Compromising nation-wide infrastructure and the state of the cyberwarfare

In a world that is more and more connected and dependent on core infrastructure, be it ISPs[1] or telecom providers, it becomes critical for any government that this infrastructure is hardened.

Today we see war moving more and more into cyberspace. Kinetic war[2], which takes place in the physical world, would mean mutual destruction between the involved parties, whose arsenals hold the infamous weapons of mass destruction (WMD), such as nuclear and biological weapons; ironically, this is what keeps the world living in “peace”. But that is far from the complete picture of what is truly happening.

Cyberwarfare[3] has been going on for some time now (at least dating back to 2010 with the Stuxnet malware), but nothing could have predicted how big a deal cyberwarfare would become (especially in cyber-espionage), to the point of compromising an entire nation-state’s telecom infrastructure to gain access to valuable information about the enemy’s core infrastructure and to learn the enemy’s tactics or movements without direct armed conflict.

❓ What, Where and Who?

The USA has seen one of the most tragic events in its history of cyberwarfare: its entire telecom infrastructure being compromised further and further by an APT[4] tracked as Salt Typhoon[5], which achieved a very broad infiltration of the USA’s telecom infrastructure in late 2024. This specific APT gained unprecedented access to the infrastructure of the major telecom providers in the USA, such as T-Mobile, AT&T and Verizon, and recently even the satellite communications company Viasat.

The method, the scale and the information that this APT used and harvested from the major telecom providers were also far from a simple intrusion that could be easily handled. Cisco Talos, Cisco’s leading threat-intelligence and cyber security research division, discovered a very clever method that the APT used to stay stealthy while spying deep inside the USA’s core network and telecom infrastructure for over 3 years[6], while also infiltrating deeper and deeper into the networks of the USA’s telecom providers.

The infiltration did not target only companies but also the US government system used for court-authorized network wiretapping requests, as federal agencies in the USA have confirmed the APT’s access to the wiretapping system used by the US government. So there was a great deal of intelligence gathering by the APT for its state sponsor, which brings us back to how sophisticated these attacks have become in cyberwarfare between nation-states.

The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency within the US Department of Homeland Security (DHS), together with other big names among US federal agencies (like the FBI and NSA) and in coordination with the cyber security agencies of other nation-states, such as the Australian Cyber Security Centre (ACSC) and the Canadian Centre for Cyber Security (CCCS), has created guidelines to help telecoms defend against this specific APT and similar attacks, further emphasizing how critical this kind of cyberwarfare is becoming.

❓ How and When?

It is believed that in late 2024, according to Cisco Talos, it all started with one very critical CVE in Cisco’s IOS XE, CVE-2018-0171, with an impressive CVSS score of 9.8. In the cyber security world such a score is considered a gold mine for malicious activity, even more so for APTs, since almost all (if not all) of the USA’s telecom infrastructure uses Cisco’s solutions. The vulnerability enables an attacker to remotely access the vulnerable device through the most critical vulnerability class of all, remote code execution (RCE).
</gre_replace_placeholder_never_used>

This 2018 Cisco vulnerability, together with other CVEs in Cisco devices (like CVE-2023-20198, CVE-2023-20273 and CVE-2024-20399), enabled the APT to successfully compromise tens of thousands of vulnerable Cisco devices at major telecoms and gain root-level access to each one of them. Once inside, they began to move laterally within the network and compromised further devices that could not be reached from outside (from the open internet). By then they were inside the “trusted” network, continued to infiltrate deeper into the US’s digital infrastructure and went beyond telecom providers, targeting colocation and data center providers such as Digital Realty, according to the NSA and CISA. Digital Realty has a global infrastructure footprint and its clients include the three major cloud service providers (CSPs): Microsoft Azure, Google Cloud and Amazon, making this a very relevant achievement for the APT in question.

Even though Cisco devices are the main target of the Salt Typhoon APT, they are far from the only ones the APT is using to achieve its goal. Besides Cisco, there are also indications of the APT using FortiGate vulnerabilities to further compromise telecoms in other nation-states, like Canada, as the news pointed out:

“The development comes as the U.K. National Cyber Security Centre (NCSC) revealed two different malware families dubbed SHOE RACK and UMBRELLA STAND that have been found targeting FortiGate 100D series firewalls made by Fortinet.”

and even going beyond the North American continent:

“The findings dovetail with an earlier report from Recorded Future that detailed the exploitation of CVE-2023-20198 and CVE-2023-20273 to infiltrate telecom and internet firms in the U.S., South Africa, and Italy, and leveraging the footholds to set up GRE tunnels for long-term access and data exfiltration.”

The APT (according to Cisco Talos[6]) is further using extremely sophisticated techniques such as living-off-the-land (LOTL[7]) to stay under the radar of scanners and network defense solutions, which makes detection and eradication of the infiltration even more problematic for telecoms and CSPs.

🛡️ Countermeasures?

Besides the very detailed and well-documented CISA guidelines on this matter, which give telecoms best practices and hardening guides to follow, it is clear that, given today’s scenario and how interconnected we have become, we need to make devices more resilient: less blacklist[8] by default and more whitelist[9] by default, directly from the manufacturer. What does this mean? Well, these CVEs were only exploitable because many of these devices’ administration pages (web UI) and administration ports were wide open to the whole internet; if a malicious actor cannot even start communicating with these devices from the open internet (whitelist by default), they cannot compromise them in the first place. As Cisco Talos pointed out[6] in their extensive blog post about Salt Typhoon, the indicators of compromise came from 2 IPs that are not even inside North America but in the United Arab Emirates. So making these devices accept connections only from trusted IPs or domains would solve almost the entire problem in the first place.
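To make the whitelist-by-default point concrete, here is an added example configuration written for this post (it is not taken from the Cisco Talos or CISA documents). The Cisco IOS XE fragment shows the weak setting, a management web UI and SSH reachable from any source, beside the hardened one, where a standard ACL restricts both the HTTP server and the vty lines to a trusted management subnet and host. The ACL name MGMT-ALLOW is an assumption, and the addresses 192.0.2.0/24, 198.51.100.10 and 192.0.2.50 are RFC 5737 documentation placeholders standing in for a real management network, jump host and syslog collector.

```cisco
! ---- Weak (blacklist-by-default) ----
! Web UI and SSH listen on every interface and accept any source address;
! an internet-exposed device can be reached by anyone who finds it.
ip http server
ip http secure-server
line vty 0 4
 transport input ssh

! ---- Hardened (whitelist-by-default) ----
! Trusted management sources only (placeholder addresses, RFC 5737).
ip access-list standard MGMT-ALLOW
 permit 192.0.2.0 0.0.0.255
 permit host 198.51.100.10
 deny   any log
!
! Drop plaintext HTTP, keep HTTPS, and bind the web UI to the allow-list.
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ALLOW
!
! Same allow-list on the CLI: SSH only, and only from MGMT-ALLOW sources.
line vty 0 4
 transport input ssh
 access-class MGMT-ALLOW in
!
! Ship the denied attempts to a collector so unexpected sources are visible.
logging host 192.0.2.50
```

The `deny any log` entry makes every rejected management attempt a syslog event, which is precisely the signal a defender wants to alert on: connections to the management plane from addresses that should never be talking to it. The allow-list complements, but does not replace, applying the vendor fixes for the CVEs discussed above.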

Besides this simple change of mindset on the manufacturer’s side, we also need the support of government agencies to hold manufacturers and core infrastructure providers accountable for these vulnerabilities. Mistakes happen, we are all human after all, but a CVE from 2018 (almost 7 years of vulnerability as of the date of this post) still being present in today’s environment, inside the core infrastructure of major telecom providers, is clearly far from a mistake and much more a matter of weak regulation and weak cyber security governance at the companies.

💡 Conclusion

So today we clearly have a world more connected than ever before, with the arrival of AI and ever more services being created. Critical assets such as core infrastructure providers have to be held accountable for this, and manufacturers have to make their devices hardened by default, even more so when they are clearly being used in critical areas like these.

If government agencies do not find ways to force manufacturers and critical infrastructure providers to “harden” their way of thinking and implement new governance in their core business, it is clear how this story is going to end.

It is clear that updating and hardening guidelines from manufacturers are not enough to make this problem go away, even more so if the APT is already deeply infiltrated inside the core infrastructure of nation-states.

As the famous Chinese military general Sun Tzu says in one of his military tactics:

“The supreme art of war is to subdue the enemy without fighting.” — Sun Tzu’s The Art of War


  1. Internet Service Provider. A company or organization that provides individuals, businesses, and other entities with access to the Internet and sometimes related services.

  2. Kinetic war involves physical force and violence, using weapons like guns, missiles, tanks, ships, and aircraft. It aims to destroy, disable, or seize territory and infrastructure through direct combat.

  3. Cyberwarfare refers to state-sponsored or politically motivated digital attacks on information systems, networks, or critical infrastructure. The goal is to disrupt, spy on, or disable an opponent without physical violence.

  4. APT stands for advanced persistent threat, which is typically related to a state or state-sponsored group and is the most sophisticated category of hacking group.

  5. Salt Typhoon is a People’s Republic of China (PRC) state-backed actor that has been active since at least 2019 and is responsible for numerous compromises of network infrastructure at major U.S. telecommunication and internet service providers (ISPs).

  6. https://blog.talosintelligence.com/salt-typhoon-analysis/

  7. LOTL attacks are stealthy and hard to detect because they blend in with normal system or administrator behavior. Instead of dropping obvious malware, attackers use trusted tools already present in the environment.

  8. A blacklist is a list of known malicious or unauthorized items that are explicitly blocked from accessing a system.

  9. A whitelist is a list of approved or trusted entities. Everything not on the list is blocked by default.