On Dec. 3, the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, and international partners issued guidance on strengthening systems against intrusions by threat actors targeting telecommunications. The guidance was notably informed by recent breaches affiliated with the Chinese government.
The recommendations come weeks after the FBI and CISA identified that China-affiliated threat actors had “compromised networks at multiple telecommunications companies.” Initially, the breaches were believed to target specific individuals in government or political roles. However, on Dec. 3, the FBI clarified that these individuals may not have been the intended targets but were instead “swept up” in the operation. T-Mobile was allegedly one of the affected companies.
“Threat actors affiliated with the People’s Republic of China (PRC) are targeting commercial telecommunications providers to compromise sensitive data and engage in cyber espionage,” Assistant Director Bryan Vorndran of the FBI’s Cyber Division said in a press release. “Together with our interagency partners, the FBI issued guidance to enhance the visibility of network defenders and to harden devices against PRC exploitation.”
Guide includes recommendations for improving visibility and hardening security
The guide focuses on enhanced visibility — defined as “organizations’ abilities to monitor, detect, and understand activity within their networks” — and hardening systems and devices.
Strengthening monitoring includes:
- Implementing comprehensive alerting mechanisms to detect unauthorized changes to your networks.
- Using a strong network flow monitoring solution.
- Limiting exposure of management traffic to the Internet, if possible, including restricting management to dedicated administrative workstations.
“Hardening systems and devices” covers many aspects of securing device and network architecture. This section of the advisory is split into two subsections, “protocols and management processes” and “network defense.” Its recommendations include:
- Using an out-of-band management network physically separate from the operational data flow network.
- Employing a strict, default-deny ACL strategy to control both inbound and outbound traffic.
- Managing devices from a trusted network rather than from the internet.
- Sending all authentication, authorization, and accounting (AAA) logging to a centralized logging server with modern protections.
- Disabling Internet Protocol (IP) source routing.
- Storing passwords with secure hashing algorithms.
- Requiring multi-factor authentication.
- Limiting session token durations and requiring users to reauthenticate when the session expires.
- Using role-based access control.
FBI and CISA recommend disabling a host of Cisco defaults
A section of the report provides guidance for using Cisco-specific devices and features. It states that Cisco operating systems are “often being targeted by, and associated with, these PRC cyber threat actors’ activity.”
For those using Cisco products, the FBI and CISA have a laundry list of recommendations for disabling services and how to safely store passwords. Namely, IT and security professionals in vulnerable organizations should disable Cisco’s Smart Install service, Guest Shell access, all non-encrypted web management capabilities, and telnet.
When using passwords on Cisco devices, users should:
- Use Type-8 passwords when possible.
- Avoid using deprecated hashing or password types when storing passwords, such as Type-5 or Type-7.
- Secure the TACACS+ key as a Type-6 encrypted password if possible.
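As an added example, not code from the advisory, the FBI/CISA, or Cisco, the following Python script audits a Cisco IOS-style running-config for the settings called out above: Smart Install (`vstack`), IP source routing, unencrypted HTTP management, telnet on vty lines, Type-5 and Type-7 password storage, and a TACACS+ key not stored as Type-6. Both sample configs are constructed for illustration; the command syntax follows what `show running-config` prints on IOS/IOS-XE, and the `iox` check is an assumption that Guest Shell should be confirmed disabled wherever IOx is enabled.

```python
import re

# Constructed sample running-config (not from any real device) carrying
# several of the settings the advisory says to disable or replace.
WEAK_CONFIG = """\
vstack
ip source-route
ip http server
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$XXXXXXXXXXXXXXXXXXXXXX
enable secret 8 $8$zzzz$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
tacacs server auth01
 address ipv4 192.0.2.10
 key 7 121A0C041104
line vty 0 4
 transport input telnet ssh
"""

# The same device with the advisory's fixes applied (also constructed).
HARDENED_CONFIG = """\
no vstack
no ip source-route
no ip http server
ip http secure-server
username admin secret 8 $8$zzzz$YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
enable secret 9 $9$wwww$ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
tacacs server auth01
 address ipv4 192.0.2.10
 key 6 ABCDEFGHIJKLMNOP
line vty 0 15
 transport input ssh
"""

# Global commands the advisory says to turn off: command -> (finding, fix).
RISKY_GLOBALS = {
    "vstack": ("smart-install-enabled", "no vstack"),
    "ip source-route": ("ip-source-routing-enabled", "no ip source-route"),
    "ip http server": ("http-mgmt-enabled", "no ip http server"),
    # Assumption: Guest Shell runs on IOx, so an 'iox' line is a prompt to
    # confirm Guest Shell is disabled, not proof that it is enabled.
    "iox": ("iox-enabled-check-guestshell", "guestshell disable"),
}
# On by default and absent from running-config unless explicitly disabled,
# so the absence of a line is not evidence that the feature is off.
DEFAULT_ON = ("vstack", "ip source-route")

# username ... {password|secret} [<type>] <value> and enable {secret|password}.
# Type 8 (PBKDF2-SHA256) and 9 (scrypt) are acceptable; 5 (MD5) and 7
# (reversible) are not; a missing type number means cleartext (type 0).
PASSWORD_RE = re.compile(
    r"^(?:username \S+(?: privilege \d+)? (?:password|secret)"
    r"|enable (?:secret|password))(?: (\d))? (\S+)$"
)
ACCEPTED_PASSWORD_TYPES = {"8", "9"}


def _check_tacacs_key(line, findings):
    """Flag a TACACS+ key not stored as Type-6 (AES-encrypted)."""
    parts = line.split()  # 'key 7 <x>', 'key 6 <x>', 'key 0 <x>' or 'key <x>'
    ktype = parts[-2] if len(parts) >= 3 and parts[-2].isdigit() else "0"
    if ktype != "6":
        findings.append((f"tacacs-key-type-{ktype}", line,
                         "set 'key config-key password-encrypt' and "
                         "'password encryption aes', then re-enter the key"))


def audit_config(config):
    """Return [(finding_code, offending_line, remediation), ...] for a config."""
    findings, top_level, block = [], set(), ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):
            block = line  # each top-level command opens a new block
            top_level.add(line)
            if line in RISKY_GLOBALS:
                findings.append((RISKY_GLOBALS[line][0], line, RISKY_GLOBALS[line][1]))
            elif line.startswith("tacacs-server key"):  # legacy one-line form
                _check_tacacs_key(line, findings)
            elif (m := PASSWORD_RE.match(line)) and (m.group(1) or "0") not in ACCEPTED_PASSWORD_TYPES:
                findings.append((f"password-type-{m.group(1) or '0'}", line,
                                 "re-enter with 'secret' so it is stored as type 8/9"))
            continue
        stripped = line.strip()  # indented: belongs to the current block
        if block.startswith("tacacs server") and stripped.startswith("key "):
            _check_tacacs_key(stripped, findings)
        elif block.startswith("line vty") and stripped.startswith("transport input"):
            if {"telnet", "all"} & set(stripped.split()[2:]):
                findings.append(("telnet-on-vty", f"{block}: {stripped}",
                                 "transport input ssh"))
    for cmd in DEFAULT_ON:  # default-on features need the explicit 'no' form
        if cmd not in top_level and f"no {cmd}" not in top_level:
            findings.append((f"{RISKY_GLOBALS[cmd][0]}-by-default",
                             f"(no '{cmd}' line present)", RISKY_GLOBALS[cmd][1]))
    return findings


if __name__ == "__main__":
    print(*audit_config(WEAK_CONFIG), sep="\n")
```

Run against a saved `show running-config` capture, the weak sample produces seven findings and the hardened sample none. Because Smart Install and IP source routing are on by default and do not appear in the running-config until they are turned off, the script treats a missing `no vstack` or `no ip source-route` line as a finding rather than a pass; `show vstack config` on the device is the authoritative check. Running the audit on every configuration snapshot also gives the "alerting on unauthorized changes" item from the visibility section a concrete trigger.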
The guide goes hand in hand with Secure by Design principles.
“The PRC-affiliated cyber activity poses a serious threat to critical infrastructure, government agencies, and businesses,” said CISA Executive Assistant Director for Cybersecurity Jeff Greene. “This guide will help telecommunications and other organizations detect and prevent compromises by the PRC and other cyber actors.”
The full list of recommendations can be found in the guide.