Chinese government-backed hackers have recently penetrated deep into U.S. internet service providers (ISPs) to spy on their users, the Washington Post reported, citing sources familiar with the ongoing investigation and private security researchers.
The attacks, described as unusually aggressive and sophisticated, have targeted at least two major providers with millions of customers and several smaller ISPs.
Security researchers have identified the group responsible as Volt Typhoon, a hacker collective believed to be working for the Chinese government, TechCrunch reported.
According to Black Lotus Labs, a division of cybersecurity firm Lumen, the group exploited a zero-day vulnerability (a previously unknown flaw in the software) in Versa Director, a network management tool made by Versa Networks.
Versa Networks provides software critical to the operations of ISPs and managed service providers (MSPs), making it a desirable target for cyberattacks. Exploiting this software could grant attackers access to a wide range of downstream customers, expanding the potential impact of the breach, according to a report published on Tuesday.
"This wasn't limited to just telecoms, but also managed service providers and internet service providers," said Michael Horka, a security expert with Black Lotus Labs. "These central locations are targets because of the access they could potentially provide to additional downstream customers."
Horka disclosed that the investigation has identified four victims in the United States, including two ISPs, one MSP, and an information technology (IT) provider. An ISP in India was also targeted. Black Lotus Labs has chosen not to reveal the names of the affected companies.
The Volt Typhoon group has a history of targeting critical infrastructure, focusing on communication and telecom networks. Their efforts are believed to be aimed at causing real-world harm in the event of a future conflict with the United States, such as a potential military response to an invasion of Taiwan. U.S. government officials have testified that these hackers intend to disrupt any such response, making their activities particularly concerning.
In response to the discovery, Versa Networks confirmed that it had patched the vulnerability.
"Versa confirmed the vulnerability and issued an emergency patch at that time. We have since issued a comprehensive patch and distributed this to all customers," said Dan Maier, Chief Marketing Officer of Versa Networks.
He added that the company became aware of the flaw after researchers reported it in late June.
Black Lotus Labs also notified the U.S. Cybersecurity and Infrastructure Security Agency (CISA) of the vulnerability and the hacking campaign. CISA subsequently added the zero-day vulnerability to its list of known exploited flaws, warning that such vulnerabilities pose significant risks to the federal enterprise.