Dec. 28 (UPI) — Chinese hackers called Salt Typhoon have infiltrated a ninth telecommunications firm, gaining access to information about millions of people, U.S. cybersecurity officials say.
The FBI is investigating the Salt Typhoon attacks, which are spurring new defensive measures, deputy U.S. national security adviser Anne Neuberger told reporters on Friday.
“As we look at China’s compromise of now nine telecom companies, the first step is creating a defensible infrastructure,” she said.
The hackers primarily are targeting individuals and organizations involved in political or governmental activities and a significant number of hacking victims are located in the Washington D.C.-Virginia area.
The hackers can geolocate millions of people in the United States, listen to their phone conversations and record them whenever they like, Politico reported.
Among recent victims are President-elect Donald Trump, Vice President-elect JD Vance and several Biden administration officials.
Neuberger did not name the nine telecommunications firms that have been hacked, but said telecommunications firms and others must do more to improve cybersecurity and protect individual customers.
“We wouldn’t leave our homes, our offices unlocked,” she said. “Yet, the private companies owning and operating our critical infrastructure often do not have the basic cybersecurity practices in place that would make our infrastructure riskier, costlier and harder for countries and criminals to attack.”
She said companies need better management of configuration, better vulnerability management of networks and better work across the telecom sector to share information when incidents occur.
“However, we know that voluntary cybersecurity practices are inadequate to protect against China, Russia and Iran hacking our critical infrastructure,” Neuberger said.
Australian and British officials already have enacted telecom regulations “because they recognize that the nation’s secrets, the nation’s economy relies on their telecommunications sector.”
Neuberger said her British counterparts told her they would have detected and contained Salt Typhoon attacks faster and minimized their spread and impact.
“One of the most concerning and really troubling things we deal with is hacking of hospitals [and] hacking of healthcare data,” Neuberger said. “We see Americans’ sensitive healthcare data, sensitive mental health procedures [and] sensitive procedures being leaked on the dark web with the opportunity to blackmail individuals with that.”
She said federal regulators are updating existing rules and implementing new ones to counteract the cyberattacks and threats from Salt Typhoon and others.
The Department of Justice on Friday issued a rule prohibiting or restricting certain types of data transactions with certain nations or individuals who might have an interest in that data.
The protected information includes those involving government-related data and bulk sensitive personal data of individuals that could pose an unacceptable risk to the nation’s national security.
The Department of Health and Human Services likewise issued a proposed rule to improve cybersecurity and protect the nation’s healthcare system against an increasing number of cyberattacks.
The proposed HHS rule would require health insurers, most healthcare providers and their business partners to improve cybersecurity protections for individuals’ information that is protected by the Health Insurance Portability and Accountability Act of 1996.
“The increasing frequency and sophistication of cyberattacks in the healthcare sector pose a direct and significant threat to patient safety,” HHS Deputy Secretary Andrea Palm said Friday.
“These attacks endanger patients by exposing vulnerabilities in our healthcare system, degrading patient trust, disrupting patient care, diverting patients and delaying medical procedures.”
The proposed rule “is a vital step to ensuring that healthcare providers, patients and communities are not only better prepared to face a cyberattack but are also more secure and resilient,” Palm added.
Neuberger estimated the cost to implement improved cybersecurity to thwart attacks by Salt Typhoon and others at $9 billion during the first year and $6 billion for years 2 through 5.
“The cost of not acting is not only high, it also endangers critical infrastructure and patient safety,” she said, “and it carries other harmful consequences.”
The average cost of a breach in healthcare was $10.1 million in 2023, but the cost is nearing $800 million from a breach of Change Healthcare last year.
Those costs include the costs of recovery and operations and, “frankly, in the cost to Americans’ healthcare data and the operations of hospitals affected by it,” Neuberger said.
The Federal Communications Commission also has scheduled a Jan. 15 vote on additional proposed rules to combat Salt Typhoon and other hackers.