In early November, it was reported that the Singapore telecommunications company Singtel had been compromised by Volt Typhoon, a hacking group considered to be backed by the Chinese state. While details about the intrusion remain limited, no data is thought to have been stolen. However, the attack signaled a wider threat to the world, as it was believed to be a trial run for China’s cyber capabilities before moving on to other nations.
Unfortunately, numerous reports from the U.S. government at the end of 2024 revealed otherwise. Salt Typhoon, another Chinese state-sponsored hacking group, had already infiltrated U.S. telecommunications networks, in some cases for as long as 18 months. This significant cyber espionage campaign allowed them to gather a vast amount of confidential information, including data on over a million people and communications involving high-ranking officials and key locations like Washington, D.C.
These incidents raise serious red flags about the security of critical infrastructure and the threat posed by Chinese hacking groups. Telecommunications networks are essential for everyday life—supporting businesses, government operations, and daily communication. For groups like Volt or Salt Typhoon, they are a single entry point that can unlock valuable intelligence, disrupt vital services, and even act as a launchpad for more widespread attacks.
The Escalating Threat Landscape
The attacks by Volt and Salt Typhoon are clear examples of the recent escalation in state-sponsored attacks. The tactics and determination shown in these incidents highlight a growing pattern in cyber espionage, where state-backed hackers are zeroing in on the critical infrastructure that underpins national security and economic stability.
By compromising telecommunications networks, adversaries gain more than just access to sensitive communications; they gain a foothold in systems vital to emergency response, military coordination, and financial transactions. Imagine the consequences if emergency services were disrupted during a natural disaster or if critical military communications were jammed during a conflict. This threat extends far beyond telecommunications. Power grids, water systems, healthcare and transportation are all vulnerable to similar attacks. These sectors share common weaknesses: outdated legacy systems, reliance on third-party vendors and the constant struggle to balance operational needs with robust security.
That being said, securing telecommunications infrastructure presents unique challenges. These networks must remain operational 24/7, which leaves little room for downtime to implement security upgrades or conduct thorough testing. Even encryption, which is vital for protecting data, requires a delicate balance to ensure its effectiveness while complying with regulatory requirements. Additionally, the rapid growth of IoT devices has significantly increased the attack surface, introducing more vulnerabilities that need to be managed. The scale and complexity of these networks also make it extremely difficult to differentiate between legitimate activity and malicious behavior.
How Telecommunications Providers Can Enhance Their Security Posture
These incidents serve as a stark reminder of the urgent need to fortify critical infrastructure against sophisticated threats. Telecommunications providers, in particular, must prioritize proactive and layered defense strategies. Here’s how:
- Comprehensive Monitoring and Threat Detection: Telecommunications networks are vast and complex, handling enormous volumes of data. Network detection and response tooling that analyzes network activity in real time is essential. Quickly detecting anomalies in the volume, destination or origin of traffic can make the difference between containing an intrusion and allowing it to escalate into a full-blown breach.
- Routine Security Audits and Penetration Testing: Legacy systems, often the backbone of telecommunications infrastructure, are particularly vulnerable. Regular security assessments and penetration testing can uncover weaknesses like outdated software, misconfigurations, and security control failures before attackers exploit them. These evaluations should extend beyond internal systems to include third-party hardware and software providers. Security assessments should also cover staff, not just hardware and software. As tradecraft moves to an identity-first approach, ensure your people are ready to face these threats.
- Strengthening Resilience Through Redundancy: Critical systems should be designed with resilience in mind. Implement redundancy by having backup systems and alternate communication pathways to ensure operational continuity in case of compromise. Conduct regular incident response drills to prepare for worst-case scenarios and formulate disaster recovery plans that include both technical and business operations continuity. Identify your organization’s critical vendors and processes and establish plans for continued operation even if a supply chain partner becomes unavailable.
- Securing the Supply Chain: Telecommunications providers rely heavily on third-party vendors for hardware and software, creating a sprawling supply chain that adversaries can exploit. To mitigate these risks, rigorous vetting processes, contractual security requirements and ongoing monitoring of supply chain partners need to mature. In addition to evaluating supply chain partners for their cybersecurity resilience, be sure to inspect their preparedness for their own continued operations in the event of an intrusion or supply chain impact.
The Path Forward
The recent attacks on Singtel and U.S. telecommunications networks demonstrate that our adversaries are becoming more capable, persistent and willing to target critical infrastructure. A single company or government entity can’t address this issue. The public and private sectors must collaborate to effectively combat threats like Volt and Salt Typhoon.
Governments bring valuable intelligence, a national security perspective, and regulatory power to the table, while the private sector offers innovation, agility, and deep domain expertise. This collaboration can take many forms, from joint cybersecurity exercises and information sharing centers to public-private partnerships focused on research and development. By sharing threat intelligence, coordinating responses, and jointly developing security solutions, both sectors can combine resources and expertise to proactively address cyber threats and ensure rapid and unified responses to incidents.
Telecommunications providers and other critical industries must also prioritize proactive security measures. This includes continuous monitoring and threat detection, regular security audits and penetration testing, building redundancy into critical systems and securing the supply chain. By investing in these measures, we can enhance the resilience of our critical infrastructure and mitigate the risks posed by sophisticated adversaries.
While the threat landscape constantly evolves, we have the tools and expertise to defend our critical infrastructure. Through collaboration, innovation and a commitment to continuous improvement, we can stay ahead of our adversaries and ensure the security and stability of our essential services.
About the Author
Chris Henderson is the Senior Director of Threat Operations at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in Software Quality Assurance, Business Intelligence, and Information Security.
Chris can be reached online at https://www.linkedin.com/in/chenderson-cissp/ and at our company website https://www.huntress.com/.