China’s Volt Typhoon Reportedly Breached Singtel In Test Run For US Attack

updated Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators.

The digital break-in was discovered in June, according to Bloomberg, citing “two people familiar with the matter” who told the news outlet that the Singtel breach was “a test run by China for further hacks against US telecommunications companies.”

In February, the feds and other nations’ governments warned that the Beijing-backed crew had compromised “multiple” critical infrastructure orgs’ IT networks in America and globally, and were “disruptive or destructive cyberattacks” against those targets.

Volt Typhoon’s targets include communications, energy, transportation systems, and water and wastewater systems. 

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the US, Canada, UK, Australia, and New Zealand said at the time.

More recently, another Chinese-government-backed group Salt Typhoon was accused of breaking into US telecom companies’ infrastructure. These intrusions came to light in October with the spies reportedly breaching Verizon, AT&T, and Lumen Technologies, although all three have thus far declined to comment to The Register about the hacks.

Salt Typhoon also reportedly targeted phones belonging to people affiliated with US Democratic presidential candidate Kamala Harris, along with Republican candidate Donald Trump and his running mate, JD Vance.

China has repeatedly denied the Western governments’ accusations — and that Volt Typhoon even exists.

Singtel did not immediately respond to The Register‘s questions about the alleged Volt Typhoon attack, but sent the following statement to Bloomberg:

Also according to Bloomberg, citing people in the know, Volt Typhoon used a web shell in the Singtel breach.

This echoes a similar report from Lumen Technologies’ Black Lotus Labs, which in August warned that Volt Typhoon had abused a Versa SD-WAN vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers’ networks.

The researchers attributed “with moderate confidence” both the new malware, dubbed VersaMem, and the exploitation of Volt Typhoon, warning that these attacks are “likely ongoing against unpatched Versa Director systems.” ®

Updated to add at 1600 UTC on November 6, 2024

In a post-publication email to The Register, Singtel confirmed it detected malware in June, “as subsequently dealt with and reported to relevant authorities,” but the telecom giant can’t confirm that it’s linked to Volt Typhoon.

No data was stolen in the attack, and no services were impacted, we’re told.

“Like any other large organisation and key infrastructure provider around the world, we are constantly probed,” a Singtel spokesperson said, adding that it’s always reviewing and improving its infosec processes and procedures.

“Singtel conducts regular malware sweeps as part of its cyber posture,” the spokesperson said. “Network resilience remains critical to our business, and we adopt industry best practices and work with leading security partners to continuously monitor and address the threats that we face on a daily basis.”

READ MORE HERE