Aftermath of Salt Typhoon cyberattack: How to secure U.S. telecom networks?

Salt Typhoon Attack: On December 4, 2024, a top U.S. security agency representative confirmed reports that foreign actors, state-sponsored by the People’s Republic of China, infiltrated at least eight U.S. communications companies, compromising sensitive systems and exposing vulnerabilities in critical telecommunications infrastructure. This was part of a massive espionage campaign that has affected dozens of countries. Salt Typhoon has targeted telcos in dozens of countries for upward of two years, officials added.

Dated legacy network equipment and years of mergers and acquisitions are likely impeding the ability of telecommunications providers to prevent China inspired cyber-attacks. Until telecom operators fully secure their networks, China will keep finding ways to come back in, officials have warned.

  • On Thursday, FCC chair Jessica Rosenworcel proposed a new annual certification requirement for telecom companies to prove they have an up-to-date cybersecurity risk management plan. More below.
  • Senior Cybersecurity and Infrastructure Security Agency and FBI officials confirmed Tuesday that U.S. telcos are still struggling to keep the China-backed hackers out of their networks — and they have no timeline for when total eviction is possible.

FCC Chair Jessica Rosenworcel suggested ‘telecom carriers’ raise their network security methods and procedures: “The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Rosenworcel. “As technology continues to advance, so does the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses. “While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”

Rosenworcel’s plan is to make U.S. telcos submit some kind of annual certification to the FCC, proving their cybersecurity measures are up to scratch. The clear inference from the attack itself and all the subsequent attempts to shut the stable door after the horse has bolted is that those efforts currently fall short of the mark. Understandably, none of the specific deficiencies have been publicly detailed.

These proposed FCC measures have been made available to the five members of the Commission. They may choose to vote on them at any moment. If adopted, the Declaratory Ruling would take effect immediately. The Notice of Proposed Rulemaking, if adopted, would open for public comment the cybersecurity compliance framework, which is part of a broader effort to secure the nation’s communications infrastructure.

The FCC press release refers to a recent WSJ report based on an unpublished briefing from U.S. national security adviser Anne Neuberger, in which she detailed the scale of the Salt Typhoon attack. “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” she was quoted as saying.

Illustration: Sarah Grillo/Axios

……………………………………………………………………………………………………………………………

Legacy network equipment and years of acquisitions have made it particularly difficult for telcos to patch every access point on their networks, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.

  • Many of the systems in question are nearly 50 years old — like landline systems — and they were “never meant for the type of sensitive data and reliance that we have on them right now,” he said.
  • During an acquisition, a company could also miss a server when taking stock of all its newly acquired equipment, Steinhauer said. Network engineers are often inundated with security alerts that are hard to prioritize, he added.
  • U.S. telecommunications carriers are required to provide a way for law enforcement to wiretap calls as needed — providing another entry point for adversaries.

Many of the security problems telcos face require simple fixes, like implementing multifactor authentication or maintaining activity logs.

  • Even CISA’s recent guidance for securing networks focuses on the security basics.
  • But to keep China out, telcos would have to make sure that every device — including their legacy physical equipment, online servers and employees’ computers — is patched.

Most high-profile cyberattacks across industries come down to the basics: a compute server that didn’t have multifactor authentication turned on or an employee who was tricked into sharing their password.  Even if a company invests all of its resources in cybersecurity, it may not be enough to fend off a sophisticated nation-state like China.

  • These actors are skilled at covering their tracks: They could delete activity logs, pose as legitimate users, and route their traffic through compromised computers in the U.S. so they aren’t detected.
  • “You’ve got a persistent, motivated attacker with vast resources to poke and prod until they get in,” Mr. Steinhauer said.

References:

https://docs.fcc.gov/public/attachments/DOC-408015A1.pdf

https://www.axios.com/2024/12/06/telecom-cybersecurity-china-hack-us

https://www.wsj.com/politics/national-security/dozens-of-countries-hit-in-chinese-telecom-hacking-campaign-top-u-s-official-says-2a3a5cca

https://www.cisa.gov/resources-tools/resources/enhanced-visibility-and-hardening-guidance-communications-infrastructure

WSJ: T-Mobile hacked by cyber-espionage group linked to Chinese Intelligence agency

China backed Volt Typhoon has “pre-positioned” malware to disrupt U.S. critical infrastructure networks “on a scale greater than ever before”

WSJ: T-Mobile hacked by cyber-espionage group linked to Chinese Intelligence agency

According to the Wall Street Journal, T-Mobile’s network was hacked in a damaging Chinese cyber-espionage operation that successfully gained entry into multiple U.S. and international telecommunications companies.

Hackers linked to a Chinese intelligence agency were able to breach T-Mobile as part of monthslong campaign to spy on the cellphone communications of high-value intelligence targets. It is unclear what information, if any, was taken about T-Mobile customers’ calls and communications records.

“T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a company spokeswoman said. “We will continue to monitor this closely, working with industry peers and the relevant authorities.”

The compromise of T-Mobile expands the list of known victims of a cyber-espionage campaign by Chinese hackers—dubbed Salt Typhoon—that some U.S. officials consider to be historic and catastrophic in scope and severity. The WSJ had reported in October that AT&T, Verizon and Lumen Technologies were among the telecom companies that suffered an intrusion.  The widespread compromise is considered a potentially catastrophic security breach. It appeared to be geared toward intelligence collection, people familiar with the matter said.

China’s multipronged spying operations have drawn warnings in the U.S. about their economic implications. Photo: Andy Wong/Associated Press

…………………………………………………………………………………………………………………………………………………………………………..

Salt Typhoon used sophisticated methods to infiltrate American telecom infrastructure through vulnerabilities including Cisco Systems routers, and investigators suspect the hackers relied on artificial intelligence or machine learning to further their espionage operations , people familiar with the matter said. The attackers penetrated at least some of that infrastructure over eight months or more.

In the broader hacking campaign, attackers were able to access cellphone lines used by an array of senior national security and policy officials across the U.S. government, in addition to politicians. The access allowed them to scoop up call logs, unencrypted texts and some audio from targets, in what investigators believe may have significant national-security ramifications.

Additionally, the hackers were able to access information from systems maintained by the carriers to comply with U.S. surveillance requests, raising further counterintelligence concerns. Investigators are still endeavoring to fully understand and have said the attack was carried out by the Salt Typhoon group. At Lumen, which doesn’t provide wireless service, the attackers didn’t steal any customer data or access its wiretap capabilities, according to people familiar with the matter.

Further investigation has revealed that the hackers sought access to data managed under U.S. law enforcement programs, including those governed by the Foreign Intelligence Surveillance Act (FISA).  This act authorizes American intelligence agencies to monitor suspected foreign agents’ communications. By targeting these programs, Chinese hackers may have aimed to infiltrate sensitive government communications channels, gaining insights into U.S. surveillance efforts.

Some foreign telecommunications firms were also compromised in the hacks, including in countries that maintain close intelligence-sharing partnerships with the U.S., people familiar with the matter said.  Earlier this week, the Biden administration acknowledged in a public statement some details about the nature of the “broad and significant” hack that were previously reported by the WSJ.

