In the wake of a spate of attacks on US broadband providers, the government is urging vigilance and telling companies to ramp up their defenses.
The US cybersecurity agency says that the Chinese group behind the attacks in October might well attack again; and companies are still reeling from how much data they stole.
Some of the country’s biggest providers were impacted, including T-Mobile, AT&T, Verizon and Lumen Technologies. In what became a horrific month for the industry, a separate incident impacted more than 200,000 Comcast subscribers.
What Data Was Stolen and When?
In October, CISA and the FBI confirmed the breaches and said that vast amounts of “internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers [had been taken].” The data included customer call records and law enforcement request data.
The hackers behind the attacks were tracked to China and revealed to be a group called Salt Typhoon. A Wall Street Journal report suggested that the group actually had access to the breached networks “for months or longer.”
It also emerged that it was not just regular citizens who were impacted. As Bleeping Computer reports, the hackers also got hold of the “private communications” of a “limited number” of government officials. They even gained access to the U.S. government’s wiretapping platform, says the tech news site.
Is Security Threat Still High?
A senior CISA official told reporters in a press call that there is uncertainty as to whether the networks might still be harboring the cybercriminals. They said: “We cannot say with certainty that the adversary has been evicted, because we still don’t know the scope of what they’re doing. We’re still trying to understand that, along with those partners.”
Because of this, the threat is still high, though T-Mobile has come out and said that it isn’t seeing any attackers active within its network.
However, this group has been active since 2019 – also going under the names Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286 – and, beyond the US attack, has targeted government agencies and telecoms outfits in South East Asia.
What Advice Are Providers Being Given?
In a statement, Dave Luber, NSA Cybersecurity Director, said: “Vigilance is key for defending against network compromise. Always have eyes on your systems and patch and address known vulnerabilities before they become targets.”
The NSA has worked on a joint advisory with the FBI and international partners offering guidance as to how companies can harden their device and network security. The main aim is to reduce the attack surface exploited by these threat actors, says Bleeping Computer.
Tips include disabling all unused, unauthenticated, or unencrypted protocols; patching and upgrading devices promptly; and stringent password protection. The agencies also encourage system administrators and engineers to put tools in place so that they can see network traffic, data flow and user activity. This includes monitoring traffic from trusted partners, as this is how T-Mobile was breached.
Network defenders also need eyes on configuration changes and management connections, especially on devices at network perimeters, as these could be a potential weakness.
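As an added illustration of the monitoring advice above (this is not code from the article or from the agencies’ advisory), the following Python check runs over constructed perimeter-router syslog lines and flags management logins from outside an assumed NOC allowlist, including logins from a trusted-partner interconnect range, together with any configuration commit that follows such a login. The log format, process names and address ranges are all assumptions.

```python
import ipaddress
import re

# Constructed sample syslog lines from a perimeter router (not taken from the article).
SAMPLE_LOGS = """\
<189>Nov 14 02:11:03 edge-rtr1 sshd[4412]: Accepted publickey for netops from 10.20.0.15 port 51022
<189>Nov 14 02:11:09 edge-rtr1 confd: user netops committed configuration change (commit id 8841)
<189>Nov 14 03:27:41 edge-rtr1 sshd[4490]: Accepted password for admin from 198.51.100.77 port 40211
<189>Nov 14 03:28:02 edge-rtr1 confd: user admin committed configuration change (commit id 8842)
<189>Nov 14 03:29:55 edge-rtr1 sshd[4501]: Accepted password for admin from 203.0.113.9 port 40390
"""

# Assumed policy: device management is expected only from the internal NOC range.
# Partner interconnect ranges carry peering traffic and should never source management logins.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
PARTNER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
CHANGE_RE = re.compile(r"confd: user (\S+) committed configuration change")


def classify_source(ip_str):
    """Bucket a login source address as 'mgmt', 'partner' or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in MGMT_ALLOWLIST):
        return "mgmt"
    if any(ip in net for net in PARTNER_RANGES):
        return "partner"
    return "external"


def review_logs(text):
    """Return (kind, user, detail) alerts for non-mgmt logins and the commits that follow them."""
    alerts = []
    last_source = {}  # user -> classification of that user's most recent login
    for line in text.splitlines():
        login = LOGIN_RE.search(line)
        if login:
            method, user, src = login.groups()
            cls = classify_source(src)
            last_source[user] = cls
            if cls != "mgmt":
                alerts.append(("mgmt_login", user, f"{method} login from {cls} address {src}"))
            continue
        change = CHANGE_RE.search(line)
        if change:
            user = change.group(1)
            cls = last_source.get(user, "unknown")
            if cls != "mgmt":  # a commit with no preceding mgmt login is also flagged
                alerts.append(("config_change", user, f"commit after {cls} login"))
    return alerts
```

On the sample above, the netops session from the NOC range produces nothing, while the admin logins from the partner and external addresses and the commit that follows the partner login each produce an alert.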