s surveillance toolkit, but hasn’t undergone a formal update since the Federal Communications Commission last reviewed it in 2005.
Wiretaps have evolved from physically tapping analog phone lines to remotely intercepting digital communications across multiple channels, including calls, texts and internet traffic. The FCC does not yet appear poised to launch a formal proceeding to rework CALEA, despite calls from Congress to do so in the wake of the intrusions.
So far, the cyberspies have ensnared around 80 providers in the U.S. and abroad, including AT&T, Verizon, Lumen and T-Mobile. They’ve accessed communications of some 150 select, high-value targets, including people affiliated with President-elect Donald Trump, according to previous media reports.
Overseas servers were used to springboard the hackers into some telecom providers’ networks, said the senior FBI official, though the official did not detail each intrusion individually or say which servers were exploited.
On Tuesday, American cybersecurity and intelligence agencies and their international partners also released a playbook aimed at helping communications operators protect their facilities from further cyberattacks.
The guidance from CISA, the FBI, the NSA and counterparts in Australia, Canada and New Zealand shed light on the overlapping techniques and methods that the Chinese operatives used for their break-ins.
The agencies in the document said they’ve observed “Cisco-specific features often being targeted by, and associated with, these PRC cyber threat actors’ activity,” confirming earlier reports that the hackers leveraged Cisco router vulnerabilities to get into the networks.
They recommended companies using Cisco devices set stronger, more secure passwords. The guide also advised turning off Telnet, a legacy remote-login protocol that lets administrators manage devices over the network but sends credentials and session data unencrypted.
Network engineers are advised to use a separate network for managing devices that is completely isolated from the main operational networks backing their systems. All blocked, inbound traffic should also be logged for later analysis, it said.
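The hardening items above (no Telnet on management lines, stronger credential storage, a management network separated from production, and logging of blocked inbound traffic) are the kind of thing a defender can check mechanically against a router's running configuration. The script below is an added example, not code from the article or from the agencies' guide; the two Cisco IOS-style configurations it audits are constructed for illustration, and the subnet, ACL names and host addresses in them are assumptions, not values from any real network.

```python
"""Audit a Cisco IOS-style configuration for the hardening points in the
joint CISA/FBI/NSA telecom guidance: Telnet on vty lines, reversible enable
passwords, vty lines reachable from anywhere, unlogged deny rules, and no
remote syslog destination.  Added example; configs below are constructed."""

import re

# Constructed "before" config: reflects the weaknesses the guidance calls out.
WEAK_CONFIG = """\
hostname edge-router
enable password 7 0822455D0A16
line vty 0 4
 transport input telnet ssh
 login local
ip access-list extended INBOUND-EDGE
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny ip any any
interface GigabitEthernet0/0
 ip access-group INBOUND-EDGE in
"""

# Constructed "after" config: SSH only, hashed enable secret, vty access
# restricted to an assumed management subnet, logged deny, remote syslog.
HARDENED_CONFIG = """\
hostname edge-router
enable secret 9 $9$CONSTRUCTED-PLACEHOLDER-HASH
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login local
ip access-list extended INBOUND-EDGE
 permit tcp 10.10.0.0 0.0.0.255 any eq 22
 deny ip any any log
interface GigabitEthernet0/0
 ip access-group INBOUND-EDGE in
logging host 10.10.5.20
"""


def parse_sections(config):
    """Group indented sub-commands under their parent command (IOS block layout)."""
    sections = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and comments
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    findings = []
    for parent, body in sections.items():
        if parent.startswith("line vty"):
            # 1. Telnet (or 'all') on a vty line means cleartext management access.
            for cmd in body:
                m = re.match(r"transport input (.+)", cmd)
                if m and any(t in ("telnet", "all") for t in m.group(1).split()):
                    findings.append(f"{parent}: Telnet permitted ({cmd})")
            # 2. No access-class: the management plane is reachable from any source.
            if not any(cmd.startswith("access-class") for cmd in body):
                findings.append(f"{parent}: no access-class restricting management sources")
        if parent.startswith("ip access-list"):
            # 3. A deny without 'log' drops traffic silently, leaving nothing to analyse.
            for cmd in body:
                if cmd.startswith("deny") and cmd.split()[-1] != "log":
                    findings.append(f"{parent}: unlogged deny ({cmd})")
    # 4. 'enable password' (plaintext or reversible type 7) instead of 'enable secret'.
    if any(p.startswith("enable password") for p in sections):
        findings.append("enable password used instead of enable secret")
    # 5. Without a remote syslog host, logs live only on the device that was breached.
    if not any(p.startswith("logging host") for p in sections):
        findings.append("no 'logging host' configured; logs stay on the device")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Run it as a script to see the constructed weak configuration produce five findings and the hardened one produce none; in practice the same `audit()` function would be pointed at a `show running-config` capture, and the source-subnet and syslog checks would be adjusted to the real management network.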
Many of the breached systems were not properly equipped with logging mechanisms to monitor device activity, Nextgov/FCW previously reported.
“While there were some commonalities and some common threads, they were not locked into a single playbook here,” a person with knowledge of the hacks previously said, describing how Salt Typhoon carried out the operation.
Hackers can obtain system access credentials in a variety of ways. Operatives may spin up fabricated, plausible-sounding emails that trick recipients into handing over sensitive account information. Other data may be obtained through sales on dark web forums and similar unpatrolled areas of the internet that often serve as marketplaces for stolen log-in data, personal information and other illicit materials.
“We definitely need to look at what this means long term — how we secure our networks [and] how we work with our telecommunications partners,” Greene said, later adding that “we cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing.”