Salt Typhoon breach was first detected on federal networks, CISA head says
Cybersecurity and Infrastructure Security Agency Director Jen Easterly said the group was first detected “before we understood it was Salt Typhoon.”
A Chinese state-backed espionage group’s wide-ranging intrusion into telecommunications providers in the U.S. and abroad was first detected on government systems, a top official said on Wednesday.
During a discussion at the Foundation for Defense of Democracies, Cybersecurity and Infrastructure Security Agency Director Jen Easterly said the hacking group — dubbed Salt Typhoon — “was first seen by us on federal networks that then enabled law enforcement to unravel and ask for process in virtual private servers.”
Nine American telecommunications providers were ensnared in the hacks. Some 80 telecom firms were reportedly breached by Salt Typhoon, and several hundred organizations were notified that they may be at risk of compromise, Nextgov/FCW reported in December.
Major providers have recently said in public statements that the hacking unit is no longer inside their networks, though it remains unclear if the cyberspies are entirely barred from all U.S.-linked telecom systems.
The group, which has ties to China’s Ministry of State Security, likely carried out its campaign for one to two years before it was discovered.
Easterly said government detection of the hackers occurred “before we understood it was Salt Typhoon.” Visibility into the workings of federal networks, however, allowed officials to connect the dots with the help of private sector tipsters, which Easterly said ultimately “led to kind of cracking open the larger Salt Typhoon piece.”
“We saw it as a separate campaign called another goofy cyber name, and we were able to — based on the visibility that we had within the federal networks — to be able to connect the dots,” she added.
Easterly expanded on her comments in a blog post that was also published Wednesday, writing that what gave the government its understanding of the scope of Salt Typhoon “was the fact that CISA threat hunters previously detected the same actors in U.S. government networks.”
She said this detection is what allowed law enforcement to “gain access to images of actor-leased virtual private servers,” which in turn provided officials with details about the scope of the campaign and enabled them to offer assistance to providers affected by the cyber intrusion.
Easterly cautioned during Wednesday’s event, however, that Salt Typhoon and the related Volt Typhoon hacking groups are “the tip of the iceberg” when it comes to Beijing-connected cyber espionage actors. She noted that other Chinese-backed espionage groups have burrowed into U.S. critical infrastructure systems “for the purposes of launching disruptive or destructive attacks in the event of a major crisis in the Taiwan Strait.”
According to Nextgov/FCW reporting from earlier this month, the Government Accountability Office is weighing whether to conduct a study that would evaluate the costs of a wide-ranging project to rip and replace telecommunications equipment across the U.S. that may be vulnerable to outside intrusion.
“At the end of the day, we need to be prepared for disruption,” Easterly cautioned. “It's not about preventing; it is really about architecting our systems, building our infrastructure and training and exercising our people to be prepared for this disruption so that we can respond to it and we can recover as rapidly as possible.”
Nextgov/FCW Cybersecurity Reporter David DiMolfetta contributed to this report.