Telecom exec: Salt Typhoon inspiring other hackers to use unconventional techniques

Hackers are increasingly adopting the techniques of the Chinese group that infiltrated major telecommunications providers in headline-making attacks last year, hunting for unconventional weak spots rather than confronting established defenses, an AT&T executive said Monday.
AT&T was one of the major providers to fall victim to the sweeping campaign from the group, known as Salt Typhoon, but the company has since said it evicted the hackers from its networks.
“We’re seeing adversaries really change the way they’re doing things, very similar to what Salt Typhoon did,” Rich Baich, chief information security officer at AT&T, said at the Google Cloud Cyber Defense Summit.
There were three things that stood out about the way Salt Typhoon approached its campaign, he said. One was hunting for weak points in the company’s ability to find and track malicious activity on physical devices like phones or laptops, known as endpoint detection and response (EDR).
“Traditionally as practitioners, we focused on putting endpoint detection on our devices to help us provide a certain level of protection,” Baich said. “Salt Typhoon’s approach was a little bit different. They said, ‘Well, what about all the other platforms that traditionally don’t have an EDR?’ And those platforms then can be utilized in many fashions, carrying out different types of actions.”
“What we need to think about is this: Do we need to have endpoint protection elsewhere, in different platforms?” Baich added. “So that’s one: They’re going to the areas of least resistance and not spending time trying to combat traditional security controls.”
Another technique that’s growing in use since the Salt Typhoon attacks is “looking for things where we don’t have logs,” he said. Baich said attackers are “re-engineering and thinking of tradecraft techniques that allow them to circumvent known controls, and things that we may do today, but in certain parts of our networks, we may not have those things enabled.”
Lastly, Salt Typhoon and its mimics have been turning to what’s called “living off the land” attacks, where attackers rely on legitimate tools that already exist in a victim’s networks.
“Third thing that they are doing is using the actual administrative tools that we use to perform those functions, so [a lesson for potential victims is] making sure that those are locked down and you understand all the administrative tools that you have in your environment,” Baich said. “All of that is because they’re actually trying to be part of your network.”
The combination of those techniques, as well as a dedication to covering and wiping their tracks to avoid digital forensics probes, means that “we have to be much more efficient operators,” he said. “We have to think outside the box. It’s not just about just having the technology; it’s understanding how to use the technology and understanding how your technology can be used against us.”
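The first two gaps Baich describes, platforms with no EDR agent and places where no logs are collected, are both visibility problems a defender can measure. The following script is an added illustration, not code from the article, AT&T or Google Cloud: it reconciles a constructed asset inventory against constructed EDR check-ins and log-source records and reports which assets lack either control, so the "areas of least resistance" show up before an adversary goes looking for them. All hostnames, platform labels and field names are assumptions.

```python
"""Coverage-gap review: which assets lack EDR telemetry or log forwarding?

Added example. Inventory, EDR heartbeats and SIEM log-source records below
are constructed sample data; the field names are assumptions, not any
vendor's schema.
"""
from datetime import datetime, timedelta

# Constructed inventory: traditional endpoints plus the "other platforms"
# (routers, appliances, hypervisors) that usually cannot run an EDR agent.
INVENTORY = [
    {"host": "ws-0142", "platform": "windows-workstation"},
    {"host": "srv-db-03", "platform": "linux-server"},
    {"host": "core-rtr-01", "platform": "network-router"},
    {"host": "vpn-gw-02", "platform": "vpn-appliance"},
    {"host": "esxi-07", "platform": "hypervisor"},
]
# Constructed EDR agent heartbeats: host -> last check-in time.
EDR_CHECKINS = {
    "ws-0142": datetime(2025, 1, 10, 8, 5),
    "srv-db-03": datetime(2025, 1, 10, 7, 50),
}
# Constructed SIEM log-source registry: host -> last event received.
LOG_SOURCES = {
    "ws-0142": datetime(2025, 1, 10, 8, 0),
    "core-rtr-01": datetime(2025, 1, 2, 3, 0),   # went quiet a week ago
    "esxi-07": datetime(2025, 1, 10, 6, 0),
}

def stale(last_seen, now, max_age):
    """A control counts as absent if it never reported or stopped reporting."""
    return last_seen is None or now - last_seen > max_age

def coverage_gaps(inventory, edr, logs, now, max_age=timedelta(hours=24)):
    """Return {host: {platform, edr, logs}} for assets missing >= 1 control."""
    gaps = {}
    for asset in inventory:
        h = asset["host"]
        has_edr = not stale(edr.get(h), now, max_age)
        has_logs = not stale(logs.get(h), now, max_age)
        if not (has_edr and has_logs):
            gaps[h] = {"platform": asset["platform"], "edr": has_edr, "logs": has_logs}
    return gaps

def blind_spots(gaps):
    """Hosts with neither EDR nor logs: the highest-priority review list."""
    return sorted(h for h, g in gaps.items() if not g["edr"] and not g["logs"])

if __name__ == "__main__":
    gaps = coverage_gaps(INVENTORY, EDR_CHECKINS, LOG_SOURCES, datetime(2025, 1, 10, 9, 0))
    for host, g in gaps.items():
        print(f"{host:12} {g['platform']:20} edr={g['edr']} logs={g['logs']}")
    print("no visibility at all:", blind_spots(gaps))
```

Feeding real CMDB, EDR console and SIEM exports into the same three structures turns this into a recurring check; a stale-but-present log source (the router above) is flagged the same way as a missing one, which is the "we may not have those things enabled" case Baich describes.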
Ironically, network defenders might be a victim of their own success, said Rob Joyce, the former cybersecurity director of the National Security Agency.
Defenses for the most-used technology in society today — from mobile phones to web browsers — have gotten very good, Joyce said at the same conference. Vulnerability management, patch management, threat intelligence — all have bolstered defenses, he said.
Because of that, “it just takes exploits chained together in multiple paths to get to success,” said Joyce, who now runs his own cybersecurity consulting firm.
“All of that has advanced us,” he said. “At the same time, we’ve evolved the attackers through that activity. I think by calling out some of the bad behavior, by highlighting the things that have worked or not worked, we’ve pushed people into new exploit methodology.”