
No Timeline for Evicting Chinese Hackers from US Networks

Beijing Threat Actor Shifts Tactics in Response to Public Disclosure

Chinese cyberespionage hackers who penetrated U.S. telecoms likely haven't been fully evicted, in part because they shifted tactics in response to public disclosures, federal officials said Tuesday.


Industry and government investigators have for weeks revealed in dribs and drabs an extensive campaign of Beijing telecom hacking that's global in scope, attributed to an advanced persistent threat group linked to China's foreign intelligence service that's tracked as Salt Typhoon (see: US National Security Officials Brief Telecom Executives).

The hacks encompass telephonic metadata - records of network connections, including with whom, when and where individuals communicated - covering a large group of individuals located mostly in metro Washington, D.C. A narrower set of individuals in government and politics had their telephone communications intercepted, sometimes in real time (see: Chinese Hackers Reportedly Targeted Trump, Vance Phones).

Chinese hackers also penetrated court-authorized wiretap backdoors maintained by telecoms to comply with warrants. The backdoors were not necessarily an access point for the Chinese hackers, two federal officials who asked for anonymity told reporters during a Tuesday afternoon press call. The officials said they would not state whether Chinese hackers accessed communications being intercepted for national security purposes. Federal civilian networks appear uncompromised.

The officials said they will not divulge the number of affected Americans, but said the threat actor has made limited use of its ability to intercept the content of calls. Users who rely on encrypted text and voice apps almost certainly cannot have the content of their messages intercepted, one official stressed.

The officials also said it's impossible to predict when cyber defenders will fully eject the Chinese hackers. Beijing is monitoring public communications from the government and media and altering its behavior accordingly. The hackers may go dormant for a period to throw off detection.

The federal government hopes hardening guidance published Tuesday will make it easier to detect the presence of hackers and prevent them from returning.

The guidance includes specific steps for fortifying Cisco networking devices, including turning off Cisco Smart Install. The U.S. Cybersecurity and Infrastructure Security Agency in an August advisory had already recommended disabling the legacy feature. Other points include disabling all non-encrypted web management capabilities and disabling telnet.
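As an added illustration that is not part of the article or of the government guidance, the following Python audit scans a Cisco IOS running-config excerpt for the three settings named above (Smart Install, plaintext HTTP management, telnet on the vty lines). Both config samples are constructed, and the Smart Install check assumes the device only records the disabled state as an explicit `no vstack` line.

```python
# Constructed sample: a weak running-config excerpt (not from any real device).
WEAK_CONFIG = """\
hostname edge-rtr-1
ip http server
no ip http secure-server
line vty 0 4
 transport input all
line vty 5 15
 transport input telnet ssh
"""

# Constructed sample: the same excerpt with the guidance applied.
HARDENED_CONFIG = """\
hostname edge-rtr-1
no vstack
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""


def audit_ios_config(config: str) -> list[str]:
    """Return a list of finding tags for settings the hardening guidance calls out."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []
    # Smart Install: assumption here is that an enabled default is not shown in the
    # config, so only an explicit "no vstack" proves it was turned off.
    if "no vstack" not in lines:
        findings.append("smart-install-not-disabled")
    # Plaintext web management.
    if "ip http server" in lines:
        findings.append("http-plaintext-management")
    # Telnet: walk each "line vty" block and inspect its transport input.
    vty_blocks: dict[str, list[str] | None] = {}
    current = None
    for l in lines:
        if l.startswith("line vty"):
            current = l
            vty_blocks[current] = None
        elif l.startswith("line "):
            current = None  # a console/aux block ends the vty block
        elif current and l.strip().startswith("transport input"):
            vty_blocks[current] = l.split()[2:]
    for block, protos in vty_blocks.items():
        if protos is None:
            findings.append(f"vty-transport-unspecified:{block}")  # default may allow telnet
        elif "telnet" in protos or "all" in protos:
            findings.append(f"telnet-allowed:{block}")
    return findings
```

Feed it the output of `show running-config` and treat any non-empty result as a deviation from the guidance to review.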

One official issued a plea to industry to embrace principles of secure by design. Many devices are built with security weaknesses already embedded into them, the official said.


About the Author

David Perera


Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.