Chinese government-linked hackers had compromised networks at multiple telecommunications companies “to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders,” the statement from the FBI and Cybersecurity and Infrastructure Security Agency (CISA) said.  “We expect our understanding of these compromises to grow as the investigation continues,” they added.

References:

https://www.wsj.com/politics/national-security/t-mobile-hacked-in-massive-chinese-breach-of-telecom-networks-4b2d7f92

https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b

https://www.newsweek.com/fbi-chinese-cyber-espionage-multiple-telecom-networks-1985617

China backed Volt Typhoon has “pre-positioned” malware to disrupt U.S. critical infrastructure networks “on a scale greater than ever before”

FBI and MI5 Chiefs Issue Joint Warning: Chinese Cyber Espionage on Tech & Telecom Firms

Cybersecurity threats in telecoms require protection of network infrastructure and availability

FT: A global satellite blackout is a real threat; how to counter a cyber-attack?

Demythifying Cyber security: IEEE ComSocSCV April 19th Meeting Summary

StrandConsult Analysis: European Commission second 5G Cybersecurity Toolbox report

Cisco to lay off more than 4,000 as it shifts focus to AI and Cybersecurity

 

Frontier Communications recovering from unknown cyberattack!

Frontier Communications provides fiber optic based gigabit Internet access to millions of consumers and businesses across 25 states.  Frontier Communications said on Thursday that it’s ‘experiencing technical issues with our internal support platforms.’  ​Frontier’s mobile apps are also down, with the same warning message being displayed after launching the application. A company representative did not respond to questions about the situation.

The Texas-based telecommunications company reported a cyberattack to the Securities and Exchange Commission (SEC) on Thursday.  Frontier said it detected unauthorized access to its IT systems on April 14th and began instituting “containment measures” that included “shutting down certain of the Company’s systems.” The shutdowns caused operational disruption that the company said “could be considered material.”

“Based on the Company’s investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information,” the company said in the SEC filing.

“As of the date of this filing, the Company believes it has contained the incident and has restored its core information technology environment and is in the process of restoring normal business operations.  Based on the company’s investigation, it has determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information,” the company said.

Investigations into the incident are ongoing and they have hired cybersecurity experts to help with the incident. Law enforcement agencies have been notified.

Despite saying that the shutdowns could be considered material, Frontier later wrote that it “does not believe the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

According to Leichtman Research Group, Frontier is the seventh largest broadband Internet supplier in the US, with almost 3 million customers. The company’s copper and fiber network stretches across large portions of the East and West Coasts.

Light Reading reported on Thursday of warnings from Frontier. “We’re experiencing technical issues with our internal support platforms,” said a message on the company’s website homepage. “Our residential and business networks are not affected by this issue. In the meantime, please call for assistance.”

……………………………………………………………………………………………………………………………

Last week, AT&T reported that more than 51 million people were affected by a recently-disclosed data breach that included troves of customer information including Social Security numbers, AT&T account numbers and AT&T passcodes.

EchoStar’s Dish Network last year reported a “cybersecurity incident” that impacted its ability to install services, take payments and provide customer care for several weeks.

Fierce reported this week about an intentional cable cut in AT&T’s network that interrupted services at Sacramento Airport.

……………………………………………………………………………………………………………………..

The Federal Communications Commission (FCC) updated its data breach rules for the first time in 16 years in December, expanding regulations on how telecommunication companies report cybersecurity incidents.  FCC Chairwoman Jessica Rosenworcel argued that the rules the agency created more than 15 years ago are no longer compatible with a modern world where telecommunication carriers have access to a “treasure trove of data about who we are, where we have traveled, and who we have talked to.”

References:

https://therecord.media/telecom-giant-frontier-cyberattack-sec

https://www.sec.gov/ix?doc=/Archives/edgar/data/20520/000119312524100764/d784189d8k.htm

https://www.bleepingcomputer.com/news/security/frontier-communications-shuts-down-systems-after-cyberattack/

https://www.lightreading.com/security/frontier-we-were-probably-hacked

China backed Volt Typhoon has “pre-positioned” malware to disrupt U.S. critical infrastructure networks “on a scale greater than ever before”

On Sunday, FBI Director Christopher Wray said Beijing’s efforts to covertly plant offensive malware inside U.S. critical infrastructure networks [1.] is now at “a scale greater than we’d seen before,” an issue he has deemed a defining national security threat.  He said that China backed Volt Typhoon was pre-positioning malware that could be triggered at any moment to disrupt U.S. critical infrastructure.  “It’s the tip of the iceberg…it’s one of many such efforts by the Chinese,” he said on the sidelines of the security conference.

Wray had earlier told conference delegates, that China was increasingly inserting “offensive weapons within our critical infrastructure poised to attack whenever Beijing decides the time is right.”  The FBI chief said the U.S. is particularly focused on the threat of pre-positioning, which some European officials have described as the cyber equivalent of pointing a ballistic missile at critical infrastructure.  “Those attacks are now being amplified by artificial intelligence tools.  The word ‘force multiplier’ is not really enough,” Wray added.

Note 1. The FBI Director declined to elaborate on what other critical infrastructure had been targeted, stressing that the Bureau had “a lot of work under way.”

Image Credits: imaginima / Getty Images

Machine learning translation has helped Chinese security operatives to more plausibly recruit assets, steal secrets and rapidly process more of the information they are collecting, the Wray said.   “They already have built economic espionage and theft of personal and corporate data as a kind of a bedrock of their economic strategy and are eagerly pursuing AI advancements to try to accelerate that process,” Wray added.

FBI Director Christopher Wray PHOTO: KEVIN DIETSCH/GETTY IMAGES

……………………………………………………………………………………………………………………………

Western intelligence officials say China’s scale and sophistication of cyberattacks has accelerated over the past decade. Officials have grown particularly alarmed at Beijing’s interest in infiltrating U.S. critical infrastructure networks, planting malware inside U.S. computer systems responsible for everything from safe drinking water to aviation traffic so it could detonate, at a moment’s notice, damaging cyberattacks during a conflict.

In California, Wray met with counterparts from the Five Eyes intelligence community—which encompasses the U.S., Australia, New Zealand, Canada and the U.K.—to share respective strategies for cyber defense.  He has also traveled to Malaysia and India to discuss China’s hacking campaign with authorities in both countries.

“I am seeing more from Europe,” he said. “We’re laser focused on this as a real threat and we’re working with a lot of partners to try to identify it, anticipate it and disrupt it.”

The Netherlands’ spy agencies said earlier this month that Chinese hackers had used malware to gain access to a Dutch military network last year. The agency, considered to have one of Europe’s top cyber capabilities, said it made the rare disclosure to show the scale of the threat and reduce the stigma of being targeted so allied governments can better pool knowledge.

A report released this month by agencies including the FBI, the Cybersecurity and Infrastructure Agency and the National Security Agency said Volt Typhoon hackers had maintained access in some U.S. networks for five or more years, and while it targeted only U.S. infrastructure directly, the infiltration was likely to have affected “Five Eyes” allies.

