
The ACSC has issued guidance on Salt Typhoon – here’s why telcos should be listening

Cyber Security Strategy

Published by Grant Walsh, CyberCX Industry Lead for Telecommunications, Technology and Media on 6 December 2024

 

When we think about cyber attacks, we often think about chaos and disruption. Systems are locked up and stop working and large quantities of data are stolen and advertised on the dark web for a ransom.

These attacks are designed to be noticed. After all, as we tell our clients: cyber criminals will deploy harm maximisation tactics to exert as much pressure as possible on their victim to pay an extortion demand.

But this week, the Australian Cyber Security Centre (ACSC) – and partner organisations around the world – shone a light on another type of attack that can be even more serious: cyber espionage.

 

What happened this week

On Wednesday, the ACSC issued guidance for telecommunications providers around best practices for enhancing visibility of their networks and hardening devices against Chinese state-affiliated and other malicious cyber actors. Similar guidance was issued by partner agencies in the US, New Zealand and Canada.

This is a positive step by the ACSC and is encouraging to see. In March, the Australian and New Zealand governments joined international partners to warn about the “critical business risk” posed by a Chinese nation-state actor associated with a separate campaign called ‘Volt Typhoon’ which is also known to be targeting critical infrastructure.

CyberCX wrote about this in March – Calm before a brewing storm: Managing cyber risk in the era of Volt Typhoon.

  • In this blog, we provide an overview of our rapid threat assessment process for critical infrastructure, or RAPTOR service, designed for the critical infrastructure sector to combat sophisticated threat actors.

 

Cyber espionage and ‘Salt Typhoon’

While the ACSC didn’t name them, this guidance was issued in response to a group called ‘Salt Typhoon’ – a Chinese-affiliated group of cyber espionage hackers who have caused increasing concern among the US government and the telco sector.

In fact, the Washington Post reported this week that despite finding Salt Typhoon in American telco networks, US officials warned in a downbeat press briefing that they have not yet been able to expel the group, giving no firm timeline for securing impacted carriers.

What is particularly alarming for US officials is that ‘Salt Typhoon’ have gone after and potentially captured highly sensitive interception and surveillance data meant for security agencies. This data could be about individuals who are of national security or foreign intelligence concern, or individuals who have sensitive roles in government, international affairs and politics. Such information is highly valuable to the Chinese Ministry of State Security (MSS).

Volt Typhoon and Salt Typhoon are names that security agencies and the cyber security industry use to refer to advanced persistent threat actors, or ‘APTs’.

These kinds of threat actors aren’t seeking immediate financial gain, like a ransomware payment. Instead, they want access to the sensitive core components of critical infrastructure, like telecommunications, for espionage or even destructive purposes.

That means their attacks are not about locking up systems and extracting fast profits like many of the cyber incidents we read about in the media. Instead, these are covert, state-sponsored cyber espionage campaigns that use hard-to-detect techniques to get inside critical infrastructure and stay there, potentially for years, waiting to steal sensitive data or even disrupt or destroy assets in the event of future conflict with Australia.

 

Salt Typhoon in Australia

To be clear, while Salt Typhoon has been observed in US telco networks, there is not yet any public evidence the group is active in Australia. However, it’s unlikely the ACSC – and partner agencies – would issue such detailed guidance if the threat was not real.

Australian telco networks have invested significantly in some of the most mature cyber defences in Australia. But the global threat landscape is deteriorating. Telecommunications networks are a key target for persistent and highly-capable state-based cyber espionage groups, particularly those associated with China.

 

What Australian telcos can do

For starters, read the ACSC guidance carefully.

For both network engineers and network defenders, the ACSC steps out tangible measures that organisations can take to strengthen their visibility with enhanced monitoring, as well as protocols and management processes. There’s also specific guidance from Cisco in relation to its systems.

A raft of cyber reforms passed the Australian Parliament last week, and these have clear implications for telcos. The most relevant is that the reforms bring existing Telecommunications Sector Security Reforms (TSSR) into line with the Security of Critical Infrastructure (SOCI) Act – effectively expanding SOCI to cover telcos.

Telco and critical infrastructure security teams would be wise to familiarise themselves with these reforms and what they mean for their organisation. I’ve previously published a blog on what the cyber reforms mean for telcos.

 

More broadly, this increased willingness from the ACSC and partner agencies to take a more forward-leaning approach to calling out advanced, persistent cyber espionage campaigns targeting critical infrastructure should be welcomed.

Taken together with the cyber reforms around TSSR and SOCI, this shows the government is acutely aware of the role telecommunications plays within our wider security ecosystem and the need to ensure that telcos have the best possible defences that evolve in line with a deteriorating threat landscape.

Above all else, this is a timely reminder that nation states are increasingly turning towards cyber espionage, and telecommunications providers – despite significant cyber investments – are priority-one targets.

 
