The Salt Typhoon cyber intrusion, a wide-ranging campaign attributed to a Chinese state-backed espionage group, was first detected on U.S. federal networks, according to Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. Speaking at the Foundation for Defense of Democracies this week, Easterly confirmed that the initial discovery of the hackers on government systems allowed law enforcement to investigate further and ultimately uncover the group’s broader activities.
Salt Typhoon, linked to China’s Ministry of State Security, targeted telecommunications providers in the U.S. and abroad. Nine American telecom providers were directly affected, and 80 other telecom firms also reported breaches. Several hundred organizations were subsequently warned of potential risks related to the campaign, which is believed to have persisted for one to two years before being identified. This campaign represents one of the most extensive telecommunications-focused cyber espionage operations discovered since the 2020 SolarWinds breach.
While major U.S. providers have since stated that the hackers have been removed from their networks, it remains uncertain whether all vulnerabilities have been fully addressed. The breach’s discovery came amid CISA’s recent push for enhanced cloud security standards across federal agencies, highlighting the growing sophistication of state-sponsored cyber threats.
Easterly elaborated that CISA’s visibility into federal systems played a critical role in piecing together the extent of the breach. “We saw it as a separate campaign called another goofy cyber name,” she said, adding that the detection on government systems “enabled law enforcement to unravel and ask for process in virtual private servers.” Collaboration with private sector partners also proved essential, as tipsters helped connect the dots and reveal the true scale of Salt Typhoon’s operations.
The hacking group’s activities involved the use of actor-leased virtual private servers, which law enforcement accessed to gain further insights. These efforts allowed officials to assist affected telecom providers and understand the broader implications of the campaign. Easterly emphasized that this discovery underscores the importance of ongoing cooperation between the government and private sector in addressing cyber threats, building on CISA’s established public-private partnership initiatives.
Salt Typhoon is part of a larger threat landscape tied to Beijing-backed cyber espionage actors. Easterly cautioned that groups like Salt Typhoon and the related Volt Typhoon are “the tip of the iceberg,” warning that other Chinese state-linked actors have already infiltrated critical U.S. infrastructure. These intrusions, she said, are likely intended to enable disruptive or destructive attacks in the event of a geopolitical crisis, such as one involving the Taiwan Strait.
To mitigate future risks, Easterly stressed the need for resilience rather than prevention alone. “At the end of the day, we need to be prepared for disruption,” she said. “It is really about architecting our systems, building our infrastructure, and training and exercising our people to be prepared for this disruption so that we can respond to it and recover as rapidly as possible.”
Meanwhile, as Nextgov/FCW has reported, the Government Accountability Office is considering the costs of replacing telecommunications equipment vulnerable to cyber intrusions, underscoring the ongoing challenges of securing critical infrastructure. This evaluation comes as part of a broader federal initiative to strengthen national cybersecurity infrastructure, supported by recent increases in cybersecurity grant funding for state and local governments.
Source: Nextgov/FCW
January 17, 2025 – by Ali Nassar-Smith