Severity
High
Analysis Summary
Threat actors with ties to the People's Republic of China (PRC) have conducted a broad cyber espionage campaign against telecommunications companies, according to a joint alert released by the U.S., Canada, New Zealand, and Australia.
The joint guidance notes that no novel activity has been observed: the exploitations and compromises attributed to these actors rely on existing weaknesses in victim infrastructure rather than on new techniques. Roughly six months after the investigation into the intrusions began, U.S. officials said the actors remained active inside U.S. telecommunications networks.
The activity has been attributed to the Chinese nation-state group tracked as Salt Typhoon, whose operations overlap with the clusters tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286. Some of the group's artifacts date back to 2019, and it has been known to be active since at least 2020. T-Mobile said last week that it had detected attempts by malicious actors to compromise its network, but stated that no customer information was accessed.
The White House reported that the campaign has affected eight telecommunications companies in the United States, along with targets in dozens of other countries, raising concerns about the scope of Salt Typhoon's intrusions into American communication networks. According to reports, the activity began two years ago. The full list of affected companies and countries has not been released. The deputy national security advisor for cyber and emerging technology added that although the intrusions gave China access to the metadata of many Americans, there is no evidence that any confidential communications were compromised.
The first public indication of the campaign came in late September, when it was revealed that the group had infiltrated several U.S. telecommunications companies in an attempt to obtain sensitive data. China has denied the allegations. Intelligence and cybersecurity agencies have since published best-practice guidance for hardening carrier networks against this activity. Beyond general hardening of the environment, patching vulnerable devices and services reduces the likelihood of intrusion and limits what the actors can do once inside.
Impact
- Cyber Espionage
- Unauthorized Access
- Exposure of Sensitive Data
Remediation
- Conduct regular, comprehensive cybersecurity training for employees, with a focus on recognizing and avoiding spear-phishing. Run simulated phishing campaigns to test awareness and response.
- Enforce multi-factor authentication (MFA) for all critical systems, including email, network-device management interfaces, and administrative accounts, to reduce the risk of unauthorized access.
- Apply the principle of least privilege so that only authorized personnel can reach sensitive systems and configuration data. Review and audit access control policies regularly.
- Use advanced email filtering that detects and blocks phishing attempts, especially those relying on domain spoofing and impersonation.
- Employ continuous network monitoring to detect unauthorized access or unusual activity, and audit system and device logs regularly for indicators of compromise (IOCs) or anomalous behavior such as unexpected administrative logins or configuration changes.
- Deploy EDR solutions to detect and respond to malicious activity on endpoints, particularly attempts to exfiltrate sensitive data.
- Patch vulnerabilities promptly in operating systems, network devices, email servers, and security tools to reduce the window for exploitation.
- Establish procedures for promptly reporting cyber incidents to the relevant authorities, such as the FBI or other national agencies, to support tracking and mitigation of the activity.
- Perform periodic penetration testing and vulnerability assessments to identify and address weaknesses in the security infrastructure.
- Leverage real-time threat intelligence feeds to stay informed about new campaigns and tactics targeting the telecommunications sector.
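The log-auditing recommendation above is easier to act on with a concrete check. The following is an added example, not code from the advisory or from any of the agencies it cites: it parses a constructed set of syslog-style network-device events and flags administrative activity that breaks an assumed policy. The management subnet (10.250.0.0/16), the change window (01:00 to 04:59 UTC), the log line format, and the device and account names are all assumptions made for illustration; a real deployment would read the log format the vendor actually emits and take the policy from the organization's own standards.

```python
"""Added example: flag anomalous admin activity in network-device syslog.

The sample log lines below are constructed for illustration, not real
telemetry. The management subnet, change window and log format are assumptions.
"""
import ipaddress
import re
from datetime import datetime

# Assumed policy: admin sessions must come from the out-of-band management
# network, and configuration changes must land inside the approved change window.
MGMT_NETS = [ipaddress.ip_network("10.250.0.0/16")]
CHANGE_WINDOW = (1, 5)  # hours, UTC: 01:00 <= t < 05:00

# Constructed sample lines in an assumed "<ts> <device> <event> user=<u> src=<ip>" form.
SAMPLE_LOGS = """\
2024-12-03T02:10:11Z core-rtr-01 LOGIN user=netops src=10.250.4.21
2024-12-03T02:12:40Z core-rtr-01 CONFIG_CHANGE user=netops src=10.250.4.21
2024-12-03T14:03:02Z core-rtr-01 LOGIN user=netops src=10.250.4.21
2024-12-03T14:05:19Z core-rtr-01 CONFIG_CHANGE user=netops src=10.250.4.21
2024-12-04T03:44:51Z edge-rtr-07 LOGIN user=svc_backup src=203.0.113.57
2024-12-04T03:46:10Z edge-rtr-07 CONFIG_CHANGE user=svc_backup src=203.0.113.57
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def in_mgmt_net(ip):
    return any(ip in net for net in MGMT_NETS)


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.hour < end


def find_anomalies(log_text, known_admins):
    """Return (device, user, src, event, reasons) for every event that breaks policy.

    known_admins is the set of accounts expected to administer devices; any other
    account is reported the first time it appears.
    """
    findings = []
    seen_users = set(known_admins)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skip rather than silently treat as benign
        reasons = []
        if not in_mgmt_net(ev["src"]):
            reasons.append("source outside management network")
        if ev["user"] not in seen_users:
            reasons.append("first-seen account")
            seen_users.add(ev["user"])
        if ev["event"] == "CONFIG_CHANGE" and not in_change_window(ev["ts"]):
            reasons.append("config change outside change window")
        if reasons:
            findings.append((ev["device"], ev["user"], str(ev["src"]), ev["event"], reasons))
    return findings


if __name__ == "__main__":
    for device, user, src, event, reasons in find_anomalies(SAMPLE_LOGS, {"netops"}):
        print(f"{device} {event} user={user} src={src}: {', '.join(reasons)}")
```

Run on the constructed sample, the script reports three events: a legitimate administrator making a configuration change outside the window, a previously unseen service account logging in from a non-management address, and that same account then changing configuration from the same address. The three checks are deliberately independent, so an event can carry several reasons; in practice each reason would map to a separate alert rule with its own severity.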