U.S. Agency Cautions Employees to Limit Phone Use Due to Salt Typhoon Hack of Telco Providers

Summary:
The U.S. government’s Consumer Financial Protection Bureau (CFPB) has advised employees to avoid using cellphones for work after the China-linked APT group Salt Typhoon breached major telecom providers. The CFPB, established in 2011 to protect consumers in the financial sector and promote fair, transparent markets, issued a directive urging employees to limit phone use and to rely on Microsoft Teams and Cisco WebEx for meetings involving nonpublic data. According to a Wall Street Journal report, the CFPB’s chief information officer informed staff via email that work-related meetings or conversations involving sensitive data should not take place on work-issued or personal phones. The email emphasized, “Do NOT conduct CFPB work using mobile voice calls or text messages,” referencing a recent government acknowledgment of the telecom attack. While there is no indication that the CFPB itself has been targeted, employees were urged to comply with the directive to mitigate risk. Salt Typhoon, a China-linked cyber espionage campaign, has targeted several U.S. internet service providers to gather intelligence or disrupt operations. Experts are currently investigating whether Cisco Systems routers, which are integral to ISP infrastructure, were compromised as part of the campaign.

Security Officer Comments:
A Cisco spokeswoman confirmed that the company is investigating recent cyber activity but emphasized that “at this time, there is no indication that Cisco routers are involved” in the Salt Typhoon activity. The campaign is attributed to the China-linked APT group Salt Typhoon, also known as FamousSparrow and GhostEmperor. According to the Wall Street Journal, “Hackers linked to the Chinese government have broken into a handful of U.S. internet-service providers in recent months in pursuit of sensitive information.” The previously undisclosed Salt Typhoon campaign highlights the continued success of Beijing’s cyber operations against critical computer networks in the U.S. and worldwide. China has historically targeted global internet service providers, and the recent attacks are consistent with those past operations.

Cybersecurity experts warn that Chinese state actors are focusing on infiltrating critical U.S. infrastructure, potentially shifting from stealing secrets to targeting the core of America’s digital networks. Unlike the infrastructure-focused attacks of Volt Typhoon, Salt Typhoon appears to prioritize intelligence gathering. Chris Krebs of SentinelOne suggested that Salt Typhoon may be affiliated with China’s Ministry of State Security and with APT40, a group that specializes in intelligence collection and that the U.S. and its allies called out in July for its hacking activities.

In July, Cisco addressed a zero-day vulnerability (CVE-2024-20399) affecting NX-OS switches that another China-linked group, Velvet Ant, exploited to install malware. Cybersecurity firm Sygnia reported these attacks in April 2024, detailing how Velvet Ant used the zero-day to execute malware on Cisco Nexus devices.

In August, Volexity researchers revealed that a China-linked APT group tracked as StormBamboo (also known as Evasive Panda, Daggerfly, and StormCloud) compromised an undisclosed ISP to poison DNS responses, targeting insecure software update mechanisms to deliver malware to macOS and Windows systems.

Link(s):
https://securityaffairs.com/170737/hacking/u-s-agency-limit-phone-use-due-to-salt-typhoon-hack.html
https://www.wsj.com/us-news/u-s-age...ut-phone-use-amid-ongoing-china-hack-dd459273