Global warning of Chinese cyberattacks on telecommunications infrastructure
Chinese attackers such as Salt Typhoon or GhostEmperor usually exploit known but unpatched vulnerabilities. Now there is an official guide.
In recent years, cyber attacks by suspected Chinese actors on international network systems have repeatedly come to light. The attackers, who were probably state-supported, were able to infiltrate and spy on the global telecommunications infrastructure. The security authorities of various countries have joined forces against this and have now published a joint, comprehensive cyber security guide that describes the attackers' approach, provides information on how to detect the attacks and recommends countermeasures.
What many of these cyber attacks have in common is the exploitation of security gaps that are already known but not closed by the operator. This was recently the case with a North American telecommunications provider. Cyber criminals used an unpatched Cisco security vulnerability as a gateway to a Canadian provider. Cisco provided updated software after the vulnerability became known, but the telco provider apparently did not install it for over a year.
Security warning about Salt Typhoon and other cybergangs
This is one of the reasons why security authorities from Australia, Canada, New Zealand, the UK, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and the USA have joined forces and issued a joint cyber security recommendation. From Germany, the Federal Intelligence Service, the Federal Office for the Protection of the Constitution and the Federal Office for Information Security (BSI) were involved.
The "Joint Cybersecurity Advisory", which is currently only available in English, names the groups "Salt Typhoon", "OPERATOR PANDA", "RedMike", "UNC5807" and "GhostEmperor" as the main actors. According to the report, the activities of these so-called APT (Advanced Persistent Threat) actors have been discovered in the USA, Australia, Canada, New Zealand and the UK, but they are also said to be active elsewhere in the world. The attackers often modify routers in order to gain permanent and long-term access to networks.
The Federal Office for the Protection of the Constitution and the BSI have singled out Salt Typhoon as the main actor for the joint security notice. The group is also known as GhostEmperor and FamousSparrow, as the cybergangs go by different names internationally. The main target of these cyber criminals is telecommunications infrastructure. Once the attackers have penetrated the networks, the Chinese intelligence services associated with the hackers can, for example, monitor the communications of individual targets and their locations.
Professional cyberattacks not only against telecoms providers
The security researchers from Google's "Threat Intelligence Group" emphasize the extraordinary "familiarity of this actor with telecommunications systems", which makes it easier for Salt Typhoon to remain undetected after successfully breaking into networks. "Many of the particularly successful Chinese cyber espionage actors we encounter have deep expertise in the technologies," explains John Hultquist, Chief Analyst of the Google Threat Intelligence Group.
Hultquist also highlights the business-like organization of this cybergang. "An ecosystem of contractors, academics and other supporters is at the heart of Chinese cyber espionage," he continues. "Contractors are used to develop tools and valuable exploits as well as do the dirty work of intrusion operations. They have been critical to the rapid advancement of these operations and their expansion to an unprecedented scale."
In addition to the telecommunications infrastructure, the attackers with links to the Chinese government are also targeting other industries. The "hospitality and transportation sectors could also be used to closely monitor individuals," Hultquist continues. "Information from these industries can be used to create a complete picture of who someone is talking to, where they are and where they are going."
(fds)