A cyberattack by the Chinese cyber espionage threat group Salt Typhoon that came to light in October continues to make headlines. The FBI has now issued a warning to all Americans to switch to encrypted messaging apps and stop sending SMS texts.
Why the FBI does not want you to send SMS messages
In early December, the FBI began spreading the word among United States media. The message was simple: “Stop using SMS texts and switch to encryption.”
This FBI communication is the latest of a string of official communications related to the Salt Typhoon hack against American telecommunications companies and the US government wiretapping system.
Salt Typhoon, a Chinese threat group that specializes in cyber espionage, breached Verizon, AT&T, Lumen Technologies, and other mobile carriers, compromising civilian, government, military, and law enforcement communications.
A hack so sophisticated no one knows exactly what happened
The Salt Typhoon hack is so sophisticated that it is currently not known when the Chinese threat actors first breached the environment.
Some reports claim that Salt Typhoon could have spent 2 years undetected in the American telecommunications systems before the hack came to light.
It is believed that the main objective of this large-scale operation was to gain illegal access to the US federal wiretapping system. Local police, federal law enforcement, and intelligence agencies like the NSA, working with US courts, operate wiretapping and communication surveillance systems that are hardwired into telcos’ servers.
It is also unknown exactly what the Salt Typhoon hackers did once inside these systems. They may have exfiltrated user data by the millions, installed backdoors to regain access later when needed, or modified system components, to name just a few possibilities.
The government of China denied any participation in the incident and described it as “disinformation.”
How serious is the Salt Typhoon threat to the average American user?
Given all the serious news about this attack, it is fair for any American to have questions. But should they panic? Should Americans feel that they are being spied on by China? The short answer is no.
The idea that a threat group like Salt Typhoon performed this hack to target ordinary Americans is a big stretch from the group’s established modus operandi.
Salt Typhoon selects its targets with precision and breaches infrastructure through complex exploitation chains. These techniques are the hallmark of digital espionage groups.
Advanced cyber espionage groups usually target high-value individuals, typically politicians, business leaders, lawmakers, and public figures.
Evidence of this is the recent hack on President Trump’s iPhone, an incident which the FBI believes is connected to this Salt Typhoon hack.
Like any foreign cyber espionage group, Salt Typhoon gathers intelligence and lays the groundwork for future operations. Their objectives are disruption and deception. Their endgame? To gain as much leverage as possible for negotiations on the international stage.
All this is evidence that groups like Salt Typhoon are not interested in conducting individual end-user cyberattacks, although they might be interested in population metadata in general.
More Salt Typhoon and Typhoon family cyberattacks are highly likely.
Just tell me, are SMS texts safe?
In theory, any and all SMS messages can be intercepted. This can be done through a wide range of techniques, for example via spyware or variants of man-in-the-middle attacks.
A message sent over an end-to-end encrypted application can also be intercepted by hackers using various techniques. The big difference is that an intercepted end-to-end encrypted message cannot be read, because the keys needed to decrypt it exist only on the two endpoints.
This is the reason why the FBI recommends that users use encrypted applications instead of SMS.
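The contrast above, worked through in code: an added example, not code from the article or from any messaging app. It assumes only the Go standard library, uses X25519 key agreement plus AES-256-GCM as a stand-in for a real messaging protocol, and shows that whoever relays the sealed message sees only ciphertext and cannot alter it undetected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sealed is all the carrier, or anyone tapping it, ever sees: nonce and ciphertext.
type Sealed struct{ Nonce, Ciphertext []byte }

// NewSession derives an AES-256-GCM session from an X25519 agreement. Hashing
// the shared secret with SHA-256 stands in for a real KDF such as HKDF here.
func NewSession(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts one message with a fresh random nonce; the GCM tag lets Open
// detect any modification made in transit.
func Seal(s cipher.AEAD, plaintext []byte) (Sealed, error) {
	nonce := make([]byte, s.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: s.Seal(nil, nonce, plaintext, nil)}, nil
}
// Open decrypts and verifies; a wrong key or a modified byte returns an error.
func Open(s cipher.AEAD, m Sealed) ([]byte, error) {
	return s.Open(nil, m.Nonce, m.Ciphertext, nil)
}
func main() {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sA, _ := NewSession(alice, bob.PublicKey())
	sB, _ := NewSession(bob, alice.PublicKey())
	msg, _ := Seal(sA, []byte("constructed sample text")) // constructed sample message
	pt, err := Open(sB, msg)
	fmt.Printf("recipient reads %q (err=%v); carrier saw only %x\n", pt, err, msg.Ciphertext)
}
```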
Recommendations for developers and cybersecurity experts
If you work in the telecom industry or any sector affected by the Salt Typhoon cyberattack, a more serious approach is necessary.
The FBI and CISA have issued a technical guide for this specific case, aimed at the telecommunications industry and its partners. This guide lists the best practices and approaches the industry should take to make sure its infrastructure is secure.
At this point, the Salt Typhoon hack is a poker game where the cards have been dealt but not yet put on the table. The bottom line is that no one knows what cards the Salt Typhoon hackers are holding, so everyone should plan for the worst and hope for the best.
The hydra that is the Chinese Typhoon family
Interestingly, Salt Typhoon is but one of many within a larger family of Typhoon threat groups, all of which are linked to China. Like the mythical hydra, when one head is cut off, two grow back.
Microsoft’s list of Typhoon groups includes Charcoal Typhoon, Circle Typhoon, Cinnamon Tempest, Citrine Sleet, Volt Typhoon, Flax Typhoon, Salmon Typhoon, Salt Typhoon, and many others. All of these are typically associated with China and classified as advanced persistent threats (APTs).
Volt Typhoon, for example, was recently linked by US federal authorities to a decade-spanning, persistent cyber espionage campaign against American critical infrastructure (government, health, water, energy, etc.). The Volt Typhoon hack on critical infrastructure shares similarities with the Salt Typhoon hack.
Both are highly sophisticated and complex hacks to perform, the full extent of which is unknown, and both attacks targeted services critical for civilian populations and the government.
More importantly, neither of these attacks has, to date, resulted in major disruptions, malware distribution, or damages. Why?
Why would threat groups infiltrate critical infrastructure sectors like water, energy, and telecommunications and not demand ransom, distribute malware, leak data of hundreds of millions, or shut down basic services?
Evidently, the end goal of these groups is intelligence gathering, targeted attacks when necessary, and the establishment of potential backdoors into critical systems for later use — if geopolitical tensions escalate.
Notably, CISA and the FBI responded similarly to both attacks, issuing a guide for the critical infrastructure sector as well. That guide is also an extremely valuable asset and a first step in the right direction, helping cybersecurity experts operate safer IT-OT environments.
Final thoughts
While it is unlikely for an average end user to be targeted by a group like Salt Typhoon, it isn’t impossible. Additionally, reports say that the group exfiltrated the metadata of millions of Americans.
Therefore, the FBI’s call to use encryption apps is a valid one and is noteworthy to all users, especially those connected to the ever-changing world of geopolitical tensions and conflicts.
The most affected sectors in this incident include the government, law enforcement, the court systems, intelligence agencies, and the telecom industry.
These sectors are already working together to make sure the infrastructure used by the people is secure. Their work is now focused on strengthening their posture and monitoring their networks while deploying new tools and best practices.
Each cyberattack leaves a lesson. In this case, the attack reveals the vulnerabilities of international telecommunications systems, exacerbated by a lack of modernization. The Volt Typhoon attacks also leave us with the same lesson. Fortunately, remediating these vulnerabilities is possible.