China’s Volt Typhoon reportedly breached Singtel in ‘test-run’ for US telecom attacks

Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators.

The digital break-in was discovered in June, according to Bloomberg, citing “two people familiar with the matter” who told the news outlet that the Singtel breach was “a test run by China for further hacks against US telecommunications companies.”

In February, the feds and other nations’ governments warned that the Beijing-backed crew had compromised “multiple” critical infrastructure orgs’ IT networks in America and globally, and were “disruptive or destructive cyberattacks” against those targets.

Volt Typhoon’s targets include communications, energy, transportation systems, and water and wastewater systems. 

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the US, Canada, UK, Australia, and New Zealand said at the time.

More recently, another Chinese-government-backed group Salt Typhoon was accused of breaking into US telecom companies’ infrastructure. These intrusions came to light in October with the spies reportedly breaching Verizon, AT&T, and Lumen Technologies, although all three have thus far declined to comment to The Register about the hacks.

Salt Typhoon also reportedly targeted phones belonging to people affiliated with US Democratic presidential candidate Kamala Harris, along with Republican candidate Donald Trump and his running mate, JD Vance.

China has repeatedly denied the Western governments’ accusations — and that Volt Typhoon even exists.

Singtel did not immediately respond to The Register‘s questions about the alleged Volt Typhoon attack, but sent the following statement to Bloomberg:

Also according to Bloomberg, citing people in the know, Volt Typhoon used a web shell in the Singtel breach.

This echoes a similar report from Lumen Technologies’ Black Lotus Labs, which in August warned that Volt Typhoon had abused a Versa SD-WAN vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers’ networks.

The researchers attributed “with moderate confidence” both the new malware, dubbed VersaMem, and the exploitation of Volt Typhoon, warning that these attacks are “likely ongoing against unpatched Versa Director systems.” ®

READ MORE HERE