Canadian Telecom Hacked By Suspected China State Group (arstechnica.com)
Hackers suspected of working on behalf of the Chinese government exploited a maximum-severity vulnerability, which had received a patch 16 months earlier, to compromise a telecommunications provider in Canada, officials from that country and the US said Monday. ArsTechnica: "The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies," officials for the center, the Canadian government's primary cyber security agency, said in a statement. "The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon." The FBI issued its own nearly identical statement.
Salt Typhoon is the name researchers and government officials use to track one of several discrete groups known to hack nations all over the world on behalf of the People's Republic of China. In October 2023, researchers disclosed that hackers had backdoored more than 10,000 Cisco devices by exploiting CVE-2023-20198, a vulnerability with a maximum severity rating of 10. Any switch, router, or wireless LAN controller running Cisco's IOS XE that had the HTTP or HTTPS server feature enabled and exposed to the Internet was vulnerable. Cisco released a security patch about a week after security firm VulnCheck published its report.
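An added example of the defender-side check that follows from the exposure condition above (enabled web UI reachable from the Internet); it is not code from the article, Cisco, or any commenter. It audits a constructed IOS XE running-config excerpt for the HTTP/HTTPS server feature and whether an access-class restricts it; the hostname, addresses and ACL name are made up.

```python
"""Audit an IOS XE running-config for the web-UI exposure behind CVE-2023-20198.
Added example on a constructed config; not the article's or Cisco's code."""
import re

# Constructed sample running-config excerpt (not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr1
!
ip http server
ip http secure-server
ip http authentication local
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
"""

def audit_webui(config):
    """Return the web-UI state: http/https enabled, any access-class, and a risk label."""
    lines = [ln.strip() for ln in config.splitlines()]
    http = "ip http server" in lines          # exact line, so 'no ip http server' does not match
    https = "ip http secure-server" in lines
    access_class = None
    for ln in lines:
        # Legacy 'ip http access-class <acl>' and newer 'ip http access-class ipv4 <acl>'
        m = re.match(r"ip http access-class(?: ipv4)? (\S+)$", ln)
        if m:
            access_class = m.group(1)
    if not (http or https):
        risk = "web UI disabled"
    elif access_class:
        risk = f"web UI enabled, restricted by ACL {access_class}"
    else:
        risk = "web UI enabled with no access-class: exposed if reachable from the Internet"
    return {"http": http, "https": https, "access_class": access_class, "risk": risk}

def remediation(finding):
    """Config lines that disable the HTTP server feature, the mitigation Cisco published."""
    cmds = []
    if finding["http"]:
        cmds.append("no ip http server")
    if finding["https"]:
        cmds.append("no ip http secure-server")
    return cmds

if __name__ == "__main__":
    finding = audit_webui(SAMPLE_CONFIG)
    print(finding["risk"], *remediation(finding), sep="\n")
```

Restricting the web UI with an access-class is the alternative when it must stay on; the audit reports that case separately so it is not flagged as fully exposed.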
"an unnamed telephone company" (Score:4, Insightful)
"an unnamed telephone company"
Well, that's helpful.
Since this hack is the result of negligence on the part of this unnamed company (as the patch was provided by the vendor months before), it would be useful to know who it is for the purpose of knowing who not to trust with your business.
Not that there's likely to be much accountability in any case since folks living in any particular area won't have many competing service providers to choose from, but not providing the name removes even the chance of a customer being able to take steps to mitigate his own risk.
Telecoms not interested in security (Score:4, Interesting)
About twenty years ago, I was privileged to be one of the authors of a security specification written at the behest of cable-based telecom companies that described the detailed design of a system for securing phone conversations that were carried over their networks. https://www.cablelabs.com/spec... [cablelabs.com]. The design specifically started with the assumption that the network was penetrated, and was designed to ensure that the attacker could neither disrupt service nor learn anything useful about the traffic (for example, taken from the specification: "All media packets and all sensitive signaling communication across the network [are] safe from eavesdropping. Unauthorized message modification, insertion, deletion and replays anywhere in the network [are] easily detectable and [do] not affect proper network operation").
Once the specification was completed and it came time to deploy, all the telecom companies decided (whether in concert or individually, I do not know) that they were not going to deploy the design. When the lead security VP at one of the major telecom companies explained their decision to me ("We don't need gold-plated security like you've designed: we have firewalls"), I knew that the battle was lost. I also wondered how long it would be before the kind of intrusion like the one described in the article would occur.
Frankly, I'm amazed that it took this long; perhaps, though, what took the time was not the fact of a thorough intrusion, but, rather, the detecting of one.
Re: (Score:2)
You mean this? https://account.cablelabs.com/... [cablelabs.com]
Re: (Score:2)
You mean this? https://account.cablelabs.com/... [cablelabs.com]
Yes; that more-direct link works too. The link I suggested provides a little more context, perhaps, although to download the document it ends up using exactly the same link that you suggested.