Author’s Note:

This author is very disappointed that the U.S.. Five Eyes and European agencies chartered with combating cybercrime  have done so little to prevent cyber attacks on “critical infrastructure,” especially since Volt Typhoon has been doing so for at least five years according to the referenced January 2024 report.
Recall all the rah-rah talk 11 or 12 years ago about “Smart Grid,” which was supposed to make U.S. electrical grid infrastructure super-secure, resilient, and able to quickly recover from power failures and cyber attacks! Here we are in 2024, where none of that has happened, despite many IEEE, IEC, NTIA, and ETSI Smart Grid initiatives, specifications, and standards.  Hence, our critical infrastructure is at risk of cyber attacks by Volt Typhoon and other bad actors.
There’s even talk of US electric utilities buying and installing China made power transformers that have a back door as per this article.

……………………………………………………………………………………………………………………………

Volt Typhoonthe China-sponsored hacking group, has been targeting U.S. critical infrastructure, including satellite and emergency management services and electric utilities, according to a new report from the industrial cybersecurity firm Dragos.  That report outlines how the notorious hacking group is positioning themselves to have disruptive or destructive impacts on critical infrastructure in the U.S.

Robert M. Lee, founder and CEO of Dragos, warned during a media briefing that Volt Typhoon is not an opportunistic group, but is instead targeting specific sites that assist U.S. adversaries “trying to hurt or cripple U.S. infrastructure.  It’s hitting the specific electric and satellite communication providers that would be important for disrupting major portions of the U.S. electric infrastructure,” Lee added.

The report comes shortly after the National Security Agency, FBI, and Cybersecurity and Infrastructure Security Agency, revealed that Volt Typhoon has been in some critical infrastructure networks for at least five years. That alert warned of Volt Typhoon operations that targeted the aviation, railways, mass transit, highway, maritime, pipeline, and water and sewage sectors.

……………………………………………………………………………………………………………………………………………………………………………………………………………………………………

The NSA, CISA and FBI said in a joint advisory report that Volt Typhoon has been burrowing into the networks of aviation, rail, mass transit, highway, maritime, pipeline, water and sewage organizations — none of which were named — in a bid to pre-position themselves for destructive cyberattacks, published on February 7th.  The release of the advisory, which was co-signed by cybersecurity agencies in the United Kingdom, Australia, Canada and New Zealand, comes a week after a similar warning from FBI Director Christopher Wray. Speaking during a U.S. House of Representatives committee hearing on cyber threats posed by China, Wray described Volt Typhoon as “the defining threat of our generation” and said the group’s aim is to “disrupt our military’s ability to mobilize” in the early stages of an anticipated conflict over Taiwan, which China claims as its territory.

According to Wednesday’s technical advisory, Volt Typhoon has been exploiting vulnerabilities in routers, firewalls and VPNs to gain initial access to critical infrastructure across the country. The China-backed hackers typically leveraged stolen administrator credentials to maintain access to these systems, according to the advisory, and in some cases, they have maintained access for “at least five years.”

This access enabled the state-backed hackers to carry out potential disruptions such as “manipulating heating, ventilation, and air conditioning (HVAC) systems in server rooms or disrupting critical energy and water controls, leading to significant infrastructure failures,” the advisory warned. In some cases, Volt Typhoon hackers had the capability to access camera surveillance systems at critical infrastructure facilities — though it’s not clear if they did.

Volt Typhoon also used living-off-the-land techniques, whereby attackers use legitimate tools and features already present in the target system, to maintain long-term, undiscovered persistence. The hackers also conducted “extensive pre-compromise reconnaissance” in a bid to avoid detection. “For example, in some instances, Volt Typhoon actors may have abstained from using compromised credentials outside of normal working hours to avoid triggering security alerts on abnormal account activities,” the advisory said.

Earlier this year, the FBI and U.S. Department of Justice announced that they had disrupted the “KV Botnet” run by Volt Typhoon that had compromised hundreds of U.S.-based routers for small businesses and home offices. The FBI said it was able to remove the malware from the hijacked routers and sever their connection to the Chinese state-sponsored hackers.

According to a May 2023 report published by Microsoft, Volt Typhoon has been targeting and breaching U.S. critical infrastructure since at least mid-2021.

……………………………………………………………………………………………………………………………………………………………………………………………………………………………..

References:

https://www.wsj.com/politics/national-security/u-s-disables-chinese-hacking-operation-that-targeted-critical-infrastructure-184bb407

Volt Typhoon targeted emergency management services, per report

https://www.wsj.com/politics/national-security/fbi-director-says-china-cyberattacks-on-u-s-infrastructure-now-at-unprecedented-scale-c8de5983

China-backed Volt Typhoon hackers have lurked inside US critical infrastructure for ‘at least five years’

https://www.wsj.com/articles/wave-of-stealthy-china-cyberattacks-hits-u-s-private-networks-google-says-2f98eaed

US disrupts China-backed hacking operation amid warning of threat to American infrastructure

https://www.controlglobal.com/home/blog/11293192/information-technology

StrandConsult Analysis: European Commission second 5G Cybersecurity Toolbox report

by John Strand, StandConsult (edited by Alan J Weissberger)

European Commissioner Thierry Breton presented the European Commission’s plan for banning High-Risk Suppliers like Huawei and ZTE from European telecommunications networks.  Here is the first portion:

The security of 5G networks is essential. They are critical infrastructures in their own right and for other sectors that depend on them, such as energy, transport, health and finance.

This is why, in January 2020, the EU unanimously adopted a toolbox on the security of 5G networks. The “5G cybersecurity toolbox” defined the risks and the measures to be taken by Member States and telecoms operators to address them.

In particular, it recommended that the use of equipment in the core and access (RAN) parts of the networks should be restricted or prohibited for entities considered to be “high-risk suppliers”, notably because they are subject to highly intrusive third-country laws on national intelligence and data security.

3 years on, almost all Member States have transposed the toolkit’s recommendations into their national law. In other words, they can now decide to restrict or exclude suppliers on the basis of security risk analysis. But to date, only 10 of them have used these prerogatives to restrict or exclude high-risk vendors.

……………………………………………………………………………………………………………………………………………..

The Commission also released a status report on “Member States’ Progress in implementing the EU Toolbox on 5G Cybersecurity.”

Breton’s message is that the member must move more quickly to implement the 5G toolbox.

Image Credit:  European Union

Here are Breton’s key points with Strand Consult’s assessment (SC):

  1. All EU member states are committed to implementing the EU´s 5G Toolbox. To date, 24 Member States have adopted or are preparing legislative measures giving national authorities the powers to perform an assessment of suppliers and issue restrictions.
    • SC: This means that all EU countries support the 5G Toolbox, the implement of which will work to remove Huawei and ZTE from European networks.
  2. 10 Member States have imposed such restrictions, and an additional 3 Member States have relevant national legislation underway.
  3. The Commission considers that decisions adopted by Member States to restrict or exclude Huawei and ZTE from 5G networks are justified and compliant with the 5G Toolbox.
  4. The Commission will take measures to avoid conducting its official communications via mobile networks built with Huawei and ZTE equipment.
  5. The Commission also intends to reflect this decision in all relevant EU funding programs and instruments.
    • SC: The EU will further restrict grants, subsidies, and financing to European entities which use Huawei and ZTE equipment. This will have consequences for rural EU operators which receive EU money and recipients of European Investment Bank (EIB) loans.

