Hacking Ourselves
It played like a spy movie you’ve seen dozens of times. An expert hacker is given an assignment to break into a complex, seemingly impervious corporate system, one whose compromise could have drastic implications for the American government. Slowly and methodically, the hacker finds the keys to this massive cyber system, then carefully navigates the twisting electronic corridors. At every locked door, the hacker discovers a way through, until at last the data trove being sought is revealed. With a few keystrokes, the critical, and no longer protected, data is captured and downloaded. The elaborate passwords and digital protections were no match for the expertise of the nefarious electronic criminals.
Just like these movies, this is essentially what happened when teams in China were given the mission to break into American communication systems recently. At first, the hacking seemed to be surprisingly widespread. The hacking teams were notorious enough to receive a suitably evil name from authorities: “Salt Typhoon”. The hackers gained deep access to the cell phone networks of major mobile providers including Verizon and AT&T. They were also able to penetrate the Lumen network. This company is not generally known to the public, because Lumen does not provide cell phone service. Instead, it is a major part of the electronic backbone of the internet, used by mobile providers to route communication through various internet gateways and connections.
Salt Typhoon’s hack was not a one-time data grab, like in the movies. Investigators from the official-sounding Cyber Safety Review Board estimate that the Chinese hacker intrusion lasted at least eight months, and possibly went on much longer, undetected by American communication corporations and their security teams. It may be continuing today.
The investigation appears to reveal two key goals of Salt Typhoon. One was to hack into the mobile phones of potentially thousands of US citizens. This access includes call logs, unencrypted texts and audio clips. But Typhoon was not, for now, interested in the average American’s cell phone conversations. Rather, they wanted to look into the phones used by politicians and key government employees. This included phones used by both major presidential campaigns’ aides and the candidates themselves. Officials within the Biden administration had their communications hacked, as did Senate Majority Leader Chuck Schumer, and now, it seems, President-elect Donald Trump and members of his team.
The second, and probably most important, hacking goal was to gain a deep understanding of how American mobile phone networks operate. This entailed studying, layer by layer, the way our systems function. At each stage of the infrastructure, the team was able to access the data required to unlock access to deeper levels, all the while remaining undetected by security systems. They did this by stealing credentials within the system that granted them permission to access areas of the networks that were considered highly secure.
Inside the networks, the hacking squads were able to compromise routers made by Cisco and others, which allowed them to establish access they could use in the future. This came in handy when US security officials discovered the Typhoon incursions and locked them out with security patches. Or so they thought. To the surprise of the security agencies, the hackers were able to reinsert themselves and remain in the system, collecting compromising data.
Eventually, the Cyber Safety agency believed it had managed to eject the hackers and lock them out, but no one knows for certain. By consulting with other countries, we discovered that others had been invaded by the hacking groups as well, including government agencies and hotels in Slovakia, France, Taiwan, Brazil, Israel and Saudi Arabia.
A Slovakian cybersecurity company uses a different name for Salt Typhoon, calling them FamousSparrow. They discovered that the group was made up of more than ten Chinese teams that specialized in hacking Microsoft Exchange servers.
The compromise is considered very serious. As Politico reports: “The leak of Call Detail Records would constitute a significant national security risk, potentially allowing Beijing to identify American spies, glean intimate details on the lives of U.S. political or business figures, or trace the movements of American troops and law enforcement personnel.”
To date, the administration has not been able to confirm that the Chinese intrusion has been ejected from our phone networks. What a brilliant group of evil hackers this must be, to have managed to unlock our seemingly secure phone networks and internet connections – connections that were supposed to be using the most secure and up-to-date technology available – technology that is largely developed by US companies.
But just like in the movies, it now appears that Salt Typhoon/FamousSparrow had a very powerful partner that helped them gain access to these seemingly impervious systems. That partner was the FBI and other American law enforcement agencies.
These agencies have long objected to the heavy encryption protections used by phone software. This is most notable with Apple’s encryption system, which led to a high-profile court case when the phone maker refused to provide the ability to unlock a suspect’s phone. The bureau found alternate means of breaking into the phone. Note that in this case, the phone owner was a suspect, not a convicted criminal.
To get into Americans’ mobile phones, law enforcement instead turned to the cell phone carriers. Using warrants, the FBI and others can have providers turn over data. Mobile phone providers have also had to build “Back Door Access” into their systems. This allows secret intrusion into a user’s phone.
This Back Door system has long been criticized by technology experts. There is no such thing as a secure back door. This appears to be the method the hacking teams used to break into our networks. The WSJ reported that “the hackers are believed to have targeted systems used by companies to comply with court-authorized surveillance wiretaps.”
Building in electronic wiretaps raises a host of concerns. These include privacy, security, trust, and both legal and ethical problems. It now turns out that the security challenges are very serious. So serious, in fact, that we may have exposed ourselves to grave dangers.
The current administration has been supportive of law enforcement’s demands for ever-increasing access to the personal communications of private citizens. There have been attempts to curtail this surveillance, but the Department of Justice has resisted congressional efforts. If nothing else, perhaps the incoming Congress will act against this intrusive danger.
Reform Congress is a collaboration between Liz Terwilliger and Stephen Wahrhaftig.