Recent analysis has connected a string of attacks against critical infrastructure in the US and India to the Chinese state-sponsored hacking group Volt Typhoon. These attacks, which exploited flaws in software created by a startup company in California, have raised concerns about the vulnerability of critical systems including communications networks, water facilities, and the electrical grid. The fact that US agencies remain on high alert despite denials from the Chinese government highlights the continuing danger posed by highly skilled foreign cyber threats.
The Volt Typhoon Cyber Campaign - According to US agencies including the FBI, the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA), Volt Typhoon is a state-sponsored Chinese hacking group that has been operating for at least five years. Attacks on critical US infrastructure sectors, including communications, energy, transportation, water, and wastewater facilities, have been connected to this group. The US has accused Volt Typhoon of breaking into these networks with the intention of causing havoc in the event of a future crisis, such as an invasion of Taiwan.[1]
See: https://redskyalliance.org/xindustry/critical-infrastructure-threat-volt-typhoon
The Chinese cyber campaign came into the spotlight when Microsoft named and publicly described Volt Typhoon in May 2023. Since then, US officials have urged companies and utilities to strengthen their cybersecurity measures, especially logging and monitoring, in order to detect and evict intruders who exploit vulnerabilities and then remain undetected for extended periods.
Exploiting Vulnerabilities in Versa Networks - The recent breaches attributed to Volt Typhoon exploited a vulnerability in a product from Versa Networks, a Santa Clara-based startup specializing in software that manages network configurations. According to Lumen Technologies Inc.’s Black Lotus Labs, which published a report on the breaches, Volt Typhoon managed to exploit an unpatched bug in Versa’s server product, allowing them to infiltrate the networks of four U.S. firms, including internet service providers, and another firm in India.
Versa Networks, backed by prominent investors like Blackrock Inc. and Sequoia Capital, issued an emergency patch for the vulnerability at the end of June 2023, after being notified by a customer who had experienced a breach. However, it wasn’t until July that Versa began widely informing customers of the issue. The company stated that the affected customer had not followed previously published guidelines to protect their systems through firewall rules and other measures.
Response and Mitigation Efforts - In response to the vulnerability, CISA issued an urgent directive requiring US federal agencies to either patch Versa products or stop using them by 13 September 2024. The National Vulnerability Database has given the vulnerability a “high” rating, reflecting the seriousness of the threat it poses. CISA Director Jen Easterly stressed that these intrusions represent only the “tip of the iceberg” in terms of potential victims, underscoring the need for increased awareness and strengthened cybersecurity defenses.
Versa Networks, for its part, has since taken steps to make its systems “secure by default,” meaning that customers will no longer be exposed to certain risks even if they have not adhered to company guidelines. Dan Maier, Versa’s chief marketing officer, noted that the company had advised customers as far back as 2015 to close off internet access to a specific port, which could have prevented the breach if followed.
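The mitigation Versa describes, closing off internet access to a management port with firewall rules, is the kind of setting that can be audited mechanically rather than left to customer guidelines. The following Python is an added example, not code from the article or from Versa Networks: it evaluates a small first-match allow/deny policy, flags a management port that is reachable from arbitrary internet sources, and produces a hardened policy that restricts the port to named management subnets. The port number (4566), the rule format and the sample policy are all constructed placeholders; the article does not name the actual port.

```python
"""Audit and harden a simple first-match firewall policy for an exposed
management port. Added example; the port, rule shape and sample policy are
constructed placeholders, not values from the article or from Versa."""
import ipaddress

MGMT_PORT = 4566  # placeholder: substitute the vendor's documented management port

# RFC 1918 ranges, used to decide whether a rule's source is "internal".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# TEST-NET addresses standing in for arbitrary internet hosts during the audit.
PROBE_SOURCES = ("198.51.100.10", "203.0.113.5")

# A rule is (source CIDR, destination port or "any", "allow" | "deny").
# Constructed weak policy: the management port is allowed from everywhere.
WEAK_POLICY = [
    ("0.0.0.0/0", 443, "allow"),         # public HTTPS service, intended
    ("0.0.0.0/0", MGMT_PORT, "allow"),   # the weak setting: management from anywhere
    ("10.0.0.0/8", "any", "allow"),      # broad internal allow
]

TRUSTED_MGMT_NETS = ["10.20.0.0/24"]     # constructed management subnet


def is_internal(cidr):
    """True if the whole CIDR lies inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS)


def evaluate(rules, src_ip, port, default="deny"):
    """First-match evaluation: the action of the first rule whose source
    network contains src_ip and whose port matches; default-deny otherwise."""
    ip = ipaddress.ip_address(src_ip)
    for src, rule_port, action in rules:
        net = ipaddress.ip_network(src, strict=False)
        if net.version != ip.version or ip not in net:
            continue
        if rule_port == "any" or rule_port == port:
            return action
    return default


def is_exposed(rules, mgmt_port=MGMT_PORT):
    """The management port is exposed if any probe internet source is allowed."""
    return any(evaluate(rules, ip, mgmt_port) == "allow" for ip in PROBE_SOURCES)


def harden(rules, trusted_mgmt_nets, mgmt_port=MGMT_PORT):
    """Secure-by-default rewrite: explicit allows for the trusted management
    subnets, then an explicit deny of the port from everywhere, placed ahead of
    the existing rules so that first-match semantics override any broad allow."""
    prefix = [(net, mgmt_port, "allow") for net in trusted_mgmt_nets]
    prefix.append(("0.0.0.0/0", mgmt_port, "deny"))
    return prefix + list(rules)


def audit_report(rules, mgmt_port=MGMT_PORT):
    """Human-readable summary of which allow rules reach the port from outside."""
    lines = []
    for src, rule_port, action in rules:
        if action == "allow" and rule_port in ("any", mgmt_port) and not is_internal(src):
            lines.append(f"allow {src} -> port {rule_port}: reachable from the internet")
    return lines


if __name__ == "__main__":
    print("weak policy exposed:", is_exposed(WEAK_POLICY))
    for line in audit_report(WEAK_POLICY):
        print("  finding:", line)
    hardened = harden(WEAK_POLICY, TRUSTED_MGMT_NETS)
    print("hardened policy exposed:", is_exposed(hardened))
    print("mgmt from 10.20.0.7:", evaluate(hardened, "10.20.0.7", MGMT_PORT))
    print("mgmt from 10.30.0.7:", evaluate(hardened, "10.30.0.7", MGMT_PORT))
```

Because the hardened policy puts the deny ahead of the original rules, even the broad internal allow (10.0.0.0/8 to any port) no longer reaches the management port from outside the named management subnet, which is the point of making the restriction the default rather than a guideline the customer must remember to apply.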
The Chinese Government’s Denial and US Accusations - The Chinese government has categorically denied any involvement in the Volt Typhoon attacks, instead labeling the group as a ransomware cybercriminal outfit called “Dark Power,” which they claim is not state-sponsored. A spokesman for the Chinese Embassy in Washington, Liu Pengyu, further alleged that the US intelligence community has collaborated with cybersecurity companies to fabricate claims of Chinese involvement in cyberattacks, as part of a strategy to inflate congressional budgets and government contracts. These claims remain unverified, and the US continues to hold China accountable for the actions attributed to Volt Typhoon.
Conclusion - The Volt Typhoon intrusions have exposed serious weaknesses in the cybersecurity defenses protecting critical infrastructure in the United States and India. As the threat landscape changes, governments and businesses alike must prioritize cybersecurity measures to guard against state-sponsored hacking attacks. The lessons learned from the Volt Typhoon intrusions will heavily influence future plans to ward off increasingly sophisticated cyberattacks.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://techstory.in/report-chinese-hackers-breach-into-us-indian-internet-companies-chinese-govt-denies-claims/#google_vignette