Chinese hacking group Salt Typhoon expansion prompts multinational advisory

Pervasive Chinese hacking group Salt Typhoon continues to strike, this time setting its sights on the Netherlands.

Dutch intelligence authorities have confirmed that the cyber actors accessed routers belonging to smaller internet service and hosting providers.

This follows a stark warning from intelligence agencies in more than a dozen countries about the dangers of Salt Typhoon, also known as GhostEmperor, Operator Panda, and RedMike, as well as confirmation that the group has been active in the UK. Experts note that the group’s expansion reflects a troubling pattern of inaction among both public and private sectors when it comes to cybersecurity.

“The fundamental issue here is that key pieces of our critical infrastructure, for example network technologies like core routers, remain far too easy to compromise and gain persistence on,” said David Shipley of Beauceron Security. “China’s rampant success is the bill come due for insecurity-by-design.”

Critical infrastructure, sensitive comms targeted

This week, intelligence agencies in the US, UK, Canada, Australia, New Zealand, Finland, Germany, Italy, Czech Republic, Japan, Poland, Spain, and the Netherlands issued a joint cybersecurity advisory about Salt Typhoon.

The group became notorious after having breached major US telecom and internet service providers (ISPs), including AT&T, Verizon, T-Mobile, Lumen Technologies, Charter, Consolidated, and Windstream Communications in recent months in an attempt to access sensitive communications. They also hacked the US National Guard for 9 months and accessed networks in every state, stealing credentials, personal data, and network diagrams.

Governments have linked the group’s activities to multiple Chinese entities, including those that support the People’s Liberation Army (PLA) and China’s Ministry of State Security (MSS). Global authorities have identified three China-based technology companies behind the campaign that provide “cyber-related” services to intelligence organizations in the country and are part of a wider commercial ecosystem composed of IT companies, data brokers, and hackers for hire.

These advanced persistent threat (APT) actors, as intelligence agencies have chosen to call them, have been active in Canada, Australia, and New Zealand in addition to the US and the UK.

Intelligence agencies in the Netherlands, for their part, emphasized that companies targeted in their region were not large telecommunications providers as they have been elsewhere, and seemed to indicate that the issue was not widespread or as significant as previous attacks. They reported that Salt Typhoon doesn’t seem to have penetrated further into the targeted companies’ networks after accessing their routers.

“The Dutch organizations most likely didn’t receive the same level of attention from the Salt Typhoon hackers as those in the US,” The Netherlands’ Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD) noted in a report.

They added that threat intelligence has been shared with affected companies and “other relevant audiences.”

Ivanti, Palo Alto Networks, Cisco flaws exploited

Salt Typhoon has been active since at least 2021, targeting critical infrastructure in telecom, transportation, government, and military bodies around the globe. Notably, a “cluster of activity” has been observed in the UK, according to the country’s National Cyber Security Centre.

The group has had “considerable success” with “n-days,” or known vulnerabilities that don’t yet have a patch, rather than relying on bespoke malware or on zero-day vulnerabilities (security issues that have yet to be identified by developers). It exploits flaws in network edge devices, including security appliances and routers, as well as in virtual private servers. Notably, the group has targeted flaws in Ivanti Connect Secure and Ivanti Policy Secure; Palo Alto Networks PAN-OS GlobalProtect; and Cisco IOS and IOS XE.

They then take advantage of the compromised devices and trusted or private connections, such as provider-to-provider or provider-to-customer links, to pivot into other networks. Their activity involves “persistent, long-term access” to networks, according to authorities.

Key targets

Specifically, they seem to target:

Passwords, user content, customer records, inventories, device configurations and files, and vendor lists;

Router interfaces;

In-transit network traffic, resource reservation protocol (RSVP) sessions, and border gateway protocol (BGP) routes;

Authentication protocols, including remote authentication dial-in user service (RADIUS), which authorizes and authenticates remote network users;

Management information bases, or databases that manage entities.

“The data stolen through this activity can ultimately provide the Chinese intelligence services the capability to identify and track targets’ communications and movements worldwide,” the UK’s National Cyber Security Centre warned. Therefore, global threat intelligence agencies advise that enterprises perform extensive monitoring of configuration changes, virtualized containers, network services and tunnels, firmware and software integrity, and logs.

Recommendations

Authorities also advise organizations to:

Regularly review network devices, routers, logs and configurations for “unexpected, unapproved, or unusual activity”;

Employ a “robust change management process” that includes periodic auditing of device configurations;

Disable outbound connections from management interfaces;

Change all default administrative credentials;

Require public-key authentication for administrative roles;

Disable password authentication;

Use the vendor-recommended version of the network device operating system and keep it updated.
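The configuration checks the agencies recommend, together with the monitoring of configuration changes urged above, can be automated. The following Python script is an added example, not code from the advisory, the agencies or the article: it audits a constructed IOS-style running configuration for password authentication on SSH, missing public-key authentication, reversible or vendor-default administrative credentials, a default SNMP community and plaintext management access, and reports any drift from an approved baseline. The two configurations, the watchlists of default names and the rule identifiers are all assumptions made for the example; the command strings are representative Cisco IOS/IOS XE syntax used for illustration.

```python
"""Added example, not from the advisory or the article: audit an IOS-style
running configuration against the hardening points above and flag drift from
an approved baseline. All configs and watchlists here are constructed."""
import difflib
import hashlib
import re

# Constructed baseline: what change management approved for this device.
BASELINE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
aaa new-model
username netops privilege 15 secret 9 $9$PLACEHOLDER
ip ssh version 2
ip ssh server authenticate user publickey
no ip ssh server authenticate user password
ip ssh pubkey-chain
 username netops
no ip http server
no ip http secure-server
line vty 0 4
 transport input ssh
 login local
"""

# Constructed "running" config showing the kinds of changes the advisory says to look for.
RUNNING_CONFIG = """\
hostname edge-rtr-01
service password-encryption
aaa new-model
username netops privilege 15 secret 9 $9$PLACEHOLDER
username admin privilege 15 password 7 PLACEHOLDER
ip ssh version 2
ip ssh server authenticate user publickey
ip ssh server authenticate user password
ip ssh pubkey-chain
 username netops
ip http server
snmp-server community public RO
line vty 0 4
 transport input ssh telnet
 login local
"""

# Constructed watchlists of vendor-default names; extend them for your own estate.
DEFAULT_ACCOUNT_NAMES = {"admin", "cisco", "root"}
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}


def normalize(config: str) -> list[str]:
    """Drop blank lines and '!' comments so cosmetic edits do not look like drift."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def config_fingerprint(config: str) -> str:
    """Stable hash of the normalized config, for periodic integrity comparison."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def audit(config: str) -> list[tuple[str, str]]:
    """Return (rule_id, detail) for each hardening recommendation the config fails."""
    lines = normalize(config)
    findings = []
    if "ip ssh server authenticate user password" in lines:
        findings.append(("SSH-PASSWORD-AUTH", "password authentication is enabled for SSH"))
    if "ip ssh server authenticate user publickey" not in lines:
        findings.append(("SSH-NO-PUBKEY", "public-key authentication is not enabled for SSH"))
    for ln in lines:
        user = re.match(r"username (\S+)", ln)  # top-level account definitions only
        if user and re.search(r"\bpassword\b", ln):
            findings.append(("REVERSIBLE-PASSWORD",
                             f"account {user.group(1)} uses 'password' (type 0/7) instead of 'secret'"))
        if user and user.group(1).lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append(("DEFAULT-ACCOUNT", f"vendor-default style account name {user.group(1)}"))
        snmp = re.match(r"snmp-server community (\S+)", ln)
        if snmp and snmp.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(("DEFAULT-SNMP", f"default SNMP community {snmp.group(1)}"))
        transport = re.match(r"\s*transport input (.+)", ln)
        if transport and "telnet" in transport.group(1).split():
            findings.append(("PLAINTEXT-MGMT", "telnet is accepted on vty lines"))
    return findings


def drift(baseline: str, running: str) -> list[str]:
    """Lines added (+) or removed (-) relative to the approved baseline."""
    delta = difflib.unified_diff(normalize(baseline), normalize(running), lineterm="", n=0)
    return [ln for ln in delta
            if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]


if __name__ == "__main__":
    print("fingerprint:", config_fingerprint(RUNNING_CONFIG)[:16], "...")
    for rule, detail in audit(RUNNING_CONFIG):
        print(f"[{rule}] {detail}")
    for change in drift(BASELINE_CONFIG, RUNNING_CONFIG):
        print("drift:", change)
```

Run it periodically against configurations pulled from each device; a changed fingerprint or a non-empty drift list is the “unexpected, unapproved, or unusual activity” the change management process should force someone to explain, and the audit findings map directly to the credential and authentication recommendations above.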

The ‘climate change of tech’

Continued attacks of this magnitude from Salt Typhoon and others come down to a lack of incentives for major networking technology providers to build more robust authentication mechanisms and resiliency, said Beauceron’s Shipley.

The cost to build a more secure digital economy is a bill that enterprises simply aren’t prepared to pay, “until it’s too late,” he noted.

“The internet and corporate networks still behave like we’re in the 1990s,” he said. “It’s not behaving like the vital digital nervous system to the global economy and society.”

“It’s the climate change of tech, a problem too many still don’t value solving, and something that requires the kind of consensus for action that’s almost impossibly elusive,” said Shipley.
