Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,750 words, this briefing is about an 8-minute read.
At a Glance.
- Chinese hackers used broad telecommunications access to record calls and geolocate millions of Americans.
- Treasury Department suffers a major breach.
Salt Typhoon’s hack on US telecommunications companies continues to grow.
The News.
Last Friday, updates continued to emerge regarding the significant telecommunications cybersecurity breach. In this latest update, reports detailed how the Chinese hacking campaign, known as Salt Typhoon, was able both to record phone calls at will and to use the carriers' location data to track millions of Americans. For greater context, this breach was initially discovered in September of this year, when the Wall Street Journal reported that these Chinese-affiliated hackers had breached several telecommunications providers, gaining access to cell phone records and listening to the conversations of top United States (US) political figures, including Donald Trump, JD Vance, and other senior officials. Since this initial discovery, reports have continued to emerge, almost weekly, detailing the scope of an incident that officials now describe as the largest telecommunications hack in US history.
While it is still unclear how many Americans were impacted by this breach, Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, said the US believes the phone tracking efforts centered on citizens in the Washington, D.C. area. Neuberger also commented that “we believe it was the [hacking campaign’s] goal of identifying who those phones [belonged] to and if they were government targets of interest for follow-on espionage and intelligence collection of…texts and phone calls on those particular phones.” Even with this announcement, officials are still unable to confirm whether the Chinese hackers have been fully removed from all telecommunications networks, and they are still unable to confirm the full scope and scale of the hacking campaign.
The Knowledge.
Aside from this update, other news has emerged surrounding this significant breach. Beyond the new insight into the scale of the attack, Neuberger released another statement expanding its known scope: another telecommunications company has been confirmed as compromised in the campaign, bringing the total number of impacted companies to nine. However, US officials have still not provided a comprehensive list of the impacted companies, how many Americans were affected, or exactly what metadata the attackers harvested.
While the breach is widespread and impactful, US officials are responding aggressively, with agency leaders calling for and drafting policy changes. On December 5th, Jessica Rosenworcel, the Federal Communications Commission Chairwoman, said her agency is proposing new rules that would require telecommunications carriers to better secure their networks. The Cybersecurity and Infrastructure Security Agency (CISA), alongside the National Security Agency, has also established a working group of experts to address national security concerns across the critical infrastructure sectors and to provide greater guidance on what policies and requirements are needed to secure these key industries.
Aside from drafting official policies, agencies are also lending immediate support to the impacted telecommunications companies, providing them with “hunting guides” and “hardening guides” that detail Chinese hacking methods and are designed to help companies “look for those techniques in their networks and call for help if they discover it.” Of these efforts, Neuberger commented that “the first step is creating a defensible infrastructure.” Neuberger continued, emphasizing that “we wouldn’t leave our homes, our offices unlocked, and yet our critical infrastructure, the private companies owning and operating our critical infrastructure, often do not have the basic cybersecurity practices in place that would make our infrastructure riskier, costlier, and harder for [hostile actors] to attack.”
The Impact.
Despite the steady stream of negative updates surrounding the Salt Typhoon hacking campaign, it is clear that US officials are taking this incident very seriously and are acting to remediate it as quickly as possible. While many of the potential policy changes have not yet been made publicly available, it is clear that officials are deeply concerned about how vulnerable the critical infrastructure sectors are and how attackers could exploit existing weaknesses. Beyond the agency policies that will likely raise security and regulatory requirements, citizens and businesses should also be aware that this issue will likely be a key topic for the incoming Congress to address in 2025.
Organizations and individuals involved in key infrastructure industries should be prepared to monitor for relevant policies and legislation, and to work with government officials to craft policies that are both impactful and practical.
Treasury Department Breached by Chinese Hackers.
The News.
On Monday, the Treasury Department confirmed that the agency was hacked by Chinese state-sponsored actors at the beginning of December. During this attack, the agency believes the attackers were able to access unclassified documents on workstations. According to a letter the agency sent to lawmakers, the hackers gained access by stealing a key that BeyondTrust, a third-party software service provider, used to secure a cloud-based service for providing remote technical support to Treasury users. With the stolen key, the attackers were able to override the service’s security controls and remotely access certain Treasury workstations. In response to the incident, the Treasury Department announced that it had taken the compromised BeyondTrust service offline, ending its use of the service, and that the hackers no longer have access to its systems.
