This breach, confirmed in a recent statement by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), is a serious escalation in cyber espionage threats linked to the People’s Republic of China (PRC).

The FBI and CISA have outlined that PRC-affiliated hackers infiltrated networks across numerous telecommunications companies in the United States, though the specific names of these providers remain undisclosed. 

However, sources such as The Wall Street Journal have noted that companies, including AT&T, Verizon, and Lumen Technologies, may have been impacted by the intrusion. 

The breach allowed attackers to persist within these networks for an extended period, granting them access to large amounts of internet traffic involving millions of Americans and numerous businesses.

This sophisticated hacking operation, reportedly led by a China-backed group called “Salt Typhoon,” enabled attackers to intercept call records and also compromise private communications belonging to specific individuals. 

The targeted individuals primarily include those engaged in political or governmental activities, though U.S. agencies have refrained from identifying these targets. 

Reports reveal that PRC-linked actors previously targeted high-profile figures, such as Donald Trump and his running mate Senator JD Vance, pointing to the high stakes of this cyber campaign.

The breach also enabled the attackers to duplicate sensitive information subject to U.S. law enforcement requests. In compromising systems integral to fulfilling court-ordered surveillance, these hackers gained access to highly classified data, potentially undermining U.S. national security efforts. 

This is the first confirmed instance of foreign hackers successfully breaching wiretap systems within U.S. telecommunication networks.

In response, the FBI and CISA have strengthened their tactics to support the affected providers, offering technical guidance and rapidly disseminating information to strengthen cybersecurity measures across the sector. 

The agencies have urged any organisation suspecting an intrusion to contact their local FBI office or CISA for immediate assistance, stressing the need for strong defences as growing cyber threats from state-backed actors increase.

The investigation aims to clarify the full scope of the breach, with authorities anticipating further developments. 

This incident reveals the risks posed by state-sponsored cyber campaigns, particularly from PRC-affiliated entities, as the U.S. government works to secure its telecommunications infrastructure against future attacks.

The threat landscape has expanded in recent years as our world has become more interconnected. This has resulted in cybercriminals seeking out more opportunities to exploit vulnerabilities for profit.

Cybercriminals are far more organised than ever before and what we would typically call a “gang” is made up of a team of people that look a lot like their own legitimate business with departments for recruitment and finance.

As a result, attacks have moved away from simple virus disruptions to costly incidents that involve ransomware, encryption and Denial-of-Service.

Trend Micro has been tracking and monitoring the evolution of these organised crime groups in an effort to turn the tide against these illicit enterprises and create a safer digital world.

To have a true impact and combat the threat of cybercriminals, we share this threat intelligence with other security vendors, as well as academics and law enforcement agencies.

This “better together” way of thinking has seen us train up hundreds of law enforcers over the past decade or more and has contributed to the dismantling of highly successful criminal organisations.

International collaboration with INTERPOL

One of our longest standing law enforcement partnerships is with INTERPOL. From providing information about malicious actors to the threats and infrastructure used in their many attacks, our information provides valuable intelligence for their use.

This strategic partnership aims to enhance cyber expertise within law enforcement agencies, empowering them to effectively investigate and counter cybercriminal activities.

A key part of Trend’s partnership with INTERPOL is the work we do together under the Africa Cyber Surge Operation.

Started in 2022, the first round of the operation was so successful that a second campaign ran for four months in 2023, which saw law enforcement organisations from 25 countries participate.

During this time, Trend provided investigators with information about over 3,700 malicious command and control servers, 1,500 malicious IP addresses located in South Africa, Egypt, the Seychelles, Algeria and Nigeria, and malicious traffic detections linked to scams, malware, phishing and command and control servers.

From this and other shared insights, police made 14 arrests and identified a massive 20,674 suspicious cybercrime networks linked to losses of over $40 million.

Global police do a fantastic job of hunting down those responsible for cybercrime. But resources and in-house expertise are often stretched.

That’s why public-private partnerships are so important to the ongoing fight against ceaseless malicious online activity.

Operation Cronos locks out LockBit

More recently, we witnessed the takedown of one of the world’s most notorious ransomware gangs, LockBit, thanks to the cooperation between trusted partners and law enforcement agencies.

The Ransomware-as-a-Service (RaaS) group was responsible for between 25% and 33% of all ransomware attacks in 2023, claiming thousands of victims since it was first observed in September 2019.

