The Cybersecurity and Infrastructure Security Agency spotted Salt Typhoon on federal networks before defenders discovered the China-sponsored threat group intruded into U.S. telecom systems, Director Jen Easterly said Wednesday.
CISA’s sleuthing “enabled law enforcement to unravel and ask for process on virtual private servers,” Easterly said during an onstage interview at the Foundation for Defense of Democracies. Details gathered from that investigation and response allowed CISA to discover Salt Typhoon and its activities, Easterly said.
The widespread compromise of U.S. telecom networks, spanning at least 9 companies, was part of a campaign that went undetected for months and has been underway for up to two years, U.S. officials said last month. Federal cyber authorities are still struggling to contain and determine the scope of damage caused by the sweeping attacks on critical infrastructure.
Easterly declined to say when or how CISA observed the malicious activity but noted it occurred before the agency understood it to be the threat group later designated as Salt Typhoon.
“We saw it as a separate campaign called another goofy name, and we were able to, based on the visibility that we had within the federal networks, to be able to connect some dots over two separate entities within the federal civilian executive branch,” Easterly said.
CISA’s observations didn’t prevent Salt Typhoon from attacking the telecom networks en masse, but Easterly presented the agency’s threat hunting and intelligence gathering capabilities as an example of intra-government and public-private collaboration improvements made under her stewardship of the agency.
Easterly is scheduled to step down as CISA director when the President-elect Donald Trump takes office next week.
Progress, but threat remains
Collaboration between CISA, the FBI, the intelligence community and the private sector is “almost seamless,” Easterly said. “That’s very, very different from what it was several years ago, when it was, frankly, a little bit more tribal.”
Information gathered on Salt Typhoon by CISA threat hunters and tips from industry allowed law enforcement agencies to gain access to images of actor-leased virtual private servers, Easterly said in a Wednesday blog.
“This, in turn, gave us and our federal government partners visibility into the breadth of the campaign and allowed us to notify and provide technical assistance to known or suspected private-sector victims,” Easterly said in the blog.
While CISA helped eradicate numerous China government-sponsored intrusions into critical infrastructure across multiple sectors, the threat remains active and persistent.
“We know that what we have found is likely just the tip of the iceberg,” Easterly said in the blog. During her interview with Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, Easterly said federal officials don’t know the size of the iceberg.
Salt Typhoon is one of three highly motivated and active threat groups affiliated with China’s government, which cyber authorities are tracking with increasing concern. One of the threat groups, Volt Typhoon, already infiltrated numerous transportation, energy, communications, and water and wastewater systems, federal officials warned last year.
Threat groups sponsored by China’s government are intent on disruption in the case of conflict in the Asia-Pacific region, and that activity could be accompanied by disruptive attacks against “everything, everywhere, all at once,” Easterly said.
Progress made to secure the federal civilian executive branch has been transformational and impressive, Easterly said.
“Are we still going to have issues like what we saw in Treasury? Yes, we will, until you have vendors that we know are specifically focused on secure-by-design software,” Easterly said.
“But we are identifying it earlier, we're detecting it earlier, we're collaboratively responding to it, and then we are driving down risk by remediating and mitigating very aggressively.”