Salt Typhoon Hack Keeps Getting Worse, Telecoms Tell Employees To Stop Looking For Evidence Of Intrusion
from the if-you-ignore-the-problem-it-goes-away dept
Late last year, eight major U.S. telecoms were the victims of a massive intrusion by Chinese hackers who managed to spy on public U.S. officials for more than a year. The “Salt Typhoon” hack was so severe, the intruders spent a year rooting around the ISP networks even after discovery. AT&T and Verizon, two of the compromised companies, apparently didn’t think it was worth informing subscribers this happened.
Like most hacks, the scale of the intrusion was significantly worse than originally stated. Last week, insiders told NextGov that Comcast and data center giant Digital Realty were also caught up in the hack and had their systems compromised. The same insiders stated that government officials still aren’t really sure that they have a full grasp on the attack’s impact:
“Various agencies across the U.S. government are in possession of lists of confirmed or potential victims, but it’s not clear if the tallies are consistent with each other, adding to confusion about who may have been accessed, targeted or marked for investigation, one of the people said.”
But it’s this little bit in the report that I thought was of particular note:
“Inside two major U.S. telecom operators, incident response staff have been instructed by outside counsel not to look for signs of Salt Typhoon, said one of the people, declining to name the firms because the matter is sensitive.”
So big telecoms are so afraid of liability and government oversight they’ve just stopped looking for evidence of intrusion in one of the worst hacks the U.S. has ever seen. That’s sure to fix the problem.
The U.S. business press covering the hack refuses to talk about it, but a major catalyst for the hack was the steady and mindless deregulation of the U.S. telecom sector. Libertarians and right wingers, “free market” think tanks in tow, spent the better part of the last thirty years insisting that gutting all meaningful state and federal oversight would result in vast, near-Utopian outcomes.
Instead, freed of both pesky competition and competent oversight, major U.S. telecoms saw zero incentive to compete on price, shore up spotty access, improve quality, or even consistently, adequately invest in privacy and security standards. The results are everywhere you look, from sloppy handling of consumer location data, to companies like T-Mobile being hacked eight times in five years.
And this was all before the Trump 2.0 authoritarians came to town. Now, we’re disemboweling our telecom and cybersecurity regulators at a much faster rate, stocking our regulators with weird, incompetent, and unqualified zealots, and building a court system in which it’s genuinely impossible for telecom giants to see any sort of real-world accountability for fraud or incompetence.
Again, the second Trump administration is utterly indistinguishable from a foreign attack. Because it’s dressed up in so much domestic religious and pseudo-populist propaganda and bullshit, it’s in many ways worse.



Comments on “Salt Typhoon Hack Keeps Getting Worse, Telecoms Tell Employees To Stop Looking For Evidence Of Intrusion”
Good thing our federal regulators take cybersecurity and consumer protection so seriously. If they were sleeping on (or fired from) the job right now, this would be poised to get significantly worse from here.
Innnteresting. Is hindering an investigation with national security implications sufficiently criminal to override attorney-client privilege?
Re:
Is there a government agency actually heading up the investigation?
National Lab research and responses for APTs has already taken a significant hit, and it’s about to get much, much worse.
Koby and Matt certainly voted for this.
Re:
Not sure why Koby and Matt want to turn our nation’s infrastructure over to our adversaries, but it’s definitely what they’ve voted to do. And they never miss an opportunity to remind us that they voted for this.
Re: Re:
They’re impotent pissants who truly think the world owes them and that they were somehow robbed. So instead of dealing with it, fixing it, or otherwise addressing it like competent, productive members of society, their goal is to cut everyone down to their pathetic, mean-spirited, intellectually void and morally bankrupt level.
If they are truly real people that think the way they post, they’re the worst.
So they instructed their employees to hide evidence of hacking.
Off with these fuckers’ heads. If any normal person said they would refuse they would be hauled off
While the lack of U.S. regulation doesn’t help things, basically no telco in the world has adequate privacy standards. The ultimate way to prevent private data from being leaked is to not collect it.
Bruce Schneier wrote, in 2016: Data Is a Toxic Asset, So Why Not Throw It Out?. But the essay goes beyond “throw it out”, stating that “We need to regulate what corporations can do with our data at every stage: collection, storage, use, resale and disposal.”
Still, the European Union regulates that stuff, and their telcos collect and store all the same data. Actually, even more, because one can’t even buy phone service without giving government identity documents in many member countries. Ostensibly for security—but people had anonymous (pay)phone access for a hundred years during which the police had many fewer tools, and it wasn’t a huge problem. In other words, it’s the usual “going dark” bullshit.
It’s not even that hard to design a system such that phone location data can’t be linked to any particular person or account; the technology’s been known for decades, but no regulation has been sufficiently strict for telcos to actually implement it. Similar technology can prevent telcos from knowing who is contacting whom (and could also be used by ISPs, credit card providers, and others). To have an account not linked to a person is even easier, and could be done without any network changes: just let people top up anonymous pre-paid accounts with cash or gift cards.
Re:
“The ultimate way to prevent private data from being leaked is to not collect it.”
There are still laws in Europe that amount the act of non-collection to treason. That’s how much they want telcos to scoop up everything, data minimization notwithstanding…
Re: Re:
In terms of E.U. courts, that’s been all over the place. Some courts have declared it obviously an illegal and harmful invasion of privacy, others say “nah, it’s fine”, and I don’t fully know the current status.
Legal “protections” don’t mean shit, as we’ve seen time and time again (like the Greek wiretapping case, 2004-2005, in which a “lawful access” backdoor was turned against government employees; and, obviously, this Salt Typhoon thing, and every other “data leak” in history).
“Data minimization” is a term mostly used incorrectly, because the actually-minimal amount of data to store (for more than a few hours) would be zero. Anyway, this badly-named system is often implemented by forwarding a lot of data somewhere, and having that “somewhere” not store all of it. Except, of course, after it’s been compromised to make use of all that “extra” data…
Still, the “going dark” narrative prevails: we couldn’t possibly live without all this data, and never mind that we had none of it 40 years ago.
It’s not an administration, it’s a regime.
Salt Typhoon wasn’t a hack.
The telecoms giants decided they were going to SELL customer data en masse to China.
To do this they had illegal cartel meetings and agreed to all be “attacked” at nearly the same time.
And the directors and CEOs of these companies made several BILLION dollars.
Re:
Source?
Re: Re:
Their own asshole