Hundreds of organizations were notified of potential Salt Typhoon compromise
Some of the exploited vulnerabilities have had fixes available for several years. One provider’s management system was protected with a basic numeric password.
American cybersecurity officials are gearing up for a challenging period as they work to uncover and mitigate an extensive Chinese-backed cyber intrusion into the nation’s telecommunications infrastructure.
The hacking group, Salt Typhoon, has ensnared major providers including Verizon, AT&T, Lumen and T-Mobile, and has targeted dozens of high-value political figures, including people tied to President-elect Donald Trump.
While a total of 80 firms were reported to have been infiltrated or used as stepping stones in the hack, that figure could be much higher, according to two people with knowledge of the ongoing U.S. investigation. Several hundred organizations — both telecommunications companies and others — were notified over the past couple of months that they may be at risk of compromise, according to one of the people.
From the fragments of the hack, investigators have identified cases where cybersecurity defenses fell short. One provider’s management system was protected with a password “1111” that, once discovered, easily allowed the cyberespionage group to gain a better foothold inside, the other person said.
The Cybersecurity and Infrastructure Security Agency declined to comment, while the FBI did not return a request for comment. The cyberspies have not yet been eradicated from all of the telecom systems.
In Congress, staffers have grown frustrated with the lack of communication about the breach. At least one committee is assessing legislative options, according to a congressional aide familiar with ongoing discussions about the intrusion, but near-term recourse is limited because staff are often learning new information about the hacks only through news headlines. The aide was granted anonymity to be candid about internal conversations.
Some of the vulnerabilities exploited by Salt Typhoon go back to 2018, according to a second congressional aide familiar with the hack. Patches were issued, but the telecom companies never implemented them, that aide added.
The hacking unit exploited openings in Ivanti, Fortinet, Sophos and Microsoft Exchange Server systems, according to a Dec. 18 blog post from cyber intelligence firm Armis.
Notably, most of those listed vulnerabilities are not zero-days, a cybersecurity term for flaws that developers have “zero days” to address before they are exploited. These, by contrast, have had patches available for a while.
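The failure the article describes, fixes available for years but never applied, is something a defender can measure directly from an asset inventory. The following patch-lag audit is an added example, not code from the article, Armis, or any vendor; the asset names, product labels, version numbers and release dates are all constructed for illustration.

```python
"""Patch-lag audit: flag assets whose vendor fix has been available longer
than an allowed window but is still not installed.

Added example with a constructed inventory; none of the products, versions
or dates below refer to real appliances.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Asset:
    name: str            # constructed hostname
    product: str         # constructed product label
    installed: Version   # version currently running
    fixed: Version       # first version that contains the fix
    fix_released: date   # date the vendor published that fixed version


def parse_version(text: str) -> Version:
    """Turn '6.4.2' into (6, 4, 2) so versions compare numerically,
    not lexically ('6.4.10' must sort after '6.4.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def is_unpatched(asset: Asset) -> bool:
    """True when the running version predates the fixed version."""
    return asset.installed < asset.fixed


def days_exposed(asset: Asset, today: date) -> int:
    """Days since a fix became available for this asset."""
    return (today - asset.fix_released).days


def patch_lag_report(assets: List[Asset], today: date,
                     max_days: int = 30) -> List[Tuple[str, str, int]]:
    """Return (name, product, days_exposed) for every asset that is still
    unpatched beyond the allowed window, worst offender first."""
    findings = []
    for asset in assets:
        if is_unpatched(asset):
            lag = days_exposed(asset, today)
            if lag > max_days:
                findings.append((asset.name, asset.product, lag))
    findings.sort(key=lambda f: f[2], reverse=True)
    return findings


def multi_year_backlog(assets: List[Asset], today: date) -> int:
    """Count assets whose fix has been available for more than a year,
    the situation the article describes for some of the telecom systems."""
    return sum(1 for _, _, lag in patch_lag_report(assets, today) if lag > 365)


# Constructed inventory (not real systems, versions or advisories).
AUDIT_DATE = date(2024, 12, 20)
INVENTORY = [
    Asset("edge-vpn-01", "vpn-gateway", parse_version("6.4.2"),
          parse_version("6.4.5"), date(2021, 3, 15)),
    Asset("mail-01", "mail-server", parse_version("15.2.986"),
          parse_version("15.2.986"), date(2023, 8, 1)),      # already patched
    Asset("mgmt-01", "mgmt-console", parse_version("2.0"),
          parse_version("2.1"), date(2024, 12, 1)),          # inside the window
    Asset("fw-edge-02", "edge-firewall", parse_version("7.0.1"),
          parse_version("7.0.12"), date(2018, 6, 1)),
]

if __name__ == "__main__":
    for name, product, lag in patch_lag_report(INVENTORY, AUDIT_DATE):
        print(f"{name:12} {product:14} fix available {lag:5d} days, not applied")
    print("assets with a fix older than a year:",
          multi_year_backlog(INVENTORY, AUDIT_DATE))
```

Feeding a real inventory into `patch_lag_report` is the part that matters; the threshold and the list of fixed versions come from an organisation's own vulnerability management data, which this example stands in for with constructed values.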
The hacking unit, tied to China’s Ministry of State Security, has carried out the campaign for likely one to two years and breached around eight U.S. telecom firms, a senior administration official previously said.
“This is gonna go down in history as SolarWinds 2.0,” said the second aide, referring to the 2020 SolarWinds Orion breach that became one of the most storied cyber incidents of the decade. Russian hackers exploited the password “solarwinds123” to infiltrate SolarWinds, eventually accessing IT systems critical to numerous U.S. agencies.
Salt Typhoon also breached America’s “lawful intercept” systems that house wiretap requests used by law enforcement to surveil suspected criminals and spies. Telecom firms are required to engineer their networks for wiretapping under the Communications Assistance for Law Enforcement Act, or CALEA, which passed in 1994. The Federal Communications Commission oversees the law.
CALEA inquiries are normally backed by a court order and typically submitted through a portal where requests are housed. Upon approval from a telecom company overseer, investigators can access key phone metadata, including call records that detail the timing, duration and participants of conversations, as well as geolocation data used for tracing communication and movement patterns.
FCC Chairwoman Jessica Rosenworcel distributed a draft ruling to colleagues earlier this month that, if adopted, would require telecom firms to secure those CALEA systems from unauthorized access. She also introduced a separate proposal for a rulemaking process that could mandate communications providers to report annually on their cybersecurity practices.
Both of those items are expected to be approved by the agency before President Joe Biden leaves office next month, according to a different person familiar with the procedures, who spoke on the condition of anonymity because they were not authorized to publicly discuss the matter.
A bill introduced this month by Sen. Ron Wyden, D-Ore., would direct the FCC to require telecom providers to adhere to a list of must-have cybersecurity compliance rules, including minimum cyber requirements and annual system testing.
“It’s clear that Congress needs to force the FCC to step up and pass mandatory security rules to finally secure our phones against foreign threats,” Wyden, a senior member on the Senate Intelligence Committee, said in an emailed statement to Nextgov/FCW.
The agency’s outline of new regulations is well-intentioned, Wyden said, but he’s concerned that carriers could still dictate their own cybersecurity plans without having to meet minimum federal standards.
“I’m afraid that will continue to leave our phone system wide open to foreign adversaries,” he added.
CISA last week issued mobile phone security guidelines designed for high-value political officials whose communications were potentially hoovered up by Salt Typhoon.
“I want to be clear that there’s no single solution that will eliminate all risks, but implementing these best practices will significantly enhance the protection of your communication,” Jeff Greene, CISA’s executive assistant director for cybersecurity, told reporters.
But updating the vulnerable systems and security practices across the telecom industry will be a massive and costly undertaking. Modern telecom networks operate as a complex mix of antiquated older technology integrated with contemporary digital infrastructure. In certain areas, security measures were robust, but in others, outdated practices left vulnerabilities that the Chinese identified and exploited.
“This incident should also put to rest arguments of risks in distributed versus consolidated tech,” a different person familiar with the matter told Nextgov/FCW. “[Salt Typhoon] hit many targets through various means, and nuances in hardware, software or implementation didn’t slow the actor down one bit.”
The hacks have prompted discussions in Congress about whether U.S. cyber warriors need more authority to go on the offensive against China. One senator previously described the U.S. to Nextgov/FCW as the “cyber punching bag of the world” and said fellow lawmakers often ask intelligence officials why digital forces don’t hack back more often.
Trump’s incoming national security advisor, Rep. Mike Waltz, R-Fla., suggested on CBS’s “Face the Nation” last Sunday that the new administration may adopt a more aggressive cyber stance toward China.
The Cyber Safety Review Board in DHS has already kicked off its investigation into the breaches, though an official report is not expected for some time.
“We definitely need to look at what this means long term — how we secure our networks, how we work with our telecommunications partners,” a senior CISA official said earlier this month. “For the time being, I encourage people to be careful what you communicate or use your encrypted communications where you have it.”