Strand Consult is not surprised by today’s announcements. They are consistent with the security analyses and recommendations Strand Consult has published for years.

Some EU countries and operators will find it difficult to implement the EU’s new security and procurement policy. However Strand Consult believes that it is good business for an operator communication that it takes security seriously and backs it up with a clean network free of Huawei and ZTE equipment.

Strand Consult predicts that Huawei will make the road ahead difficult and will attempt to sabotage the European Commission’s efforts. Nations and operators should prepare for pushback by reading Strand Consult’s reports on Huawei’s tactics. Moreover, non-Chinese employees will likely find that working for Huawei has reputational risks.

How foreign network equipment is treated in China.

The foundation of any economy, be it the EU, the US or China, is national security. Some may find the EU approach tough, but it pales in comparison the blockade that China has imposed on foreign technology providers for years.

China restricts these technologies for ideological and economic reasons. Most people take for granted that the websites and media they access everyday are not available in China. These foreign technologies and their operators have been denied access to the world’s single largest online market, hundreds of millions of internet users, and a multi-trillion-dollar opportunity. Moreover, the Chinese people are denied to freedom to engage on an open internet.

Building upon censorship frameworks in traditional media which had been in place for decades in China, its State Council adopted rules and regulations to control internet traffic beginning in 1996.

The media focuses mainly on US and EU network security and associated vendor policies. However few if any investigate the rules in China.

A detailed review is available from White & Chase, February 2022. In general, China’s rules are significantly more rigid than those of the US and EU. These rules do not entail the same process and transparency which are standard and expected in the West.

The New Measures list the following main factors for assessing national security risk during cybersecurity review.

  • The risk of any critical information infrastructure being illegally controlled, tampered with or sabotaged after any product or service is used.
  • The risk of an interruption in the supply of any product or service endangering the continuity of any critical information infrastructure.
  • The security, openness, transparency, diversity of sources and reliability of any supply channel of any product or service, and the risk of its supply being interrupted due to political, diplomatic, trade or other factors.
  • The compliance of the provider of any product or service with the laws, administrative regulations, and departmental rules of China.
  • The risk of any core data, important data or a large amount of personal information being stolen, leaked, destroyed, illegally used, or illegally transferred abroad.
  • The risk of any critical information infrastructure, core data, important data, or a large amount of personal information being affected, controlled, or maliciously used by foreign governments, as well as any network information security risk.
  • Any other factor that may endanger the security of any critical information infrastructure, network security or data security.

The effect of these rules is to limit foreign providers from the market from the start and to favor Chinese providers.

While the media sensationalizes cases like Huawei and TikTok, these pale in comparison to the systematic restriction undertaken by China against foreign technology for the last 20 years. Moreover, Chinese technology companies enjoy more freedom abroad than foreign technologies do in China.

Conclusions:

Technological and informational control and restriction are widely practiced across China. This fulfills many political, social, cultural, economic, and religious objectives for the PRC,and is practiced by the government, corporations, and individual themselves. It has increased under General Secretary Xi. This Censorship is coupled with pervasive surveillance of people. Meanwhile PRC has attempted to export this “new world media order.”

Strand Consult addresses Chinas restrictions in its 2020 report You Are Not Welcome: An Analysis of Thousands Foreign Technology Companies Blocked by China Since 1996. It describes how and why China has systematically restricted thousands of foreign internet technologies like online news and media outlets, social media platforms, virtual private networks, content delivery networks, mobile applications, telecommunications equipment, cloud services, and other technologies.

With its new 2023 report The Market for 5G RAN in Europe: Share of Chinese and Non-Chinese Vendors in 31 European Countries, Strand Consult brings valuable evidence of the location, amount, and share of Chinese and non-Chinese equipment in European telecom networks. This report, the second of its kind, describes the respective amounts of 5G equipment from Huawei, ZTE, and non-Chinese vendors in European mobile networks and the share of such in equipment in the 5G Radio Access Network (RAN).

References:

https://ec.europa.eu/commission/presscorner/detail/en/statement_23_3312

StrandConsult: 2022 Year in Review & 2023 Outlook for Telecom Industry

IEEE ComSoc/SCU SoE March 22, 2022 event: OpenRAN and Private 5G – New Opportunities and Challenges.  Video: https://www.youtube.com/watch?v=i7QUyhjxpzE

Strand Consult: Open RAN hype vs reality leaves many questions unanswered

O-RAN Alliance tries to allay concerns; Strand Consult disagrees!

 

IoT Sensor Standards Are Absolutely Essential for Security

By Logan Kugler (edited by Alan J Weissberger)

Companies making and using IoT sensors can have a high degree of confidence their technology uses the best security features and practices if they adhere to established, credible security standards. There are plenty of security standards that IoT devices can—or should—follow. Some are related to how IoT devices use networks and transmit data. Some are related to the underlying technologies IoT devices rely upon (such as Wi-Fi). Others offer comprehensive guidance on how to create and use IoT devices in a secure way.

One well-known IoT standard is ISO/IEC 30141 which “provides a standardized IoT Reference Architecture using a common vocabulary, reusable designs, and industry best practices.”  Another IoT standard, TS 103645 from ETSI aims to create a security baseline for Web-connected devices, including guidelines for password usage, software updates, and user data standards for consumer IoT devices.

In another example, the U.S. National Institute of Standards and Technology (NIST) has created a list of six prescribed security characteristics that manufacturers should incorporate into IoT devices. The list includes security features such as device identification, device configuration features, data protection features, logical access to interfaces, adequate software and firmware updates, and adequate cybersecurity event logging.

There are dozens of organizations that publish helpful standards to guide IoT manufacturers and device customers on how to design, manufacture, and use IoT sensors and sensor-enabled devices in the safest way possible. However, the diversity of organizations and standards also presents problems.

Some standards organizations may aim to publish universal standards across different IoT technologies, while others may only publish standards for certain countries or devices and technologies. While these organizations are usually highly credible and undergo rigorous processes to ensure their standards are comprehensive, many such standards are not legally binding.  However, there is no single, well accepted standard for IoT security.  The existing standards are not always designed for the unique risks IoT technologies face, says Izzat Alsmadi, a computer science professor at Texas A&M University in San Antonio, who does work on IoT security. Existing standards may not adequately apply to significant numbers of IoT sensors, he explained, and some IoT devices and networks use proprietary technology that does not follow more widely accepted or used industry standards.

 

“Today’s IoT standards are relevant, but not enough and in some cases not up to date or not up to security challenges,” says Alsmadi. That’s because some of today’s existing security mechanisms were initially designed for desktop computers and are difficult to implement on resource-constrained IoT devices, he says.  There also is the problem of compliance. Standards are often voluntary—and many companies do not adhere to them due to business pressures.

“Currently, the IoT segment sacrifices security due to resource allocation and price,” says Marion Marincat, founder and CEO of Mumbli, an IoT company. It is often faster and cheaper to limit security options in order to get to market, he says. As such, the standards for IoT mainly end up being adopted by the companies with deep-enough pockets and wide-enough competitive moats to afford to implement better security in their devices.

