
China's Volt Typhoon reportedly breached Singtel in 'test-run' for US telecom attacks

Alleged intrusion spotted in June


Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators.

The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies."

In February, the feds and other nations' governments warned that the Beijing-backed crew had compromised "multiple" critical infrastructure orgs' IT networks in America and globally, and were preparing for "disruptive or destructive cyberattacks" against those targets.

Volt Typhoon's targets include communications, energy, transportation systems, and water and wastewater systems. 

"Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," the US, Canada, UK, Australia, and New Zealand said at the time.

More recently, another Chinese-government-backed group, Salt Typhoon, was accused of breaking into US telecom companies' infrastructure. These intrusions came to light in October, with the spies reportedly breaching Verizon, AT&T, and Lumen Technologies, although all three have thus far declined to comment to The Register about the hacks.

Salt Typhoon also reportedly targeted phones belonging to people affiliated with US Democratic presidential candidate Kamala Harris, along with Republican candidate Donald Trump and his running mate, JD Vance.

China has repeatedly denied the Western governments' accusations — and that Volt Typhoon even exists.

Singtel did not immediately respond to The Register's questions about the alleged Volt Typhoon attack, but sent the following statement to Bloomberg:

"We understand the importance of network resilience, especially because we are a key infrastructure service provider. That's why we adopt industry best practices and work with industry-leading security partners to continuously monitor and promptly address the threats that we face on a daily basis. We also regularly review and enhance our cybersecurity capabilities and defenses to protect our critical assets from evolving threats."

Also according to Bloomberg, citing people in the know, Volt Typhoon used a web shell in the Singtel breach.

This echoes a similar report from Lumen Technologies' Black Lotus Labs, which in August warned that Volt Typhoon had abused a Versa SD-WAN vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers' networks.

The researchers attributed both the new malware, dubbed VersaMem, and the exploitation to Volt Typhoon "with moderate confidence," warning that these attacks are "likely ongoing against unpatched Versa Director systems." ®

Updated to add at 1600 UTC on November 6, 2024

In a post-publication email to The Register, Singtel confirmed it detected malware in June, “as subsequently dealt with and reported to relevant authorities,” but the telecom giant can’t confirm that it’s linked to Volt Typhoon.

No data was stolen in the attack, and no services were impacted, we’re told.

“Like any other large organisation and key infrastructure provider around the world, we are constantly probed,” a Singtel spokesperson said, adding that it’s always reviewing and improving its infosec processes and procedures.

“Singtel conducts regular malware sweeps as part of its cyber posture,” the spokesperson said. “Network resilience remains critical to our business, and we adopt industry best practices and work with leading security partners to continuously monitor and address the threats that we face on a daily basis.”