LockBit’s business model revolved around affiliates that would be responsible for the attacks with the group claiming a 20% cut of the ransomware payment.

In February this year, the UK’s National Crime Agency initiated Operation Cronos which saw the seizure of the group’s source code, its technical infrastructure used to carry out attacks and its leak site. With these in hand, law enforcement announced arrests, sanctions and cryptocurrency confiscations.

The operation was well publicised across LockBit’s network and site, which has helped to cast doubt on the gang’s once powerful reputation as a RaaS group.

Following Operation Cronos, Trend Micro received a sample of what is believed to be a new version of LockBit’s software.

With this sample, we have been able to pass on intelligence to our law enforcement partners and bolster our defences for customers.

These attacks will keep on coming unless we discomfort and disrupt the threat actors themselves. By sharing resources and intelligence, the cybersecurity industry has demonstrated it can cripple cybercriminals and their infrastructure.

We are after all working towards the same goal: a safer online environment for all.

According to the report, among organizations surveyed, 97% of those hit by ransomware over the past year engaged with law enforcement and/or official government bodies for help with the attack.

In addition, more than half (59%) of those organizations that did engage with law enforcement found the process easy or somewhat easy.

Only 10% of those surveyed said the process was very difficult.

Based on the survey, impacted organizations reached out to law enforcement and/or official government bodies for a range of assistance with ransomware attacks.

Sixty-one percent reported they had received advice on dealing with ransomware, while 60% received help investigating the attack.

Fifty-eight percent of those that had their data encrypted received help from law enforcement to recover their data from the ransomware attack.

“Companies have traditionally shied away from engaging with law enforcement for fear of their attack becoming public. If they are known to have been victimized it could impact their business reputation and make a bad situation worse. Victim shaming has long been a consequence of an attack, but we’ve made progress on that front, both within the security community and at the government level. New regulations on cyber incident reporting, for example, appear to have normalized engaging with law enforcement, and this survey data shows organizations are taking steps in the right direction,” said Chester Wisniewski, director, Field CTO, Sophos. “If the public and the private sectors can continue to galvanize as a group effort to help businesses, we can continue to improve our ability to recover quickly and gather intelligence to protect others or even potentially hold those conducting these attacks responsible.”

Recent in-the-field findings from Sophos X-Ops’ Active Adversary report highlighted the continued threat of ransomware to small-and-medium sized businesses.

Data from more than 150 incident response (IR) cases in 2023 found that ransomware was, for the fourth year running, the most frequently encountered attack type, occurring in 70% of IR cases Sophos X-Ops investigated.

“While improving cooperation and working with law enforcement after an attack are all good developments, we need to move from simply treating the symptoms of ransomware to preventing those attacks in the first place. Our most recent Active Adversary report showed that many organizations are still failing to implement key security measures that can demonstrably reduce their overall risk profile; this includes patching their devices in a timely manner and enabling multi-factor authentication. From the law enforcement side, while they have had some recent successes with takedowns and arrests from LockBit to Qakbot, these successes have proven to be more akin to temporary disruptions than longer term or permanent wins.

“Criminals are successful in part due to the scale and efficiency with which they operate. To beat them back, we need to match them in both these areas. That means that, going forward, we need even greater collaboration, both within the private and public sector—and we need it at a global level,” said Wisniewski.

“Today’s threat environment is constantly evolving—and it’s more severe and more complex than ever before. The bad guys aren’t constrained by international borders, so we shouldn’t be, either. \

“At the Bureau, we’ve been doubling down in particular on our work with the private sector, in their capacity as victims of cyberattacks, of course, because the mission of the FBI always has been—and always will be—victim-centric—but also as integral partners, who can share valuable information about threats and trends, and, increasingly, join in our operations themselves,“ said Christopher Wray, FBI director.

Data for the State of Ransomware 2024 report comes from a vendor-agnostic survey of 5,000 cybersecurity/IT leaders conducted between January and February 2024. Respondents were based in 14 countries across the Americas, EMEA and Asia Pacific.

Organizations surveyed had between 100 and 5,000 employees, and revenue ranged from less than $10 million to more than $5 billion.

Read the full State of Ransomware 2024 report on Sophos.com for additional global findings and data by sector.

https://www.youtube.com/channel/UCGFTUpJPqMl23UvPravjShg