AT&T and Verizon confirm removal of Salt Typhoon from their respective cellular networks
The Salt Typhoon cyber attack, linked to Chinese state-sponsored actors, continues to pose a significant threat to U.S. telecom companies, including major providers like AT&T, Verizon, and T-Mobile. The campaign, which has been active for over two years, has compromised core network infrastructure at telecom providers and collected sensitive data for potential long-term geopolitical leverage.
Key details of the attack include the exploitation of critical vulnerabilities, such as the Cisco IOS XE vulnerability CVE-2023-20198, to breach network devices and establish tunnels for data exfiltration. The intrusion has affected at least one Canadian telecom victim and multiple U.S. companies.
While some affected companies, such as T-Mobile, have taken remediation actions and have not detected any recent suspicious activity, investigations into the attack are still ongoing. The FBI and Canadian cybersecurity agencies have issued warnings and requested public assistance regarding Salt Typhoon's activities, which are not limited to telecom and may affect other sectors.
Anne Neuberger, deputy national security advisor for cyber and emerging technology, has stated that once companies make their networks defensible, she would feel more confident saying that the Chinese actors have been evicted. However, federal cyber officials have not yet confirmed that the nation-state attackers have been evicted from any of the intruded networks.
AT&T and Verizon have not disclosed when they ejected the nation-state group from their networks, but both companies declared their networks secure last week. AT&T is continuing to work closely with government officials, other telecom companies, and third-party experts on the investigation of the nation-state action, and is monitoring and remediating its networks to protect its customers' data.
Verizon has contained the activities associated with the Salt Typhoon incident and has not detected threat actor activity in its network for some time. AT&T and Verizon have notified individuals who were directly targeted and impacted by Salt Typhoon's activities.
According to Neuberger, Salt Typhoon is known for being very careful about its techniques and for erasing logs, and many companies were not keeping adequate logs. This means that U.S. officials may never know some details regarding the scope and scale of the intrusion.
The Salt Typhoon cyber attack is part of a larger pattern of Chinese cyber operations focused on telecommunications and defense sectors, especially in regions of geopolitical interest such as the South China Sea and U.S. military facilities in Guam. The ongoing investigation into the attack is expected to provide more information on the extent of the intrusion and the measures taken to protect U.S. telecom networks from future attacks.
Cybersecurity measures are crucial for telecom companies facing ongoing threats like the Salt Typhoon attack, as demonstrated by the exploitation of technology vulnerabilities and the careful techniques used by the attackers. Continuous collaboration between companies, government officials, and cybersecurity agencies is essential to safeguard networks and protect sensitive data from future breaches.