Chris McHenry is Vice President of Product Management at Aviatrix.
Last year, the hacker group known as Salt Typhoon, believed to be linked to China’s government, made headlines for orchestrating one of the largest hacks in U.S. infrastructure history. Having compromised major telecom and internet service providers—including AT&T, Verizon and others—Salt Typhoon has sent tidal waves (pun intended) across the network security ecosystem.
At the same time, another advanced persistent threat (APT) known as Silk Typhoon has emerged, demonstrating an even more sophisticated approach. Silk Typhoon has been observed abusing stolen API keys and credentials associated with privileged access management (PAM) systems, cloud application providers and cloud data management companies. This has allowed the threat actor to infiltrate multiple downstream enterprise customer environments.
Like Salt Typhoon, this group is highly proficient in cloud exploitation, using lateral movement techniques to transition from on-premises to cloud environments, maintain persistence and rapidly exfiltrate data.
In January, in an effort to address escalating cyber threats, the Biden administration released an Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. The Trump administration has since disbanded the Cyber Safety Review Board that was investigating Salt Typhoon, but the lesson of the hack is just as relevant to the private sector, because it exposed a critical weakness in many organizations’ current network strategies.
Reducing Trust In The Security Of Private Circuits From Service Providers
Before the Salt Typhoon attack, many businesses entrusted their service providers and subscribed to the long-held belief that private circuits are inherently “private.”
The Salt Typhoon attack forced companies to rethink what “private” means: service providers own the networking equipment through which enterprise traffic flows, and if an attacker such as Salt Typhoon or Silk Typhoon compromises those devices, any unencrypted traffic crossing them can be read or altered.
That misplaced confidence exposes sensitive data. Some companies are now assigning provider circuits the same trust level they would give the public internet, and protecting traffic accordingly.
The Case For In-Flight Encryption
One tactic is “in-flight” encryption, which safeguards network traffic as it flows through untrusted networks. Unfortunately, encryption can be challenging—especially when balancing trade-offs such as complexity, cost and application performance.
This is particularly apparent in the most high-performance environments involving enterprise backbones and hybrid applications that straddle traditional data centers and hyperscale cloud providers.
Despite these challenges, the Salt Typhoon and Silk Typhoon incidents underscore the need for robust encryption practices.
Evaluating Encryption Options
Organizations have two primary encryption approaches: application-level and network-level.
While there has been a concerted effort to push for application-level encryption—such as Transport Layer Security (TLS)—many critical application flows remain unencrypted, creating potential vulnerabilities.
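Port numbers are not evidence of encryption, which is why the gap described above is easy to miss. The following added example (not code from the article or from Aviatrix) classifies captured TCP flows by the first bytes the client sends, using the TLS record and ClientHello headers as the positive signal; the flow records, addresses and payloads are constructed for illustration, and in practice you would extract the first client payload of each flow from a capture taken where the private circuit enters your network.

```python
"""Audit the first bytes of captured TCP flows for application-level encryption.

Added example; not code from the article. Assumes you have already extracted
the first client payload of each TCP flow. The flows below are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
TLS_RECORD_VERSIONS = {0x0301, 0x0302, 0x0303}  # TLS 1.0 through 1.3 on the wire
HTTP_METHODS = {b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"PATCH", b"OPTIONS"}
# PostgreSQL SSLRequest: int32 length 8, int32 code 80877103 (0x04d2162f)
PG_SSLREQUEST = b"\x00\x00\x00\x08\x04\xd2\x16\x2f"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first bytes sent by the client


def is_tls_client_hello(payload: bytes) -> bool:
    """True if the payload opens with a TLS record that carries a ClientHello."""
    if len(payload) < 6:
        return False
    content_type = payload[0]
    record_version = int.from_bytes(payload[1:3], "big")
    record_length = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (
        content_type == TLS_HANDSHAKE
        and record_version in TLS_RECORD_VERSIONS
        and 4 <= record_length <= 16384
        and handshake_type == TLS_CLIENT_HELLO
    )


def classify(payload: bytes) -> Tuple[str, str]:
    """Return (protocol, status) decided from the bytes, never from the port."""
    if is_tls_client_hello(payload):
        return "tls", "encrypted"
    if payload.startswith(b"SSH-"):
        return "ssh", "encrypted"
    if payload.startswith(PG_SSLREQUEST):
        # The client asked to upgrade to TLS; the server may refuse, so the
        # rest of the stream must be checked before calling it encrypted.
        return "postgresql", "upgrade-requested"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http", "cleartext"
    if payload[:4] in (b"EHLO", b"HELO"):
        # STARTTLS may follow, but the session starts in the clear.
        return "smtp", "cleartext"
    return "unknown", "unknown"


def audit_flows(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Every flow that is not positively encrypted at the application layer."""
    findings = []
    for flow in flows:
        proto, status = classify(flow.first_payload)
        if status != "encrypted":
            findings.append((flow, proto, status))
    return findings


# Constructed sample: a TLS record header (type 0x16, version 3.1, length 5)
# followed by a handshake header whose type is ClientHello (0x01).
CLIENT_HELLO = bytes.fromhex("1603010005" "0100000103")

# Constructed sample flows (RFC 1918 addresses, hypothetical services).
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.2.0.20", 443, CLIENT_HELLO),
    Flow("10.1.0.6", "10.2.0.21", 8443, CLIENT_HELLO),  # TLS on a non-standard port
    Flow("10.1.0.7", "10.2.0.22", 443,
         b"GET /api/v1/customers HTTP/1.1\r\nHost: app.internal\r\n\r\n"),  # cleartext on 443
    Flow("10.1.0.8", "10.2.0.23", 25, b"EHLO relay.internal\r\n"),
    Flow("10.1.0.9", "10.2.0.24", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.1.0.10", "10.2.0.25", 5432, PG_SSLREQUEST),
    Flow("10.1.0.11", "10.2.0.26", 9000, b"\x00\x01\x00\x2a{\"op\":\"sync\"}"),
]

if __name__ == "__main__":
    for flow, proto, status in audit_flows(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {proto:<11} {status}")
```

On the constructed sample this reports the HTTP flow on port 443, the SMTP session, the PostgreSQL upgrade request and the unidentified port 9000 flow, and leaves the two TLS flows and the SSH flow alone. The flows it reports are exactly the ones that only network-level encryption will cover on a provider circuit.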
For comprehensive protection, network-level encryption is essential. This method ensures that all data in transit is encrypted, albeit with its own set of challenges.
Traditional VPN solutions often incur significant performance trade-offs, which has made technologies like Media Access Control Security (MACsec) a more common choice for network-level encryption. MACsec, however, operates at Layer 2 and protects a single link: traffic is decrypted and re-encrypted at every switch or router along the path, so each of those devices, including the provider’s, still handles plaintext. That hop-by-hop model raises costs and operational complexity and creates performance bottlenecks, undermining its effectiveness for today’s interconnected cloud applications.
Exploring Stronger Encryption Alternatives
Because of these challenges, businesses should explore more robust encryption solutions.
The Cybersecurity and Infrastructure Security Agency (CISA) advocates end-to-end encryption, a call it reiterated after the Salt Typhoon intrusions. Data encrypted at the source and decrypted only at the destination stays protected across every intermediate network and device, which removes the exposure created by hop-by-hop or partial encryption.
One option for end-to-end encryption is Internet Protocol Security (IPsec), which encrypts traffic between two endpoints so that sensitive information remains protected even as it traverses external networks. IPsec is generally simple, secure and widely supported. Although it can face throughput limits in cloud environments, organizations can improve its efficiency by running multiple tunnels in parallel or by working with third-party vendors that specialize in high-performance encryption.
The Growing Risk Of APTs And Lateral Movement To Cloud
Silk Typhoon highlights how APTs are growing more sophisticated in their ability to move laterally within environments. Once an environment has been successfully compromised, Silk Typhoon has been observed utilizing common yet effective tactics to move laterally from on-premises environments to cloud environments.
This underscores the urgent need for enterprises to adopt zero-trust networking principles, implement stricter identity and access controls, and closely monitor cloud environments for unauthorized activity.
Moreover, Silk Typhoon has demonstrated an advanced ability to evade detection using covert networks. As Microsoft explains, “Covert networks, tracked by Microsoft as ‘CovertNetwork,’ refer to a collection of egress IPs consisting of compromised or leased devices that may be used by one or more threat actors.” This tactic allows adversaries to obfuscate their malicious activities and maintain persistence within enterprise networks for extended periods, making detection and mitigation far more challenging.
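Because a covert network spreads an actor’s activity across many egress IPs, single-IP thresholds miss it; the signal is in how the IPs relate to accounts. The following added example (not code from the article, Aviatrix or Microsoft) runs two such checks over constructed sign-in log lines: one account succeeding from an unusual number of distinct source IPs within a short window, and a set of source IPs that each touch only one or two accounts and only ever fail. The log format, field names, addresses and thresholds are illustrative assumptions.

```python
"""Flag sign-in patterns consistent with a rotating covert egress network.

Added example; not from the article or from any vendor tooling. Assumes one
sign-in event per line as "<ISO-8601 ts> user=<name> src=<ip> result=OK|FAIL".
The sample log and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

ROTATION_WINDOW = timedelta(minutes=30)
MAX_DISTINCT_IPS = 3    # more successful-login IPs per account in a window is suspicious
MAX_USERS_PER_IP = 2    # a spraying node touches only a couple of accounts
MIN_SPRAY_SOURCES = 4   # this many quiet, always-failing IPs together is a spray

SAMPLE_LOG = """\
2025-03-01T10:00:00Z user=alice src=203.0.113.5 result=OK
2025-03-01T10:04:00Z user=alice src=198.51.100.17 result=OK
2025-03-01T10:09:00Z user=alice src=192.0.2.44 result=OK
2025-03-01T10:15:00Z user=alice src=203.0.113.88 result=OK
2025-03-01T10:20:00Z user=bob src=203.0.113.9 result=OK
2025-03-01T10:30:00Z user=bob src=203.0.113.9 result=FAIL
2025-03-01T11:00:00Z user=bob src=203.0.113.9 result=OK
2025-03-01T12:00:00Z user=carol src=198.51.100.2 result=FAIL
2025-03-01T12:01:00Z user=dave src=198.51.100.3 result=FAIL
2025-03-01T12:02:00Z user=erin src=198.51.100.4 result=FAIL
2025-03-01T12:03:00Z user=frank src=198.51.100.5 result=FAIL
2025-03-01T12:04:00Z user=grace src=198.51.100.6 result=FAIL
2025-03-01T12:05:00Z user=heidi src=198.51.100.7 result=FAIL
2025-03-01T12:06:00Z user=ivan src=198.51.100.7 result=FAIL
"""


def parse_line(line: str) -> dict:
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def rotating_sources(events: List[dict]) -> Dict[str, List[str]]:
    """Accounts that succeeded from more than MAX_DISTINCT_IPS within ROTATION_WINDOW."""
    by_user = defaultdict(list)
    for event in events:
        if event["result"] == "OK":
            by_user[event["user"]].append(event)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each success
            ips = {e["src"] for e in evs[i:] if e["ts"] - start["ts"] <= ROTATION_WINDOW}
            if len(ips) > MAX_DISTINCT_IPS:
                flagged[user] = sorted(ips)
                break
    return flagged


def low_and_slow_spray(events: List[dict]) -> Optional[Dict[str, List[str]]]:
    """Many source IPs, each touching few accounts and never succeeding."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["src"]].append(event)
    quiet_failers = {
        ip for ip, evs in by_ip.items()
        if len({e["user"] for e in evs}) <= MAX_USERS_PER_IP
        and all(e["result"] == "FAIL" for e in evs)
    }
    if len(quiet_failers) < MIN_SPRAY_SOURCES:
        return None
    targeted = {e["user"] for ip in quiet_failers for e in by_ip[ip]}
    return {"source_ips": sorted(quiet_failers), "accounts": sorted(targeted)}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("rotating sources:", rotating_sources(events))
    print("low-and-slow spray:", low_and_slow_spray(events))
```

On the constructed log, alice is flagged for four distinct source IPs in fifteen minutes, bob is not flagged because his one failure comes from the same IP as his successes, and the six 198.51.100.x addresses are reported together as a spray even though no single one of them would trip a per-IP failure threshold.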
With APTs continuing to refine their techniques and attack vectors, organizations must take a proactive approach to security, ensuring their network encryption, access controls and monitoring capabilities are strong enough to withstand these evolving threats.
Strengthening Security Through Proactive Measures And Strategic Partnerships
The rise of APTs like Salt Typhoon and Silk Typhoon highlights a fundamental shift in enterprise security. Attackers are exploiting not just individual organizations but also cloud service providers and PAM solutions to scale their attacks.
These incidents reveal vulnerabilities in traditional network security frameworks. With major service providers exposed to cyber threats, both the public and private sectors must adapt their strategies. Businesses can no longer rely solely on private circuits and outdated security measures; they must embrace modern encryption technologies, enhance network visibility and adopt zero-trust principles.
To combat these threats, enterprises should:
• Reduce trust in private circuits, recognizing that even trusted vendors can be compromised.
• Encrypt all data in transit.
• Enforce zero-trust networking principles to prevent lateral movement in cloud environments.
• Monitor for covert network activity and abnormal traffic patterns that may indicate intrusions.
• Partner with cloud security experts to develop a robust security strategy.
By proactively addressing these vulnerabilities, organizations can safeguard sensitive data and contribute to a more secure digital future. With APTs evolving rapidly, the time to act is now to avoid becoming the next target.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.