T-Mobile US CSO: Spies jumped from one telco to another in a way 'I've not seen in my career'

Security chief talks to El Reg as Feds urge everyone to use encrypted chat


Interview While Chinese-government-backed spies maintained access to US telecommunications providers' networks for months – and in some cases still haven't been booted out – T-Mobile US thwarted successful attacks on its systems "within a single-digit number of days," according to the carrier's security boss Jeff Simon.

T-Mo's CSO, in an interview with The Register Wednesday, declined to make public the exact timeline of the intrusion attempts by the Beijing-run crew. "They were active for a single-digit number of days, and it was within the last couple of months," was all he would reveal.

Simon spoke with El Reg a day after FBI and CISA officials briefed reporters on the massive cyber-espionage campaign, during which China-affiliated snoops successfully broke into US telecom companies' networks, compromised wiretapping systems used by law enforcement, and used that access to steal customers' call records and metadata. 

A Chinese government-linked group dubbed Salt Typhoon is believed to be behind the attacks. It's understood Verizon, AT&T, and Lumen Technologies, at least, were hit by the crew.

While the Feds said during their Tuesday briefing that the Chinese intruders didn't use any zero-day exploits nor "novel techniques" to gain access to the networks, Simon told us the way the cyber-spies hopped between organizations' networks and tried, ultimately unsuccessfully, to break into T-Mobile US was unique.

Late last week, Simon disclosed that whoever was trying to access T-Mobile US's inner systems compromised an unnamed wireline provider's network that was connected to T-Mo, and used this access for multiple infiltration attempts that we're told were ultimately blocked. He wouldn't name the third-party carrier. 

"But the technique that was used to go from one telecommunications infrastructure to another, I would say, is novel," Simon told us. "That's not something that I've seen in my 15-plus-year career in cyber security. It's not something that is well published or read about. There's no CVE for it."

The FBI began investigating security breaches at US telecommunications providers in late spring and early summer. "We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing," Jeff Greene, CISA's executive assistant director for cyber security, told journos on Tuesday.

"We see ourselves as a bit of an outlier here versus what's been reported about the other telecoms," Simon told The Register, adding that the would-be intruders did not access any sensitive customer data such as calls, voicemails, and texts, nor did they disrupt any T-Mo services. 

In a briefing with media on Wednesday... Senior White House officials said eight telecoms providers in America have been hit by Salt Typhoon one way or another, as well as organizations in "dozens of countries around the world."

"We believe this is a Chinese espionage program focused, again, on key government officials, and corporate intellectual property," said Anne Neuberger, the US deputy national security adviser for cyber and emerging technologies.

The spying has been ongoing for one or two years, officials said, and has hit networks in Europe, the Indo-Pacific region, and beyond.

T-Mobile US began hunting for Salt Typhoon in early summer, upon hearing reports from law enforcement and other operators about a "large, coordinated attack on telecommunications infrastructure," Simon recalled. 

However, the un-carrier "saw no signs of the behavior indicative of the actor, Salt Typhoon, for many months," he added. "It was only recently when we started to see a small bit of behavior that perhaps is consistent."

This included "reconnaissance-type behavior," but Simon couldn't definitively attribute the attempted snooping to Salt Typhoon. "We have no clue who was on the other side of that keyboard."

We understand miscreants managed to get into some edge network infrastructure devices including a T-Mo-operated router, but got no further as they were stopped there; as above, they weren't able to get to customer information or services, we're told.

At this point, he's confident whoever the intruders may be, they remain outside T-Mo's systems: "The short answer is yes," Simon declared.

"We have confidence because we're able to trace back the activity with a high degree of detail because it was such a short period," the CSO told us. "We can go through every command that was run and look to see, hey, were they trying to establish secondary access points here? Where did they move, every device that they touched."

Simon declined to say how many of the carrier's devices were accessed, only that "it is less than one percent of our telecommunications infrastructure."

Upon spotting the strange activity, T-Mobile US contacted the Feds and fellow telecom operators to share what it saw and hopefully help mitigate the snooping behavior. 

Simon credits T-Mo's layered defense with stopping any espionage attempts targeting his customers and systems.

"The idea of this really is that against a sophisticated adversary – someone of the level of Salt Typhoon – it's unlikely that we're going to pitch a perfect game. They have extremely sophisticated capabilities, zero-day vulnerabilities that we don't even know exist, and you're going to have a situation where they have some level of success. We design our controls to assume that's going to happen. And when they have success, we want to contain them, and we want to force them to have the hardest time possible."

This includes implementing FIDO2 authentication for all T-Mo employees – "and it makes credential theft from our workforce extremely difficult," Simon noted. 

In the case of credentials where FIDO2 can't be deployed, T-Mobile US rotates the credentials "extremely regularly, and we see this directly impacting the attacker," Simon told The Reg. "When they get into our environment, they struggle to get credentials. When they get them, we change the credentials on them very quickly, and that slows down their activity."

Plus, there's the fact that T-Mobile US is a wireless-only carrier, so it doesn't have the added burden of wireline networks and legacy technology that many network operators have to manage.

On the other hand, as we're sure you all remember, T-Mo has had its security breached at least seven times since 2018. In September this year, the telco agreed to fork out $31.5 million to improve its cybersecurity and pay a penalty after a series of network intrusions affected tens of millions of customers. At least this latest episode is a welcome turnaround.

PS: Use encryption

Meanwhile, as other network operators struggle to mitigate the damage caused by Salt Typhoon and implement hardening guidance issued yesterday by the Feds and international friends – including shoring up "Cisco-specific features often being targeted" by the Chinese spies – US officials urged folks to use strongly encrypted messaging and communications whenever possible to protect information from theft-in-transit and surveillance.

"Encryption is your friend – whether it is on text messaging or if you have the capacity to use encrypted voice communications," CISA's Greene said. "Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible, if not really hard, for them to detect it. So, our advice is to try to avoid using plain text."

We agree, Uncle Sam. We agree. ®