Aside from cutting off the BeyondTrust service, the department announced that it is working with CISA, the Federal Bureau of Investigation, the intelligence community, and third-party investigators. In the letter, the department wrote that “over the last four years, [the department] has significantly bolstered its cyber defense, and we will continue to work with both private and public sector partners to protect our financial systems from threat actors.”
The Knowledge.
While the full scope and scale of this incident have not been released, government officials have already begun to act, with the ranking member of the Senate Banking Committee, Tim Scott, requesting a briefing about the hack. However, it is unclear whether this briefing or the Treasury Department’s meetings with security agencies will result in any new policies or regulations.
Given this latest incident, the massive telecommunications hack discussed above, and several others that occurred throughout 2024, it is clear that Chinese hackers are increasing both the scope and the sophistication of their efforts. Beyond the two incidents already outlined, the US saw another major incident earlier this year, in which a Chinese-affiliated hacking group known as Volt Typhoon was found to be targeting critical infrastructure sectors, including communications, energy, transportation, and water and wastewater systems, using a botnet built from compromised small-office and home-office routers, posing serious risks to supply chains and national security. While federal authorities were able to mitigate this campaign by removing the bot malware from the infected routers, this attack, along with the others discussed here, has contributed significantly to the growing calls for stronger cybersecurity requirements and regulation.
The Impact.
As further details of this latest incident emerge, it is unlikely that federal authorities will take any major actions until the new administration and Congress take office later this month. However, given the growing scale and scope of these cybersecurity incidents, people should expect this issue to be a top priority in 2025, both through agency policies and through new legislation.
Those working in the critical infrastructure industries should be aware that their sectors are prime targets for hostile state-sponsored hackers, remain vigilant, and monitor for suspicious behavior. Additionally, security professionals should expect government officials to reevaluate existing regulations and standards, and be prepared to implement any changes.
Highlighting Key Conversations.
In this week’s Caveat Podcast, our team talked about the growing involvement of technology in law enforcement. This conversation centered around discussing how law enforcement agencies have begun to equip themselves with advanced cell-site simulators and the impacts of this implementation. Our team also highlighted the growing bipartisan efforts emerging in Congress that aim to penalize platforms for hosting harmful deepfakes.
Like what you read and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other Noteworthy Stories.
Biden administration proposes new cybersecurity rules to limit the impact of healthcare data leaks.
What: A new cybersecurity rule would require healthcare organizations to better protect sensitive patient information.
Why: On Friday, the Office for Civil Rights within the Department of Health and Human Services proposed a new rule that would require healthcare organizations to better secure PHI (Protected Health Information). Anne Neuberger, the US Deputy National Security Advisor for Cyber and Emerging Technology, commented on the proposed rule, emphasizing that it comes in response to the substantial healthcare breaches that occurred earlier this year. More specifically, the rule would require healthcare organizations to encrypt protected data so that it cannot be read by unauthorized parties even if it is stolen or leaked, and would require regular compliance checks to verify that their networks meet these security requirements. If implemented, the rule is estimated to cost nine billion dollars in the first year and an additional six billion dollars annually for the following four years.
With this announcement, a government official stated that “we’ve made some significant proposals that we think will improve cybersecurity and ultimately everyone’s health information, if any of these proposals are ultimately finalized.” The proposed rule now enters a sixty-day public comment period before a final decision is made.
Trump asks Supreme Court to pause law that could ban TikTok.
What: President-Elect Donald Trump has urged the Supreme Court to delay the implementation of the “TikTok Ban Law.”
Why: On Friday, Donald Trump released a statement asking the Supreme Court to delay the effective date of the Protecting Americans from Foreign Adversary Controlled Applications Act, better known as the “TikTok Ban Law.” In the statement, the President-elect argued that he should have time after taking office to pursue a “political resolution” to the issue.
The Supreme Court is currently set to hear arguments in the case on January 10th. If the court does not impose a delay or rule in the application’s favor, the law takes effect on January 19th and would ban the application in the US unless its parent company, ByteDance, divests it to another buyer.