 

“Although there are a lot of methods to design low-cost devices with security in mind, business decisions usually push back the implementation for these solutions in order to speed up the route to market or reduce the price of devices even further,” says Marincat.

The issues with IoT sensor standards have larger implications for the overall security of the Internet of Things.

“The Internet of Things is very vulnerable in comparison with other categories of information systems,” says Alsmadi, because so many IoT applications are publicly visible and can be remotely controlled.

These vulnerabilities become even more pronounced as the adoption of IoT grows, especially as the industrial Internet of Things becomes a growing attack vector.

“The biggest change in operational technology systems over the past decade is that they have recently become more vulnerable to attacks from the outside as they are moving away from isolated, air-gapped environments and embracing more automation and digitally connected devices and systems,” says Fortinet’s Nelson.

Industrial IoT devices often run on hardware with little or no management interface and often are not able to be upgraded in the field. Physically, IoT devices in industrial use-cases frequently are installed in hard-to-reach or publicly inaccessible places (such as on top of a building). As such, they must be able to operate unattended for long periods and be resistant to physical tampering, he says.

“An attack on industrial IoT, especially on a device or system used to monitor critical operations and processes, can have a very significant impact on not only the business itself but also on the environment, even on the health and safety of staff and the public at large,” Nelson says.

Marincat advocates rolling out minimum standards to broad categories of IoT devices, but acknowledges many manufacturers will still see complying with such standards as a luxury in a competitive marketplace.

However, even with smarter standards approaches, making security updates to combined IoT software/hardware can be slower and more complicated than bug fixes and security updates for software alone.  One possible fix is having companies adopt smarter risk-mitigation policies in how they use IoT devices, says Nelson. Companies should consider employing a zero-trust access (ZTA) model that verifies users and devices before every application session.  “Zero-trust access confirms that users and devices meet the organization’s policy to access that application and dramatically improves the organization’s overall risk posture,” he says.

Nelson also recommends companies use micro-segmentation in their networks. This approach segments and isolates attack surfaces into specific zones. Data flows are then controlled into these zones. The result is companies can limit attacks to a small subset of the business, minimizing the chance bad actors move laterally through networks into other core business functions.

Even basic risk mitigation techniques can help. Other popular risk mitigation techniques employed by businesses include encrypting internet connections, using alternate networks in addition to primary ones, and investing in higher-quality (and more costly) devices from companies that have, in turn, invested in stronger IoT security.  Despite all this, however, the vast majority of organizations can still expect at least one cybersecurity attack attempt in a given year. Research from Fortinet found only 6% of organizations experienced no cybersecurity intrusions in 2022.

Putting better cybersecurity measures in place still requires proactive, voluntary compliance from companies—compliance that has not always been forthcoming in the past. While the need for speed may win markets, it is not going away as a major obstacle to safer IoT devices and networks.  That leaves experts skeptical about just how much of the problem can be solved by expanded standards—and how much is a result of human nature and incentives in the technology sector.  “We tend to rush and enjoy advances in technology, then deal with security problems later on or when they become serious,” says Alsmadi.

References:

Communications of the ACM, June 2023, Vol. 66 No. 6, Pages 14-16

2022 State of Operational Technology and Cybersecurity Report, Fortinet, Jun. 21, 2022, https://bit.ly/3G6HTDO

IoT Standards and Protocols Explained, Behrtechhttps://behrtech.com/blog/iot-standards-and-protocols-explained

Number of IoT connected devices worldwide 2019–2021, with forecasts to 2030, Statista, Nov. 22, 2022, https://www-statista-com.libproxy.scu.edu/statistics/1183457/iot-connected-devices-worldwide

 

Cybersecurity threats in telecoms require protection of network infrastructure and availability

Telecommunications companies have become an attractive target for attackers, as their networks can be used as a back door to other organizations, thereby making it attractive for cybercriminals to gain unauthorized access. These telecoms networks are also used to build, control and operate other critical infrastructure sectors, including energy, information technology, and transportation systems. Given the interconnected nature of telecom networks between critical infrastructure sectors, organizations need to focus on safeguarding network infrastructure and enabling network availability for critical infrastructure communication.

Telecoms face mounting threats due to various factors, such as the absence of technical knowledge, use of legacy systems, presence of sensitive information, inadequate password security, and increasing threat landscape. Operators are also transforming themselves from network infrastructure companies to cloud service companies to improve efficiencies in business operations, roll out new services and applications, and store and distribute content. As telcos are often a gateway into multiple businesses, threats can either target a specific telecom company, its third-party providers, or the subscribers of a telecom service. These attacks can come in various forms.

Trend Micro disclosed that telecoms have a larger cyber-attack surface than most enterprises, often stretching from their base station infrastructure to call centers and home workers’ laptops. The surface area provides ample opportunity for threat actors looking for customer or organizational data, trying to hijack customer accounts, or seeking to disrupt services via DDoS (distributed denial of service) and ransomware. Furthermore, supply chain providers, cloud services, IoT systems and new infrastructure needed to support 5G and network slicing create additional risk.

Industrial Cyber reached out to experts in the telecoms sector to examine the key factors that make the communications sector vulnerable to cyber attacks. They also weigh in on the unique challenges that the communications sector faces when it comes to securing and safeguarding its OT/ICS environments.

Teresa Cottam, the chief analyst at Omnisperience, told Industrial Cyber that in the past, where security was considered in telecoms the focus tended to be how it affected performance – such as minimizing DDoS traffic and attacks. “More recently, as everything has become more interconnected and the threat landscape has evolved, cyberattacks specifically against telecoms firms have increased,” she added.

Cottam pointed out that ultimately four challenges stand out – complexity, exposure, volume and variety, and cost.

On complexity, Cottam said that each individual ‘network’ actually comprises several generations of technology with some of it being decades old, and it might include fixed, mobile, and even satellite infrastructure. “Moving data from one side of the world to another requires multiple networks, each owned by a different company with a different risk profile. The move from 4G to 5G introduces even more complexity. In the 5G era, cloud, data, and IoT are combined – increasing security risks. Breaches now have a company-wide impact from production through supply chains and logistics to corporate systems,” she added.

Cottam also added that “when you consider how much equipment is in public places it’s actually surprising it’s not attacked more often. Malign actors don’t even need to mount a cyberattack, they can simply vandalise equipment to target specific regions or industries.”

Elaborating on volume and variety, Cottam said that the sheer volume of endpoints is staggering and continually increasing. “IoT has already massively increased the number of endpoints and will continue to do so. Many of these so-called smart objects aren’t very smart and are highly vulnerable. Many of the most vulnerable devices are in the home, but wherever they are, each device has the potential to inject malign traffic into the network,” she added.

On cost, Cottam said that the cost of securing a network end-to-end is significant and the reality is that telecoms firms and their customers are having to continually juggle risk versus security.

Turning the question around, Grant Lenahan, partner and principal analyst at Appledore Research, said that one of the huge transitions underway is from fundamentally private data centers and networks to outsourced or managed, secure networks that interconnect distributed enterprise to their digital partners, remote employees, public cloud, and SaaS facilities. Therefore, there is a blurring of public and private targets.

