China Compromised Telecom Firms Using Known Vulnerabilities, Federal Agencies Warn

Chinese government hackers have successfully exploited flaws that have been around for years in the systems of U.S. network providers, redirecting traffic to their own infrastructure, federal agencies warn, urging organizations to regularly patch the kinds of products that are affected.

The threat actors have targeted public and private-sector organizations across the globe, according to an alert the Cybersecurity and Infrastructure Security Agency issued Tuesday along with the NSA and FBI. 

“The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—associated with network devices routinely exploited by the cyber actors since 2020,” the agencies wrote.

While the vulnerabilities have been documented, and fixes are available, the agencies said defenders tend to overlook them—despite their severity—prioritizing others, such as those in internet-facing services. 

The vulnerabilities—in products from companies like Cisco, Netgear and others—ultimately allowed the adversary to “execute router commands to surreptitiously route, capture and exfiltrate traffic out of the network to actor-controlled infrastructure,” according to the alert.

Officials associated the techniques described in the alert with the People’s Republic of China, noting, “PRC state-sponsored cyber actors typically conduct their intrusions by accessing compromised servers called hop points from numerous China-based Internet Protocol (IP) addresses resolving to different Chinese internet service providers. The cyber actors typically obtain the use of servers by leasing remote access directly or indirectly from hosting providers. They use these servers to register and access operational email accounts, host C2 domains and interact with victim networks.”

Perpetrators of the now-infamous SolarWinds intrusion used a similar technique, among others, to ultimately remove data from victim networks, including several federal agencies. U.S. officials attributed the SolarWinds hack to the Kremlin, and described it as an espionage campaign. That label complicated U.S. efforts to hold Russia accountable, as certain types of intelligence gathering are seen as fair game by governments, including the U.S.  

Ultimately the U.S. levied sanctions on Russian entities in association with SolarWinds, due to the potential for large-scale disruption of the mostly private-sector entities the government said were affected.

The alert on China’s sweeping intrusion comes as the U.S. continues negotiations at the United Nations toward establishing “a comprehensive international convention on countering the use of information and communications technologies for criminal purposes.”

The U.S. recently expressed a commitment to the existing Budapest Convention—which does not include China and Russia—as the “premier international legal instrument for fighting cybercrime.” But a State Department official on Monday told reporters negotiations on the new treaty are proceeding because of “political” issues associated with the Budapest Convention.  

Eric Greenwald, general counsel of the cybersecurity firm Finite State, and a former advisor to President Barack Obama, did not seem optimistic about the negotiations.

“While the approach each of those two countries takes is different, neither has much interest in helping protect U.S. victims of cybercrime - whether related to espionage or pure economics,” he said in an email to Nextgov. “What does unify the two countries is their interest in shaping UN cyber policy to better enable their government's ability to censor speech and activity on the internet.”

The State Department official said the U.S. is striving to maintain a very narrow definition of cybercrime to avoid that eventuality, but Greenwald said, “As U.S. negotiators approach the UN Ad Hoc Committee’s deliberations over cybercrime, they [also] have to be increasingly aware of the growing attack surface and how hackers are looking to new vectors like software flaws in routers and other networking gear.”