Pasta Inc

Volt Typhoon & Salt Typhoon: These two "natural disasters" are very real, and here's what you need to know

#security

Volt Typhoon & Salt Typhoon: What you need to know

Overview: The Crisis is Unfolding Before "US"

In a startling development that has sent shockwaves through the U.S. national security establishment, Chinese state-sponsored hackers have successfully infiltrated multiple American telecommunications providers, compromising sensitive data and communications. This breach, attributed to a hacking group known as "Salt Typhoon," represents one of the most significant cybersecurity incidents in recent memory, with far-reaching implications for national security, privacy, and international relations.

Let's rewind to May 2023: a Microsoft Threat Intelligence press release outlined the known information on Volt Typhoon, the objectives and techniques used to run its campaigns, and the specific tactics used to achieve and maintain access to critical infrastructure. Anyone who had been compromised or affected at that time was directly contacted by Microsoft.

Then, in February 2024, CISA released a report on files discovered from Volt Typhoon. Without getting into technical details, the collection of files works together to let hackers find, access, and control an unsuspecting victim's computer, completely undetected. For anyone interested, a complete list of the recommendations that CISA made for all users and administrators to strengthen their systems' security posture is available at the bottom of this post.

The Scope of the Salt Typhoon Breach

The extent of the Chinese hacking campaign has proven to be significantly larger than initially reported. Federal investigators have confirmed that hackers affiliated with China broke into at least nine (9) U.S. telecommunications providers, stealing data related to lawful wiretaps and exfiltrating cellular records of Americans [1][3]. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) acknowledged that the Chinese hackers eavesdropped on the conversations of "a limited number of individuals who are primarily involved in government or political activity" [1].

Known Telecommunications Companies Affected

The intrusion has affected major US telecommunications companies. Of the 9 that have been reported, the identities of 4 have been disclosed. Those identities are below. Make sure you subscribe to my blog to ensure you are the first to hear about the other 5 as soon as they're reported!

  1. AT&T (VZ.N)
  • First reported by WSJ on October 5, 2024. Stock activity since September 2024 (chart image generated with Groq via the author's StockBot; see Resources).
  2. Verizon (T.N)
  • First reported by WSJ on October 5, 2024. Stock activity since September 2024 (chart image, as above).
  3. Lumen Technologies (LUMN.N)
  • First reported by WSJ on October 5, 2024. Stock activity since September 2024 (chart image, as above).
  4. T-Mobile (TMUS)
  • First reported by WSJ on October 5, 2024. Stock activity since September 2024 (chart image, as above).
  5. 🕵️‍♀️
  6. 🕵️‍♀️
  7. 🕵️‍♀️
  8. 🕵️‍♀️
  9. 🕵️‍♀️

The total number of impacted providers could be as high as 80 globally. The hackers gained access to:

  • Customer call records data
  • Private communications of select individuals
  • Information subject to U.S. law enforcement requests pursuant to court orders
  • Systems where telecom companies collaborate with law enforcement and intelligence agencies

High-Profile Targets and Data Compromised

Among those targeted by the Chinese hackers were:

  1. Former & Future President Donald Trump
  2. Future Vice President JD Vance
  3. Members of Vice-President Kamala Harris's campaign team
  4. Office of Majority Leader Schumer, D-N.Y.

The cellular records of tens of millions of Americans were potentially accessed, though not all were necessarily singled out for surveillance. The hackers acquired "a significant volume" of bulk phone records, revealing the timing, location, and parties involved in communications, though not always the actual content of calls or messages. An FBI representative noted that the hackers mainly focused on call records of individuals located in the Washington, D.C. area. The agency is currently in the process of informing all Americans whose calls may have been compromised, although they do not intend to notify all citizens whose call records were accessed.

The BBC reported on a U.S. Department of Justice press release of March 25, 2024, stating that seven (7) Chinese nationals, said to be part of the APT31 hacking group (a group supporting China's Ministry of State Security's transnational repression, economic espionage and foreign intelligence objectives), had been charged with "enacting a widespread cyber-attack campaign."

White House Response and Ongoing Threat

The Biden administration is treating this breach with the utmost seriousness. President Joe Biden has been briefed multiple times on the situation, and a special White House response group is meeting nearly daily to address the crisis. Anne Neuberger, the White House's Deputy National Security Adviser for Cyber and Emerging Technology, revealed that a new cyber defense task force has been activated, involving the NSA, Pentagon, and CISA. Neuberger stated that the Chinese access was "broad in terms of potential access to communications of everyday Americans" [7].

Despite these efforts, Neuberger warned that the Chinese hackers have not yet been expelled from all of the compromised networks. "Currently, we do not believe that any have entirely expelled the Chinese operatives from these systems... hence, there remains a threat of continued breaches to communications," she stated during a press briefing [7].

Federal Agencies' Response

The FBI and CISA have been at the forefront of investigating and responding to this breach. They first detected the intrusions in the spring of 2024, but they did not begin cooperating on their investigations until later. In November, they confirmed the theft of cellular records, interception of call and text data, and copying of sensitive wiretap data [7].

The FBI initiated its investigation into the Chinese hacking activities in late spring or early summer of 2024, providing the most comprehensive update from the bureau regarding the espionage efforts. U.S. authorities continue to assist major telecommunications firms in removing hackers associated with the Chinese government from their networks, although they have not publicly established a timeline for this process.

New Cybersecurity Guidelines and FCC Action In Response to the Salt Typhoon attacks

Federal agencies have issued updated cybersecurity guidance for telecommunications providers and other critical infrastructure organizations. CISA's guidance falls into two main categories [5]:

  1. Strengthening visibility:
  • Rigorous monitoring of network traffic
  • Detecting anomalous activity
  • Logging unauthorized changes
  2. Hardening systems and devices:
  • Timely patching
  • Securing device configurations
  • Enforcing strict access controls
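The "logging unauthorized changes" item above is the one most operators can start on immediately. As an added example (not code from the post, CISA, or any vendor), the script below builds a SHA-256 baseline of a configuration directory and then diffs the live tree against that baseline, emitting one JSON record per added, modified, or removed file that can be forwarded to a central log system. The directory layout, file names, and file contents are constructed for the demonstration.

```python
"""Added example (not from the post or CISA): a minimal change-detection
baseline for "logging unauthorized changes".

Build a SHA-256 baseline of a configuration directory, then diff the live
tree against it and return structured change records. All paths and file
contents below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_against_baseline(root: Path, baseline: dict) -> list:
    """Compare the live tree with a stored baseline; return change records."""
    current = build_baseline(root)
    events = []
    for rel, digest in current.items():
        if rel not in baseline:
            events.append({"event": "added", "path": rel, "sha256": digest})
        elif baseline[rel] != digest:
            events.append({"event": "modified", "path": rel,
                           "expected": baseline[rel], "observed": digest})
    for rel in baseline:
        if rel not in current:
            events.append({"event": "removed", "path": rel})
    # Sort by path so output is deterministic and easy to diff between runs.
    return sorted(events, key=lambda e: e["path"])


def demo() -> list:
    """Constructed scenario: baseline a config dir, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "ntp.conf").write_text("server 192.0.2.10\n")
        baseline = build_baseline(root)
        # Simulated unauthorized changes: weaken sshd, drop ntp, add a cron job.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ntp.conf").unlink()
        (root / "cron.d").mkdir()
        (root / "cron.d" / "agent").write_text("* * * * * root /opt/agent/run\n")
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for event in demo():
        print(json.dumps(event))  # one JSON line per change, ready for a SIEM
```

In practice the baseline would be written once from a known-good state, stored somewhere the monitored host cannot modify, and the diff run on a schedule; the JSON-lines output is chosen so the records can be ingested without further parsing.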

The Federal Communications Commission (FCC) has taken decisive action to mandate telecom carriers to secure their networks. FCC chairwoman Jessica Rosenworcel has introduced a draft Declaratory Ruling with two major purposes:

  1. Expanding cybersecurity requirements across a range of communications providers
  2. Creating an annual certification requirement for communications service providers to create, update, and implement cybersecurity risk management plans

Industry Response

Major telecommunications companies have begun to respond to the breach:

  • From a statement emailed on December 30, 2024 by AT&T to The Register, AT&T confirmed that a "small number" of its customers were compromised but stated that the PRC-backed crew had since been removed from its networks [9]
  • Verizon acknowledged that Chinese intruders had accessed "a small number of high-profile customers in government and politics" and has since contained the incident [9]
  • Lumen Technologies also confirmed the breach but did not provide specific details [9]

International Impact and China's Denial

The Salt Typhoon campaign has affected "dozens of nations globally," according to U.S. officials. This widespread impact underscores the global nature of the cybersecurity threat posed by state-sponsored actors. China has consistently denied any involvement in these hacking activities. However, the evidence presented by U.S. intelligence agencies and cybersecurity firms strongly points to Chinese state sponsorship of the Salt Typhoon group.

Looking Ahead: Implications and Challenges

As the investigation continues and the full scope of the breach becomes clearer, several key challenges and implications emerge:

  1. National Security: The breach has exposed significant vulnerabilities in America's critical infrastructure, potentially compromising sensitive communications and intelligence operations
  2. Privacy Concerns: The vast amount of personal data accessed raises serious privacy concerns for millions of people living in America (not just Americans!)
  3. International Relations: This incident is likely to further strain U.S./China relations and may lead to diplomatic repercussions or sanctions
  • Sanctions have already been imposed on Chinese nationals found to be involved in the APT31 hacking organization. Now, as of December 31, 2024, APT was just discovered to be involved in another threat: APT was able to breach the U.S. Treasury Department's instance of BeyondTrust, a system intended to secure human and non-human identities and endpoints.
  4. Cybersecurity Investments: There will likely be increased pressure on both the public and private sectors to invest heavily in advanced cybersecurity measures.
  5. Regulatory Changes: The FCC's proposed rules and CISA's new guidelines may be just the beginning of a wave of new regulations aimed at hardening telecommunications infrastructure
  • Senator Ron Wyden (D-OR) has proposed the Secure American Communications Act, which would require the Federal Communications Commission (FCC) to establish rules within one year of the act's enactment to prevent unauthorized access to communications and call-identifying information. The rules must include cybersecurity requirements, regular testing and corrective measures, and annual compliance assessments by independent auditors. Telecommunications carriers must submit compliance documentation, including a statement from their chief executive officer and chief information security officer.
  6. Technological Arms Race: This breach highlights the ongoing technological arms race between nation-states in the cyber domain, potentially spurring new innovations in both offensive and defensive capabilities.

This unprecedented breach underscores the urgent need for stronger cybersecurity measures and highlights the ongoing challenges in protecting critical infrastructure from state-sponsored cyber attacks. As the situation develops, it will undoubtedly shape cybersecurity policies and practices in the United States and around the world for years to come, potentially redefining the landscape of global cybersecurity and international relations in the digital age.

Resources

  1. May 24, 2023 | Microsoft: Volt Typhoon Press Release
  2. February 7, 2024 | NSA, CISA, FBI: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
  3. February 7, 2024 | CISA: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
  4. September 26, 2024 | WSJ: First rumblings of Salt Typhoon attack
  5. October 6, 2024 | Reuters via WSJ on October 5: Chinese hackers breached US court wiretap systems, WSJ reports
  6. November 13, 2024 | Original FBI/CISA Press Release
  7. December 4, 2024 | Politico: The White House struggles to contain massive Chinese telco hacks
  8. December 29, 2024 | Reuters: AT&T, Verizon targeted by Salt Typhoon cyberespionage operation, but networks secure
  9. December 30, 2024 | The Register: More telcos confirm Salt Typhoon breaches as White House weighs in
  10. December 30, 2024 | Department of the Treasury: FISMA Incident Notice Report to Senate Committees
  11. December 31, 2024 | Reuters: US Treasury says Chinese hackers stole documents in 'major incident'
  12. StockBot

PDF Downloads

  1. Joint Guidance: Living Off the Land Techniques (LOTL)
  2. Proposed Bill by Senator Ron Wyden (D-OR): Secure American Communications Act

CISA Recommendations to Protect Systems Against Salt Typhoon attacks

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
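The "true file type" recommendation in the list above is worth seeing in code. As an added example (not code from the post or from CISA), the script below reads the leading bytes of an attachment, identifies the format from its file signature, and compares that with what the extension claims, flagging a mismatch such as an executable renamed to `.pdf`. The signature table is deliberately small and is an assumption for this demo; a production scanner would use a full signature library such as libmagic. The sample attachments are constructed inline (headers only).

```python
"""Added example (not from the post or CISA): verify an attachment's "true
file type" by comparing its file signature (magic bytes) with its extension.

The signature table below is a small, assumed subset used for the demo.
"""
from typing import Optional

# (leading bytes, format label, extensions that legitimately carry them)
SIGNATURES = [
    (b"%PDF-", "pdf", {"pdf"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"\xff\xd8\xff", "jpeg", {"jpg", "jpeg"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"MZ", "pe-executable", {"exe", "dll", "scr"}),
    (b"\x7fELF", "elf-executable", {"elf", "so"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2", {"doc", "xls", "ppt", "msg"}),
]


def true_type(data: bytes) -> Optional[str]:
    """Identify the format from the file's leading bytes, or None if unknown."""
    for magic, label, _ in SIGNATURES:
        if data.startswith(magic):
            return label
    return None


def extension_of(filename: str) -> str:
    """Lower-cased final extension, so 'report.pdf.exe' yields 'exe'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict on whether the extension matches the detected type."""
    ext = extension_of(filename)
    detected = true_type(data)
    allowed = next((exts for _, label, exts in SIGNATURES if label == detected), set())
    if detected is None:
        verdict = "unknown"    # no signature in the table: needs manual review
    elif ext in allowed:
        verdict = "match"
    else:
        verdict = "mismatch"   # extension claims one format, bytes say another
    return {"file": filename, "extension": ext, "true_type": detected, "verdict": verdict}


# Constructed sample attachments (headers only; bodies are irrelevant here).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%...",
    "photo.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "quarterly.docx": b"PK\x03\x04\x14\x00",
    "statement.pdf": b"MZ\x90\x00\x03\x00",   # PE executable renamed to .pdf
    "notes.txt": b"Meeting at 10am",          # plain text has no signature
}


def scan_all(samples: dict = SAMPLES) -> dict:
    """Map each sample filename to its verdict."""
    return {name: check_attachment(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:16} {verdict}")
```

Only the first few bytes are needed, so the check is cheap enough to run on every attachment before it reaches a mailbox; a "mismatch" verdict is the case CISA's bullet is about, and "unknown" simply means the table has no entry, not that the file is safe.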

CISA: Actions to take today to mitigate Volt Typhoon Activity

  1. Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
  2. Implement phishing-resistant MFA.
  3. Ensure logging is turned on for application, access, and security logs and store logs in a central system.
  4. Plan “end of life” for technology beyond manufacturer’s supported lifecycle.