“We certainly can look at those who attack public networks because of the private data and traffic. We can also look at those who attack not an underlying enterprise target per se, but the network infrastructure itself,” Lenahan told Industrial Cyber. “These attacks, rather than going after specific data, or intended either to disrupt, for example, terrorism or to gain control that can later be used to target intellectual property the transit to the network. The very fact that public networks are public, complicates securing them.”

On the other hand, Lenahan added that there is scale and scope, allowing for concentrations of security expertise and automated protections, that might not be possible or affordable by individual enterprises. “We have spent hundreds of pages covering this seismic shift in our security research stream. Some readers might be interested in consulting it,” it added.

Andrei Elefant, CEO of EdgeHawk Security told Industrial Cyber that the key factors that make the communication sector vulnerable to cyber attacks are that the CSPs (communication service providers) face multiple and large attack surfaces. They also have a limited security budget and have to prioritize the security measures they take compared to the cost and priorities.

He also added that security expertise in CSPs is limited. “The various types of attack scenarios, attack methods, the type of data and systems that need to be protected are huge. CSPs cannot build expertise in all the required security domains and have to prioritize focus areas. The CSPs are defined as critical infrastructure and are frequently a target of Nation State Actors, which means higher expertise and more budget on the attackers’ side.”

Elefant added that these challenges are even more noticeable when it comes to protecting the OT/ICS environment. “Attack surfaces grow exponentially with the growth in the number and variety of the endpoints. Many of the OT endpoints have limited inherent protection capabilities (due to resources limitation, legacy devices, etc.,), which means they can be a perfect attack surface to harm CSPs or penetrate their networks. In many cases, these devices are being exploited for DDoS attacks, as they are available in masses with limited protection.”

Addressing ​​the essential components that make cybersecurity in telecoms a vital and fundamental part of protecting the telecommunications landscape, as it also serves much of/all the other critical infrastructure sectors, Cottam said that not having complete visibility of the complexity of the telecoms landscape is one of the biggest challenges. “For example, there could be vulnerabilities in equipment and devices – which is often the focus of analyst reports – but equally there can be vulnerabilities in core processes which were put in place decades ago and haven’t been updated,” she added.

Cottam identified that a typical attack occurs by a criminal convincing the telecoms firm they are the customer and want to move to a new provider. “The telecoms firm – often with only minimal checking – provides the ‘customer’ with the means to do so. In the UK the system is designed to make it as easy as possible for the customer to do this, which also makes it easy for criminals. Such an attack against employees is bad; now consider it targeted at IoT devices. This is a great example of how cybersecurity often focuses on securing equipment (endpoints) but ignores vulnerable processes,” she added.

“Many countries have acted to secure number portability and in this respect, the UK is particularly vulnerable as its current system is so old-fashioned and inefficient,” according to Cottam. “Another problem this causes for IIOT is that the UK system also struggles to port large volumes of numbers such as would need to happen with a large corporate or IoT customer. This has the potential of decreasing competition in the connectivity part of the market since it’s a blocker to switching operators.”

Lenahan said that he doesn’t “believe we need to emphasize how important telecom infrastructure is. Not only is it critical infrastructure and it’s all right, but it is often the control plane for other infrastructure such as water, gas, electricity, emergency services, and many other essential components of both private public, and industrial life. It is, what’s on call, a target rich environment. That said, let’s look at what success looks like,” he added.

Elefant said that the CSPs are becoming a part of the critical infrastructures in any state. “National defense strongly relies on communication availability on the state level, in addition to the fact that these networks provide essential communication infrastructure to many other critical infrastructure facilities,” he added.

The essential components needed to keep CSPs networks available and reliable focus on two main aspects, according to Elefant. “Protecting the network infrastructure from unauthorized access and malicious attacks. This includes implementing firewalls, intrusion detection and prevention systems, and other security measures to prevent unauthorized access.”

He also pointed to protecting network availability for critical infrastructure communication by identifying and blocking attempts to saturate the network and accessibility to specific applications/devices using DDoS attacks.

The telecoms industry has had to reconsider its cybersecurity protocols in light of the digitization and incorporation of Industrial Internet of Things (IIoT) technologies. The executives looked into the main threats posed by increased connectivity techniques and how this shift affects the cybersecurity posture of these communication companies.

Cottam said that often today’s IIoT devices use the same networks as other systems, which presents a double-edged risk. “If a criminal can compromise an IIoT device they could use this as an access point to corporate systems; if they compromise corporate systems or user devices they can hijack IIoT devices. Again, this speaks to the interconnectedness of networks and often the poor understanding of how criminals can utilise connections and access points to compromise industrial customers.”

“The main concerns from customers include exposure of their data, compromised network equipment, attacks on devices and network signaling, as well as creating a gateway for further attacks. Network segmentation is a useful technique to limit the scope of such attacks,” according to Cottam. “Reliable security frameworks are built into 3GPP standards to ensure 4G and 5G cellular connections are secure. But as we move to 5G a range of new exciting techniques are also delivered.”

Another technique is to utilize private networks – effectively campus networks within a factory or industrial complex with limited connections to the public network but complex connections within the private network, Cottam said. “Connectivity is only provided to authorised devices (more secure than WiFi, as it can be based on SIM authentication) and data is processed on-site,” she added.

“The simplest way to look at this is that complexity is increasing dramatically in enterprise networks. There will be an order of magnitude more endpoints; applications and data will reside in various clouds; and dynamically changing ecosystems of digital trading partners will continuously evolve,” Lenahan said. “This implies a complex network that crosses ownership boundaries, and is constantly changing.”

Lenahan noted that the only apparent constant throughout this ‘web’ is the telecom CSP that undertakes end-to-end connectivity, orchestration, and in our view, security. “This is a huge opportunity for our industry. However, it also means we need to think completely differently about security. It cannot be a separate island; it must be integrated into network automation. Furthermore, it must be automated, something tacos in security professionals have long been uncomfortable with,” he added.

Elefant identified some of the threats brought by these increased connectivity techniques, including increased attack surface, unsecured devices, protocol vulnerabilities, and DDoS attacks. With “the exponential increase in the number of connected devices, the attack surface of the network has increased, creating more opportunities for malicious actors to gain unauthorized access to the network. Many IoT devices are not designed with security in mind, and may have weak passwords, unpatched vulnerabilities, or lack encryption, making them easy targets for attackers.”

He also pointed out that IoT devices often use proprietary protocols, which may have vulnerabilities that are not well understood and are difficult to patch. IoT devices can be easily compromised and used to launch DDoS attacks, overwhelming the network with traffic and causing availability issues.

Elefant highlighted that the new threats have led to a shift in the cybersecurity posture of CSPs. “Implementing more strict network segmentation, both on their infrastructure and also as a service to their customers. Specifically for the IIoT environment, access control services, delivered by the CSPs, are being applied on a larger scale. Protecting the network from DDoS attacks on the edge and access points became a mandatory consideration. Additionally, there is a need to continuously monitor and assess the security of the network edge and access as more attacks may come from exploited devices connected to the network.”

Like other critical infrastructure sectors, the communications sector has also faced mounting cybersecurity rules and regulations in recent times. The executives address how the communication sector responded to the increase in cybersecurity regulations for critical infrastructure owners and operators, as well as analyze the impact these initiatives have had in enhancing reporting procedures and improving the cybersecurity posture of the telecoms sector.

