China's Volt Typhoon reportedly breached Singtel in 'test-run' for US telecom attacks
Alleged intrusion spotted in June
updated Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators.
The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies."
In February, the feds and other nations' governments warned that the Beijing-backed crew had compromised "multiple" critical infrastructure orgs' IT networks in America and globally, and were "disruptive or destructive cyberattacks" against those targets.
Volt Typhoon's targets include communications, energy, transportation systems, and water and wastewater systems.
"Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," the US, Canada, UK, Australia, and New Zealand said at the time.
More recently, another Chinese-government-backed group Salt Typhoon was accused of breaking into US telecom companies' infrastructure. These intrusions came to light in October with the spies reportedly breaching Verizon, AT&T, and Lumen Technologies, although all three have thus far declined to comment to The Register about the hacks.
- US says China's Volt Typhoon is readying destructive cyberattacks
- China again claims Volt Typhoon cyber-attack crew was invented by the US to discredit it
- Volt Typhoon suspected of exploiting Versa SD-WAN bug since June
- Feds investigate China's Salt Typhoon amid campaign phone hacks
Salt Typhoon also reportedly targeted phones belonging to people affiliated with US Democratic presidential candidate Kamala Harris, along with Republican candidate Donald Trump and his running mate, JD Vance.
China has repeatedly denied the Western governments' accusations — and that Volt Typhoon even exists.
Singtel did not immediately respond to The Register's questions about the alleged Volt Typhoon attack, but sent the following statement to Bloomberg:
"We understand the importance of network resilience, especially because we are a key infrastructure service provider. That's why we adopt industry best practices and work with industry-leading security partners to continuously monitor and promptly address the threats that we face on a daily basis. We also regularly review and enhance our cybersecurity capabilities and defenses to protect our critical assets from evolving threats."
Also according to Bloomberg, citing people in the know, Volt Typhoon used a web shell in the Singtel breach.
This echoes a similar report from Lumen Technologies' Black Lotus Labs, which in August warned that Volt Typhoon had abused a Versa SD-WAN vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers' networks.
The researchers attributed "with moderate confidence" both the new malware, dubbed VersaMem, and the exploitation of Volt Typhoon, warning that these attacks are "likely ongoing against unpatched Versa Director systems." ®
Updated to add at 1600 UTC on November 6, 2024
In a post-publication email to The Register, Singtel confirmed it detected malware in June, “as subsequently dealt with and reported to relevant authorities,” but the telecom giant can’t confirm that it’s linked to Volt Typhoon.
No data was stolen in the attack, and no services were impacted, we’re told.
“Like any other large organisation and key infrastructure provider around the world, we are constantly probed,” a Singtel spokesperson said, adding that it’s always reviewing and improving its infosec processes and procedures.
“Singtel conducts regular malware sweeps as part of its cyber posture,” the spokesperson said. “Network resilience remains critical to our business, and we adopt industry best practices and work with leading security partners to continuously monitor and address the threats that we face on a daily basis.”