Article Details

China's Volt Typhoon reportedly breached Singtel in 'test-run' for US telecom attacks. Alleged intrusion spotted in June. Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators. The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies." In February, the feds and other nations' governments warned that the Beijing-backed crew had compromised "multiple" critical infrastructure orgs' IT networks in America and globally, and were "disruptive or destructive cyberattacks" against those targets. Volt Typhoon's targets include communications, energy, transportation systems, and water and wastewater systems.  "Volt Typhoon's choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the US authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions," the US, Canada, UK, Australia, and New Zealand said at the time. More recently, another Chinese-government-backed group Salt Typhoon was accused of breaking into US telecom companies' infrastructure. These intrusions came to light in October with the spies reportedly breaching Verizon, AT&T, and Lumen Technologies, although all three have thus far declined to comment to The Register about the hacks. Salt Typhoon also reportedly targeted phones belonging to people affiliated with US Democratic presidential candidate Kamala Harris, along with Republican candidate Donald Trump and his running mate, JD Vance. China has repeatedly denied the Western governments' accusations — and that Volt Typhoon even exists. Singtel did not immediately respond to The Register's questions about the alleged Volt Typhoon attack, but sent the following statement to Bloomberg: "We understand the importance of network resilience, especially because we are a key infrastructure service provider. That's why we adopt industry best practices and work with industry-leading security partners to continuously monitor and promptly address the threats that we face on a daily basis. We also regularly review and enhance our cybersecurity capabilities and defenses to protect our critical assets from evolving threats." Also according to Bloomberg, citing people in the know, Volt Typhoon used a web shell in the Singtel breach. This echoes a similar report from Lumen Technologies' Black Lotus Labs, which in August warned that Volt Typhoon had abused a Versa SD-WAN vulnerability CVE-2024-39717 to plant custom, credential-harvesting web shells on customers' networks. The researchers attributed "with moderate confidence" both the new malware, dubbed VersaMem, and the exploitation of Volt Typhoon, warning that these attacks are "likely ongoing against unpatched Versa Director systems."