A joint warning issued by several United States federal government agencies indicates that Chinese hackers are feasting on the unpatched equipment of telcos, and that the companies may not even be aware that they have been breached.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI and other agencies warn that teams of state-sponsored Chinese hackers have been found nested deep in the networks of telcos, sometimes for years. Their favorite target as an entry point? Unpatched routers and network equipment that can be fairly easily compromised via published vulnerabilities. The focus seems to be on device types deployed in large numbers, including Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices.
The purpose of the campaign at this point is espionage, but there are indications that the threat actors are building some sort of shadow infrastructure that might be used for more complex attacks in the future.
Telcos being exploited for intelligence, used as “command and control centers”
While the Chinese hackers have to this point been engaging in traditional and expected espionage, some government cybersecurity experts believe that they are also using this compromised equipment to build long-term “command and control” systems that could be used for more directly damaging attacks in the future. While the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) draw up relevant security regulations, and agencies like CISA provide some level of assistance, most of the nuts and bolts of defending critical communications infrastructure fall on private telcos.
Chinese hackers have shown an increased interest in US government agencies and telcos in the past few years. One of the biggest breaches attributed to their state-backed teams was that of Syniverse, a third-party SMS routing contractor widely used by telcos to transfer customer text messages between their networks. While it was not necessarily attributable to unpatched equipment, the Syniverse breach is emblematic of how advanced Chinese hackers work: the firm was breached in 2016 but did not discover, until 2021, the backdoor through which the hackers were smuggling sensitive information out.
Chinese hackers linking some compromised telco equipment together
The government agencies issued the advisory based on observations of the movements of Chinese hackers since 2020, but, as the Syniverse breach indicates, telcos have been in their crosshairs for much longer and may also have been compromised prior to that.
The Chinese hackers are very straightforward in their approach, essentially going after the lowest-hanging fruit: vulnerabilities that have already been disclosed to the public, either because threat actors were observed using them or because a patch was issued. The problem is that telcos are simply not keeping up with patching all of their devices. The most frequent targets for initial network penetration are routers used for small offices and remote work setups, and network-attached storage devices.
While telcos may not be quick to patch all of this equipment, the Chinese hackers are quick to exploit it. CISA has observed them running large and well-organized campaigns that begin scanning for and exploiting vulnerabilities in this sort of equipment as soon as the vulnerabilities are made public.
The US believes that state-backed Chinese hackers are the culprits due to the intelligence targets, organization and advanced techniques used in evading network security. China routinely denies that it participates in any sort of foreign cyber espionage.