🧂Salt Typhoon Cyber-Attacks | Lessons for Telecommunications Companies🥷


The Salt Typhoon cyber-attacks serve as a stark reminder of how a single administrative misstep can cascade into a devastating security breach. In these attacks, Chinese threat actors exploited a compromised administrator account to gain control over 100,000 routers, maintaining persistence with reverse tunnels and evading detection by deleting logs. The aftermath highlights critical gaps in the security architecture of many telecommunications companies and underscores the need for robust best practices.
This article explores the lessons from the Salt Typhoon attacks and provides a roadmap for telecommunications companies to strengthen their cybersecurity defences.
1. The Danger of Exposed Public Interfaces
A critical vulnerability exploited in the Salt Typhoon attacks was the lack of segmentation in the management plane. Many telecommunications companies make the mistake of allowing devices to be accessed from any public interface. This open-door policy is an invitation for disaster, as it provides attackers with a direct route to the infrastructure once they breach an account.
Best Practice: Segmented Management Plane
A management plane should be isolated from public networks and secured as a dedicated, highly segmented environment. This network segment should be accessible only via secure VPN concentrators with multi-factor authentication (MFA). By restricting access to a segmented management plane, companies can significantly reduce the attack surface.
Encryption: All communications within the management plane should be encrypted using strong protocols like TLS or IPsec.
Network Access Control (NAC): Implement NAC policies to ensure that only authorised devices and users can access the management plane.
Zero Trust Principles: Apply a zero-trust security model, assuming that all access requests are potentially malicious until proven otherwise.
2. Learning from the Attackers: Reverse Tunnels for Security
Ironically, the method used by the attackers to maintain persistence—reverse tunnels—can also be one of the most secure ways to protect network devices. Reverse tunnels, when suitably encrypted, authorised, and controlled, can provide a secure channel for device management without exposing devices directly to the internet.
Best Practice: Secured Reverse Tunnels
Encryption and Authentication: Use secure protocols like WireGuard or SSH for reverse tunnels, ensuring strong encryption and key- or certificate-based authentication.
Integration with Management Plane: Configure reverse tunnels to terminate exclusively in the segmented management plane, ensuring all access is routed through the secure environment.
Access Control: Establish strict access policies for reverse tunnels, allowing connections only from authorised management plane users.
3. Logging, Monitoring, and Auditing
One of the reasons the Salt Typhoon attackers evaded detection was their ability to delete logs, leaving no trace of their activities. Robust logging, coupled with real-time monitoring and auditing, is essential for detecting and responding to suspicious behaviour.
Best Practice: Comprehensive Logging and Notification
Immutable Logs: Store logs in an immutable, centralised logging system to prevent tampering. Use write-once-read-many (WORM) storage or cloud-based solutions with versioning.
Real-Time Notifications: Configure the system to notify the Network Operations Centre (NOC) and the account owner whenever access is granted.
Log Audits: Perform regular audits to ensure log integrity and to identify anomalies. Integrate this process into standard operational workflows.
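As an added illustration (not part of the original article) of what "immutable" has to mean in practice: each log record is hashed together with its predecessor, and the device periodically reports its chain head to the central collector. The record format, the hash algorithm and the events are constructed assumptions. The example also shows the caveat that a chain on its own does not reveal truncation of the newest records, which is why the anchored head is needed.

```python
"""Hash-chained management-plane log: detects deleted or altered records."""
import hashlib
import json
GENESIS = "0" * 64  # link value for the first record

def record_hash(prev_hash: str, record: dict) -> str:
    """Digest of a record bound to its predecessor (canonical JSON)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain: list, record: dict) -> None:
    """Append a record, linking it to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": record_hash(prev, record)})

def verify(chain: list, anchored_head=None) -> list:
    """Return findings (empty means intact); anchored_head is the head hash the
    device last reported to the central collector and catches tail truncation."""
    findings, expected_prev = [], GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != expected_prev:
            findings.append(f"entry {i}: broken link, records before it were removed")
        if record_hash(entry["prev"], entry["record"]) != entry["hash"]:
            findings.append(f"entry {i}: content altered")
        expected_prev = entry["hash"]
    if anchored_head is not None and expected_prev != anchored_head:
        findings.append("head differs from anchored head: tail truncated or rewritten")
    return findings

# Constructed sample: one admin session on a router's management interface
EVENTS = [
    {"ts": "2024-11-01T02:13:07Z", "user": "netadmin", "event": "login", "src": "198.51.100.23"},
    {"ts": "2024-11-01T02:13:40Z", "user": "netadmin", "event": "config-change"},
    {"ts": "2024-11-01T02:14:02Z", "user": "netadmin", "event": "log-clear"},
    {"ts": "2024-11-01T02:15:00Z", "user": "netadmin", "event": "logout"},
]

def build_chain(events: list = EVENTS) -> list:
    chain = []
    for ev in events:
        append(chain, ev)
    return chain

def deleted_middle() -> list:
    """Chain after the config-change and log-clear records were deleted."""
    chain = build_chain()
    del chain[1:3]
    return chain

def truncated_tail() -> list:
    """Chain with the newest record removed; only the anchor check catches this."""
    return build_chain()[:-1]
```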
4. Operational Processes to Detect Anomalies
The Salt Typhoon attacks also highlight the importance of integrating security measures into operational processes. Even with robust logging and monitoring, anomalies often go unnoticed without clear processes and automation.
Best Practice: Security-Integrated Operations
Anomaly Detection: Use AI and machine learning tools to identify deviations from normal patterns, such as unusual login locations or times.
Incident Response Plans: Develop and regularly update incident response plans to address detected anomalies promptly.
Access Reviews: Conduct periodic reviews of access permissions and device configurations to ensure compliance with security policies.
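An added example, not from the article, of the anomaly check described above together with the notify-on-every-access rule from the logging section. It uses a simple per-user baseline of usual hours and known source addresses rather than an ML model; the log line format, the management-plane prefix and the notification addresses are assumptions, and the log lines are constructed.

```python
"""Admin login anomaly detection over constructed management-plane access logs."""
import ipaddress
from collections import defaultdict
from datetime import datetime
MGMT_PLANE = ipaddress.ip_network("10.250.0.0/24")  # assumed VPN concentrator pool
NOC = "noc@example.net"  # assumed Network Operations Centre mailbox

def parse(line: str) -> dict:
    """Constructed line format: '<iso-ts> <user> <src-ip> <result>'."""
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "src": ipaddress.ip_address(src), "result": result}

def baseline(history: list) -> dict:
    """Per-user profile of usual login hours (UTC) and known source addresses."""
    prof = defaultdict(lambda: {"hours": set(), "srcs": set()})
    for ev in map(parse, history):
        if ev["result"] == "success":
            prof[ev["user"]]["hours"].add(ev["ts"].hour)
            prof[ev["user"]]["srcs"].add(ev["src"])
    return prof

def analyse(lines: list, prof: dict) -> list:
    """Every granted access notifies the NOC and the account owner; the notice
    carries the reasons when the login deviates from the baseline."""
    notices = []
    for ev in map(parse, lines):
        if ev["result"] != "success":
            continue
        p = prof.get(ev["user"], {"hours": set(), "srcs": set()})
        reasons = []
        if ev["src"] not in MGMT_PLANE:
            reasons.append("source outside management plane")
        if ev["src"] not in p["srcs"]:
            reasons.append("never-seen source address")
        if ev["ts"].hour not in p["hours"]:
            reasons.append("login outside usual hours")
        notices.append({"user": ev["user"], "src": str(ev["src"]), "reasons": reasons,
                        "notify": [NOC, f"{ev['user']}@example.net"]})
    return notices

HISTORY = [  # constructed: a month of routine logins through the concentrator
    f"2024-10-{d:02d}T{h:02d}:05:00Z netadmin 10.250.0.5 success"
    for d in range(1, 29) for h in (8, 11, 15)
]
NEW = [  # constructed: one routine login, one matching the Salt Typhoon pattern
    "2024-11-01T11:12:44Z netadmin 10.250.0.5 success",
    "2024-11-01T02:13:07Z netadmin 198.51.100.23 success",
]

def run() -> list:
    return analyse(NEW, baseline(HISTORY))
```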
5. Multi-Layered Security Approach
Telecommunications companies must adopt a multi-layered approach to security, combining technical measures with policy enforcement and employee training.
Key Elements of a Multi-Layered Defence
MFA Everywhere: Require multi-factor authentication for all critical systems, not just the management plane.
Role-Based Access Control (RBAC): Limit access privileges based on job roles to minimise the impact of compromised accounts.
Employee Training: Provide regular training on recognising phishing attacks and other common tactics used to compromise accounts.
Wrap
The Salt Typhoon attacks were a wake-up call for the telecommunications industry, exposing critical gaps in how infrastructure is secured. By adopting best practices such as segmented management planes, secured reverse tunnels, robust logging and monitoring, and anomaly detection processes, companies can fortify their defences against similar attacks.
Ironically, the tactics used by the attackers to evade detection—like reverse tunnels—can be repurposed as powerful security measures when properly implemented. The lesson is clear: to stay ahead of cyber threats, telecommunications companies must be proactive, innovative, and committed to building a culture of security.
The stakes are high, but with the right approach, the Salt Typhoon attacks can serve as a blueprint for stronger, more resilient networks.
Written by Ronald Bartels
Driving SD-WAN Adoption in South Africa