After being sworn into office four years ago, President Joe Biden confronted the fallout from one of the largest cyber incidents in history, discovered only a few weeks before his inauguration: the SolarWinds supply chain attack that U.S. officials eventually traced back to Russia’s Foreign Intelligence Service (or SVR).
Now, with Donald Trump returning to the White House this month, the U.S. is faced with another significant cyber threat. This time, however, officials believe the alleged group behind this attack is from China.
Over the last several months of 2024 and into the New Year, federal agencies (along with Microsoft and other security firms) have been offering details about an attack by a group dubbed Salt Typhoon, which officials believe is an advanced persistent threat group with alleged ties to China’s Ministry of State Security.
In this case, the Salt Typhoon attackers appear to have successfully targeted nine U.S. telecommunications firms and swept up unclassified information and communications among American officials, as well as metadata from an unknown number of private citizens. One of the victimized companies, Verizon, announced on Jan. 10 that its security team had contained the attack.
While details are still emerging, the Wall Street Journal reports that the attackers targeted unpatched flaws in network devices from Fortinet and older, large-scale Cisco routers that were no longer receiving security updates. These incidents also appear part of an escalating series of cyber intrusions by Chinese-affiliated groups targeting critical infrastructure throughout the U.S. (China has denied any connection.)
When these types of large-scale, sophisticated attacks occur, tech and security professionals working at enterprises or even small or midsize businesses (SMBs) must take the time to examine and understand the size and scale of these incidents, learning lessons that they can apply to their organization to help prevent a similar cyber intrusion.
As White House officials overseeing the response to these attacks noted, understanding what happened can prevent similar incidents in the future. Even the most basic cybersecurity hygiene remains important to all organizations and government agencies.
“We wouldn’t leave our homes, our offices unlocked, and yet our critical infrastructure—the private companies owning and operating our critical infrastructure—often do not have the basic cybersecurity practices in place that would make our infrastructure riskier, costlier, and harder for countries and criminals to attack,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology, during a December briefing about the Salt Typhoon attack.
Here is a look at three lessons for tech and security pros from the Salt Typhoon attack.
Lesson 1: Identity and Access Management Matter
One of the more head-turning details about the Salt Typhoon attack is that, at one point, the threat group gained access to one compromised administration account that allowed access to 100,000 routers within a network.
After the attackers compromised that account, they gained nearly unfettered entry across the whole infrastructure.
“That one over-entitled admin account represents a jackpot for threat actors—compromising that admin account alone could likely provide widespread access and privileges across an entire network, and there was no multi-factor authentication involved in this widespread access, which would have helped protect the routers from compromised credentials,” Rob Hughes, CISO at RSA, told Dice.
At the heart of this issue is enforcing identity and access management (IAM) across an organization. That means ensuring all apps are protected by MFA, and using privileged access management (PAM) so that administrative accounts cannot be abused and do not hold levels of access beyond what their tasks require.
These security issues also call for organizations to invest in zero trust principles.
“If you’re not moving to zero trust or at least enforcing least privilege, then there’s a tendency to over-provision access across your environments. That can save your IT team time in the short term, but in the long term, it creates vulnerabilities that put your whole organization at risk,” Hughes added. “Organizations should emphasize identity governance and administration and access control policies to limit the fallout of any single failure. By investing in those capabilities, organizations can know what users can access, what they can do with that access, and whether that access is necessary for them to do their jobs. Moreover, having that visibility allows organizations to revoke unnecessary access—and prevent breaches before they start.”
Other experts agree that these attacks call for rethinking cyber strategies and implementing as many zero trust principles as possible.
“Zero-trust principles require continuous verification of every access attempt, no matter the user or device,” Paul Aronhime, senior vice president of federal sector at Keeper Security, told Dice. “Implementing least-privilege access, enforcing MFA and ensuring strong password hygiene are fundamental steps in mitigating unauthorized access. When paired with network segmentation, these practices can significantly limit an attacker’s ability to gain a foothold or move laterally.”
Other experts such as John Anthony Smith, founder and chief security officer at Conversant Group, also agree that segmenting parts of the network, especially those that contain sensitive administrative credentials and access, is a step more organizations should take.
In many cases, critical administrative consoles, such as access to backups, storage, public clouds, routers, switches, firewalls and hypervisors should be isolated from the production identity plane—the one utilized for user-based systems and backend servers.
“Administrative consoles should use a different identity plane and MFA provider from that employed by the normal user population,” Smith told Dice. “Administrative consoles should be segmented into a highly guarded network segment. The administrative identity plane should not accept logins except for systems within this highly guarded network segment. The IT password vault should be placed in this highly guarded network segment.”
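One way to turn the Lesson 1 recommendations into a routine check, as an added example that is not from the article or any of the quoted firms: it audits admin-console logins against the rule that the administrative identity plane only accepts logins from the guarded admin segment, that every admin login carries MFA, and that no single account is entitled to an outsized number of devices. The admin segment range, the device ceiling and the login events are assumed and constructed for illustration.

```python
"""Audit admin-console logins for segmentation, MFA and entitlement rules.

Added example, not code from the article or any vendor. The segment
range, device threshold and sample events below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed guarded admin segment(s); hypothetical range.
ADMIN_SEGMENTS = [ip_network("10.250.0.0/24")]
# Assumed ceiling on how many devices one admin identity may manage.
MAX_DEVICES_PER_ACCOUNT = 500


@dataclass(frozen=True)
class AdminLogin:
    account: str
    source_ip: str
    target_device: str
    mfa: bool


def in_admin_segment(ip: str) -> bool:
    """True if the source address lies inside a guarded admin segment."""
    addr = ip_address(ip)
    return any(addr in net for net in ADMIN_SEGMENTS)


def audit(events, device_scope):
    """Return (account, finding) tuples for each policy violation.

    device_scope maps account -> number of devices it is entitled to manage."""
    findings = []
    for e in events:
        if not in_admin_segment(e.source_ip):
            findings.append((e.account, f"login from outside admin segment: {e.source_ip}"))
        if not e.mfa:
            findings.append((e.account, f"login without MFA to {e.target_device}"))
    for account, n in device_scope.items():
        if n > MAX_DEVICES_PER_ACCOUNT:
            findings.append((account, f"over-entitled: manages {n} devices"))
    return findings


# Constructed sample data: one admin account reaching 100,000 routers,
# one login from outside the guarded segment without MFA.
SAMPLE_EVENTS = [
    AdminLogin("netadmin", "10.250.0.17", "core-rtr-01", True),
    AdminLogin("netadmin", "192.0.2.44", "core-rtr-02", False),
    AdminLogin("svc-backup", "10.250.0.9", "backup-ctl", True),
]
SAMPLE_SCOPE = {"netadmin": 100000, "svc-backup": 12}

if __name__ == "__main__":
    for account, finding in audit(SAMPLE_EVENTS, SAMPLE_SCOPE):
        print(f"{account}: {finding}")
```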
Lesson 2: Compromised Credentials and Passwords
As Aronhime pointed out, ensuring good password hygiene is essential.
The Journal analysis also noted that Salt Typhoon and other Chinese-linked advanced persistent threat groups (APTs) have become proficient at stealing passwords and compromising credentials to steal identities, gain access and remain undetected within networks.
Cyber experts noted that tech and security pros must start immediately by reviewing policies and updating procedures to strengthen password protections.
“Credential harvesting was one of the key techniques Salt Typhoon used for initial access. These include weak passwords, lack of password management and insecurely stored credentials,” Venky Raju, field CTO at security firm ColorTokens, told Dice. “It also involved the presence of default passwords on some network equipment. A clear action plan here is to implement privilege access management to eliminate weak passwords and uncontrolled storage of credentials. Adopting a passwordless authentication solution will further improve the defense against initial access.”
Lesson 3: Understanding Supply Chain Attacks
Federal government agencies and those telecoms affected by the Salt Typhoon attack have not released specifics of how the attack unfolded or how the group gained initial access to these networks.
Some security experts suspect the attackers initially compromised companies that supplied services or equipment to the telecom victims, giving the threat group a jumping-off point from which to target their main objectives. These supply-chain compromises are common methods for APT groups that have resources, access to certain technologies and government backing.
“One of the key implications of the Salt Typhoon intrusions is that it highlights the reality of pervasive, well-resourced, opportunistic adversaries targeting organizations who may not have previously considered themselves as ‘on the radar’ for this type of threat actor, especially when it comes to their role in a supply-chain,” Casey Ellis, founder of Bugcrowd, told Dice. “Your value as a target might not be immediately obvious, and these intrusions highlight. Recalibrating threat models to recognize this reality is key, as is understanding the [Tactics, Techniques and Procedures] of the adversaries most relevant to your organization.”
Security and tech pros are well-advised to be vigilant about these types of intrusions, Ellis added. Besides general best practices, there are often specific pieces of advice, attacker TTPs and other useful threat intelligence artifacts that can be used to ensure better cyber hygiene and begin mitigations to reduce risk.
Experts noted that sophisticated nation-state threat groups pose serious risks to organizations through the supply chain, and IT and security professionals need to ensure that they are following the most up-to-date guidance to reduce those risks.
“These operations exploit systemic vulnerabilities in the telecommunications sector, including outdated infrastructure and supply chain weaknesses, highlighting the sector’s susceptibility to advanced state-sponsored threats,” Callie Guenther, senior manager for cyber threat research at Critical Start, told Dice. “The recent guidance from CISA, NSA, and FBI emphasizes zero trust principles, robust encryption, timely software updates and enhanced supply chain security as critical defenses. A notable recommendation to use encrypted messaging apps reflects diminishing confidence in the security of traditional telecom systems against sophisticated adversaries.”