The Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidance aimed at assisting network defenders in fortifying their systems against attacks from the Salt Typhoon Chinese threat group, which previously compromised several major global telecommunications providers this year.

In late October, the U.S. cybersecurity agency, alongside the FBI, confirmed these security breaches, which involved significant broadband providers such as AT&T, T-Mobile, Verizon, and Lumen Technologies. The attackers accessed “private communications” of a “limited number” of government officials, infiltrated the U.S. government’s wiretapping platform, and obtained customer call records and law enforcement request data.

While the exact timeline of the breaches remains unclear, a report from the Wall Street Journal indicated that the hackers had access to the networks for “months or longer,” enabling them to siphon off substantial amounts of “internet traffic” from service providers serving a wide range of businesses and millions of Americans.

A senior CISA official stated, “We cannot say with certainty that the adversary has been evicted,” emphasizing the ongoing efforts to understand the full scope of the threat. In contrast, T-Mobile’s Chief Security Officer mentioned that the attack originated from a connected wireline provider’s network and that there are currently no active threats within their system.

Known by various aliases, including Earth Estries, FamousSparrow, Ghost Emperor, and UNC2286, this threat group has been infiltrating government entities and telecom companies across Southeast Asia since at least 2019. The NSA noted that these attackers tend to exploit exposed services, unpatched devices, and under-secured environments.

The joint advisory, developed with the FBI, NSA, and international partners, provides recommendations for enhancing device and network security. Key suggestions for hardening systems include:

  • Promptly patching and upgrading devices
  • Disabling all unused, unauthenticated, or unencrypted protocols
  • Limiting management connections and privileged accounts
  • Storing passwords securely and using strong cryptography

Network defenders are encouraged to log all configuration changes and management connections, alerting on any unexpected activities to improve visibility at network perimeters. Additionally, monitoring traffic from trusted partners, such as wireline providers, is crucial since T-Mobile’s breach stemmed from a connected provider rather than directly exposed devices.
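As an added illustration of the advisory's logging and alerting advice (not part of the CISA guidance or this post), the following Python script audits constructed, syslog-style management-login and configuration-change records against an assumed policy: management sessions only from allowlisted subnets, only over encrypted protocols, and configuration changes only inside an approved change window. The log format, device name, subnets and window are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in a hypothetical syslog-style format; not from any real device.
SAMPLE_LOGS = [
    "2024-11-04T02:13:05 rtr-edge1 login: user=admin proto=ssh src=10.20.0.15 result=success",
    "2024-11-04T02:14:11 rtr-edge1 config: user=admin change='ip route 0.0.0.0/0 203.0.113.9'",
    "2024-11-04T03:02:40 rtr-edge1 login: user=netops proto=telnet src=10.20.0.16 result=success",
    "2024-11-04T03:05:01 rtr-edge1 login: user=admin proto=ssh src=198.51.100.77 result=success",
    "2024-11-04T03:06:30 rtr-edge1 config: user=admin change='logging host 198.51.100.78'",
]

# Assumed policy: management only from these subnets, only over encrypted protocols,
# and configuration changes only inside an approved change window (hours [01:00, 03:00)).
MGMT_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
ENCRYPTED_PROTOS = {"ssh", "https", "snmpv3"}
CHANGE_WINDOW = (1, 3)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>login|config): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_line(line):
    """Parse one log line into a dict of fields, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {k: v.strip("'") for k, v in KV_RE.findall(m.group("rest"))}
    ev.update(ts=datetime.fromisoformat(m.group("ts")), host=m.group("host"), kind=m.group("kind"))
    return ev

def check_event(ev):
    """Return alert strings for one event: an empty list means nothing unexpected."""
    alerts = []
    if ev["kind"] == "login":
        src = ipaddress.ip_address(ev["src"])
        if not any(src in net for net in MGMT_SUBNETS):
            alerts.append(f"management login from non-allowlisted source {src}")
        if ev["proto"] not in ENCRYPTED_PROTOS:
            alerts.append(f"unencrypted management protocol {ev['proto']}")
    elif not (CHANGE_WINDOW[0] <= ev["ts"].hour < CHANGE_WINDOW[1]):
        alerts.append(f"config change outside change window: {ev['change']}")
    return alerts

def audit(lines):
    """Return (timestamp, host, alert) tuples for every unexpected event in the log."""
    events = (parse_line(l) for l in lines)
    return [(ev["ts"].isoformat(), ev["host"], a) for ev in events if ev for a in check_event(ev)]
```

Run against the sample, the audit flags the telnet session, the login from outside the management subnet, and the configuration change made after the change window closed, while the in-policy login and change produce nothing.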

NSA Cybersecurity Director Dave Luber emphasized the importance of vigilance, stating, “Always have eyes on your systems and patch and address known vulnerabilities before they become targets.”

2W Tech offers comprehensive security solutions designed to combat ransomware attacks effectively. By leveraging advanced cybersecurity tools and practices, 2W Tech assists organizations in safeguarding their systems against potential threats. Our managed security programs include continuous network monitoring, robust data protection measures, and cybersecurity awareness training, all aimed at enhancing an organization’s resilience to ransomware incidents. Moreover, 2W Tech’s expertise in backup and disaster recovery ensures that businesses can quickly restore operations with minimal data loss in the event of an attack. As a Microsoft Tier 1 Cloud Services Partner, 2W Tech also provides cloud-based security solutions that offer scalable protection tailored to the specific needs of each client, ensuring a proactive defense against evolving cybersecurity threats. Give us a call today and let us team up with your business to help keep you safe from ransomware and other cyberattacks.
