How would you stop a stealthy telecom APT like #SaltTyphoon? Most only react when it’s too late. After researching the Salt Typhoon exploit chain, from unpatched routers to covert data exfiltration, I developed a layered security architecture designed explicitly for telecom networks, integrating detection, hardening, and proactive validation at every stage. Here’s how I broke it down:
1️⃣ Edge Routers: Exploit attempts, such as CVE-2023-20198, demand firmware lockdown and a Suricata-based IDS.
2️⃣ Infrastructure Core: Rootkits like Demodex evade traditional detection; NDR and FS integrity checks are critical.
3️⃣ Lawful Intercept Systems: Often overlooked, these mediation layers need strict RBAC and mTLS.
4️⃣ CDR & Subscriber DBs: Protecting metadata isn’t just a compliance task; SQL behavior analytics and field-level tokenization help stop insider-style exfil.
5️⃣ Egress Channels (DNS/TLS): Covert exfiltration over DNS or TLS? We apply deception, beacon pattern detection, and strict egress control.
But defense isn’t enough; that’s where X-SCAS comes in. Our platform simulates adversarial behaviors (rootkit drops, DNS tunnels, exploit attempts) to validate whether your security controls truly work, not just on paper but in live environments. Security assurance isn’t a checkbox; it’s an active, evolving commitment. I’ve included the architecture diagram that ties it all together, zone by zone, control by control. If you’re in telecom, infrastructure, or critical services, this might save you hours of design and maybe millions in breach costs. Would love your thoughts on how you are validating your defenses against today’s APTs. DM or comment if you want a detailed guide on the attack analogy of the Salt Typhoon cyber incident with detection, prevention, and hardening guidelines.
Proud of the work that we do at #xecuritypulse X-LAB, preparing practical use cases aimed at securing National Infrastructure and complementing the work of #CISA #tahasajid #Cybersecurity #TelecomSecurity #APTDefense #XSCAS #ThreatModeling #ZeroTrust #SaltTyphoon #5GSecurity #RedTeam #NetworkHardening #SecurityArchitecture #CISA #AIRANALLIANCE #3GPP #GSMA #ORAN
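As an added example, not part of the post above and not X-SCAS code: the two egress-side heuristics named in step 5 (DNS tunnelling via high-entropy subdomains, and fixed-interval beaconing) implemented as detection logic over constructed log lines. The log format (`epoch_seconds src target`), the thresholds, and the zone approximation (last two labels, no public-suffix list) are assumptions; `evil-domain.test` and the 203.0.113.0/24 and 198.51.100.0/24 addresses are reserved documentation values, not real infrastructure.

```python
import hashlib
import math
from collections import defaultdict
from statistics import mean, pstdev

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Parse constructed 'epoch_seconds src target' lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        records.append((float(parts[0]), parts[1], parts[2]))
    return records

def zone_of(qname: str) -> str:
    """Registered-domain approximation (assumption: last two labels, no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def dns_tunnel_candidates(records, min_queries=20, min_label_len=20,
                          min_entropy=3.0, min_unique_ratio=0.8):
    """Flag zones whose leftmost labels look like encoded payload:
    many distinct, long, high-entropy subdomains under a single zone."""
    leftmost_by_zone = defaultdict(list)
    for _ts, _src, qname in records:
        labels = qname.rstrip(".").lower().split(".")
        leftmost_by_zone[zone_of(qname)].append(labels[0] if len(labels) > 2 else "")
    flagged = {}
    for zone, labels in leftmost_by_zone.items():
        if len(labels) < min_queries:
            continue
        unique_ratio = len(set(labels)) / len(labels)
        avg_len = mean(len(lbl) for lbl in labels)
        avg_entropy = mean(shannon_entropy(lbl) for lbl in labels)
        if (unique_ratio >= min_unique_ratio and avg_len >= min_label_len
                and avg_entropy >= min_entropy):
            flagged[zone] = {"queries": len(labels), "unique_ratio": round(unique_ratio, 2),
                             "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_entropy, 2)}
    return flagged

def beacon_candidates(records, min_events=8, max_cv=0.15):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant:
    coefficient of variation (stdev / mean of the gaps) at or below max_cv."""
    times = defaultdict(list)
    for ts, src, dst in records:
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, ts_list in times.items():
        if len(ts_list) <= min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            flagged[pair] = {"events": len(ts_list), "mean_gap_s": round(m, 1), "cv": round(cv, 3)}
    return flagged

def build_sample_dns_log() -> str:
    """Constructed, not captured: three benign lookups plus 25 queries whose leftmost
    label is 32 hex characters, the shape a chunked exfiltration tunnel produces."""
    lines = [
        "1700000000 10.10.1.5 www.example.com",
        "1700000001 10.10.1.5 mail.example.com",
        "1700000002 10.10.1.5 cdn.example.com",
    ]
    for i in range(25):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]
        lines.append(f"{1700000010 + i} 10.10.1.7 {label}.tun.evil-domain.test")
    return "\n".join(lines)

# Constructed, not captured: one host calls out every ~60 s with small jitter,
# the other host's connections to its destination are irregular.
SAMPLE_CONN_LOG = """\
1700000000 10.10.1.7 203.0.113.10
1700000060 10.10.1.7 203.0.113.10
1700000121 10.10.1.7 203.0.113.10
1700000180 10.10.1.7 203.0.113.10
1700000240 10.10.1.7 203.0.113.10
1700000301 10.10.1.7 203.0.113.10
1700000359 10.10.1.7 203.0.113.10
1700000420 10.10.1.7 203.0.113.10
1700000480 10.10.1.7 203.0.113.10
1700000000 10.10.1.5 198.51.100.20
1700000007 10.10.1.5 198.51.100.20
1700000300 10.10.1.5 198.51.100.20
1700000301 10.10.1.5 198.51.100.20
1700000900 10.10.1.5 198.51.100.20
1700000905 10.10.1.5 198.51.100.20
1700002000 10.10.1.5 198.51.100.20
1700002001 10.10.1.5 198.51.100.20
1700002600 10.10.1.5 198.51.100.20
"""

if __name__ == "__main__":
    print("DNS tunnel candidates:", dns_tunnel_candidates(parse_log(build_sample_dns_log())))
    print("Beacon candidates:", beacon_candidates(parse_log(SAMPLE_CONN_LOG)))
```

The thresholds are deliberately conservative: a CDN that rotates short hostnames will not trip the entropy and label-length gates together, and the beacon check needs nine or more events before it judges regularity, so a handful of scheduled health checks do not alert. Tune `min_queries` and `max_cv` against a week of your own resolver and flow logs before trusting either score.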
Cybersecurity in Telecom Networks
Summary
Cybersecurity in telecom networks refers to the protection of communication systems—such as phone and internet networks—from cyber threats like hacking, espionage, and data theft. With telecom infrastructure often targeted by state-sponsored actors, securing these networks is crucial for safeguarding personal communications and national security.
- Assess legacy systems: Review and update older network equipment and software regularly to close gaps that attackers might exploit.
- Adopt strong authentication: Use modern authentication methods like passkeys, PINs, and phishing-resistant multi-factor authentication to secure user accounts and management systems.
- Encrypt communications: Choose end-to-end encrypted messaging apps and services to protect your calls and messages from unauthorized access.
On 13 Nov, the Cybersecurity and Infrastructure Security Agency & the Federal Bureau of Investigation (FBI) released a statement (https://lnkd.in/ezrFy_4j) on the US government's investigation into PRC targeting of telco infrastructure: “PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. We expect our understanding of these compromises to grow as the investigation continues." With the investigation ongoing, folks should take basic steps now to protect their personal communications. With gratitude to CISA's Senior Technical Advisor Bob Lord (https://lnkd.in/e-WxWiFF), consider the below steps:
- Enable FIDO authentication or FIDO https://lnkd.in/ezzyha7t for email & social media accounts
- Migrate off SMS MFA for all other logins. Migrate to FIDO/passkeys if you can, otherwise to an authenticator app
- Use a password manager for all passwords. Use a strong pass phrase (https://lnkd.in/ebPpTAU5) for the vault password.
- Set a telco PIN to reduce chances of a SIM-swap attack
- Update the OS and all apps and turn on auto update
Additional tips:
1. Encrypt all text and voice communications (some options):
- Signal works well on iPhones & Android phones.
- iMessage is great if all your contacts are within the Apple ecosystem, though that’s limiting
- Collaboration suites like Google Workspace or Teams can work but don’t always encrypt as you might assume. For example, Teams encrypts data point-to-point, meaning it’s decrypted on Microsoft’s servers before re-encrypting it to the recipient. If you want end-to-end encryption, there’s an option, but it’s off by default and only supports two people on the call.
- WhatsApp might be ok for some people based on their threat model but understand the metadata it keeps (https://lnkd.in/eQkP-Ety) & how it's used (https://lnkd.in/eiZmxgi4).
2. If you use an iPhone, disable these carrier-provided services that increase the attack surface:
- Disable: Settings > Apps > Messages > Send as Text Message
- Disable: Settings > Apps > Messages > RCS Messaging > RCS Messaging
3. Protect DNS lookups (some options):
- Apple iCloud Private Relay
- Cloudflare’s 1.1.1.1 resolver
- Quad9’s 9.9.9.9 resolver
4. Use recent hardware: Apple (13 or newer) or Google (Pixel 6 or newer)
5. Depending on your threat model, consider enabling Lockdown Mode on iPhones: it will disable some features, but it’s manageable
-
Following cyber espionage by PRC-affiliated actors against multiple US-based telcos, #CISA and partners have released guidance for telcos, which offers some clues as to what might have happened. The espionage campaign by the PRC-based actor nicknamed Salt Typhoon (presumed to be PRC MSS) enabled theft of customer call data records, private communications of government and political individuals, and copying of lawful intercept information, from AT&T, Verizon, and Lumen. In other words, Salt Typhoon were presumably able to spy on US government comms, track everyone's movements and calls, and see who is being wiretapped, potentially for several years. The "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" was released on Tuesday by #CISA, #NSA, #FBI, and cyber agencies from Australia, NZ, and Canada, and includes advice on how to defend telco networks. The guidance states up front that "no novel activity" was observed: the threat actors exploited existing vulnerabilities. At a high level, the key points for hardening are:
🔒 Do not expose management interfaces to the Internet, and make sure they do not use default passwords! This seems to be a problem in a lot of critical infra.
🔒 Keep management networks separate from data networks, and default deny inbound and outbound network traffic that is not needed.
🔒 Deploy security patches (especially on vulnerable Cisco hardware); note that these attackers are not using 0-days.
🔒 Log authn, configuration changes, and network traffic on critical interfaces, then send logs encrypted to a central logging system (SIEM).
🔒 Use only strong, approved encryption algorithms.
🔒 Use phishing resistant MFA for accounts accessing sensitive systems.
For telco customers (i.e. everyone!) this means we need to take attacker-in-the-middle threats seriously. The FBI and CISA have warned that SMS and phone calls are not secure, and you should use an end-to-end encrypted messaging app (e.g. iMessage/FaceTime, Signal, WhatsApp). I never thought I would see the day!
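As an added example, not part of the post above and not from the CISA guidance itself: the first four hardening points (exposed management interfaces, default and reversible credentials, central logging, restricted remote access) turned into a textual audit over two constructed Cisco IOS-style config fragments, a weak one and a hardened one. Assumptions: the command spellings follow IOS conventions, neither fragment comes from a real device, the `$9$placeholder` hashes and the 10.250.0.0/24 management range are invented, and the audit only reads text, so it cannot tell whether the logging host is reached over an encrypted channel or whether the access-list really matches the management network.

```python
import re

# Constructed example configs in Cisco IOS-style syntax (assumption: illustrative only,
# not taken from any real device).
WEAK_CONFIG = """\
hostname pe-edge-01
enable password cisco
username admin privilege 15 password 0 cisco
ip http server
ip http secure-server
snmp-server community public RO
line vty 0 4
 transport input all
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname pe-edge-01
aaa new-model
enable secret 9 $9$placeholder
username admin privilege 15 secret 9 $9$placeholder
no ip http server
no ip http secure-server
ip ssh version 2
logging host 10.250.0.5 transport tcp port 6514
ip access-list standard MGMT-ONLY
 permit 10.250.0.0 0.0.0.255
 deny any log
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
 login authentication default
"""

def parse_config(text):
    """Return [(command, [indented child lines])]; '!' comment lines and blanks are dropped."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_config(text)
    top = [cmd for cmd, _ in sections]

    def present(prefix):
        return any(cmd.startswith(prefix) for cmd in top)

    findings = []
    # 1. Management interfaces: the web UI is the surface CVE-2023-20198 (see the first post) targeted.
    if present("ip http server"):
        findings.append("ip http server: HTTP management UI enabled; disable it")
    if present("ip http secure-server"):
        findings.append("ip http secure-server: HTTPS management UI enabled; disable or restrict it")
    # 2. Default or reversible credentials.
    if present("enable password"):
        findings.append("enable password: reversible encoding; use 'enable secret'")
    if any(re.match(r"username \S+ .*\bpassword\b", cmd) for cmd in top):
        findings.append("username ... password: use 'username ... secret'")
    if any(re.match(r"snmp-server community (public|private)\b", cmd) for cmd in top):
        findings.append("snmp-server community: default community string in use")
    # 3. Central logging, AAA and SSHv2.
    if not present("logging host"):
        findings.append("logging host: no central syslog destination configured")
    if not present("aaa new-model"):
        findings.append("aaa new-model: AAA not enabled")
    if not present("ip ssh version 2"):
        findings.append("ip ssh version 2: SSHv2 not enforced")
    # 4. Remote-access lines: source restriction and SSH-only transport.
    for cmd, children in sections:
        if not cmd.startswith("line vty"):
            continue
        if not any(c.startswith("access-class") for c in children):
            findings.append(f"{cmd}: no access-class restricting management sources")
        transports = [c for c in children if c.startswith("transport input")]
        if not transports or any(tok in ("all", "telnet") for t in transports for tok in t.split()[2:]):
            findings.append(f"{cmd}: transport input allows non-SSH access")
        if any(c.startswith("password") for c in children):
            findings.append(f"{cmd}: line password instead of AAA authentication")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a `show running-config` export and treat every finding on an Internet-facing interface as a priority: the guidance's own point is that none of these weaknesses needs a 0-day to exploit.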
-
The NSA, together with CISA, FBI, and international partners, issued a major joint cybersecurity advisory exposing how Chinese state-sponsored actors have been compromising critical networks worldwide to fuel a global espionage system. The advisory highlights persistent campaigns targeting telecoms, transport, lodging, defense, and government networks by leveraging vulnerabilities on large backbone routers of major telecommunication providers, as well as provider edge (PE) and customer edge (CE) infrastructure. These operations are attributed to multiple advanced threat clusters, including Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and others. The report highlights the TTPs, IOCs, and list of CVEs commonly exploited by this APT group. The recommendations are clear: strengthen threat hunting at the edge, enforce centralized logging and network visibility, and close off known vulnerabilities before they are exploited.
Call to action: If you're responsible for network security in a critical infrastructure organization, prioritize reviewing the detailed technical guidance provided in this advisory. Implement the recommended mitigations, conduct thorough audits of your network edge devices, and ensure your security teams are equipped to detect the specific TTPs outlined in the report. #Cybersecurity #APT https://skd.so/UXMrof
-
China’s Salt Typhoon Hackers Still Targeting U.S. Telecoms, Exploiting Cisco Routers
Despite high-profile exposure and U.S. sanctions, the Chinese state-sponsored hacking group Salt Typhoon continues to breach telecommunications and internet service providers, including two more U.S. telecom firms. A new report from cybersecurity firm Recorded Future reveals that Salt Typhoon has expanded its attacks, now targeting telecoms, universities, and internet infrastructure worldwide.
Key Findings from the Report
- Salt Typhoon’s Cyber Espionage Continues Unabated:
  - The group has breached five more telecom companies and over a dozen universities worldwide, including institutions in the U.S. and Vietnam.
  - Two newly breached U.S. telecom firms include: a major internet service provider, and a U.S.-based subsidiary of a UK telecom company.
  - The hacks occurred between December 2024 and January 2025, following earlier exposure of Salt Typhoon’s attacks on nine major U.S. phone carriers.
- Exploiting Cisco Routers for Persistent Access:
  - Salt Typhoon is now leveraging vulnerabilities in Cisco routers to bypass traditional security defenses.
  - Hijacking core networking hardware allows attackers to monitor communications in real time, stealing texts, calls, and sensitive network traffic.
- Universities Also Under Attack:
  - Hackers have compromised over a dozen universities, including institutions in Utah and Vietnam, likely for intellectual property theft and espionage.
Why This Matters
- Mass Surveillance of American Communications:
  - By breaching U.S. telecom networks, Salt Typhoon can intercept real-time calls, texts, and sensitive data from American users.
  - This poses a severe national security risk, especially for government officials, military personnel, and critical industries.
- Failure of Sanctions to Stop Cyber Espionage:
  - Despite U.S. countermeasures, including sanctions and public exposure, Salt Typhoon has not slowed its activities.
  - This suggests that China remains undeterred by diplomatic or economic consequences.
- Exploiting Networking Infrastructure for Long-Term Access:
  - Compromising Cisco routers gives China a foothold deep inside telecom networks, making it harder to detect and remove their presence.
  - Unlike typical malware-based intrusions, router-level attacks can persist through reboots and software updates.
China’s Salt Typhoon remains an active and dangerous cyber threat, undeterred by U.S. sanctions and global exposure. With U.S. telecom networks still compromised, securing critical infrastructure against future attacks will be a top priority for national security officials.
-
Real-time Security Monitoring Detection and Mitigation in 5G Networks 9 AM EDT Friday July 18 Abstract: Johns Hopkins University in collaboration with IEEE has been building a security and monitoring testbed for the last year that serves as a proof of concept of some of the security controls in 5G Standalone (SA) architecture. This testbed report highlights the results from four different prototypes addressing cybersecurity requirements for mission critical users. This includes generating, detecting, and mitigating attacks on the control plane (e.g., Next-Generation Application Protocol [NGAP]), the user plane [General Packet Radio Services (GPRS) Tunnelling Protocol User Plane (GTP-U)], Voice over Internet Protocol (VoIP) services (including Session Initiation Protocol [SIP] and Real-time Transport Protocol [RTP]), and service-oriented interfaces within the control plane (e.g., Hypertext Transfer Protocol 2.0 [HTTPv2]). The service providers and enterprise providers will find the results and methodologies from these experiments useful as they plan to deploy security controls either to fulfill the security requirements or further mitigate cyber-attacks on their commercial networks. These security controls and mitigation techniques will help provide desired quality of service to mission critical users in spite of denial-of-service (DoS) attacks. Results from four use cases demonstrate that many of the attacks in the control plane and user plane can be mitigated if proper security controls are applied. As part of this talk, I will provide some technical details about the security monitoring methods, controls, and mitigation. Eman Hammad, PhD Craig Polk Fawzi Behmann Dr. Ashutosh Dutta Web URL - https://lnkd.in/e9XSQupg
-
FBI and CISA have warned that some US telecommunication companies have been breached by China-backed Salt Typhoon to snoop on US secrets and maintain access. Multiple US telecommunications companies were hacked into by a People’s Republic of China (PRC)-backed threat actor to carry out a full-blown cyber-espionage attack, according to a joint FBI and CISA statement. It’s long past the time to seriously address these ongoing threats. To defend against evolving state-sponsored threats, telecoms and other critical infrastructure operators should integrate advanced technologies with cybersecurity best practices. Key measures include:
- Deploying AI-driven threat detection systems for real-time intrusion identification and maintaining a proactive security posture.
- Regularly updated incident response plans with clear protocols for containment and recovery, essential for minimizing damage.
- Conducting frequent security audits and vulnerability assessments, especially on legacy systems, to identify and mitigate weaknesses.
- Active threat intelligence sharing with peers and government agencies to enhance awareness and speed up threat mitigation.
- Regular employee training on cybersecurity best practices, including phishing simulations, to reduce insider threats and ensure a robust cybersecurity strategy.
Best practices notwithstanding, it is important to incorporate advanced security technologies that embody the concept of "enterprise digital sovereignty" to further enhance an organization's defense capabilities. This approach provides a Zero Trust security architecture that includes data-in-flight protection, enhanced authentication verification, and data loss prevention. It operates as a control plane management system for cryptographic operations, offering a streamlined path to implementing Zero Trust principles.
By eliminating the need for traditional public key infrastructure and automating multi-factor authentication, this technology reduces the complexity and potential vulnerabilities associated with cryptographic operations. The flexibility of deploying such technologies—whether on-premises, in the cloud, or in hybrid environments—ensures that organizations can tailor their security solutions to their specific needs. By integrating these advanced technologies, telecoms and critical industries can significantly enhance their security posture, making it more difficult for state-sponsored actors to exploit vulnerabilities. #china #nationalsecurity #cyber #cybersecurity KnectIQ Cybersecurity and Infrastructure Security Agency Federal Communications Commission Federal Trade Commission National Security Agency U.S. Cyber Command FBI Cyber Division U.S. Department of Energy (DOE) Buchanan Ingersoll & Rooney PC
-
In CXOTalk episode 873 featuring Anand Oswal, from Palo Alto Networks, we explore the pressing concerns of securing 5G networks. As the sophistication of cyber threats continues to grow, it's no longer about "if" you'll face an attack but "when." Oswal emphasizes the need for proactive strategies to safeguard your digital infrastructure from these evolving risks. Here are some key takeaways from the discussion:
- Zero Trust Approach: Implement a zero trust framework by continually validating users, devices, and sessions. This strategy ensures comprehensive oversight and security across all digital interactions within your 5G network.
- Layered Security: Ensure protection across all layers: signaling, application, data, and management. Many security solutions focus only on certain layers, leaving gaps vulnerable to threats.
- Comprehensive Visibility: Gain visibility into every facet of your network, including edge, core, cloud, and more. This comprehensive view helps identify and mitigate threats swiftly and efficiently.
- Advanced Threat Management: Address evasive attacks with advanced security measures across all devices and services. This approach secures all potential threat vectors, safeguarding your infrastructure against breaches.
This topic is vital for security professionals, CIOs, and telecom operators. If you fall into one of those groups, watch the entire conversation. #CISO #CIO #5GSecurity #Cybersecurity #ZeroTrust #CXOTalk
-
For those who do not closely track the cyber landscape, the name Salt Typhoon may not mean much. But behind it lies an advanced and persistent Chinese hacking group actively targeting the #US telecom networks on which we all rely. These aren’t just attacks on governments or corporations—they’re breaches of the systems that carry your calls, texts, and private #data. When hackers break into these systems, it puts all of us at risk. Salt Typhoon uses advanced malware to infiltrate these systems, exploiting weaknesses in software like VPNs and email servers. Once inside, their tools let them spy on communications, steal sensitive data, and quietly stay hidden potentially for YEARS. Telecom networks are the foundation of modern life. A compromised system not only exposes personal information—it can disrupt economies, jeopardize #nationalsecurity, and leave entire societies vulnerable.
-
The Salt Typhoon cyberattacks on U.S. telecom networks are a wake-up call, not just for the telecommunications industry but for all of us invested in safeguarding critical infrastructure. As Jen Easterly aptly pointed out, these attacks are "just the tip of the iceberg," underscoring how deeply vulnerable our systems are to sophisticated nation-state campaigns. Here’s the real concern: our response continues to lag behind the speed and scale of these threats. While investigations are essential for uncovering root causes, the time gap between detection and action leaves organizations and entire industries exposed. In my discussion with Axios last week: "As long as humans have been humans, we have been playing the games of war and crime, and it's always been about information (and insights) versus information (and insights)." In my conversations with security leaders, there is one clear common theme: understanding and managing your exposure swiftly with data-driven insights and automation is the only way to fight threats like Salt Typhoon. At Balbix, we focus on maximally automated exposure management because it’s not just about knowing what vulnerabilities exist, but also the context and risk of each exposure instance, then prioritizing which of these matter most, and then taking swift mitigating action. Nation-state attackers aren’t waiting for us to finish drafting policies or debating strategies. They’re operating now, exploiting every gap they can find. As an industry, we need tools and processes that operate at the same speed as the attackers, tools that provide real-time visibility, prioritization, and actionable insights. Let’s not let hesitation be our greatest vulnerability. https://lnkd.in/gEdiEZjP #cybersecurity #ciso #exposuremanagement