Chinese hackers appear to have broken into eight US telecom companies' networks with the primary goal of spying on high-level US political figures, according to White House officials. For the most part, hackers focused their efforts on collecting data on who people called or texted, from where, when, and for how long. However, for some government officials, the hackers did manage to intercept the contents of calls and texts. The FBI is currently working with phone companies to remove the hackers, but there's no set timeline for when this will be completed.
This cyber incident, carried out by a hacking group tracked as "Salt Typhoon," has profoundly disturbing ramifications, not only for our national security, but also for organizations and individuals throughout the world. In this blog, I'll explore how this hack could affect you and offer our recommendations moving forward.
How the Chinese Hackers' Cyber Attack Affects You
The initial focus of these hackers may have been on collecting information that could compromise our national security, but don't kid yourself. National political figures haven't been their only targets, and collecting data from them wasn't their only focus.
The types of metadata they collected on thousands of Americans through their telecom use can be more revealing than you might think. When hackers know who you called, from where, when, and for how long, they can start painting a detailed picture of your business and private life. Even more concerning, unless your text messages and calls are end-to-end encrypted (so that the carrier itself never sees the plaintext), their contents are also ripe for the plucking until the hackers are kicked out of your telecom company's systems.
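To make the "metadata is revealing" point concrete, here is an added example (not code from the original post) that runs a few analyst-style heuristics over one subscriber's call-detail records. The records, phone numbers and cell IDs are all constructed for the example, and the home/work heuristics are deliberately simple assumptions; a real analysis would use far more data, but even this toy shows how a contact graph, a daily routine and a home and workplace fall out of nothing but who, when, how long and from where.

```python
"""
Toy call-detail-record (CDR) analysis: what an intruder with carrier-level
access can learn from call metadata alone, without reading a single message.
All records below are constructed for this example; no real numbers or cells.
"""
from collections import Counter, defaultdict
from datetime import datetime

# One subscriber's records, roughly as a carrier would retain them:
# (direction, other party, start time, duration in seconds, cell the
# subscriber's handset was attached to). Constructed sample data.
SAMPLE_CDRS = [
    ("out", "+15550102", "2024-11-04T09:05:00", 60,   "CELL-3117"),  # Mon
    ("out", "+15550102", "2024-11-05T09:07:00", 45,   "CELL-3117"),  # Tue
    ("out", "+15550102", "2024-11-06T09:02:00", 90,   "CELL-3117"),  # Wed
    ("out", "+15550104", "2024-11-05T12:10:00", 300,  "CELL-3117"),  # Tue
    ("in",  "+15550101", "2024-11-04T18:30:00", 600,  "CELL-0420"),
    ("out", "+15550101", "2024-11-06T19:10:00", 420,  "CELL-0420"),
    ("out", "+15550103", "2024-11-04T23:30:00", 2400, "CELL-0420"),
    ("out", "+15550103", "2024-11-05T23:45:00", 1800, "CELL-0420"),
    ("out", "+15550103", "2024-11-06T23:20:00", 2700, "CELL-0420"),
]


def parse(records):
    """Turn raw tuples into dicts with a parsed start time."""
    return [
        {"direction": d, "party": p, "start": datetime.fromisoformat(t),
         "duration": dur, "cell": cell}
        for d, p, t, dur, cell in records
    ]


def contact_profile(records):
    """Per contact: number of calls, total talk time, and hours of day."""
    profile = defaultdict(lambda: {"calls": 0, "seconds": 0, "hours": Counter()})
    for r in records:
        entry = profile[r["party"]]
        entry["calls"] += 1
        entry["seconds"] += r["duration"]
        entry["hours"][r["start"].hour] += 1
    return dict(profile)


def top_contact(records):
    """The party the subscriber spends the most time talking to."""
    prof = contact_profile(records)
    return max(prof, key=lambda p: prof[p]["seconds"])


def infer_locations(records):
    """Guess 'home' and 'work' cells from when the handset used them.

    Assumed heuristic: the cell used most between 22:00 and 06:00 is home;
    the cell used most on weekdays between 09:00 and 17:00 is work.
    """
    night, workday = Counter(), Counter()
    for r in records:
        h, wd = r["start"].hour, r["start"].weekday()  # weekday(): Mon=0 .. Sun=6
        if h >= 22 or h < 6:
            night[r["cell"]] += 1
        elif wd < 5 and 9 <= h < 17:
            workday[r["cell"]] += 1
    return {
        "home": night.most_common(1)[0][0] if night else None,
        "work": workday.most_common(1)[0][0] if workday else None,
    }


def flag_patterns(records, min_calls=3, long_call_s=1200):
    """Behavioural patterns an analyst would pull out of the metadata."""
    flags = []
    for party, entry in contact_profile(records).items():
        late = [r for r in records if r["party"] == party
                and (r["start"].hour >= 22 or r["start"].hour < 6)]
        if len(late) >= min_calls and all(r["duration"] >= long_call_s for r in late):
            flags.append(f"{party}: repeated long late-night calls")
        hour, n = entry["hours"].most_common(1)[0]
        if n >= min_calls and entry["calls"] == n:
            flags.append(f"{party}: routine contact around {hour:02d}:00")
    return flags


if __name__ == "__main__":
    recs = parse(SAMPLE_CDRS)
    print("top contact by talk time:", top_contact(recs))
    print("inferred cells:", infer_locations(recs))
    for f in flag_patterns(recs):
        print("pattern:", f)
```

Nothing here needed the content of a call or text. Swap the cell IDs for tower coordinates and the numbers for a reverse-lookup table and the output reads like a dossier, which is exactly why the metadata alone was worth stealing.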
Here's where your information is especially vulnerable.
iPhone to Android/Android to iPhone Texting
When an iPhone user messages another iPhone user, the message goes over iMessage, which is end-to-end encrypted. Google Messages does the same for Android-to-Android conversations that use RCS with end-to-end encryption turned on. So even if hackers intercepted those messages inside the carrier, they couldn't read them. The problem arises when the two platforms have to talk to each other: the conversation falls back to plain SMS/MMS (or RCS without end-to-end encryption), which passes through the carrier in a form the carrier, and anyone who has broken into the carrier's network, can read.
You should already be assuming that your Social Security Number was leaked on the dark web in the National Public Data breach, so go ahead and assume in the same way that any text messages exchanged between Android and iPhone users may have been intercepted.
Multi-Factor Authentication Using SMS
Multi-factor authentication (MFA) remains a vitally important way to protect your sensitive data. Even if your login credentials were stolen in a phishing attack or turned up on the dark web, a few extra seconds spent on MFA could keep an unauthorized person out of your accounts. And one of the most popular methods of authentication is, of course, SMS (short message service), a.k.a. text messages.
Unfortunately, an SMS one-time code is just another text message. It travels through the carrier's messaging infrastructure as plain text whether it is headed for an iPhone or an Android phone, so anyone sitting inside that infrastructure, as these hackers were, can read the code and, combined with a stolen password, access your accounts.
Okay — reality check time.
Authentication by text message hasn't been the most secure form of MFA for a few years now. Cybercriminals have thoroughly demonstrated their ability to trick telecom companies into porting a legitimate user's phone number onto a SIM the attacker controls ("SIM swapping") in order to receive that user's codes and bypass MFA. However, that takes a lot more work. Just being able to read your text messages as they pass through the carrier is a much faster way to get into your accounts, and if there's one thing cybercriminals are notorious for, it's taking the easy way out.
Let's not give them one.
Our Recommendations To Counter Recent Chinese Telecom Hacks
When (or if) these hackers are finally evicted from the carriers' networks, that doesn't mean any of this will go away. You should assume that any valuable data they collected will be kept, reused, or sold to other threat actors around the world.
Here are my recommendations in the aftermath of this attack as well as the National Public Data Breach:
- Get out of the habit of sharing any sensitive information over texts, such as passwords, Social Security numbers, or payment information
- Update any passwords that you have shared through an unencrypted message
- Consider using encrypted messaging applications when exchanging any sensitive information
- Keep using MFA, but when possible use an authenticator app that generates codes on the device (like Google Authenticator), a push-based app with number matching, or, better still, a hardware security key or passkey, instead of text messages
- Where a service supports passkeys or another device-bound credential, log in from a smart device that unlocks that credential with your fingerprint or face; the biometric unlocks the credential stored on your phone rather than being sent to the website, so it only helps accounts that have been set up to use it
- Review your credit card and bank statements regularly
- Freeze your credit and consider investing in identity theft protection and 24/7 credit monitoring
- Don’t respond to any unsolicited requests for information
Key Takeaways for Businesses
When we say cybersecurity is constantly evolving, it's because of stories like this. Keeping on top of new ways cybercriminals have exploited weaknesses for their own gain is a big job, and it's one that's rapidly becoming too much for most internal IT teams of small to mid-sized businesses.
But that doesn't mean you're helpless, either. I hinted at this earlier, but aside from high-value political and commercial targets, most cybercriminals are out to make a quick buck. Taking reasonable precautions with your data and your organization's data is typically enough to avoid becoming a target of a devastating attack.
The National Institute of Standards and Technology (NIST) and the Center for Internet Security (CIS) are both well-respected organizations that have put together a number of resources American businesses can use to make sure they're well protected. In fact, my colleague Charles Brandt recently wrote a blog on how to implement the CIS Controls at your organization according to your level of risk.
We've also designed an online checklist to make sure you've got the basics down. Click the link below to access it.