Cottam said that one of the biggest challenges stems from the ‘democratisation’ of IoT. “As it becomes the norm in manufacturing supply chains, smaller and newer industrial firms are drawn in or adopt IoT to increase their efficiency. These firms often don’t fully understand the importance or complexity of securing their IoT devices and lack the budget and expertise in-house,” she added.

Another challenge is that many enterprises deploy and secure IoT from an IT perspective, according to Cottam. “Traditional IT security largely focuses on end-point and perimeter security. But with hundreds of thousands of IoT endpoints and more permeable boundaries, the emphasis has to shift to securing and managing the network rather than trying to put security into every device – not all of which are designed to be secured,” she added.

“Likewise, while cellular IoT is reasonably secure – and that based on 5G even more so – it is not unhackable. IoT network security isn’t just about securing the network either, it’s about network-based security that can monitor all the connected objects, processes, and applications,” Cottam said. “Neither is it just about hackers anymore. Nation states, protestors, and terrorists are just as likely to want to attack critical infrastructure and their objectives are different and their budgets and expertise are huge. While there has been much talk of bringing together IT/OT/IoT into a single process to make it more manageable and auditable, the risk is that the complexity and volume become overwhelming.”

Lenahan said that details on how telcos are handling critical infrastructure security are hard to get, and in my opinion, rightly so. “That said, we can see many trends in the industry to prepare telecoms to not only be more secure on its own but to be in a good position to secure infrastructure for others. Some things are as simple as the collaborative work in the MEF, on secure transport services — or the transport service in security or considered as one. Similarly, the managed services, with security at their core, that many leading telcos are offering to their enterprise clients, can be applied to protecting public and shared infrastructure as well,” he added.

“One thing we believe they must change is that these ‘managed’ services, which, by definition, are semi-custom, must become more standardized products,” according to Lenahan. “We say this because that is the only way telcos can afford to invest in the level of automation that will truly illuminate errors and omissions and stay ahead of the bad actors. It’s simply a matter of operating a process at scale and concentrating one’s fire, so to speak.”

The CSPs responded in various methods to address the increase in cybersecurity regulations for critical infrastructure, Elefant said. “Increase in network segmentation to protect critical infrastructure, the CSPs designed their networks in a way they can segment their network based on the type of service they need to deliver. Applying more protection capabilities at the edge of the network to protect the network from threats that may come from the access side, in addition to more traditional protection methods they apply on the network core,” he added.

Elefant also suggested adding more secure communication channels, like segmentation and encryption for critical elements, such as the control plane, and adding more monitoring tools to identify security risks in real time. “These initiatives help CSPs to identify security threats in real-time and apply faster response and mitigation, leveraging the new control points, mainly at the edge of the network,” he concluded.

References:

https://industrialcyber.co/features/cybersecurity-issues-in-telecoms-sector-call-for-protection-of-network-infrastructure-and-availability/

https://industrialcyber.co/features/cybersecurity-issues-in-telecoms-sector-call-for-protection-of-network-infrastructure-and-availability/

https://www.trendmicro.com/en_se/research/22/b/the-telecoms-cyber-threat-landscape-in-2021.html

https://www.enisa.europa.eu/news/enisa-news/cyber-threat-warnings-the-ins-and-outs-of-consumer-outreach

Cybersecurity to be a top priority for telcos in 2023

IEEE/SCU SoE Virtual Event: May 26, 2022- Critical Cybersecurity Issues for Cellular Networks (3G/4G, 5G), IoT, and Cloud Resident Data Centers

 

Cybersecurity to be a top priority for telcos in 2023

Telecom has always been susceptible to cyberattacks and data breaches.  With increasing deployment of IoT devices, attackers will have more opportunities to obtain our data as more gadgets are connected to our network.  OpenRAN, with many more exposed interfaces, widens the attack surface for bad actors.

Different security risks brought on by 5G will leave the sector open to cyberattacks. To strengthen security surrounding connected devices, cloud systems, and the networks that connect them, telecom operators must invest in implementing stringent cybersecurity measures because there is a significant amount of sensitive data dispersed across intricate, private, and private networks.

According to Gartner, there will be 43 billion IoT-connected devices by the end of 2023. For those in charge of cybersecurity, it’s necessary to keep in mind IoT devices, such as smartwatches or human-wearable biometrics, monitoring systems, robotics, alarm systems, sensors, IT devices, and industrial equipment. IoT security is essential as more telecoms embrace the industry and implement these devices in their networks because they can remotely access base stations and data centers.

Finally, enterprises deploying SD-WANs and other private or virtual private networks. In particular:

  • Secure Access Service Edge (SASE) combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (e.g. SD-WAN) to support businesses’ secure access needs. Previously, security for SD-WAN was an open, unresolved issue.
  • Secure Service Edge (SSE) is the security components of SASE focusing largely on the cloud access security broker, secure web gateway, and zero-trust network access products to enable secure use of the internet and cloud services for a hybrid workforce working from anywhere,”  said Gartner analyst Charlie Winckless.

Dell’Oro group July 2022 report found that the SSE market grew 40% year-over-year to more than $800 million in the first quarter.  A December report noted that SSE  achieved its tenth consecutive quarter of sequential revenue expansion in 3Q-2022. Dell’Oro’s Director of Network Security, SASE, and SD-WAN Mauricio Sanchez said the strong growth is a testament to more enterprises preferring cloud-delivered security over traditional on-premises solutions.  Sanchez told SDX Central:  “The growth factors that have existed largely since the pandemic started are still with us.  That’s the shift to hybrid work, the shift of workloads to the cloud, and the importance of the digital experience.”

References:

https://insidetelecom.com/a-look-at-the-telecommunication-industry-trends/

Summary of EU report: cybersecurity of Open RAN

IEEE/SCU SoE Virtual Event: May 26, 2022- Critical Cybersecurity Issues for Cellular Networks (3G/4G, 5G), IoT, and Cloud Resident Data Centers

U.S. cybersecurity firms seek tech standards to secure critical infrastructure

Enterprises Deploy SD-WAN but Integrated Security Needed

Have we come full circle – from SD-WAN to SASE to SSE? MEF’s SD-WAN and SASE standards

FBI and MI5 Chiefs Issue Joint Warning: Chinese Cyber Espionage on Tech & Telecom Firms

Chinese government-backed hackers have attacked major telecom businesses throughout the world in a cyber-espionage effort that has lasted at least two years and has successfully compromised at least 13 telecommunications groups.

In a recent advisory, the FBI, NSA and CISA stated that hackers linked to the People’s Republic of China (PRC) had targeted and hacked major telecommunications businesses by exploiting simple and well-known network and system vulnerabilities.

According to the report, Chinese espionage is often initiated with hackers surveying target networks and exploring the manufacturers, models, versions, and known vulnerabilities of routers and networking equipment using open-source scanning tools such as RouterSploit and RouterScan. The Chinese government consistently disputes charges of hacking.

The heads of the FBI and Britain’s domestic security service have just issued sharply worded warnings to business leaders about the threats posed by Chinese espionage, especially spying aimed at stealing Western technology companies’ intellectual property.

