US recommends encrypted messaging as Chinese hackers linger in telecom networks

A US government security official urged Americans to use encrypted messaging as major telecom companies struggle to evict Chinese hackers from their networks. The attack has been attributed to a Chinese hacking group called Salt Typhoon.

There have been reports since early October that Chinese government hackers penetrated the networks of telecoms and may have gained access to systems used for court-authorized wiretaps of communications networks. Impacted telcos reportedly include Verizon, AT&T, T-Mobile, and Lumen (also known as CenturyLink).

T-Mobile has said its own network wasn’t hacked but that it severed a connection it had to a different provider whose network was hacked. Lumen has said it has no evidence that customer data on its network was accessed.

The US Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and international partners yesterday urged telecommunications providers to upgrade their security and published a guide with recommended practices. Officials also spoke to the media, saying that it isn’t clear when telecom providers will be able to close their networks to the hackers.

“I think it would be impossible for us to predict a time frame on when we’ll have full eviction,” CISA Executive Assistant Director for Cybersecurity Jeff Greene said, according to Bloomberg. “We’re still figuring out just how deeply and where they’ve penetrated, so until we have a complete picture, it’s hard to know the exact parameters of how to kick them off.”

US backs encryption but also wants backdoors

Greene’s advice for Americans? Use encryption. “Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” he said, according to NBC News.

An unnamed FBI official was quoted in the same report as saying that phone users “would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption, and phishing-resistant” multifactor authentication for email accounts, social media, and collaboration tools.

The FBI official reportedly said the hackers obtained metadata showing the numbers that phones called and when, the live phone calls of some specific targets, and information from systems that telcos use for court-ordered surveillance.

Despite recognizing the security benefits of encryption, US officials have for many years sought backdoors that would give the government access to encrypted communications. Supporters of end-to-end encryption have pointed out that backdoors can also be used by criminal hackers and other nation-states.

“For years, the security community has pushed back against these backdoors, pointing out that the technical capability cannot differentiate between good guys and bad guys,” cryptographer Bruce Schneier wrote after the Chinese hacking of telecom networks was reported in October.

Noting the apparent hacking of systems for court-ordered wiretap requests, Schneier called it “one more example of a backdoor access mechanism being targeted by the ‘wrong’ eavesdroppers.”

1994 surveillance law in focus

CISA issued a statement on the Chinese hacking campaign in mid-November. It said:

The US government’s continued investigation into the People’s Republic of China (PRC) targeting of commercial telecommunications infrastructure has revealed a broad and significant cyber espionage campaign.

Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to US law enforcement requests pursuant to court orders.

The hacks raise concerns about surveillance capabilities required by a 1994 law, the Communications Assistance for Law Enforcement Act (CALEA), which requires “telecommunications carriers and manufacturers of telecommunications equipment design their equipment, facilities, and services to ensure that they have the necessary surveillance capabilities to comply with legal requests for information.”

“These telecommunications companies are responsible for their lax cybersecurity and their failure to secure their own systems, but the government shares much of the blame,” US Sen. Ron Wyden (D-Ore.) wrote in an October 11 letter to the FCC and Justice Department. “The surveillance systems reportedly hacked were mandated by federal law, through the Communications Assistance for Law Enforcement Act (CALEA). CALEA, which was enacted in 1994 at the urging of the Federal Bureau of Investigations (FBI), forced phone companies to install wiretapping technology into then-emerging digital phone networks. In 2006, acting on a request from the FBI, the Federal Communications Commission (FCC) expanded this backdoor mandate to broadband Internet companies.”

A Lumen spokesperson told Ars today that “to date, there is no evidence that customer data was accessed on our network, and there was no impact to our CALEA (wiretap) systems.” The spokesperson noted that Lumen, which is known for its CenturyLink broadband network, does not provide wireless phone service.

T-Mobile severed link to compromised network

T-Mobile addressed the hacks in a November 27 blog post that did not mention CALEA or wiretapping. T-Mobile’s post suggested that its own network wasn’t compromised.

“Within the last few weeks, we detected attempts to infiltrate our systems by bad actors. This originated from a wireline provider’s network that was connected to ours… We quickly severed connectivity to the provider’s network as we believe it was—and may still be—compromised. We do not see these or other attackers in our systems at this time,” T-Mobile Chief Security Officer Jeff Simon wrote.

Simon wrote that T-Mobile “cannot definitively identify the attacker’s identity, whether Salt Typhoon or another similar group, but we have reported our findings to the government for assessment.”