The Cybersecurity and Infrastructure Security Agency (CISA) has published an alarming warning indicating that state-backed Chinese hackers have deep penetration into “major” US telcos, and are getting in by compromising an assortment of networking equipment and routers.
The advisory declined to name the affected telcos, but did indicate that this is not a matter of zero-day exploits or any sort of advanced tradecraft: the Chinese hackers appear to be using publicly available exploits for known vulnerabilities in various types of equipment that have simply not been patched or otherwise remediated.
Chinese hackers have established “broad network” of compromised infrastructure
The advisory is a joint effort from CISA, the NSA and the FBI based on observations of data breaches at telcos over roughly the past two years.
The Chinese hackers are primarily preying on published Common Vulnerabilities and Exposures (CVEs) that telcos are simply not keeping up with. The main issue appears to be small devices deployed in large numbers (and thus more time-consuming to keep patched): Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, which once compromised give attackers a foothold from which to reach the rest of the network. The CISA advisory notes that organizations often overlook these devices as they struggle to keep pace with routine patching, a task not helped by the string of high-severity network device vulnerabilities that has emerged in recent years.
State-supported Chinese hackers appear to be running large-scale programs to exploit these vulnerabilities as quickly and broadly as possible, generally beginning as soon as a new CVE is published. Attribution to state-sponsored groups rests on the scope and scale of these efforts and on the actors' demonstrated ability to evade defenses and cover their tracks. For its part, China denies (as it always has) any involvement in foreign hacking incidents.
CISA's first piece of advice to telcos is about as obvious as can be: keep up with patching. But, since few organizations can realistically keep pace with the torrent of new vulnerabilities, the advisory also calls for disabling unnecessary ports and protocols and swiftly replacing end-of-life infrastructure. It also recommends a centralized patch management system to cut down on workload, network segmentation to limit or block lateral movement, organization-wide multi-factor authentication (MFA), and out-of-band management networks (among other measures).
There are numerous examples of the Chinese hackers exploiting vulnerabilities that have been known for some time, but the targeting of a Netgear router flaw that has been public knowledge for five years now perhaps best illustrates the sorts of holes that are being left open for attackers like these to walk through. As Jason Middaugh, Chief Information Security Officer of MRK Technologies, observes: “Many companies make the mistake of focusing on implementing the latest and greatest high-tech hardware/software and overlook the basics like system hardening and asset lifecycle management. It does not matter whether it is the PRC attempting to exploit the device or an international cybercrime syndicate, if you don’t do the basics well it is only a matter of time before an internet facing asset is compromised.”
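The basics Middaugh describes (system hardening, asset lifecycle management) can be checked mechanically. The following is an added example, not code from the advisory, CISA or any vendor: it triages a constructed device inventory for the three conditions the advisory calls out, end-of-life hardware, firmware below the fixed release, and management services listening on the WAN side, and orders the devices so that remediation starts with the one an attacker would pick first. The vendor and model names, the fixed-version table, the end-of-support dates and the inventory itself are all made up for the example.

```python
"""Inventory triage for the failure modes the advisory describes: end-of-life
hardware, firmware below the vendor's fixed release, and management services
reachable from the WAN side. Example code added to this article; it is not
CISA's tooling. Every device, version and date below is constructed."""
from dataclasses import dataclass, field
from datetime import date
import re

# Constructed: oldest firmware release that contains the fix for the publicly
# known bug, per (vendor, model). In practice this table is built from vendor
# advisories and the CVEs the advisory itself lists.
MIN_FIXED_VERSION = {
    ("ExampleNet", "R7000"): "1.0.9.88",
    ("ExampleNAS", "TS-231"): "4.5.4",
}

# Constructed: vendor end-of-support dates. A device past this date will never
# receive a fix, so "patch" is not an available remediation for it.
END_OF_SUPPORT = {
    ("ExampleNet", "WNR1000"): date(2020, 6, 30),
}

# Services that have no business listening on the internet-facing interface of
# a SOHO router or NAS; the advice is to disable them or confine them to an
# out-of-band (OOB) management network.
RISKY_WAN_SERVICES = {22: "ssh", 23: "telnet", 80: "http-admin",
                      161: "snmp", 443: "https-admin", 1900: "upnp"}

SEVERITY = {"END-OF-LIFE": 3, "UNPATCHED": 2, "EXPOSED": 1}

# Constructed reference date for the end-of-support comparison.
TODAY = date(2022, 6, 8)


@dataclass
class Device:
    hostname: str
    vendor: str
    model: str
    firmware: str
    wan_listeners: list = field(default_factory=list)  # ports open on the WAN side


def parse_version(version: str) -> tuple:
    """Turn '1.0.9.88' or '4.5.4 build 1715' into a tuple of ints so releases
    compare numerically; as strings, '1.0.10' would sort below '1.0.9'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def triage(dev: Device, today: date) -> list:
    """Return (tag, detail) findings for one device."""
    findings = []
    key = (dev.vendor, dev.model)
    eos = END_OF_SUPPORT.get(key)
    if eos is not None and eos <= today:
        findings.append(("END-OF-LIFE", f"unsupported since {eos}; replace, no patch is coming"))
    fixed = MIN_FIXED_VERSION.get(key)
    if fixed is not None and parse_version(dev.firmware) < parse_version(fixed):
        findings.append(("UNPATCHED", f"firmware {dev.firmware} is below fixed release {fixed}"))
    for port in sorted(dev.wan_listeners):
        if port in RISKY_WAN_SERVICES:
            findings.append(("EXPOSED", f"{RISKY_WAN_SERVICES[port]}/{port} listening on WAN; "
                                        "disable it or move it to OOB management"))
    return findings


def triage_inventory(inventory: list, today: date) -> dict:
    """Map hostname -> findings for every device in the inventory."""
    return {dev.hostname: triage(dev, today) for dev in inventory}


def worst_first(report: dict) -> list:
    """Hostnames ordered by summed severity, so remediation starts with the
    device an attacker would pick: exposed, unpatched or unsupported."""
    def score(host):
        return sum(SEVERITY[tag] for tag, _ in report[host])
    return sorted(report, key=lambda host: (-score(host), host))


# Constructed inventory standing in for a scanner or CMDB export.
INVENTORY = [
    Device("edge-rtr-01", "ExampleNet", "R7000", "1.0.9.42", [443, 23]),
    Device("branch-nas-03", "ExampleNAS", "TS-231", "4.5.4 build 1715", []),
    Device("legacy-rtr-07", "ExampleNet", "WNR1000", "1.0.2.62", [80, 23]),
    Device("core-nas-01", "ExampleNAS", "TS-231", "4.5.3", [22]),
]

if __name__ == "__main__":
    report = triage_inventory(INVENTORY, TODAY)
    for host in worst_first(report):
        print(host)
        for tag, detail in report[host]:
            print(f"  [{tag}] {detail}")
```

The end-of-life check is deliberately separate from the version check: an unsupported device with no fixed release in the table still lands at the top of the list, because "patch" is not an option for it and replacement is the only remediation, which is exactly the asset-lifecycle gap Middaugh describes.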
US telcos heavily targeted by Chinese hackers
The Chinese hackers are reportedly not just breaching telcos for espionage, but also using the footholds they establish as command-and-control infrastructure for attacks elsewhere. NSA cybersecurity director Rob Joyce believes this is part of a long-term strategy aimed at even more sophisticated and crippling cyber attacks. Alon Nachmany, Field CISO of AppViewX, illustrates the seriousness of this threat: “… what many don’t realize is how much one carrier relies on the FCC and its partners. While U.S. telecommunications companies and carriers, as well as the FCC attempts to secure our communications, the harsh reality is that the telecoms industry is built in a way to rely too much on partners and carriers. If a telecoms firm becomes a victim of a cyberattack, for example, the ripple effect it has on the entire industry, as well as consumers is tremendous. With nearly half of today’s organizations experiencing one or more security incidents due to mismanagement of digital certificates – the backbone to enterprise security — it’s mission critical for the telecom industry and the FCC and its partners to prioritize OT security and implement Zero Trust strategies.”
Russian hackers tend to keep the media spotlight on them, between the recent brazen attacks on critical infrastructure and the invasion of Ukraine. But state-backed Chinese hackers are highly active, highly organized and responsible for some major recent breaches. A group called “LightBasin” has been tied to the Syniverse breach, which was discovered in 2021 but was likely begun in 2016. Syniverse is a third-party contractor that routes text messages for major telcos around the world, and the hackers may have had access to SMS traffic, including the messages used to deliver 2FA codes, throughout the lengthy breach window. Chinese hackers were also linked to the breach of six US state governments in March, along with numerous other incidents in recent years.
The China-linked Hafnium group was also tied to a massive compromise of Microsoft Exchange servers in the US in 2021, to the point that the FBI requested a court order to “ethically hack” hundreds of these servers and remove the web shells (backdoors) the attackers had planted. The controversial move was justified (and approved by a federal court) by organizations’ continued failure to patch Exchange vulnerabilities that had been made public.
CISA also suggests isolating internet-facing services in a “demilitarized zone” (DMZ), so that the compromise of one of them does not open a path into the internal network. Terry Olaes, Director of Sales Engineering for Skybox, sees this as a clear call to all types of organizations to accelerate the development of their vulnerability management programs: “To stay ahead of cybercriminals, companies need to address vulnerability exposure risks before hackers attack them. That means taking a more proactive approach to vulnerability management by learning to identify and prioritize exposed vulnerabilities across the entire threat landscape. Organizations should ensure they have solutions in place capable of quantifying the business impact of cyber risks into economic impact. This will help them identify and prioritize the most critical threats based on the size of financial impact, among other risk analyses such as exposure-based risk scores. It’s essential for organizations to increase the maturity of their vulnerability management programs to ensure they can quickly discover if they are impacted by vulnerabilities and how urgent it is to remediate.”
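One way to make the DMZ, segmentation and out-of-band management advice checkable, as an added example that is not part of the advisory or any vendor's product: a small audit of a zone-based firewall policy that flags any allow rule letting internet traffic land outside the DMZ, letting a DMZ host initiate into the internal or management networks, or letting anything but the out-of-band network reach the management plane. The zone names, the exception table and the ruleset are constructed for the example.

```python
"""Audit a zone-based firewall policy for the structural properties behind
the advice: internet traffic terminates in a DMZ, the DMZ cannot initiate
into the internal network, and the management plane is reachable only from
an out-of-band (OOB) network. Example code added to this article, not
CISA's or any vendor's tool; zone names and the ruleset are constructed."""

# Constructed: the few flows the design deliberately permits from the DMZ
# inward (here, syslog to an internal collector). Everything else from the
# DMZ toward internal or management networks is a lateral-movement path.
DMZ_EGRESS_EXCEPTIONS = {("internal", 514)}

# Zones a compromised edge host must not be able to reach on its own initiative.
PROTECTED = {"internal", "mgmt"}


def audit_rule(rule: dict) -> list:
    """Return the policy violations for one rule. Only allow rules can violate."""
    if rule["action"] != "allow":
        return []
    name, src, dst, ports = rule["name"], rule["src"], rule["dst"], rule["ports"]
    problems = []
    # Internet traffic must terminate in the DMZ and nowhere else.
    if src == "internet" and dst != "dmz":
        problems.append(f"{name}: internet may only reach the DMZ, not {dst}")
    # The DMZ may not initiate into protected zones except for listed flows.
    if src == "dmz" and dst in PROTECTED:
        if ports == "any" or any((dst, p) not in DMZ_EGRESS_EXCEPTIONS for p in ports):
            problems.append(f"{name}: a compromised DMZ host could pivot into {dst}")
    # The management plane is reachable from the OOB network only.
    if dst == "mgmt" and src != "oob":
        problems.append(f"{name}: management plane reachable from {src}; restrict to OOB")
    # A port-agnostic rule into a protected zone defeats port/protocol minimisation.
    if ports == "any" and dst in PROTECTED:
        problems.append(f"{name}: 'any' port into {dst} ignores port/protocol minimisation")
    return problems


def audit(rules: list) -> dict:
    """Map rule name -> violations, for rules that have any."""
    result = {}
    for rule in rules:
        problems = audit_rule(rule)
        if problems:
            result[rule["name"]] = problems
    return result


# Constructed ruleset standing in for a firewall policy export.
RULES = [
    {"name": "inet-to-dmz-web", "src": "internet", "dst": "dmz", "ports": [443], "action": "allow"},
    {"name": "dmz-to-internal-db", "src": "dmz", "dst": "internal", "ports": [5432], "action": "allow"},
    {"name": "dmz-syslog", "src": "dmz", "dst": "internal", "ports": [514], "action": "allow"},
    {"name": "inet-to-mgmt-ssh", "src": "internet", "dst": "mgmt", "ports": [22], "action": "allow"},
    {"name": "oob-to-mgmt", "src": "oob", "dst": "mgmt", "ports": [22, 443], "action": "allow"},
    {"name": "dmz-to-internal-any", "src": "dmz", "dst": "internal", "ports": "any", "action": "allow"},
    {"name": "default-deny", "src": "dmz", "dst": "internal", "ports": "any", "action": "deny"},
]

if __name__ == "__main__":
    for name, problems in audit(RULES).items():
        for problem in problems:
            print(problem)
```

The exception table is the important part: a rule like dmz-syslog is legitimate, so the check compares each port against the flows the design explicitly allows instead of forbidding DMZ egress wholesale, and a port of "any" is treated as a violation in its own right because a port-agnostic rule into a protected zone is exactly what the "disable unnecessary ports and protocols" guidance is meant to prevent.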