What the Salt Typhoon Attack Means for Enterprises: An Interview with OneLayer Cellular Network Expert Ido Shaked
Salt Typhoon, a Chinese state-sponsored cyberattack that has compromised eight telecommunications providers in the U.S. and likely many more globally, exposed a stark reality for enterprises that have become accustomed to trusting mobile network operator infrastructure implicitly. While much of the early coverage of the incident, which is confirmed to include AT&T, Verizon, and Lumen Technologies, is focused on potential impact to government targets, severe impacts to enterprises from this and future cellular network attacks are also likely.
Firms that operate critical infrastructure were already frequent targets of attackers in the months leading up to the Salt Typhoon disclosure. For example, American Water Works, which serves over 14 million people, disclosed a cyberattack that impacted its billing systems, though the company says water and wastewater services remain unaffected. The impact of the cellular network cyberattack on critical infrastructure underscores the urgent need for enhanced cybersecurity measures in both public and private mobile networks. Ido Shaked, OneLayer’s VP of Research, shares insights on how these breaches were possible and what enterprises can do to protect themselves.
How Was Salt Typhoon Possible? Identifying Attack Vectors
Exploitation of Existing Vulnerabilities: Salt Typhoon leveraged known security weaknesses within telecommunications infrastructure to gain unauthorized access. By exploiting these existing flaws, the group infiltrated networks without relying on new or zero-day vulnerabilities. The infiltration into the U.S. telecommunications network, as detailed in recent investigations, exposed an alarming number of vulnerabilities, especially within software containing code developed in China. With over 9,000 unique vulnerabilities identified—and 855 of them easy to exploit—this code can serve as a “backdoor” into critical systems, endangering infrastructure. U.S. investigators found that the attackers systematically dismantled layers of security, achieving deep infiltration without detection.
Compromise of Core Network Components: The group penetrated core network components, such as routers and switches, which are integral to internet traffic management. This access enabled them to intercept and manipulate data traversing these devices and perform extensive surveillance and data exfiltration.
Infiltration of Lawful Intercept Systems: Salt Typhoon compromised systems designed for lawful intercepts of communication by law enforcement during authorized surveillance. By accessing these systems, the attackers monitored communications intended to be secure, posing significant national security risks.
Deployment of Advanced Malware and Rootkits: The group employed sophisticated malware, including Windows kernel-mode rootkits like Demodex, to maintain persistent access and control over compromised systems. These tools are designed with anti-forensic and anti-analysis capabilities to evade detection and complicate remediation efforts.
Targeting of Device Supply Chain: Beyond direct attacks on telecom providers, Salt Typhoon has also targeted suppliers and contractors within the telecommunications ecosystem. This strategy allows them to exploit interconnected systems and propagate their malicious activities across multiple organizations.
Additional Potential Methods Used:
Attackers may have used tactics such as IMEI spoofing to disguise device identities and gain unauthorized access. Furthermore, non-cellular devices hidden behind cellular adaptors, including cellular routers and dongles, present opportunities to bypass traditional network defenses and gain network access. Lateral movement was used to advance from one area of the network to another; for this, attackers may have leveraged vulnerabilities, device identities, and user credentials, and most likely took advantage of existing access made possible by ineffective and insufficient network segmentation within the cellular network.
Impact on Enterprises: A Call for Enhanced Network Security
For enterprises, the implications of these vulnerabilities are profound. The risks highlighted by Salt Typhoon are not isolated; 90% of critical infrastructure products include code from potentially adversarial origins. This necessitates a proactive approach to fortifying mobile networks. These efforts must also include supply chain scrutiny to ensure that software components are secure and free from exploitable code.
The methods employed by Salt Typhoon highlight significant vulnerabilities within critical infrastructure sectors. The ability to compromise core network components and lawful intercept systems underscores the necessity for robust cybersecurity measures and comprehensive threat detection capabilities. The persistent and evolving nature of their tactics suggests a well-resourced adversary with strategic objectives aligned with state-sponsored espionage.
Critical infrastructure faces severe threats from compromised mobile networks, potentially jeopardizing functions such as water utilities, power grids, industrial enterprises, and telecommunications, all worthy targets for state-sponsored attacks. It’s reported that 82% of critical vulnerabilities stem from just 20 software components. Addressing these potential weaknesses in private mobile networks through advanced security solutions is imperative for maintaining operational integrity and resilience.
Critical Support to Enterprises Navigating the Evolving Threats
Given the breadth of the cyberattack and the diverse set of tools and tactics used, OneLayer’s experts investigated each attack vector and reviewed the recent guidance from the Cybersecurity and Infrastructure Security Agency (CISA) to telecom providers following Salt Typhoon. The following are some specific steps that enterprises can take to better protect themselves.
Addressing the Expanding Attack Surface:
- Device Security: Implement strong authentication and authorization for cellular network devices. Leverage SIM-based security, but don’t rely on it exclusively. The devices themselves pose a critical risk, and each device, including its software and firmware components, should be validated and authorized as part of secure device onboarding. This should include devices behind adaptors, such as routers or dongles, which pose an increasing risk to the network since they are hidden from the cellular provider. Ensure you have no network blind spots and maintain live visibility and monitoring of all cellular network assets, from SIM cards and cellular devices to non-cellular devices hidden behind adaptors.
- Network Segmentation: Use advanced network segmentation techniques to segregate private cellular networks from public or shared infrastructures and limit the access that attackers will gain by compromising individual devices. Do not rely solely on APNs for segmentation. Leverage device-level micro-segmentation for critical assets, especially those with access to the data center and other critical networks.
- Threat Monitoring: Deploy monitoring systems to detect anomalies and potential intrusions within the cellular network. This should include security orchestration, automation, and response (SOAR) capabilities and continuous threat exposure management (CTEM). Make sure to monitor for cellular-specific threats, such as IMEI spoofing or abnormal cellular device behavior.
Securing the Supply Chain:
- Vendor Assessment: Develop and enforce stringent vetting processes for suppliers and partners. Regular compliance audits should be conducted based on standards like IEC 62443.
- Firmware Security: Continuously monitor and ensure the validity of your cellular network-connected devices. Ensure device firmware and software versions, including modems within the device, comply with the corporate mandate of allowed vendors. Implement secure firmware update mechanisms to prevent supply chain compromise. Make sure to apply this not just for cellular devices connected to the network but also for devices connected to the network behind adaptors, such as cellular routers or dongles.
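The three checks that the Device Security, Threat Monitoring, and Firmware Security items above describe (validating every attached device against an authorized inventory, watching for IMEI spoofing and abnormal behavior, and confirming that device and modem firmware match the approved list, including for hosts hidden behind an adaptor) can be expressed as detection logic over the records a private cellular core already produces. The script below is an added illustration, not OneLayer code or any product's logic; the event and flow record formats, the field names, the IMEI Type Allocation Code (TAC) allowlist, and all sample data are constructed assumptions for this example.

```python
"""Detection checks over constructed private-cellular-core records.

Added illustration (not OneLayer code). The record formats, field names,
TAC allowlist and sample values below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed authorized-device list keyed by IMEI Type Allocation Code (first 8 digits).
# "adaptor": True marks models (routers, dongles) that legitimately carry several inner hosts.
AUTHORIZED_TAC = {
    "35123456": {"model": "RuggedCam-X", "fw": {"2.4.1"}, "modem_fw": {"M1.07"}, "adaptor": False},
    "35987654": {"model": "EdgeRouter-C", "fw": {"7.2"}, "modem_fw": {"M1.07", "M1.08"}, "adaptor": True},
}

# Constructed attach/registration events from the core (one dict per event).
EVENTS = [
    {"ts": "2024-12-01T08:00:00", "imsi": "310150000000001", "imei": "351234560000011", "cell": "C1", "fw": "2.4.1", "modem_fw": "M1.07"},
    {"ts": "2024-12-01T08:00:30", "imsi": "310150000000002", "imei": "351234560000011", "cell": "C3", "fw": "2.4.1", "modem_fw": "M1.07"},  # same IMEI, other SIM, other cell
    {"ts": "2024-12-01T08:05:00", "imsi": "310150000000003", "imei": "359876540000022", "cell": "C1", "fw": "7.2", "modem_fw": "M1.08"},
    {"ts": "2024-12-01T08:06:00", "imsi": "310150000000004", "imei": "351234560000033", "cell": "C2", "fw": "2.3.9", "modem_fw": "M1.07"},  # firmware not on the approved list
    {"ts": "2024-12-01T08:07:00", "imsi": "310150000000005", "imei": "860000000000044", "cell": "C2", "fw": "1.0", "modem_fw": "Q1"},  # TAC not in inventory
]

# Constructed user-plane flow records: inner source MAC addresses seen behind each SIM.
FLOWS = [
    {"imsi": "310150000000001", "src_mac": "aa:aa:aa:00:00:01"},
    {"imsi": "310150000000003", "src_mac": "bb:bb:bb:00:00:01"},
    {"imsi": "310150000000003", "src_mac": "bb:bb:bb:00:00:02"},  # two hosts behind a declared router: expected
    {"imsi": "310150000000004", "src_mac": "cc:cc:cc:00:00:01"},
    {"imsi": "310150000000004", "src_mac": "cc:cc:cc:00:00:02"},  # two hosts behind a camera SIM: hidden adaptor
]


def check_identity(events, window_s=300):
    """IMEI spoofing indicators: one IMEI on several SIMs, one SIM on several IMEIs,
    or one IMEI attaching in two different cells within window_s seconds."""
    findings = []
    imsis_per_imei, imeis_per_imsi = defaultdict(set), defaultdict(set)
    for e in events:
        imsis_per_imei[e["imei"]].add(e["imsi"])
        imeis_per_imsi[e["imsi"]].add(e["imei"])
    for imei, imsis in imsis_per_imei.items():
        if len(imsis) > 1:
            findings.append(("IMEI_SHARED", imei, sorted(imsis)))
    for imsi, imeis in imeis_per_imsi.items():
        if len(imeis) > 1:
            findings.append(("SIM_MOVED", imsi, sorted(imeis)))
    by_imei = defaultdict(list)
    for e in events:
        by_imei[e["imei"]].append((datetime.fromisoformat(e["ts"]), e["cell"]))
    for imei, seen in by_imei.items():
        seen.sort()
        for (t1, c1), (t2, c2) in zip(seen, seen[1:]):
            if c1 != c2 and (t2 - t1).total_seconds() <= window_s:
                findings.append(("IMPLAUSIBLE_MOVE", imei, [c1, c2]))
    return findings


def check_inventory(events):
    """Every attached device must map to an authorized model, and its device and
    modem firmware must be on that model's approved list."""
    findings = []
    for e in events:
        spec = AUTHORIZED_TAC.get(e["imei"][:8])
        if spec is None:
            findings.append(("UNKNOWN_DEVICE", e["imei"], e["imei"][:8]))
            continue
        if e["fw"] not in spec["fw"]:
            findings.append(("FW_NOT_APPROVED", e["imei"], e["fw"]))
        if e["modem_fw"] not in spec["modem_fw"]:
            findings.append(("MODEM_FW_NOT_APPROVED", e["imei"], e["modem_fw"]))
    return findings


def check_hidden_hosts(events, flows):
    """Flag SIMs carrying traffic from more than one inner host unless the
    attached device is a declared adaptor (router or dongle)."""
    is_adaptor = {}
    for e in events:
        spec = AUTHORIZED_TAC.get(e["imei"][:8])
        is_adaptor[e["imsi"]] = bool(spec and spec["adaptor"])
    macs = defaultdict(set)
    for f in flows:
        macs[f["imsi"]].add(f["src_mac"])
    return [("HIDDEN_HOSTS", imsi, sorted(seen))
            for imsi, seen in macs.items()
            if len(seen) > 1 and not is_adaptor.get(imsi, False)]


def run_all(events=EVENTS, flows=FLOWS):
    """Run all checks; each finding is (kind, subject identifier, detail)."""
    return check_identity(events) + check_inventory(events) + check_hidden_hosts(events, flows)


if __name__ == "__main__":
    for kind, subject, detail in run_all():
        print(f"{kind:22} {subject}  {detail}")
```

On the constructed data this reports the shared IMEI (and its 30-second jump between cells C1 and C3), the camera running unapproved firmware, the device whose TAC is not in the inventory, and the camera SIM with two hosts behind it, while the declared router with two inner hosts is left alone. The same structure applies to real core and user-plane exports once the field names are mapped; the point of keying the allowlist by TAC and by approved firmware is that a device can only be "authorized" when both its model and its firmware, modem firmware included, are what the onboarding record says they should be.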
Defending Against Advanced Persistent Threats (APTs):
- Rootkit Protection: Proactively detect and neutralize rootkits like Demodex through endpoint detection and response (EDR) tools dedicated to cellular networks and their unique threats. Cellular devices are also exposed to location-based threats, as determined attackers, such as state-sponsored groups, might physically gain access to a device and manipulate it for their own use. Make sure to employ geo-fencing security measures.
- Incident Response: Develop a comprehensive incident response plan, including playbooks for responding to Salt Typhoon-like intrusions targeting core network components.
- Encryption Standards: Enforce end-to-end encryption for sensitive data traversing the network.
Ensuring Regulatory Compliance and Privacy:
- Regulatory Adaptation: Monitor and adapt to evolving regulatory standards specific to cellular networks, including private LTE and 5G networks. There are no mandates today that compel companies to adhere to such standards for these networks, but regulations and standards are evolving. NIST, NERC-CIP, Gartner, and others have released reports and recommendations for cellular networks that can be leveraged to ensure compliance standards are met.
- Cross-Functional Collaboration: Form cross-departmental teams, including security, operations, and networking, to address both legal and technical aspects of private network security.
By implementing these enhanced security measures, organizations can significantly bolster their defenses against sophisticated cyber threats like Salt Typhoon, ensuring the resilience and integrity of their private mobile networks.
Strategic Next Steps
OneLayer is the leader in private mobile network security. Enterprises are welcome to contact us for assistance with mitigating against Salt Typhoon and similar threats and consult with our experts if your enterprise was compromised.
Contact us today to learn more: OneLayer Contact
Explore CISA’s guidance on enhancing visibility and hardening communications infrastructure to stay ahead of evolving threats.