Security researchers have discovered that a group of hackers linked to the Chinese government has been targeting U.S. internet service providers using a previously unknown software vulnerability.
Researchers at Black Lotus Labs, a division of cybersecurity firm Lumen, said the group known as Volt Typhoon exploited a zero-day vulnerability (a flaw that was being exploited before the software maker had a patch available) in Versa Director software developed by Versa Networks.
Versa sells software that manages network configurations and is used by internet service providers (ISPs) and managed service providers (MSPs), making it a “highly valued and attractive target” for hackers, the researchers wrote in a report published Tuesday.
This is the latest discovery of hacking activity by Volt Typhoon, a group believed to be operating on behalf of the Chinese government, which has focused on targeting critical infrastructure, including communications and telecommunications networks, with the goal of “inflicting real-world harm” in the event of a future conflict with the United States. U.S. government officials testified earlier this year that the hackers aimed to disrupt the U.S. military response to a potential future invasion of Taiwan.
According to researchers at Black Lotus Labs, the hackers' goal was to steal and use the credentials of downstream customers of the breached companies. In other words, the hackers were targeting the Versa servers as a crossing point from which they could infiltrate other networks connected to the vulnerable Versa servers, Mike Horka, a security researcher who investigated the incident, told TechCrunch in a phone interview.
“This isn't just about telecommunications companies, but also managed service providers and internet service providers,” Horka said. “The targets are these epicenters that then provide further access.” Horka said these internet and network companies are themselves targets, “more likely because they may be able to provide access to downstream customers.”
Horka said he found four victims in the U.S., across two ISPs, one MSP and one IT provider, and one outside the U.S. at an ISP in India. Black Lotus Labs did not disclose the names of the victims.
Dan Maier, chief marketing officer for Versa, said in an email to TechCrunch that the company has fixed the zero-day vulnerability identified by Black Lotus Labs.
“Versa confirmed the vulnerability at the time and issued an emergency patch, and then issued a comprehensive patch that was distributed to all customers,” Maier said, adding that researchers had warned the company about the flaw in late June.
Maier told TechCrunch that Versa itself had confirmed the flaw and had observed “APT actors” exploiting it.
Black Lotus Labs said it had alerted the U.S. cybersecurity agency CISA about the zero-day vulnerability and the hacking activity. On Friday, CISA added the zero-day to its Known Exploited Vulnerabilities catalog, its list of vulnerabilities known to have been exploited in the wild. The agency warned that “this type of vulnerability is a frequent target for malicious cyber actors and poses significant risks to federal agencies.”