
Cross-Border Cybersecurity Advisory Recommendations to Combat Cyber Threat Actors

The U.S. has joined 12 other nations in releasing a Joint Cybersecurity Advisory providing an update on the Salt Typhoon cyber espionage campaign, as well as new security recommendations for government and private sector investigations.

In December 2024, the White House confirmed that Chinese state-sponsored hacking group Salt Typhoon infiltrated at least nine U.S. communications companies, targeting critical telecommunications infrastructure. These Advanced Persistent Threat (APT) actors, including groups like Salt Typhoon, OPERATOR PANDA, and GhostEmperor, have been conducting global cyber operations since 2021, exploiting vulnerabilities in routers, firewalls, and other devices to maintain long-term access and exfiltrate sensitive data. 

Their activities, linked to Chinese intelligence services, aim to track global communications and movements. The Advisory highlights their evolving tactics, targeting edge devices and exploiting peering connections for data exfiltration. However, the initial access methods remain unclear, prompting calls for organizations to report compromises to improve understanding and defenses.

 

Threat Hunting & Incident Response—How Organizations Can Best Protect Their Telecom Infrastructure

The authoring agencies urge critical infrastructure organizations, particularly in telecommunications, to conduct threat hunting and incident response activities. 

They recommend reporting suspected or confirmed malicious activity to relevant authorities and emphasize the importance of coordinated, simultaneous defensive measures to fully evict APT actors. Partial responses risk alerting attackers, allowing them to conceal or maintain access across networks.

APT actors often protect their access by compromising mail servers or admin accounts and monitoring for detection signs. Organizations are advised to safeguard their response efforts and implement actions such as:

  • Verifying network configurations,
  • Monitoring non-standard ports,
  • Checking firmware integrity, and
  • Reviewing logs for malicious activity.

 

Specific Risk Mitigation Steps

According to the Advisory, APT actors are having considerable success using publicly known common vulnerabilities and exposures to gain access to networks. Organizations are strongly encouraged to prioritize patching in a way that is proportionate to this threat, such as by sequencing patches to address the highest risks first.

General recommendations for mitigation include:  

  • Regularly reviewing network device (especially router) logs and configurations for evidence of any unexpected, unapproved, or unusual activity.
  • Employing a robust change management process that includes periodic auditing of device configurations.
  • Attempting to identify the full scope of a suspected compromise before mitigating.
  • Disabling outbound connections from management interfaces to limit possible lateral movement activity between network devices.
  • Disabling all unused ports and protocols.
  • Changing all default administrative credentials, especially for network appliances and other network devices.
  • Requiring public-key authentication for administrative roles.
  • Disabling password authentication where feasible.
  • Minimizing authentication attempts and lockout windows to slow brute force and sprayed attempts.
  • Using the vendor recommended version of the network device operating system and keeping it updated with all patches. 
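The threat-hunting checklist above (verifying configurations, watching for non-standard ports, checking firmware integrity) and the mitigation list (default credentials, password authentication, lockout windows, change-management auditing) can be turned into repeatable checks. The script below is an added example, not code from the Advisory or from the authoring agencies: it diffs a running configuration against the last approved baseline, flags the hardening gaps the list names, spots listening ports outside an approved set, and verifies a firmware image against a published SHA-256. The configuration syntax is a generic, vendor-neutral stand-in, and every input (the two configs, the socket listing, the firmware bytes and its digest, the default-credential pairs) is constructed here for illustration.

```python
"""Configuration-drift, hardening and firmware-integrity checks for a network device.

Added example, not code from the Advisory or the article. All inputs below
(baseline and running configs, socket listing, firmware bytes) are constructed,
and the config syntax is a generic, vendor-neutral stand-in.
"""
import hashlib
import re

# Constructed "golden" configuration recorded at the last approved change.
BASELINE_CONFIG = """\
hostname edge-rtr-01
ip ssh pubkey-auth enable
ip ssh password-auth disable
no ip http server
login block-for 300 attempts 3 within 60
interface Mgmt0
 ip access-group MGMT-IN in
"""

# Constructed "running" configuration pulled from the same device during a hunt.
RUNNING_CONFIG = """\
hostname edge-rtr-01
ip ssh pubkey-auth enable
ip ssh password-auth enable
ip http server
interface Mgmt0
 ip access-group MGMT-IN in
username admin privilege 15 password admin
ip route 10.9.9.0 255.255.255.0 203.0.113.77
"""

# Constructed listening-socket listing, one "proto local-address state" per line.
SOCKET_LISTING = """\
tcp 0.0.0.0:22 LISTEN
tcp 0.0.0.0:443 LISTEN
tcp 0.0.0.0:4444 LISTEN
"""

# Ports the change record says may be open on this device (constructed).
ALLOWED_LISTEN_PORTS = {22, 443}

# Constructed (user, password) pairs to treat as unchanged defaults; hypothetical values.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password")}


def _lines(config: str) -> list[str]:
    """Split a config into non-empty, stripped lines; line order is not significant."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def config_drift(baseline: str, running: str) -> tuple[list[str], list[str]]:
    """Return (added, removed): lines only in the running config / only in the baseline."""
    base, run = set(_lines(baseline)), set(_lines(running))
    return sorted(run - base), sorted(base - run)


def hardening_findings(config: str) -> list[str]:
    """Check a running config against the credential and authentication recommendations."""
    findings = []
    lines = _lines(config)
    if "ip ssh password-auth enable" in lines:
        findings.append("password authentication enabled on SSH")
    if "ip http server" in lines:
        findings.append("unused management protocol enabled: http")
    if not any(ln.startswith("login block-for") for ln in lines):
        findings.append("no login lockout configured")
    for ln in lines:
        m = re.match(r"username (\S+) .*\bpassword (\S+)$", ln)
        if m and (m.group(1), m.group(2)) in KNOWN_DEFAULT_CREDENTIALS:
            findings.append(f"default credential still set for user {m.group(1)!r}")
    return findings


def unexpected_listeners(listing: str, allowed: set[int] = ALLOWED_LISTEN_PORTS) -> list[int]:
    """Return listening TCP ports that are not in the approved set."""
    ports = set()
    for ln in listing.splitlines():
        m = re.match(r"tcp \S+:(\d+) LISTEN$", ln.strip())
        if m and int(m.group(1)) not in allowed:
            ports.add(int(m.group(1)))
    return sorted(ports)


def firmware_matches(image: bytes, expected_sha256: str) -> bool:
    """Compare the SHA-256 of a firmware image with the vendor-published digest."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()


# Constructed firmware image; the "published" digest is computed here, not a real value.
FIRMWARE_IMAGE = b"constructed-firmware-image-v1"
PUBLISHED_SHA256 = hashlib.sha256(FIRMWARE_IMAGE).hexdigest()


def audit(baseline=BASELINE_CONFIG, running=RUNNING_CONFIG, listing=SOCKET_LISTING,
          image=FIRMWARE_IMAGE, digest=PUBLISHED_SHA256) -> dict:
    """Run every check and collect the results in one report."""
    added, removed = config_drift(baseline, running)
    return {
        "drift_added": added,
        "drift_removed": removed,
        "hardening": hardening_findings(running),
        "unexpected_ports": unexpected_listeners(listing),
        "firmware_ok": firmware_matches(image, digest),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the constructed inputs the drift check reports the re-enabled password authentication, the http server, the added admin account and an unexplained static route as additions, and the lost lockout line as a removal; the port check flags 4444; the firmware digest matches. Because the comparison is set-based, harmless reordering of the configuration does not produce noise, which keeps a periodic change-management audit readable.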

The Advisory also contains recommended practices for robust logging, routing and VPN usage.

The Joint Cybersecurity Advisory underscores the critical need for proactive measures to combat the evolving threat posed by Salt Typhoon and other APT actors. By prioritizing threat hunting, incident response, and robust risk mitigation strategies, organizations can strengthen their defenses against these sophisticated cyber espionage campaigns. Coordinated efforts, timely reporting to relevant agencies and regulators as required by applicable law and regulations, and adherence to recommended security practices are essential to safeguarding critical telecommunications infrastructure and mitigating the global impact of these persistent threats.
