Full Report
Experts tell CyberScoop that the U.S. telecom system is too technologically fragmented to gather a clear picture of threats, and too big to ever fully eject all espionage efforts.
Source: "A house full of open windows: Why telecoms may never purge their networks of Salt Typhoon", CyberScoop.
Analysis Summary
# Threat Actor: Salt Typhoon
## Attribution & Identity
* **Identification:** A Chinese state-sponsored hacking group.
* **Aliases:** None given in the article; the group is identified only as a Chinese state-sponsored hacking group targeting U.S. infrastructure.
* **Associated Groups/Patrons:** No sponsoring agency is named. The article's comparison of the intrusion to having Ministry of State Security (MSS) spies sitting inside a major telecom building suggests, but does not confirm, MSS sponsorship.
## Activity Summary
Salt Typhoon conducted a brazen and methodical spying campaign targeting multiple U.S. telecommunications networks. The group gained access to the phones of a presidential campaign and collected sensitive geolocation data on high-value targets located around Washington D.C. Officials suggest the group may have deep, persistent access within these networks, making complete eradication difficult.
## Tactics, Techniques & Procedures
* **Persistence/Reentry:** Leveraging sprawling network architectures (legacy and modern tech) with numerous software/hardware vulnerabilities to maintain access even after initial eviction attempts.
* **Living Off the Land:** Operating through legitimate, built-in network and system functionality rather than distinctive custom tooling, which leaves defenders with fewer signatures to hunt for inside compromised networks.
* **Systematic Compromise:** Exhibiting a deep understanding of U.S. telecommunications network operations to compromise them methodically.
* **Exploitation Chains:** Holding more than one path in: when one chain of vulnerabilities is patched or closed, the group returns through another.
* **Data Collection:** Specifically collecting geolocation data on high-value targets.
* **Attacks on the Cellular Core (research findings, not observed Salt Typhoon activity):** The article cites security research showing that open-source core and radio software (e.g., OpenAirInterface, SD-Core, NextEPC, srsRAN) contains exploitable vulnerabilities that could be used to disrupt communications or gain remote access to the network core.
* **Memory Corruption (research proof of concept):** Specially crafted messages sent to the core network corrupt its memory and allow command execution.
* **C2 Establishment (research proof of concept):** Researchers demonstrated establishing command-and-control or persistent channels inside vulnerable network components.
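The memory-corruption finding above (a crafted message to the core corrupts memory and yields command execution) typically comes down to a parser trusting a length that the peer supplied. The following is an added example written for this summary, not code from the CyberScoop article or from OpenAirInterface, SD-Core, NextEPC or srsRAN; the message format, the `struct session` layout and the function names are hypothetical. It shows a toy subscriber-identifier parser that copies an attacker-declared number of bytes into a fixed buffer, beside a hardened version that bounds the declared length against both the buffer and the bytes actually received and validates the content.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message layout constructed for this example:
 *   byte 0      : information-element type (0x01 = subscriber identifier)
 *   byte 1      : declared length of the identifier
 *   bytes 2..   : identifier digits
 * A real core-network stack parses far richer encodings, but the failure
 * mode is the same: a length supplied by the peer drives a copy. */
#define IE_SUBSCRIBER_ID 0x01
#define ID_MAX 15 /* identifiers in this toy format are at most 15 digits */

struct session {
    char id[ID_MAX + 1];  /* NUL-terminated identifier */
    uint32_t privileges;  /* sits directly after the buffer: what an overflow lands on */
};

/* Vulnerable parser: trusts the declared length. Returns bytes copied, or 0
 * on a malformed header. A byte loop is used so the bug stays visible and
 * is not masked by the compiler's memcpy fortification. */
size_t parse_id_vulnerable(const uint8_t *msg, size_t msg_len, struct session *s)
{
    if (msg_len < 2 || msg[0] != IE_SUBSCRIBER_ID)
        return 0;
    size_t len = msg[1];
    for (size_t i = 0; i < len && 2 + i < msg_len; i++)
        s->id[i] = (char)msg[2 + i];  /* writes past id[] once len > ID_MAX */
    s->id[len] = '\0';                /* also out of bounds for len > ID_MAX */
    return len;
}

/* Hardened parser: the declared length is checked against the destination
 * buffer and against the bytes actually present, and the content is
 * validated. Returns the identifier length, or -1 to reject the message. */
int parse_id_hardened(const uint8_t *msg, size_t msg_len, struct session *s)
{
    if (msg_len < 2 || msg[0] != IE_SUBSCRIBER_ID)
        return -1;
    size_t len = msg[1];
    if (len == 0 || len > ID_MAX)
        return -1;                    /* declared length exceeds the buffer */
    if (len > msg_len - 2)
        return -1;                    /* IE claims more bytes than were received */
    for (size_t i = 0; i < len; i++)
        if (msg[2 + i] < '0' || msg[2 + i] > '9')
            return -1;                /* identifier must be digits only */
    memcpy(s->id, msg + 2, len);
    s->id[len] = '\0';
    return (int)len;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t benign_msg[] = { IE_SUBSCRIBER_ID, 0x05, '1', '2', '3', '4', '5' };
static const uint8_t crafted_msg[] = {
    IE_SUBSCRIBER_ID, 0x13,                                        /* declares 19 bytes */
    '9','9','9','9','9','9','9','9','9','9','9','9','9','9','9',   /* fills id[0..14] */
    'A', 'A', 'A', 'A'                                             /* spills over the NUL slot into privileges */
};

int main(void)
{
    struct session s;

    memset(&s, 0, sizeof s);
    parse_id_vulnerable(crafted_msg, sizeof crafted_msg, &s);
    /* The 19-byte write stays inside struct session, so this run does not
     * crash; a larger declared length would trample whatever follows. */
    printf("vulnerable: id=%.16s privileges=0x%08x\n", s.id, s.privileges);

    memset(&s, 0, sizeof s);
    int rc = parse_id_hardened(crafted_msg, sizeof crafted_msg, &s);
    printf("hardened (crafted): rc=%d privileges=0x%08x\n", rc, s.privileges);

    memset(&s, 0, sizeof s);
    rc = parse_id_hardened(benign_msg, sizeof benign_msg, &s);
    printf("hardened (benign): rc=%d id=%s\n", rc, s.id);
    return 0;
}
```

Build with `cc -std=c11 -Wall example.c`. The vulnerable parse leaves `privileges` non-zero after consuming the crafted message, while the hardened parse rejects the same bytes with -1 and leaves the struct untouched; the benign message is accepted by both. Note that the overflow here lands inside the same struct, which AddressSanitizer does not flag, so a bounds check in the parser, not a sanitizer, is the real defence.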
## Targeting
* **Sectors:** U.S. Telecommunications Networks (critical infrastructure), U.S. Government/Political entities.
* **Geography:** United States (specifically Washington D.C. area for target geolocation).
* **Victims:** Multiple U.S. telecommunications networks (AT&T and Lumen are named as affected), and the phones of a U.S. presidential campaign.
## Tools & Infrastructure
* **Malware Families Used:** None named in the article, which describes the operations as exploiting weaknesses in commercial and open-source telecom software components.
* **Infrastructure (C2, domains, IPs):** No indicators (domains, URLs, IPs) are provided in the article. The command-and-control channels it describes are researcher proofs of concept inside vulnerable network components, not published Salt Typhoon infrastructure.
## Implications
This campaign is considered by some officials to be the "most serious telecom hack in our nation's history," posing a severe threat to U.S. national security due to the potential compromise of cellular communications for high-level government officials. The complexity and poor security posture of U.S. telecom networks mean that Salt Typhoon may achieve near-permanent persistence, as evicting them completely requires forensic analysis of tens of thousands of endpoints across sprawling, vulnerable infrastructure, which many firms are ill-equipped to handle immediately.
## Mitigations
* **Expulsion Efforts:** A full-scale eviction effort, the digital equivalent of clearing physical spies from a building, requiring forensic analysis of endpoints across the entire network.
* **Vulnerability Management:** Addressing the hundreds of exploitable vulnerabilities found in core network software components (e.g., OpenAirInterface, NextEPC). Researchers emphasize that the disclosure process is often slow or ignored by maintainers, requiring coordinated efforts to create and deploy patches.
* **Improved Visibility:** Implementing advanced endpoint memory forensics capabilities (as mentioned by Nemesis Global) to detect deep persistence mechanisms that traditional defenses might miss.
* **Addressing Underpinning Issues:** Resolving systemic issues in the telecom sector related to complexity, legacy technology, and historical indifference to robust cybersecurity practices.