In a rare joint appearance on Wednesday July 6th at the headquarters of MI5 in the UK, Christopher Wray, director of the Federal Bureau of Investigation (FBI), and Ken McCallum, director-general of MI5, urged executives not to underestimate the scale and sophistication of Beijing’s campaign.

“The Chinese government is set on stealing your technology—whatever it is that makes your industry tick—and using it to undercut your business and dominate your market,” Mr. Wray told the audience of business people.

“They’re set on using every tool at their disposal to do it.” China uses state-sponsored hacking on a large scale, along with a global network of intelligence operatives in its quest to gain access to technology it considers important, Messrs. Wray and McCallum said.

“The Chinese government poses an even more serious threat to Western businesses than even many sophisticated business people realize,” Mr. Wray added.

PHOTO CREDIT: DOMINIC LIPINSKI/ASSOCIATED PRESS

“We want to send the clearest signal we can on a massive shared challenge—China,” Mr. Wray said in his appearance with his U.K. counterpart. Tackling the threat is essential, he said, “if we are to protect our economies, our institutions and our democratic values.”

“The most game-changing challenge we face comes from the Chinese Communist Party,” Mr. McCallum said. “It’s covertly applying pressure across the globe. This might feel abstract, but it is real and it is pressing.”

China is engaged in “a coordinated campaign on a grand scale” that represents “a strategic contest across decades,” Mr. McCallum said. “We need to act.”

While American law enforcement and intelligence officials have been warning about the problem for years, it is a far more recent phenomenon for British security officials, who until last year made few public comments about the Chinese threat.

MI5 is running seven times more investigations involving Chinese espionage than it did in 2018, and plans to double the current number in the coming years, Mr. McCallum said.

…………………………………………………………………………………………………………………………………………

The statement from the American security agencies did not name the victims of the hacking, nor did it specify the extent of the damage. However, US authorities did list specific networking equipment, such as routers and switches, that Chinese hackers are suspected of routinely targeting, exploiting serious and well-known flaws that basically gave the attackers full control over their targets.

Cisco, Citrix, Fortinet and Netgear equipment were among the most often attacked devices.  Cisco and Netgear, according to the warning, have already published software updates for the majority of the identified vulnerabilities. The organizations recommended that operators take certain actions to minimize possible threats in addition to applying available patches and system upgrades. These include removing or isolating suspected compromised devices as soon as possible, segmenting the network to limit or prevent lateral movement, disabling unused or unnecessary network services, ports, protocols, and devices, and requiring multi-factor authentication for all users, including those connected via a VPN.

For intelligence organizations, telecommunications companies are particularly valuable targets. These service providers develop and operate the majority of the Internet’s infrastructure, as well as numerous private networks throughout the world. Successfully hacking of these networks can open the door to an even larger universe of valuable surveillance opportunities.

References:

Chinese hackers breach telecom giants around the world

https://www.wsj.com/articles/heads-of-fbi-mi5-issue-joint-warning-on-chinese-spying-11657123280

https://www.technologyreview.com/2022/06/08/1053375/chinese-hackers-exploited-years-old-software-flaws-to-break-into-telecom-giants/

https://www.nytimes.com/2022/07/06/world/asia/fbi-china-taiwan-sanctions.html

Summary of EU report: cybersecurity of Open RAN

The EU has published a report on the cybersecurity of Open RAN, a 4G/5G (maybe even 2G?) network architecture the European Commission says will provide an alternative way of deploying the radio access part of 5G networks over the coming years, based on open interfaces. The EU noted that while Open RAN architectures create new opportunities in the marketplace, they also raise important security challenges, especially in the short term.

“It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realized,” the report said.

The report found that Open RAN could bring potential security opportunities, provided certain conditions are met. Namely, through greater interoperability among RAN components from different suppliers, Open RAN could allow greater diversification of suppliers within networks in the same geographic area. This could contribute to achieving the EU 5G Toolbox recommendation that each operator should have an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier.

Open RAN could also help increase visibility of the network thanks to the use of open interfaces and standards, reduce human errors through greater automation, and increase flexibility through the use of virtualisation and cloud-based systems.

However, the Open RAN concept still lacks maturity, which means cybersecurity remains a significant challenge. Especially in the short term, by increasing the complexity of networks, Open RAN could exacerbate certain types of security risks, providing a larger attack surface and more entry points for malicious actors, giving rise to an increased risk of misconfiguration of networks and potential impacts on other network functions due to resource sharing.

The report added that technical specifications, such as those developed by the O-RAN Alliance, are not yet sufficiently secure by design. This means that Open RAN could lead to new or increased critical dependencies, for example in the area of components and cloud.

The EU recommended the use of regulatory powers to monitor large-scale Open RAN deployment plans from mobile operators and if needed, restrict, prohibit or impose specific requirements or conditions for the supply, large-scale deployment and operation of the Open RAN network equipment.

Technical controls such as authentication and authorization could be reinforced and a risk profile assessed for Open RAN providers, external service providers related to Open RAN, cloud service/infrastructure providers and system integrators. The EU added that including Open RAN components into the future 5G cybersecurity certification scheme, currently under development, should happen at the earliest possible stage.

Following up on the coordinated work already done at EU level to strengthen the security of 5G networks with the EU Toolbox on 5G Cybersecurity, Member States have analysed the security implications of Open RAN.

Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age, said: “Our common priority and responsibility is to ensure the timely deployment of 5G networks in Europe, while ensuring they are secure. Open RAN architectures create new opportunities in the marketplace, but this report shows they also raise important security challenges, especially in the short term. It will be important for all participants to dedicate sufficient time and attention to mitigate such challenges, so that the promises of Open RAN can be realised.”

Thierry Breton, Commissioner for the Internal Market, added: “With 5G network rollout across the EU, and our economies’ growing reliance on digital infrastructures, it is more important than ever to ensure a high level of security of our communication networks. That is what we did with the 5G cybersecurity toolbox. And that is what – together with the Member States – we do now on Open RAN with this new report. It is not up to public authorities to choose a technology. But it is our responsibility to assess the risks associated to individual technologies. This report shows that there are a number of opportunities with Open RAN but also significant security challenges that remain unaddressed and cannot be underestimated. Under no circumstances should the potential deployment in Europe’s 5G networks of Open RAN lead to new vulnerabilities.”

Guillaume Poupard, Director General of France’s National Cyber Security Agency (ANSSI), said: “After the EU Toolbox on 5G Cybersecurity, this report is another milestone in the NIS Cooperation Group’s effort to coordinate and mitigate the security risks of our 5G networks. This in-depth security analysis of Open RAN contributes to ensuring that our common approach keeps pace with new trends and related security challenges. We will continue our work to jointly address those challenges.”

Finally, a technology-neutral regulation to foster competition should be maintained., with EU and national funding for 5G and 6G research and innovation, so that EU players can compete on a level playing field.

References:

https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2881

https://digital-strategy.ec.europa.eu/en/library/cybersecurity-open-radio-access-networks

https://www.telecompaper.com/news/open-ran-creates-new-opportunities-but-also-security-risks-eu-report–1424010

Page 1 of 2
1 2